diff --git a/.gitmodules b/.gitmodules
index 1fc166f9..eb98bb00 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,6 +1,6 @@
 [submodule "mkdocs-material-insiders"]
 path = modules/mkdocs-material
 url = git@github.com:privacyguides/mkdocs-material-insiders.git
-[submodule "docs/assets/brand"]
+[submodule "theme/assets/brand"]
 path = theme/assets/brand
 url = https://github.com/privacyguides/brand.git
diff --git a/config/mkdocs.ar.yml b/config/mkdocs.ar.yml
new file mode 100644
index 00000000..f1f4b15b
--- /dev/null
+++ b/config/mkdocs.ar.yml
@@ -0,0 +1,147 @@
+INHERIT: mkdocs.common.yml
+docs_dir: '../docs'
+site_url: "https://www.privacyguides.org/en/"
+site_dir: '../site/en'
+site_name: Privacy Guides
+site_description: |
+ Privacy Guides is your central privacy and security resource to protect yourself online.
+copyright: |
+ Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0.
+edit_uri: edit/main/docs/
+extra:
+ generator: false
+ analytics:
+ provider: plausible
+ property: privacyguides.org
+ feedback:
+ title: "Was this page helpful?"
+ ratings:
+ -
+ icon: material/robot-happy-outline
+ name: "This page was helpful"
+ data: Helpful
+ note: "Thanks for your feedback!"
+ -
+ icon: material/robot-confused
+ name: "This page could be improved"
+ data: Needs Improvement
+ note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum."
+theme:
+ language: en
+ palette:
+ -
+ media: "(prefers-color-scheme)"
+ scheme: default
+ accent: deep purple
+ toggle:
+ icon: material/brightness-auto
+ name: "Switch to light mode"
+ -
+ media: "(prefers-color-scheme: dark)"
+ scheme: slate
+ accent: amber
+ toggle:
+ icon: material/brightness-2
+ name: "Switch to system theme"
+ -
+ media: "(prefers-color-scheme: light)"
+ scheme: default
+ accent: deep purple
+ toggle:
+ icon: material/brightness-5
+ name: "Switch to dark mode"
+nav:
+ -
+ Home: 'index.md'
+ -
+ Knowledge Base:
+ - 'basics/threat-modeling.md'
+ - 'basics/common-threats.md'
+ - 'basics/common-misconceptions.md'
+ - 'basics/account-creation.md'
+ - 'basics/account-deletion.md'
+ -
+ Technology Essentials:
+ - 'basics/passwords-overview.md'
+ - 'basics/multi-factor-authentication.md'
+ - 'basics/email-security.md'
+ - 'basics/vpn-overview.md'
+ -
+ Operating Systems:
+ - 'os/android-overview.md'
+ - 'os/linux-overview.md'
+ - 'os/qubes-overview.md'
+ -
+ Advanced Topics:
+ - 'advanced/dns-overview.md'
+ - 'advanced/tor-overview.md'
+ - 'advanced/communication-network-types.md'
+ - kb-archive.md
+ -
+ Recommendations:
+ - 'tools.md'
+ -
+ Internet Browsing:
+ - 'tor.md'
+ - 'desktop-browsers.md'
+ - 'mobile-browsers.md'
+ -
+ Operating Systems:
+ - 'android.md'
+ - 'desktop.md'
+ - 'router.md'
+ -
+ Providers:
+ - 'cloud.md'
+ - 'dns.md'
+ - 'email.md'
+ - 'search-engines.md'
+ - 'vpn.md'
+ -
+ Software:
+ - 'calendar.md'
+ - 'data-redaction.md'
+ - 'email-clients.md'
+ - 'encryption.md'
+ - 'file-sharing.md'
+ - 'frontends.md'
+ - 'multi-factor-authentication.md'
+ - 'news-aggregators.md'
+ - 'notebooks.md'
+ - 'passwords.md'
+ - 'productivity.md'
+ - 'real-time-communication.md'
+ - 'video-streaming.md'
+ -
+ About:
+ - 'about/index.md'
+ - 'about/criteria.md'
+ - 'about/statistics.md'
+ - 'about/notices.md'
+ - 'about/privacy-policy.md'
+ -
+ Community:
+ - 'about/donate.md'
+ -
+ Online Services: 'about/services.md'
+ -
+ Code of Conduct: 'CODE_OF_CONDUCT.md'
+ - 'about/privacytools.md'
+ -
+ Contributing:
+ -
+ Writing Guide:
+ - 'meta/writing-style.md'
+ - 'meta/brand.md'
+ -
+ Technical Guides:
+ - 'meta/uploading-images.md'
+ - 'meta/git-recommendations.md'
+ -
+ Changelog: 'https://github.com/privacyguides/privacyguides.org/releases'
+ -
+ Forum: 'https://discuss.privacyguides.net/'
+ -
+ Blog: 'https://blog.privacyguides.org/'
diff --git a/config/mkdocs.bn.yml b/config/mkdocs.bn.yml
new file mode 100644
index 00000000..5fd1f3a7
--- /dev/null
+++ b/config/mkdocs.bn.yml
@@ -0,0 +1,147 @@
+INHERIT: mkdocs.common.yml
+docs_dir: '../docs'
+site_url: "https://www.privacyguides.org/en/"
+site_dir: '../site/en'
+site_name: Privacy Guides
+site_description: |
+ প্রাইভেসী গাইডস হলো আপনার অনলাইন প্রাইভেসী এবং সিকিউরিটি সম্পর্কে জানবার প্রধান জায়গা।
+copyright: |
+ Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
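Review bot: `config/mkdocs.ar.yml` is named for Arabic but carries the English build settings — `docs_dir: '../docs'`, `site_url: "https://www.privacyguides.org/en/"`, `site_dir: '../site/en'`, `edit_uri: edit/main/docs/` and `theme.language: en` — so a build of it either writes a second copy of the English site into the same `../site/en` directory that `mkdocs.en.yml` uses, or, once Arabic sources exist, publishes them under an `/en/` canonical URL with English language metadata. `mkdocs.bn.yml`, `mkdocs.de.yml`, `mkdocs.el.yml`, `mkdocs.eo.yml`, `mkdocs.es.yml` and `mkdocs.fa.yml` in this commit have the same five values (de even has translated UI strings next to `language: en`), and none of these languages appear in `extra.alternate` in `mkdocs.common.yml`, so the language switcher would not reach them either. `mkdocs.fr.yml` and `mkdocs.he.yml` in the same commit show the intended shape, reproduced below for `ar` with the `i18n/ar` path assumed by analogy with `i18n/fr`; if these files are placeholders from a translation export, keep them out of whatever config glob the build uses until the sources exist and say so in a comment at the top of each file.
```yaml
INHERIT: mkdocs.common.yml
docs_dir: '../i18n/ar'
site_url: "https://www.privacyguides.org/ar/"
site_dir: '../site/ar'
# … unchanged: site_name, site_description, copyright …
edit_uri: edit/main/i18n/ar/
# … unchanged: extra …
theme:
  language: ar
# … unchanged: palette, nav …
```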
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0.
+edit_uri: edit/main/docs/
+extra:
+ generator: false
+ analytics:
+ provider: plausible
+ property: privacyguides.org
+ feedback:
+ title: "Was this page helpful?"
+ ratings:
+ -
+ icon: material/robot-happy-outline
+ name: "This page was helpful"
+ data: Helpful
+ note: "Thanks for your feedback!"
+ -
+ icon: material/robot-confused
+ name: "This page could be improved"
+ data: Needs Improvement
+ note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum."
+theme:
+ language: en
+ palette:
+ -
+ media: "(prefers-color-scheme)"
+ scheme: default
+ accent: deep purple
+ toggle:
+ icon: material/brightness-auto
+ name: "Switch to light mode"
+ -
+ media: "(prefers-color-scheme: dark)"
+ scheme: slate
+ accent: amber
+ toggle:
+ icon: material/brightness-2
+ name: "Switch to system theme"
+ -
+ media: "(prefers-color-scheme: light)"
+ scheme: default
+ accent: deep purple
+ toggle:
+ icon: material/brightness-5
+ name: "Switch to dark mode"
+nav:
+ -
+ Home: 'index.md'
+ -
+ Knowledge Base:
+ - 'basics/threat-modeling.md'
+ - 'basics/common-threats.md'
+ - 'basics/common-misconceptions.md'
+ - 'basics/account-creation.md'
+ - 'basics/account-deletion.md'
+ -
+ Technology Essentials:
+ - 'basics/passwords-overview.md'
+ - 'basics/multi-factor-authentication.md'
+ - 'basics/email-security.md'
+ - 'basics/vpn-overview.md'
+ -
+ Operating Systems:
+ - 'os/android-overview.md'
+ - 'os/linux-overview.md'
+ - 'os/qubes-overview.md'
+ -
+ Advanced Topics:
+ - 'advanced/dns-overview.md'
+ - 'advanced/tor-overview.md'
+ - 'advanced/communication-network-types.md'
+ - kb-archive.md
+ -
+ Recommendations:
+ - 'tools.md'
+ -
+ Internet Browsing:
+ - 'tor.md'
+ - 'desktop-browsers.md'
+ - 'mobile-browsers.md'
+ -
+ Operating Systems:
+ - 'android.md'
+ - 'desktop.md'
+ - 'router.md'
+ -
+ Providers:
+ - 'cloud.md'
+ - 'dns.md'
+ - 'email.md'
+ - 'search-engines.md'
+ - 'vpn.md'
+ -
+ Software:
+ - 'calendar.md'
+ - 'data-redaction.md'
+ - 'email-clients.md'
+ - 'encryption.md'
+ - 'file-sharing.md'
+ - 'frontends.md'
+ - 'multi-factor-authentication.md'
+ - 'news-aggregators.md'
+ - 'notebooks.md'
+ - 'passwords.md'
+ - 'productivity.md'
+ - 'real-time-communication.md'
+ - 'video-streaming.md'
+ -
+ About:
+ - 'about/index.md'
+ - 'about/criteria.md'
+ - 'about/statistics.md'
+ - 'about/notices.md'
+ - 'about/privacy-policy.md'
+ -
+ Community:
+ - 'about/donate.md'
+ -
+ Online Services: 'about/services.md'
+ -
+ Code of Conduct: 'CODE_OF_CONDUCT.md'
+ - 'about/privacytools.md'
+ -
+ Contributing:
+ -
+ Writing Guide:
+ - 'meta/writing-style.md'
+ - 'meta/brand.md'
+ -
+ Technical Guides:
+ - 'meta/uploading-images.md'
+ - 'meta/git-recommendations.md'
+ -
+ Changelog: 'https://github.com/privacyguides/privacyguides.org/releases'
+ -
+ Forum: 'https://discuss.privacyguides.net/'
+ -
+ Blog: 'https://blog.privacyguides.org/'
diff --git a/config/mkdocs.common.yml b/config/mkdocs.common.yml
new file mode 100644
index 00000000..31b0310a
--- /dev/null
+++ b/config/mkdocs.common.yml
@@ -0,0 +1,110 @@
+extra:
+ social:
+ - icon: simple/mastodon
+ link: https://mastodon.neat.computer/@privacyguides
+ name: Mastodon
+ - icon: simple/matrix
+ link: https://matrix.to/#/#privacyguides:matrix.org
+ name: Matrix
+ - icon: simple/discourse
+ link: https://discuss.privacyguides.net/
+ name: Forum
+ - icon: simple/github
+ link: https://github.com/privacyguides
+ name: GitHub
+ alternate:
+ - name: English
+ link: /en/
+ lang: en
+ - name: Français
+ link: /fr/
+ lang: fr
+ - name: עִברִית
+ link: /he/
+ lang: he
+ - name: Nederlands
+ link: /nl/
+ lang: nl
+
+repo_url: https://github.com/privacyguides/privacyguides.org
+repo_name: ""
+
+theme:
+ name: material
+ custom_dir: ../theme
+ favicon: assets/img/brand/PNG/Favicon/favicon-32x32.png
+ icon:
+ logo: octicons/shield-16
+ repo: simple/github
+ font: false
+ features:
+ - navigation.tracking
+ - navigation.tabs
+ - navigation.sections
+ - navigation.expand
+ - content.tooltips
+ - search.highlight
+
+extra_css:
+ - assets/stylesheets/extra.css?v=3.2.0
+extra_javascript:
+ - assets/javascripts/mathjax.js
+ - assets/javascripts/feedback.js
+
+watch:
+ - ../theme
+ - ../includes
+ - mkdocs.common.yml
+
+plugins:
+ tags: {}
+ search: {}
+ macros: {}
+ meta: {}
+ git-committers:
+ enabled: !ENV [PRODUCTION, false]
+ repository: privacyguides/privacyguides.org
+ branch: main
+ git-revision-date-localized:
+ enabled: !ENV [PRODUCTION, false]
+ exclude:
+ - index.md
+ fallback_to_build_date: true
+ privacy:
+ external_assets_exclude:
+ - cdn.jsdelivr.net/npm/mathjax@3/*
+ - api.privacyguides.net/*
+
+markdown_extensions:
+ admonition: {}
+ pymdownx.details: {}
+ pymdownx.superfences:
+ custom_fences:
+ - name: mermaid
+ class: mermaid
+ format: !!python/name:pymdownx.superfences.fence_code_format
+ pymdownx.tabbed:
+ alternate_style: true
+ pymdownx.arithmatex:
+ generic: true
+ pymdownx.critic: {}
+ pymdownx.caret: {}
+ pymdownx.keys: {}
+ pymdownx.mark: {}
+ pymdownx.tilde: {}
+ pymdownx.snippets: {}
+ pymdownx.tasklist:
+ custom_checkbox: true
+ attr_list: {}
+ def_list: {}
+ md_in_html: {}
+ meta: {}
+ abbr: {}
+ pymdownx.emoji:
+ emoji_index: !!python/name:materialx.emoji.twemoji
+ emoji_generator: !!python/name:materialx.emoji.to_svg
+ tables: {}
+ footnotes: {}
+ toc:
+ permalink: true
+ toc_depth: 4
diff --git a/config/mkdocs.de.yml b/config/mkdocs.de.yml
new file mode 100644
index 00000000..4f5d2cb3
--- /dev/null
+++ b/config/mkdocs.de.yml
@@ -0,0 +1,147 @@
+INHERIT: mkdocs.common.yml
+docs_dir: '../docs'
+site_url: "https://www.privacyguides.org/en/"
+site_dir: '../site/en'
+site_name: Privacy Guides
+site_description: |
+ Privacy Guides ist deine zentrale Informationsquelle für Datenschutz und Sicherheit, um dich online zu schützen.
+copyright: |
+ Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
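Review bot: The `privacy` plugin's `external_assets_exclude` entry `cdn.jsdelivr.net/npm/mathjax@3/*` leaves MathJax as the one runtime dependency the plugin does not self-host, so visitors of any page that uses it still contact a third-party CDN, and the file gives no reason for the exception. If the cause is that MathJax loads further components at runtime that a build-time plugin cannot capture, record it above the entry, e.g. `# MathJax fetches its own components at runtime, so the privacy plugin cannot bundle it; served from jsDelivr until it is vendored under assets/` (confirm that reason before committing to it), and treat vendoring the needed files as a follow-up so the exclusion can be removed. `api.privacyguides.net/*` is first-party and needs no comment. `git-committers` and `git-revision-date-localized` are sensibly gated on `PRODUCTION`, but a one-line comment that `git-committers` queries the GitHub API during the production build, and which CI credential it relies on if any, would save the next maintainer a surprise.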
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0.
+edit_uri: edit/main/docs/
+extra:
+ generator: false
+ analytics:
+ provider: plausible
+ property: privacyguides.org
+ feedback:
+ title: "War diese Seite hilfreich?"
+ ratings:
+ -
+ icon: material/robot-happy-outline
+ name: "Diese Seite war hilfreich"
+ data: Helpful
+ note: "Danke für dein Feedback!"
+ -
+ icon: material/robot-confused
+ name: "Diese Seite könnte verbessert werden"
+ data: Needs Improvement
+ note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum."
+theme:
+ language: en
+ palette:
+ -
+ media: "(prefers-color-scheme)"
+ scheme: default
+ accent: deep purple
+ toggle:
+ icon: material/brightness-auto
+ name: "Zum hellen Modus wechseln"
+ -
+ media: "(prefers-color-scheme: dark)"
+ scheme: slate
+ accent: amber
+ toggle:
+ icon: material/brightness-2
+ name: "Switch to system theme"
+ -
+ media: "(prefers-color-scheme: light)"
+ scheme: default
+ accent: deep purple
+ toggle:
+ icon: material/brightness-5
+ name: "Zum dunklen Modus wechseln"
+nav:
+ -
+ Home: 'index.md'
+ -
+ Knowledge Base:
+ - 'basics/threat-modeling.md'
+ - 'basics/common-threats.md'
+ - 'basics/common-misconceptions.md'
+ - 'basics/account-creation.md'
+ - 'basics/account-deletion.md'
+ -
+ Technology Essentials:
+ - 'basics/passwords-overview.md'
+ - 'basics/multi-factor-authentication.md'
+ - 'basics/email-security.md'
+ - 'basics/vpn-overview.md'
+ -
+ Operating Systems:
+ - 'os/android-overview.md'
+ - 'os/linux-overview.md'
+ - 'os/qubes-overview.md'
+ -
+ Advanced Topics:
+ - 'advanced/dns-overview.md'
+ - 'advanced/tor-overview.md'
+ - 'advanced/communication-network-types.md'
+ - kb-archive.md
+ -
+ Recommendations:
+ - 'tools.md'
+ -
+ Internet Browsing:
+ - 'tor.md'
+ - 'desktop-browsers.md'
+ - 'mobile-browsers.md'
+ -
+ Operating Systems:
+ - 'android.md'
+ - 'desktop.md'
+ - 'router.md'
+ -
+ Providers:
+ - 'cloud.md'
+ - 'dns.md'
+ - 'email.md'
+ - 'search-engines.md'
+ - 'vpn.md'
+ -
+ Software:
+ - 'calendar.md'
+ - 'data-redaction.md'
+ - 'email-clients.md'
+ - 'encryption.md'
+ - 'file-sharing.md'
+ - 'frontends.md'
+ - 'multi-factor-authentication.md'
+ - 'news-aggregators.md'
+ - 'notebooks.md'
+ - 'passwords.md'
+ - 'productivity.md'
+ - 'real-time-communication.md'
+ - 'video-streaming.md'
+ -
+ About:
+ - 'about/index.md'
+ - 'about/criteria.md'
+ - 'about/statistics.md'
+ - 'about/notices.md'
+ - 'about/privacy-policy.md'
+ -
+ Community:
+ - 'about/donate.md'
+ -
+ Online Services: 'about/services.md'
+ -
+ Code of Conduct: 'CODE_OF_CONDUCT.md'
+ - 'about/privacytools.md'
+ -
+ Contributing:
+ -
+ Writing Guide:
+ - 'meta/writing-style.md'
+ - 'meta/brand.md'
+ -
+ Technical Guides:
+ - 'meta/uploading-images.md'
+ - 'meta/git-recommendations.md'
+ -
+ Changelog: 'https://github.com/privacyguides/privacyguides.org/releases'
+ -
+ Forum: 'https://discuss.privacyguides.net/'
+ -
+ Blog: 'https://blog.privacyguides.org/'
diff --git a/config/mkdocs.el.yml b/config/mkdocs.el.yml
new file mode 100644
index 00000000..f1f4b15b
--- /dev/null
+++ b/config/mkdocs.el.yml
@@ -0,0 +1,147 @@
+INHERIT: mkdocs.common.yml
+docs_dir: '../docs'
+site_url: "https://www.privacyguides.org/en/"
+site_dir: '../site/en'
+site_name: Privacy Guides
+site_description: |
+ Privacy Guides is your central privacy and security resource to protect yourself online.
+copyright: |
+ Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0.
+edit_uri: edit/main/docs/
+extra:
+ generator: false
+ analytics:
+ provider: plausible
+ property: privacyguides.org
+ feedback:
+ title: "Was this page helpful?"
+ ratings:
+ -
+ icon: material/robot-happy-outline
+ name: "This page was helpful"
+ data: Helpful
+ note: "Thanks for your feedback!"
+ -
+ icon: material/robot-confused
+ name: "This page could be improved"
+ data: Needs Improvement
+ note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum."
+theme:
+ language: en
+ palette:
+ -
+ media: "(prefers-color-scheme)"
+ scheme: default
+ accent: deep purple
+ toggle:
+ icon: material/brightness-auto
+ name: "Switch to light mode"
+ -
+ media: "(prefers-color-scheme: dark)"
+ scheme: slate
+ accent: amber
+ toggle:
+ icon: material/brightness-2
+ name: "Switch to system theme"
+ -
+ media: "(prefers-color-scheme: light)"
+ scheme: default
+ accent: deep purple
+ toggle:
+ icon: material/brightness-5
+ name: "Switch to dark mode"
+nav:
+ -
+ Home: 'index.md'
+ -
+ Knowledge Base:
+ - 'basics/threat-modeling.md'
+ - 'basics/common-threats.md'
+ - 'basics/common-misconceptions.md'
+ - 'basics/account-creation.md'
+ - 'basics/account-deletion.md'
+ -
+ Technology Essentials:
+ - 'basics/passwords-overview.md'
+ - 'basics/multi-factor-authentication.md'
+ - 'basics/email-security.md'
+ - 'basics/vpn-overview.md'
+ -
+ Operating Systems:
+ - 'os/android-overview.md'
+ - 'os/linux-overview.md'
+ - 'os/qubes-overview.md'
+ -
+ Advanced Topics:
+ - 'advanced/dns-overview.md'
+ - 'advanced/tor-overview.md'
+ - 'advanced/communication-network-types.md'
+ - kb-archive.md
+ -
+ Recommendations:
+ - 'tools.md'
+ -
+ Internet Browsing:
+ - 'tor.md'
+ - 'desktop-browsers.md'
+ - 'mobile-browsers.md'
+ -
+ Operating Systems:
+ - 'android.md'
+ - 'desktop.md'
+ - 'router.md'
+ -
+ Providers:
+ - 'cloud.md'
+ - 'dns.md'
+ - 'email.md'
+ - 'search-engines.md'
+ - 'vpn.md' + - + Software: + - 'calendar.md' + - 'data-redaction.md' + - 'email-clients.md' + - 'encryption.md' + - 'file-sharing.md' + - 'frontends.md' + - 'multi-factor-authentication.md' + - 'news-aggregators.md' + - 'notebooks.md' + - 'passwords.md' + - 'productivity.md' + - 'real-time-communication.md' + - 'video-streaming.md' + - + About: + - 'about/index.md' + - 'about/criteria.md' + - 'about/statistics.md' + - 'about/notices.md' + - 'about/privacy-policy.md' + - + Community: + - 'about/donate.md' + - + Online Services: 'about/services.md' + - + Code of Conduct: 'CODE_OF_CONDUCT.md' + - 'about/privacytools.md' + - + Contributing: + - + Writing Guide: + - 'meta/writing-style.md' + - 'meta/brand.md' + - + Technical Guides: + - 'meta/uploading-images.md' + - 'meta/git-recommendations.md' + - + Changelog: 'https://github.com/privacyguides/privacyguides.org/releases' + - + Forum: 'https://discuss.privacyguides.net/' + - + Blog: 'https://blog.privacyguides.org/' diff --git a/mkdocs.en.yml b/config/mkdocs.en.yml similarity index 99% rename from mkdocs.en.yml rename to config/mkdocs.en.yml index fa927841..6fdee980 100644 --- a/mkdocs.en.yml +++ b/config/mkdocs.en.yml @@ -1,7 +1,7 @@ INHERIT: mkdocs.common.yml -docs_dir: 'docs' +docs_dir: '../docs' site_url: "https://www.privacyguides.org/en/" -site_dir: 'site/en' +site_dir: '../site/en' site_name: Privacy Guides site_description: | @@ -30,6 +30,7 @@ extra: note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum." theme: + language: en palette: - media: "(prefers-color-scheme)" scheme: default diff --git a/config/mkdocs.eo.yml b/config/mkdocs.eo.yml new file mode 100644 index 00000000..f1f4b15b --- /dev/null +++ b/config/mkdocs.eo.yml 
@@ -0,0 +1,147 @@
+INHERIT: mkdocs.common.yml
+docs_dir: '../docs'
+site_url: "https://www.privacyguides.org/en/"
+site_dir: '../site/en'
+site_name: Privacy Guides
+site_description: |
+ Privacy Guides is your central privacy and security resource to protect yourself online.
+copyright: |
+ Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0.
+edit_uri: edit/main/docs/
+extra:
+ generator: false
+ analytics:
+ provider: plausible
+ property: privacyguides.org
+ feedback:
+ title: "Was this page helpful?"
+ ratings:
+ -
+ icon: material/robot-happy-outline
+ name: "This page was helpful"
+ data: Helpful
+ note: "Thanks for your feedback!"
+ -
+ icon: material/robot-confused
+ name: "This page could be improved"
+ data: Needs Improvement
+ note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum."
+theme:
+ language: en
+ palette:
+ -
+ media: "(prefers-color-scheme)"
+ scheme: default
+ accent: deep purple
+ toggle:
+ icon: material/brightness-auto
+ name: "Switch to light mode"
+ -
+ media: "(prefers-color-scheme: dark)"
+ scheme: slate
+ accent: amber
+ toggle:
+ icon: material/brightness-2
+ name: "Switch to system theme"
+ -
+ media: "(prefers-color-scheme: light)"
+ scheme: default
+ accent: deep purple
+ toggle:
+ icon: material/brightness-5
+ name: "Switch to dark mode"
+nav:
+ -
+ Home: 'index.md'
+ -
+ Knowledge Base:
+ - 'basics/threat-modeling.md'
+ - 'basics/common-threats.md'
+ - 'basics/common-misconceptions.md'
+ - 'basics/account-creation.md'
+ - 'basics/account-deletion.md'
+ -
+ Technology Essentials:
+ - 'basics/passwords-overview.md'
+ - 'basics/multi-factor-authentication.md'
+ - 'basics/email-security.md'
+ - 'basics/vpn-overview.md'
+ -
+ Operating Systems:
+ - 'os/android-overview.md'
+ - 'os/linux-overview.md'
+ - 'os/qubes-overview.md'
+ -
+ Advanced Topics:
+ - 'advanced/dns-overview.md'
+ - 'advanced/tor-overview.md'
+ - 'advanced/communication-network-types.md'
+ - kb-archive.md
+ -
+ Recommendations:
+ - 'tools.md'
+ -
+ Internet Browsing:
+ - 'tor.md'
+ - 'desktop-browsers.md'
+ - 'mobile-browsers.md'
+ -
+ Operating Systems:
+ - 'android.md'
+ - 'desktop.md'
+ - 'router.md'
+ -
+ Providers:
+ - 'cloud.md'
+ - 'dns.md'
+ - 'email.md'
+ - 'search-engines.md'
+ - 'vpn.md'
+ -
+ Software:
+ - 'calendar.md'
+ - 'data-redaction.md'
+ - 'email-clients.md'
+ - 'encryption.md'
+ - 'file-sharing.md'
+ - 'frontends.md'
+ - 'multi-factor-authentication.md'
+ - 'news-aggregators.md'
+ - 'notebooks.md'
+ - 'passwords.md'
+ - 'productivity.md'
+ - 'real-time-communication.md'
+ - 'video-streaming.md'
+ -
+ About:
+ - 'about/index.md'
+ - 'about/criteria.md'
+ - 'about/statistics.md'
+ - 'about/notices.md'
+ - 'about/privacy-policy.md'
+ -
+ Community:
+ - 'about/donate.md'
+ -
+ Online Services: 'about/services.md'
+ -
+ Code of Conduct: 'CODE_OF_CONDUCT.md'
+ - 'about/privacytools.md'
+ -
+ Contributing:
+ -
+ Writing Guide:
+ - 'meta/writing-style.md'
+ - 'meta/brand.md'
+ -
+ Technical Guides:
+ - 'meta/uploading-images.md'
+ - 'meta/git-recommendations.md'
+ -
+ Changelog: 'https://github.com/privacyguides/privacyguides.org/releases'
+ -
+ Forum: 'https://discuss.privacyguides.net/'
+ -
+ Blog: 'https://blog.privacyguides.org/'
diff --git a/config/mkdocs.es.yml b/config/mkdocs.es.yml
new file mode 100644
index 00000000..cf4cc032
--- /dev/null
+++ b/config/mkdocs.es.yml
@@ -0,0 +1,147 @@
+INHERIT: mkdocs.common.yml
+docs_dir: '../docs'
+site_url: "https://www.privacyguides.org/en/"
+site_dir: '../site/en'
+site_name: Privacy Guides
+site_description: |
+ Privacy Guides es tu recurso central de privacidad y seguridad para protegerte en línea.
+copyright: |
+ Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0.
+edit_uri: edit/main/docs/
+extra:
+ generator: false
+ analytics:
+ provider: plausible
+ property: privacyguides.org
+ feedback:
+ title: "Was this page helpful?"
+ ratings:
+ -
+ icon: material/robot-happy-outline
+ name: "This page was helpful"
+ data: Helpful
+ note: "Thanks for your feedback!"
+ -
+ icon: material/robot-confused
+ name: "This page could be improved"
+ data: Needs Improvement
+ note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum."
+theme:
+ language: en
+ palette:
+ -
+ media: "(prefers-color-scheme)"
+ scheme: default
+ accent: deep purple
+ toggle:
+ icon: material/brightness-auto
+ name: "Switch to light mode"
+ -
+ media: "(prefers-color-scheme: dark)"
+ scheme: slate
+ accent: amber
+ toggle:
+ icon: material/brightness-2
+ name: "Switch to system theme"
+ -
+ media: "(prefers-color-scheme: light)"
+ scheme: default
+ accent: deep purple
+ toggle:
+ icon: material/brightness-5
+ name: "Switch to dark mode"
+nav:
+ -
+ Home: 'index.md'
+ -
+ Knowledge Base:
+ - 'basics/threat-modeling.md'
+ - 'basics/common-threats.md'
+ - 'basics/common-misconceptions.md'
+ - 'basics/account-creation.md'
+ - 'basics/account-deletion.md'
+ -
+ Technology Essentials:
+ - 'basics/passwords-overview.md'
+ - 'basics/multi-factor-authentication.md'
+ - 'basics/email-security.md'
+ - 'basics/vpn-overview.md'
+ -
+ Operating Systems:
+ - 'os/android-overview.md'
+ - 'os/linux-overview.md'
+ - 'os/qubes-overview.md'
+ -
+ Advanced Topics:
+ - 'advanced/dns-overview.md'
+ - 'advanced/tor-overview.md'
+ - 'advanced/communication-network-types.md'
+ - kb-archive.md
+ -
+ Recommendations:
+ - 'tools.md'
+ -
+ Internet Browsing:
+ - 'tor.md'
+ - 'desktop-browsers.md'
+ - 'mobile-browsers.md'
+ -
+ Operating Systems:
+ - 'android.md'
+ - 'desktop.md'
+ - 'router.md'
+ -
+ Providers:
+ - 'cloud.md'
+ - 'dns.md'
+ - 'email.md'
+ - 'search-engines.md'
+ - 'vpn.md'
+ -
+ Software:
+ - 'calendar.md'
+ - 'data-redaction.md'
+ - 'email-clients.md'
+ - 'encryption.md'
+ - 'file-sharing.md'
+ - 'frontends.md'
+ - 'multi-factor-authentication.md'
+ - 'news-aggregators.md'
+ - 'notebooks.md'
+ - 'passwords.md'
+ - 'productivity.md'
+ - 'real-time-communication.md'
+ - 'video-streaming.md'
+ -
+ About:
+ - 'about/index.md'
+ - 'about/criteria.md'
+ - 'about/statistics.md'
+ - 'about/notices.md'
+ - 'about/privacy-policy.md'
+ -
+ Community:
+ - 'about/donate.md'
+ -
+ Online Services: 'about/services.md'
+ -
+ Code of Conduct: 'CODE_OF_CONDUCT.md'
+ - 'about/privacytools.md'
+ -
+ Contributing:
+ -
+ Writing Guide:
+ - 'meta/writing-style.md'
+ - 'meta/brand.md'
+ -
+ Technical Guides:
+ - 'meta/uploading-images.md'
+ - 'meta/git-recommendations.md'
+ -
+ Changelog: 'https://github.com/privacyguides/privacyguides.org/releases'
+ -
+ Forum: 'https://discuss.privacyguides.net/'
+ -
+ Blog: 'https://blog.privacyguides.org/'
diff --git a/config/mkdocs.fa.yml b/config/mkdocs.fa.yml
new file mode 100644
index 00000000..82c75096
--- /dev/null
+++ b/config/mkdocs.fa.yml
@@ -0,0 +1,147 @@
+INHERIT: mkdocs.common.yml
+docs_dir: '../docs'
+site_url: "https://www.privacyguides.org/en/"
+site_dir: '../site/en'
+site_name: Privacy Guides
+site_description: |
+ وبسایت Privacy Guides منبع اصلی حریم خصوصی و امنیت شما برای محافظت از خودتان در اینترنت است.
+copyright: |
+ Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0.
+edit_uri: edit/main/docs/
+extra:
+ generator: false
+ analytics:
+ provider: plausible
+ property: privacyguides.org
+ feedback:
+ title: "Was this page helpful?"
+ ratings:
+ -
+ icon: material/robot-happy-outline
+ name: "This page was helpful"
+ data: Helpful
+ note: "Thanks for your feedback!"
+ -
+ icon: material/robot-confused
+ name: "This page could be improved"
+ data: Needs Improvement
+ note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum."
+theme:
+ language: en
+ palette:
+ -
+ media: "(prefers-color-scheme)"
+ scheme: default
+ accent: deep purple
+ toggle:
+ icon: material/brightness-auto
+ name: "Switch to light mode"
+ -
+ media: "(prefers-color-scheme: dark)"
+ scheme: slate
+ accent: amber
+ toggle:
+ icon: material/brightness-2
+ name: "Switch to system theme"
+ -
+ media: "(prefers-color-scheme: light)"
+ scheme: default
+ accent: deep purple
+ toggle:
+ icon: material/brightness-5
+ name: "Switch to dark mode"
+nav:
+ -
+ Home: 'index.md'
+ -
+ Knowledge Base:
+ - 'basics/threat-modeling.md'
+ - 'basics/common-threats.md'
+ - 'basics/common-misconceptions.md'
+ - 'basics/account-creation.md'
+ - 'basics/account-deletion.md'
+ -
+ Technology Essentials:
+ - 'basics/passwords-overview.md'
+ - 'basics/multi-factor-authentication.md'
+ - 'basics/email-security.md'
+ - 'basics/vpn-overview.md'
+ -
+ Operating Systems:
+ - 'os/android-overview.md'
+ - 'os/linux-overview.md'
+ - 'os/qubes-overview.md'
+ -
+ Advanced Topics:
+ - 'advanced/dns-overview.md'
+ - 'advanced/tor-overview.md'
+ - 'advanced/communication-network-types.md'
+ - kb-archive.md
+ -
+ Recommendations:
+ - 'tools.md'
+ -
+ Internet Browsing:
+ - 'tor.md'
+ - 'desktop-browsers.md'
+ - 'mobile-browsers.md'
+ -
+ Operating Systems:
+ - 'android.md'
+ - 'desktop.md'
+ - 'router.md'
+ -
+ Providers:
+ - 'cloud.md'
+ - 'dns.md'
+ - 'email.md'
+ - 'search-engines.md'
+ - 'vpn.md'
+ -
+ Software:
+ - 'calendar.md'
+ - 'data-redaction.md'
+ - 'email-clients.md'
+ - 'encryption.md'
+ - 'file-sharing.md'
+ - 'frontends.md'
+ - 'multi-factor-authentication.md'
+ - 'news-aggregators.md'
+ - 'notebooks.md'
+ - 'passwords.md'
+ - 'productivity.md'
+ - 'real-time-communication.md'
+ - 'video-streaming.md'
+ -
+ About:
+ - 'about/index.md'
+ - 'about/criteria.md'
+ - 'about/statistics.md'
+ - 'about/notices.md'
+ - 'about/privacy-policy.md'
+ -
+ Community:
+ - 'about/donate.md'
+ -
+ Online Services: 'about/services.md'
+ -
+ Code of Conduct: 'CODE_OF_CONDUCT.md'
+ - 'about/privacytools.md'
+ -
+ Contributing:
+ -
+ Writing Guide:
+ - 'meta/writing-style.md'
+ - 'meta/brand.md'
+ -
+ Technical Guides:
+ - 'meta/uploading-images.md'
+ - 'meta/git-recommendations.md'
+ -
+ Changelog: 'https://github.com/privacyguides/privacyguides.org/releases'
+ -
+ Forum: 'https://discuss.privacyguides.net/'
+ -
+ Blog: 'https://blog.privacyguides.org/'
diff --git a/config/mkdocs.fr.yml b/config/mkdocs.fr.yml
new file mode 100644
index 00000000..04e219b6
--- /dev/null
+++ b/config/mkdocs.fr.yml
@@ -0,0 +1,150 @@
+INHERIT: mkdocs.common.yml
+docs_dir: '../i18n/fr'
+site_url: "https://www.privacyguides.org/fr/"
+site_dir: '../site/fr'
+site_name: Privacy Guides
+site_description: |
+ Privacy Guides est votre ressource centrale en matière de vie privée et de sécurité pour vous protéger en ligne.
+copyright: |
+ Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0.
+edit_uri: edit/main/i18n/fr/
+plugins:
+ social:
+ cards: false
+extra:
+ generator: false
+ analytics:
+ provider: plausible
+ property: privacyguides.org
+ feedback:
+ title: "Cette page vous a été utile ?"
+ ratings:
+ -
+ icon: material/robot-happy-outline
+ name: "Cette page a été utile"
+ data: Helpful
+ note: "Merci pour votre retour !"
+ -
+ icon: material/robot-confused
+ name: "Cette page pourrait être améliorée"
+ data: Needs Improvement
+ note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum."
+theme:
+ language: fr
+ palette:
+ -
+ media: "(prefers-color-scheme)"
+ scheme: default
+ accent: deep purple
+ toggle:
+ icon: material/brightness-auto
+ name: "Basculer en mode clair"
+ -
+ media: "(prefers-color-scheme: dark)"
+ scheme: slate
+ accent: amber
+ toggle:
+ icon: material/brightness-2
+ name: "Basculer vers le thème du système"
+ -
+ media: "(prefers-color-scheme: light)"
+ scheme: default
+ accent: deep purple
+ toggle:
+ icon: material/brightness-5
+ name: "Basculer en mode sombre"
+nav:
+ -
+ Home: 'index.md'
+ -
+ Knowledge Base:
+ - 'basics/threat-modeling.md'
+ - 'basics/common-threats.md'
+ - 'basics/common-misconceptions.md'
+ - 'basics/account-creation.md'
+ - 'basics/account-deletion.md'
+ -
+ Technology Essentials:
+ - 'basics/passwords-overview.md'
+ - 'basics/multi-factor-authentication.md'
+ - 'basics/email-security.md'
+ - 'basics/vpn-overview.md'
+ -
+ Operating Systems:
+ - 'os/android-overview.md'
+ - 'os/linux-overview.md'
+ - 'os/qubes-overview.md'
+ -
+ Advanced Topics:
+ - 'advanced/dns-overview.md'
+ - 'advanced/tor-overview.md'
+ - 'advanced/communication-network-types.md'
+ - kb-archive.md
+ -
+ Recommendations:
+ - 'tools.md'
+ -
+ Internet Browsing:
+ - 'tor.md'
+ - 'desktop-browsers.md'
+ - 'mobile-browsers.md'
+ -
+ Operating Systems:
+ - 'android.md'
+ - 'desktop.md'
+ - 'router.md'
+ -
+ Providers:
+ - 'cloud.md'
+ - 'dns.md'
+ - 'email.md'
+ - 'search-engines.md'
+ - 'vpn.md'
+ -
+ Software:
+ - 'calendar.md'
+ - 'data-redaction.md'
+ - 'email-clients.md'
+ - 'encryption.md'
+ - 'file-sharing.md'
+ - 'frontends.md'
+ - 'multi-factor-authentication.md'
+ - 'news-aggregators.md'
+ - 'notebooks.md'
+ - 'passwords.md'
+ - 'productivity.md'
+ - 'real-time-communication.md'
+ - 'video-streaming.md'
+ -
+ About:
+ - 'about/index.md'
+ - 'about/criteria.md'
+ - 'about/statistics.md'
+ - 'about/notices.md'
+ - 'about/privacy-policy.md'
+ -
+ Community:
+ - 'about/donate.md'
+ -
+ Online Services: 'about/services.md'
+ -
+ Code of Conduct: 'CODE_OF_CONDUCT.md'
+ - 'about/privacytools.md'
+ -
+ Contributing:
+ -
+ Writing Guide:
+ - 'meta/writing-style.md'
+ - 'meta/brand.md'
+ -
+ Technical Guides:
+ - 'meta/uploading-images.md'
+ - 'meta/git-recommendations.md'
+ -
+ Changelog: 'https://github.com/privacyguides/privacyguides.org/releases'
+ -
+ Forum: 'https://discuss.privacyguides.net/'
+ -
+ Blog: 'https://blog.privacyguides.org/'
diff --git a/config/mkdocs.he.yml b/config/mkdocs.he.yml
new file mode 100644
index 00000000..00bd8d9e
--- /dev/null
+++ b/config/mkdocs.he.yml
@@ -0,0 +1,150 @@
+INHERIT: mkdocs.common.yml
+docs_dir: '../i18n/he'
+site_url: "https://www.privacyguides.org/he/"
+site_dir: '../site/he'
+site_name: Privacy Guides
+site_description: |
+ Privacy Guides (מדריכי פרטיות) הם משאב הפרטיות והאבטחה המרכזי שלכם כדי להגן על עצמכם באופן מקוון.
+copyright: |
+ Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
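Review bot: The `nav` in `config/mkdocs.fr.yml` keeps English section labels (`Home`, `Knowledge Base`, `Recommendations`, `About`, `Contributing`, …) while `site_description`, the feedback strings and the palette toggle names are translated; MkDocs uses titles given in `nav` verbatim, so the French site would show an English navigation unless those labels are translated later in the pipeline — if the export tool treats them as keys and cannot translate them, say so in a comment at the top of the file. The `plugins: social: cards: false` block has no `social` entry in `mkdocs.common.yml` to override; since `INHERIT` merges mappings, as far as I recall, this registers the `social` plugin for the French build with card generation off rather than disabling something inherited, so if the plugin is enabled for English in a file outside this diff, a comment such as `# social cards are generated for the English build only` would make the intent explicit. `config/mkdocs.he.yml` repeats both patterns; its hunk is cut off at the end of this chunk.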
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0. +edit_uri: edit/main/i18n/he/ +plugins: + social: + cards: false +extra: + generator: false + analytics: + provider: plausible + property: privacyguides.org + feedback: + title: "האם הדף הזה עזר לך?" + ratings: + - + icon: material/robot-happy-outline + name: "הדף הזה היה מועיל" + data: Helpful + note: "תודה על המשוב שלך!" + - + icon: material/robot-confused + name: "דף זה יכול להשתפר" + data: Needs Improvement + note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum." +theme: + language: he + palette: + - + media: "(prefers-color-scheme)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-auto + name: "עבור למצב בהיר" + - + media: "(prefers-color-scheme: dark)" + scheme: slate + accent: amber + toggle: + icon: material/brightness-2 + name: "עבור לערכת הנושא של המערכת" + - + media: "(prefers-color-scheme: light)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-5 + name: "עבור למצב כהה" +nav: + - + Home: 'index.md' + - + Knowledge Base: + - 'basics/threat-modeling.md' + - 'basics/common-threats.md' + - 'basics/common-misconceptions.md' + - 'basics/account-creation.md' + - 'basics/account-deletion.md' + - + Technology Essentials: + - 'basics/passwords-overview.md' + - 'basics/multi-factor-authentication.md' + - 'basics/email-security.md' + - 'basics/vpn-overview.md' + - + Operating Systems: + - 'os/android-overview.md' + - 'os/linux-overview.md' + - 'os/qubes-overview.md' + - + Advanced Topics: + - 'advanced/dns-overview.md' + - 'advanced/tor-overview.md' + - 'advanced/communication-network-types.md' + - kb-archive.md + - + Recommendations: + - 'tools.md' + - + Internet Browsing: + - 'tor.md' + - 'desktop-browsers.md' + - 'mobile-browsers.md' + - + Operating Systems: + - 'android.md' + - 'desktop.md' + - 'router.md' + - + Providers: + - 'cloud.md' + - 'dns.md' + - 'email.md' + - 
'search-engines.md' + - 'vpn.md' + - + Software: + - 'calendar.md' + - 'data-redaction.md' + - 'email-clients.md' + - 'encryption.md' + - 'file-sharing.md' + - 'frontends.md' + - 'multi-factor-authentication.md' + - 'news-aggregators.md' + - 'notebooks.md' + - 'passwords.md' + - 'productivity.md' + - 'real-time-communication.md' + - 'video-streaming.md' + - + About: + - 'about/index.md' + - 'about/criteria.md' + - 'about/statistics.md' + - 'about/notices.md' + - 'about/privacy-policy.md' + - + Community: + - 'about/donate.md' + - + Online Services: 'about/services.md' + - + Code of Conduct: 'CODE_OF_CONDUCT.md' + - 'about/privacytools.md' + - + Contributing: + - + Writing Guide: + - 'meta/writing-style.md' + - 'meta/brand.md' + - + Technical Guides: + - 'meta/uploading-images.md' + - 'meta/git-recommendations.md' + - + Changelog: 'https://github.com/privacyguides/privacyguides.org/releases' + - + Forum: 'https://discuss.privacyguides.net/' + - + Blog: 'https://blog.privacyguides.org/' diff --git a/config/mkdocs.hi.yml b/config/mkdocs.hi.yml new file mode 100644 index 00000000..f1f4b15b --- /dev/null +++ b/config/mkdocs.hi.yml @@ -0,0 +1,147 @@ +INHERIT: mkdocs.common.yml +docs_dir: '../docs' +site_url: "https://www.privacyguides.org/en/" +site_dir: '../site/en' +site_name: Privacy Guides +site_description: | + Privacy Guides is your central privacy and security resource to protect yourself online. +copyright: | + Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
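Review bot: The second feedback rating's `note` in `config/mkdocs.he.yml` is still the English string `"Thanks for your feedback! Help us improve this page by opening a discussion on our forum."` while the title, both rating names and the first note are Hebrew, so a reader who picks "could be improved" gets an untranslated reply. The `copyright` block is likewise still English even though `site_description` is translated. The same untranslated second `note` appears in the fr, hu, id and pt-BR hunks. Whether these strings come from a translation platform or were edited by hand is not visible in the diff; either way the feedback widget is only half translated in those files.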
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0. +edit_uri: edit/main/docs/ +extra: + generator: false + analytics: + provider: plausible + property: privacyguides.org + feedback: + title: "Was this page helpful?" + ratings: + - + icon: material/robot-happy-outline + name: "This page was helpful" + data: Helpful + note: "Thanks for your feedback!" + - + icon: material/robot-confused + name: "This page could be improved" + data: Needs Improvement + note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum." +theme: + language: en + palette: + - + media: "(prefers-color-scheme)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-auto + name: "Switch to light mode" + - + media: "(prefers-color-scheme: dark)" + scheme: slate + accent: amber + toggle: + icon: material/brightness-2 + name: "Switch to system theme" + - + media: "(prefers-color-scheme: light)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-5 + name: "Switch to dark mode" +nav: + - + Home: 'index.md' + - + Knowledge Base: + - 'basics/threat-modeling.md' + - 'basics/common-threats.md' + - 'basics/common-misconceptions.md' + - 'basics/account-creation.md' + - 'basics/account-deletion.md' + - + Technology Essentials: + - 'basics/passwords-overview.md' + - 'basics/multi-factor-authentication.md' + - 'basics/email-security.md' + - 'basics/vpn-overview.md' + - + Operating Systems: + - 'os/android-overview.md' + - 'os/linux-overview.md' + - 'os/qubes-overview.md' + - + Advanced Topics: + - 'advanced/dns-overview.md' + - 'advanced/tor-overview.md' + - 'advanced/communication-network-types.md' + - kb-archive.md + - + Recommendations: + - 'tools.md' + - + Internet Browsing: + - 'tor.md' + - 'desktop-browsers.md' + - 'mobile-browsers.md' + - + Operating Systems: + - 'android.md' + - 'desktop.md' + - 'router.md' + - + Providers: + - 'cloud.md' + - 'dns.md' + - 'email.md' + - 'search-engines.md' 
+ - 'vpn.md' + - + Software: + - 'calendar.md' + - 'data-redaction.md' + - 'email-clients.md' + - 'encryption.md' + - 'file-sharing.md' + - 'frontends.md' + - 'multi-factor-authentication.md' + - 'news-aggregators.md' + - 'notebooks.md' + - 'passwords.md' + - 'productivity.md' + - 'real-time-communication.md' + - 'video-streaming.md' + - + About: + - 'about/index.md' + - 'about/criteria.md' + - 'about/statistics.md' + - 'about/notices.md' + - 'about/privacy-policy.md' + - + Community: + - 'about/donate.md' + - + Online Services: 'about/services.md' + - + Code of Conduct: 'CODE_OF_CONDUCT.md' + - 'about/privacytools.md' + - + Contributing: + - + Writing Guide: + - 'meta/writing-style.md' + - 'meta/brand.md' + - + Technical Guides: + - 'meta/uploading-images.md' + - 'meta/git-recommendations.md' + - + Changelog: 'https://github.com/privacyguides/privacyguides.org/releases' + - + Forum: 'https://discuss.privacyguides.net/' + - + Blog: 'https://blog.privacyguides.org/' diff --git a/config/mkdocs.hu.yml b/config/mkdocs.hu.yml new file mode 100644 index 00000000..e651b14a --- /dev/null +++ b/config/mkdocs.hu.yml @@ -0,0 +1,147 @@ +INHERIT: mkdocs.common.yml +docs_dir: '../docs' +site_url: "https://www.privacyguides.org/en/" +site_dir: '../site/en' +site_name: Privacy Guides +site_description: | + A Privacy Guides a te központi adatvédelmi és adatbiztonsági erőforrásod magad megvédéséhez online. +copyright: | + Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
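Review bot: `config/mkdocs.hi.yml` is a byte-for-byte copy of the English configuration (its blob `f1f4b15b` is the same one the `mkdocs.ar.yml` and `mkdocs.pt.yml` headers show), so `docs_dir: '../docs'`, `site_url: "https://www.privacyguides.org/en/"`, `site_dir: '../site/en'`, `edit_uri: edit/main/docs/` and `language: en` all still point at the English site. Building it would regenerate the English output into `../site/en` instead of producing a Hindi site, and canonical URLs and edit links would still be English; compare the he and nl hunks, which set per-language values for all five keys. The same English paths and `language: en` appear in the hu, id, it, pl, pt-BR, pt and ru hunks, which presumably need the same treatment. It is not visible from the diff whether `plugins.social.cards: false`, which only the he and nl files carry, is intended for every non-English build.

```yaml
docs_dir: '../i18n/hi'
site_url: "https://www.privacyguides.org/hi/"
site_dir: '../site/hi'
# … unchanged: site_name, site_description, copyright …
edit_uri: edit/main/i18n/hi/
# … unchanged: extra (analytics, feedback) …
theme:
  language: hi
# … unchanged: palette, nav …
```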
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0. +edit_uri: edit/main/docs/ +extra: + generator: false + analytics: + provider: plausible + property: privacyguides.org + feedback: + title: "Hasznosnak találtad az oldalt?" + ratings: + - + icon: material/robot-happy-outline + name: "Az oldal hasznos volt" + data: Helpful + note: "Köszönjük a visszajelzést!" + - + icon: material/robot-confused + name: "Az oldalon lehetne javítani" + data: Needs Improvement + note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum." +theme: + language: en + palette: + - + media: "(prefers-color-scheme)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-auto + name: "Váltás világos módra" + - + media: "(prefers-color-scheme: dark)" + scheme: slate + accent: amber + toggle: + icon: material/brightness-2 + name: "Váltás a rendszer témájára" + - + media: "(prefers-color-scheme: light)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-5 + name: "Váltás sötét módra" +nav: + - + Home: 'index.md' + - + Knowledge Base: + - 'basics/threat-modeling.md' + - 'basics/common-threats.md' + - 'basics/common-misconceptions.md' + - 'basics/account-creation.md' + - 'basics/account-deletion.md' + - + Technology Essentials: + - 'basics/passwords-overview.md' + - 'basics/multi-factor-authentication.md' + - 'basics/email-security.md' + - 'basics/vpn-overview.md' + - + Operating Systems: + - 'os/android-overview.md' + - 'os/linux-overview.md' + - 'os/qubes-overview.md' + - + Advanced Topics: + - 'advanced/dns-overview.md' + - 'advanced/tor-overview.md' + - 'advanced/communication-network-types.md' + - kb-archive.md + - + Recommendations: + - 'tools.md' + - + Internet Browsing: + - 'tor.md' + - 'desktop-browsers.md' + - 'mobile-browsers.md' + - + Operating Systems: + - 'android.md' + - 'desktop.md' + - 'router.md' + - + Providers: + - 'cloud.md' + - 'dns.md' + - 'email.md' + - 
'search-engines.md' + - 'vpn.md' + - + Software: + - 'calendar.md' + - 'data-redaction.md' + - 'email-clients.md' + - 'encryption.md' + - 'file-sharing.md' + - 'frontends.md' + - 'multi-factor-authentication.md' + - 'news-aggregators.md' + - 'notebooks.md' + - 'passwords.md' + - 'productivity.md' + - 'real-time-communication.md' + - 'video-streaming.md' + - + About: + - 'about/index.md' + - 'about/criteria.md' + - 'about/statistics.md' + - 'about/notices.md' + - 'about/privacy-policy.md' + - + Community: + - 'about/donate.md' + - + Online Services: 'about/services.md' + - + Code of Conduct: 'CODE_OF_CONDUCT.md' + - 'about/privacytools.md' + - + Contributing: + - + Writing Guide: + - 'meta/writing-style.md' + - 'meta/brand.md' + - + Technical Guides: + - 'meta/uploading-images.md' + - 'meta/git-recommendations.md' + - + Changelog: 'https://github.com/privacyguides/privacyguides.org/releases' + - + Forum: 'https://discuss.privacyguides.net/' + - + Blog: 'https://blog.privacyguides.org/' diff --git a/config/mkdocs.id.yml b/config/mkdocs.id.yml new file mode 100644 index 00000000..dadc5171 --- /dev/null +++ b/config/mkdocs.id.yml @@ -0,0 +1,147 @@ +INHERIT: mkdocs.common.yml +docs_dir: '../docs' +site_url: "https://www.privacyguides.org/en/" +site_dir: '../site/en' +site_name: Privacy Guides +site_description: | + Privacy Guides adalah sumber daya privasi dan keamanan Anda untuk melindungi Anda secara daring. +copyright: | + Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0. +edit_uri: edit/main/docs/ +extra: + generator: false + analytics: + provider: plausible + property: privacyguides.org + feedback: + title: "Apakah laman ini bermanfaat?" + ratings: + - + icon: material/robot-happy-outline + name: "Laman ini bermanfaat" + data: Helpful + note: "Terima kasih atas tanggapan Anda!" + - + icon: material/robot-confused + name: "Laman ini dapat diperbaiki" + data: Needs Improvement + note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum." +theme: + language: en + palette: + - + media: "(prefers-color-scheme)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-auto + name: "Ubah ke mode terang" + - + media: "(prefers-color-scheme: dark)" + scheme: slate + accent: amber + toggle: + icon: material/brightness-2 + name: "Ubah ke tema sistem" + - + media: "(prefers-color-scheme: light)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-5 + name: "Ubah ke mode gelap" +nav: + - + Home: 'index.md' + - + Knowledge Base: + - 'basics/threat-modeling.md' + - 'basics/common-threats.md' + - 'basics/common-misconceptions.md' + - 'basics/account-creation.md' + - 'basics/account-deletion.md' + - + Technology Essentials: + - 'basics/passwords-overview.md' + - 'basics/multi-factor-authentication.md' + - 'basics/email-security.md' + - 'basics/vpn-overview.md' + - + Operating Systems: + - 'os/android-overview.md' + - 'os/linux-overview.md' + - 'os/qubes-overview.md' + - + Advanced Topics: + - 'advanced/dns-overview.md' + - 'advanced/tor-overview.md' + - 'advanced/communication-network-types.md' + - kb-archive.md + - + Recommendations: + - 'tools.md' + - + Internet Browsing: + - 'tor.md' + - 'desktop-browsers.md' + - 'mobile-browsers.md' + - + Operating Systems: + - 'android.md' + - 'desktop.md' + - 'router.md' + - + Providers: + - 'cloud.md' + - 'dns.md' + - 'email.md' + - 
'search-engines.md' + - 'vpn.md' + - + Software: + - 'calendar.md' + - 'data-redaction.md' + - 'email-clients.md' + - 'encryption.md' + - 'file-sharing.md' + - 'frontends.md' + - 'multi-factor-authentication.md' + - 'news-aggregators.md' + - 'notebooks.md' + - 'passwords.md' + - 'productivity.md' + - 'real-time-communication.md' + - 'video-streaming.md' + - + About: + - 'about/index.md' + - 'about/criteria.md' + - 'about/statistics.md' + - 'about/notices.md' + - 'about/privacy-policy.md' + - + Community: + - 'about/donate.md' + - + Online Services: 'about/services.md' + - + Code of Conduct: 'CODE_OF_CONDUCT.md' + - 'about/privacytools.md' + - + Contributing: + - + Writing Guide: + - 'meta/writing-style.md' + - 'meta/brand.md' + - + Technical Guides: + - 'meta/uploading-images.md' + - 'meta/git-recommendations.md' + - + Changelog: 'https://github.com/privacyguides/privacyguides.org/releases' + - + Forum: 'https://discuss.privacyguides.net/' + - + Blog: 'https://blog.privacyguides.org/' diff --git a/config/mkdocs.it.yml b/config/mkdocs.it.yml new file mode 100644 index 00000000..1627bc56 --- /dev/null +++ b/config/mkdocs.it.yml @@ -0,0 +1,147 @@ +INHERIT: mkdocs.common.yml +docs_dir: '../docs' +site_url: "https://www.privacyguides.org/en/" +site_dir: '../site/en' +site_name: Privacy Guides +site_description: | + Privacy Guides è la risorsa centrale per la privacy e la sicurezza per proteggersi online. +copyright: | + Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0. +edit_uri: edit/main/docs/ +extra: + generator: false + analytics: + provider: plausible + property: privacyguides.org + feedback: + title: "Was this page helpful?" + ratings: + - + icon: material/robot-happy-outline + name: "This page was helpful" + data: Helpful + note: "Thanks for your feedback!" + - + icon: material/robot-confused + name: "This page could be improved" + data: Needs Improvement + note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum." +theme: + language: en + palette: + - + media: "(prefers-color-scheme)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-auto + name: "Switch to light mode" + - + media: "(prefers-color-scheme: dark)" + scheme: slate + accent: amber + toggle: + icon: material/brightness-2 + name: "Switch to system theme" + - + media: "(prefers-color-scheme: light)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-5 + name: "Switch to dark mode" +nav: + - + Home: 'index.md' + - + Knowledge Base: + - 'basics/threat-modeling.md' + - 'basics/common-threats.md' + - 'basics/common-misconceptions.md' + - 'basics/account-creation.md' + - 'basics/account-deletion.md' + - + Technology Essentials: + - 'basics/passwords-overview.md' + - 'basics/multi-factor-authentication.md' + - 'basics/email-security.md' + - 'basics/vpn-overview.md' + - + Operating Systems: + - 'os/android-overview.md' + - 'os/linux-overview.md' + - 'os/qubes-overview.md' + - + Advanced Topics: + - 'advanced/dns-overview.md' + - 'advanced/tor-overview.md' + - 'advanced/communication-network-types.md' + - kb-archive.md + - + Recommendations: + - 'tools.md' + - + Internet Browsing: + - 'tor.md' + - 'desktop-browsers.md' + - 'mobile-browsers.md' + - + Operating Systems: + - 'android.md' + - 'desktop.md' + - 'router.md' + - + Providers: + - 'cloud.md' + - 'dns.md' + - 'email.md' + - 'search-engines.md' 
+ - 'vpn.md' + - + Software: + - 'calendar.md' + - 'data-redaction.md' + - 'email-clients.md' + - 'encryption.md' + - 'file-sharing.md' + - 'frontends.md' + - 'multi-factor-authentication.md' + - 'news-aggregators.md' + - 'notebooks.md' + - 'passwords.md' + - 'productivity.md' + - 'real-time-communication.md' + - 'video-streaming.md' + - + About: + - 'about/index.md' + - 'about/criteria.md' + - 'about/statistics.md' + - 'about/notices.md' + - 'about/privacy-policy.md' + - + Community: + - 'about/donate.md' + - + Online Services: 'about/services.md' + - + Code of Conduct: 'CODE_OF_CONDUCT.md' + - 'about/privacytools.md' + - + Contributing: + - + Writing Guide: + - 'meta/writing-style.md' + - 'meta/brand.md' + - + Technical Guides: + - 'meta/uploading-images.md' + - 'meta/git-recommendations.md' + - + Changelog: 'https://github.com/privacyguides/privacyguides.org/releases' + - + Forum: 'https://discuss.privacyguides.net/' + - + Blog: 'https://blog.privacyguides.org/' diff --git a/config/mkdocs.nl.yml b/config/mkdocs.nl.yml new file mode 100644 index 00000000..d4cf7e67 --- /dev/null +++ b/config/mkdocs.nl.yml @@ -0,0 +1,150 @@ +INHERIT: mkdocs.common.yml +docs_dir: '../i18n/nl' +site_url: "https://www.privacyguides.org/nl/" +site_dir: '../site/nl' +site_name: Privacy Guides +site_description: | + Privacy Guides is jouw centrale bron voor privacy en beveiliging om jezelf online te beschermen. +copyright: | + Privacy Guides is een non-profit, sociaal gemotiveerde website die informatie biedt voor de bescherming van jouw gegevensbeveiliging en privacy.
+ Wij verdienen geen geld met het aanbevelen van bepaalde producten, en wij maken geen gebruik van affiliate links.
+ © 2022 Privacy Guides en medewerkers. Inhoud gelicentieerd onder CC BY-ND 4.0. +edit_uri: edit/main/i18n/nl/ +plugins: + social: + cards: false +extra: + generator: false + analytics: + provider: plausible + property: privacyguides.org + feedback: + title: "Was deze pagina nuttig?" + ratings: + - + icon: material/robot-happy-outline + name: "Deze pagina was nuttig" + data: Handig + note: "Bedankt voor je feedback!" + - + icon: material/robot-confused + name: "Deze pagina kan worden verbeterd" + data: Behoefte aan verbetering + note: "Bedankt voor jouw feedback! Help ons deze pagina te verbeteren door een discussie te openen op ons forum." +theme: + language: nl + palette: + - + media: "(prefers-color-scheme)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-auto + name: "Verander naar licht thema" + - + media: "(prefers-color-scheme: dark)" + scheme: slate + accent: amber + toggle: + icon: material/brightness-2 + name: "Verander naar systeem thema" + - + media: "(prefers-color-scheme: light)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-5 + name: "Verander naar donker thema" +nav: + - + Home: 'index.md' + - + Knowledge Base: + - 'basics/dreigingsmodellering.md' + - 'basics/common-threats.md' + - 'basics/common-misconceptions.md' + - 'basics/account-creation.md' + - 'basics/account-deletion.md' + - + Technology Essentials: + - 'basics/passwords-overview.md' + - 'basics/multi-factor-authentication.md' + - 'basics/email-security.md' + - 'basics/vpn-overview.md' + - + Operating Systems: + - 'os/android-overview.md' + - 'os/linux-overview.md' + - 'os/qubes-overview.md' + - + Advanced Topics: + - 'geavanceerd/dns-overview.md' + - 'geavanceerd/tor-overview.md' + - 'advanced/communication-network-types.md' + - kb-archive.md + - + Recommendations: + - 'tools.md' + - + Internet Browsing: + - 'tor.md' + - 'desktop-browsers.md' + - 'mobile-browsers.md' + - + Operating Systems: + - 'android.md' + - 'desktop.md' + - 
'router.md' + - + Providers: + - 'cloud.md' + - 'dns.md' + - 'email.md' + - 'zoekmachines.md' + - 'vpn.md' + - + Software: + - 'calendar.md' + - 'data-redaction.md' + - 'email-clients.md' + - 'encryptie.md' + - 'file-sharing.md' + - 'frontends.md' + - 'multi-factor-authenticatie.md' + - 'nieuws-aggregatoren.md' + - 'notebooks.md' + - 'passwords.md' + - 'productivity.md' + - 'real-time-communicatie.md' + - 'video-streaming.md' + - + About: + - 'over/index.md' + - 'over/criteria.md' + - 'over/statistics.md' + - 'over/notices.md' + - 'over/privacy-policy.md' + - + Community: + - 'over/donate.md' + - + Online Services: 'over/services.md' + - + Code of Conduct: 'CODE_OF_CONDUCT.md' + - 'over/privacytools.md' + - + Contributing: + - + Writing Guide: + - 'meta/schrijfstijl.md' + - 'meta/brand.md' + - + Technical Guides: + - 'meta/uploading-images.md' + - 'meta/git-recommendations.md' + - + Changelog: 'https://github.com/privacyguides/privacyguides.org/releases' + - + Forum: 'https://discuss.privacyguides.net/' + - + Blog: 'https://blog.privacyguides.org/' diff --git a/config/mkdocs.pl.yml b/config/mkdocs.pl.yml new file mode 100644 index 00000000..ce6aa36c --- /dev/null +++ b/config/mkdocs.pl.yml @@ -0,0 +1,147 @@ +INHERIT: mkdocs.common.yml +docs_dir: '../docs' +site_url: "https://www.privacyguides.org/en/" +site_dir: '../site/en' +site_name: Privacy Guides +site_description: | + Privacy Guides to Twoje centrum dla prywatności oraz bezpieczeństwa, które pomoże Ci chronić się w Internecie. +copyright: | + Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
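Review bot: The `nav` entries in `config/mkdocs.nl.yml` use translated file paths — `'basics/dreigingsmodellering.md'`, `'geavanceerd/dns-overview.md'`, `'zoekmachines.md'`, `'encryptie.md'`, `'over/index.md'`, `'meta/schrijfstijl.md'` and others — while every other language config in this commit keeps the English paths, and the half-translated `geavanceerd/dns-overview.md` suggests the paths went through translation together with the UI strings. Unless `i18n/nl` really contains files under those names, MkDocs will report each of them as missing from the docs directory and those sections of the Dutch site will have no pages; the fix is to restore the English paths (e.g. `- 'basics/threat-modeling.md'`, `- 'advanced/dns-overview.md'`, `- 'about/index.md'`) and confine translation to the display strings. Separately, the feedback `data` values were translated to `Handig` and `Behoefte aan verbetering` whereas the other configs keep `data: Helpful` / `data: Needs Improvement`; if that value is what the rating reports to the analytics provider, translating it splits the feedback counts by language.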
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0. +edit_uri: edit/main/docs/ +extra: + generator: false + analytics: + provider: plausible + property: privacyguides.org + feedback: + title: "Was this page helpful?" + ratings: + - + icon: material/robot-happy-outline + name: "This page was helpful" + data: Helpful + note: "Thanks for your feedback!" + - + icon: material/robot-confused + name: "This page could be improved" + data: Needs Improvement + note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum." +theme: + language: en + palette: + - + media: "(prefers-color-scheme)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-auto + name: "Switch to light mode" + - + media: "(prefers-color-scheme: dark)" + scheme: slate + accent: amber + toggle: + icon: material/brightness-2 + name: "Switch to system theme" + - + media: "(prefers-color-scheme: light)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-5 + name: "Switch to dark mode" +nav: + - + Home: 'index.md' + - + Knowledge Base: + - 'basics/threat-modeling.md' + - 'basics/common-threats.md' + - 'basics/common-misconceptions.md' + - 'basics/account-creation.md' + - 'basics/account-deletion.md' + - + Technology Essentials: + - 'basics/passwords-overview.md' + - 'basics/multi-factor-authentication.md' + - 'basics/email-security.md' + - 'basics/vpn-overview.md' + - + Operating Systems: + - 'os/android-overview.md' + - 'os/linux-overview.md' + - 'os/qubes-overview.md' + - + Advanced Topics: + - 'advanced/dns-overview.md' + - 'advanced/tor-overview.md' + - 'advanced/communication-network-types.md' + - kb-archive.md + - + Recommendations: + - 'tools.md' + - + Internet Browsing: + - 'tor.md' + - 'desktop-browsers.md' + - 'mobile-browsers.md' + - + Operating Systems: + - 'android.md' + - 'desktop.md' + - 'router.md' + - + Providers: + - 'cloud.md' + - 'dns.md' + - 'email.md' + - 'search-engines.md' 
+ - 'vpn.md' + - + Software: + - 'calendar.md' + - 'data-redaction.md' + - 'email-clients.md' + - 'encryption.md' + - 'file-sharing.md' + - 'frontends.md' + - 'multi-factor-authentication.md' + - 'news-aggregators.md' + - 'notebooks.md' + - 'passwords.md' + - 'productivity.md' + - 'real-time-communication.md' + - 'video-streaming.md' + - + About: + - 'about/index.md' + - 'about/criteria.md' + - 'about/statistics.md' + - 'about/notices.md' + - 'about/privacy-policy.md' + - + Community: + - 'about/donate.md' + - + Online Services: 'about/services.md' + - + Code of Conduct: 'CODE_OF_CONDUCT.md' + - 'about/privacytools.md' + - + Contributing: + - + Writing Guide: + - 'meta/writing-style.md' + - 'meta/brand.md' + - + Technical Guides: + - 'meta/uploading-images.md' + - 'meta/git-recommendations.md' + - + Changelog: 'https://github.com/privacyguides/privacyguides.org/releases' + - + Forum: 'https://discuss.privacyguides.net/' + - + Blog: 'https://blog.privacyguides.org/' diff --git a/config/mkdocs.pt-BR.yml b/config/mkdocs.pt-BR.yml new file mode 100644 index 00000000..07fcefb4 --- /dev/null +++ b/config/mkdocs.pt-BR.yml @@ -0,0 +1,147 @@ +INHERIT: mkdocs.common.yml +docs_dir: '../docs' +site_url: "https://www.privacyguides.org/en/" +site_dir: '../site/en' +site_name: Privacy Guides +site_description: | + Privacy Guides é sua central de recursos no que diz respeito a privacidade e segurança para se proteger online. +copyright: | + Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0. +edit_uri: edit/main/docs/ +extra: + generator: false + analytics: + provider: plausible + property: privacyguides.org + feedback: + title: "Esta página foi útil?" + ratings: + - + icon: material/robot-happy-outline + name: "Esta página foi útil" + data: Helpful + note: "Agradecemos o feedback!" + - + icon: material/robot-confused + name: "Esta página poderia melhorar" + data: Needs Improvement + note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum." +theme: + language: en + palette: + - + media: "(prefers-color-scheme)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-auto + name: "Mudar para o tema claro" + - + media: "(prefers-color-scheme: dark)" + scheme: slate + accent: amber + toggle: + icon: material/brightness-2 + name: "Usar o tema do sistema" + - + media: "(prefers-color-scheme: light)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-5 + name: "Mudar para o tema escuro" +nav: + - + Home: 'index.md' + - + Knowledge Base: + - 'basics/threat-modeling.md' + - 'basics/common-threats.md' + - 'basics/common-misconceptions.md' + - 'basics/account-creation.md' + - 'basics/account-deletion.md' + - + Technology Essentials: + - 'basics/passwords-overview.md' + - 'basics/multi-factor-authentication.md' + - 'basics/email-security.md' + - 'basics/vpn-overview.md' + - + Operating Systems: + - 'os/android-overview.md' + - 'os/linux-overview.md' + - 'os/qubes-overview.md' + - + Advanced Topics: + - 'advanced/dns-overview.md' + - 'advanced/tor-overview.md' + - 'advanced/communication-network-types.md' + - kb-archive.md + - + Recommendations: + - 'tools.md' + - + Internet Browsing: + - 'tor.md' + - 'desktop-browsers.md' + - 'mobile-browsers.md' + - + Operating Systems: + - 'android.md' + - 'desktop.md' + - 'router.md' + - + Providers: + - 'cloud.md' + - 'dns.md' + - 'email.md' + - 
'search-engines.md' + - 'vpn.md' + - + Software: + - 'calendar.md' + - 'data-redaction.md' + - 'email-clients.md' + - 'encryption.md' + - 'file-sharing.md' + - 'frontends.md' + - 'multi-factor-authentication.md' + - 'news-aggregators.md' + - 'notebooks.md' + - 'passwords.md' + - 'productivity.md' + - 'real-time-communication.md' + - 'video-streaming.md' + - + About: + - 'about/index.md' + - 'about/criteria.md' + - 'about/statistics.md' + - 'about/notices.md' + - 'about/privacy-policy.md' + - + Community: + - 'about/donate.md' + - + Online Services: 'about/services.md' + - + Code of Conduct: 'CODE_OF_CONDUCT.md' + - 'about/privacytools.md' + - + Contributing: + - + Writing Guide: + - 'meta/writing-style.md' + - 'meta/brand.md' + - + Technical Guides: + - 'meta/uploading-images.md' + - 'meta/git-recommendations.md' + - + Changelog: 'https://github.com/privacyguides/privacyguides.org/releases' + - + Forum: 'https://discuss.privacyguides.net/' + - + Blog: 'https://blog.privacyguides.org/' diff --git a/config/mkdocs.pt.yml b/config/mkdocs.pt.yml new file mode 100644 index 00000000..f1f4b15b --- /dev/null +++ b/config/mkdocs.pt.yml @@ -0,0 +1,147 @@ +INHERIT: mkdocs.common.yml +docs_dir: '../docs' +site_url: "https://www.privacyguides.org/en/" +site_dir: '../site/en' +site_name: Privacy Guides +site_description: | + Privacy Guides is your central privacy and security resource to protect yourself online. +copyright: | + Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0. +edit_uri: edit/main/docs/ +extra: + generator: false + analytics: + provider: plausible + property: privacyguides.org + feedback: + title: "Was this page helpful?" + ratings: + - + icon: material/robot-happy-outline + name: "This page was helpful" + data: Helpful + note: "Thanks for your feedback!" + - + icon: material/robot-confused + name: "This page could be improved" + data: Needs Improvement + note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum." +theme: + language: en + palette: + - + media: "(prefers-color-scheme)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-auto + name: "Switch to light mode" + - + media: "(prefers-color-scheme: dark)" + scheme: slate + accent: amber + toggle: + icon: material/brightness-2 + name: "Switch to system theme" + - + media: "(prefers-color-scheme: light)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-5 + name: "Switch to dark mode" +nav: + - + Home: 'index.md' + - + Knowledge Base: + - 'basics/threat-modeling.md' + - 'basics/common-threats.md' + - 'basics/common-misconceptions.md' + - 'basics/account-creation.md' + - 'basics/account-deletion.md' + - + Technology Essentials: + - 'basics/passwords-overview.md' + - 'basics/multi-factor-authentication.md' + - 'basics/email-security.md' + - 'basics/vpn-overview.md' + - + Operating Systems: + - 'os/android-overview.md' + - 'os/linux-overview.md' + - 'os/qubes-overview.md' + - + Advanced Topics: + - 'advanced/dns-overview.md' + - 'advanced/tor-overview.md' + - 'advanced/communication-network-types.md' + - kb-archive.md + - + Recommendations: + - 'tools.md' + - + Internet Browsing: + - 'tor.md' + - 'desktop-browsers.md' + - 'mobile-browsers.md' + - + Operating Systems: + - 'android.md' + - 'desktop.md' + - 'router.md' + - + Providers: + - 'cloud.md' + - 'dns.md' + - 'email.md' + - 'search-engines.md' 
+ - 'vpn.md' + - + Software: + - 'calendar.md' + - 'data-redaction.md' + - 'email-clients.md' + - 'encryption.md' + - 'file-sharing.md' + - 'frontends.md' + - 'multi-factor-authentication.md' + - 'news-aggregators.md' + - 'notebooks.md' + - 'passwords.md' + - 'productivity.md' + - 'real-time-communication.md' + - 'video-streaming.md' + - + About: + - 'about/index.md' + - 'about/criteria.md' + - 'about/statistics.md' + - 'about/notices.md' + - 'about/privacy-policy.md' + - + Community: + - 'about/donate.md' + - + Online Services: 'about/services.md' + - + Code of Conduct: 'CODE_OF_CONDUCT.md' + - 'about/privacytools.md' + - + Contributing: + - + Writing Guide: + - 'meta/writing-style.md' + - 'meta/brand.md' + - + Technical Guides: + - 'meta/uploading-images.md' + - 'meta/git-recommendations.md' + - + Changelog: 'https://github.com/privacyguides/privacyguides.org/releases' + - + Forum: 'https://discuss.privacyguides.net/' + - + Blog: 'https://blog.privacyguides.org/' diff --git a/config/mkdocs.ru.yml b/config/mkdocs.ru.yml new file mode 100644 index 00000000..de1fc74c --- /dev/null +++ b/config/mkdocs.ru.yml @@ -0,0 +1,147 @@ +INHERIT: mkdocs.common.yml +docs_dir: '../docs' +site_url: "https://www.privacyguides.org/en/" +site_dir: '../site/en' +site_name: Privacy Guides +site_description: | + Privacy Guides - это ваш главный ресурс по конфиденциальности и безопасности для защиты себя в Интернете. +copyright: | + Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0. +edit_uri: edit/main/docs/ +extra: + generator: false + analytics: + provider: plausible + property: privacyguides.org + feedback: + title: "Was this page helpful?" + ratings: + - + icon: material/robot-happy-outline + name: "This page was helpful" + data: Helpful + note: "Thanks for your feedback!" + - + icon: material/robot-confused + name: "This page could be improved" + data: Needs Improvement + note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum." +theme: + language: en + palette: + - + media: "(prefers-color-scheme)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-auto + name: "Switch to light mode" + - + media: "(prefers-color-scheme: dark)" + scheme: slate + accent: amber + toggle: + icon: material/brightness-2 + name: "Switch to system theme" + - + media: "(prefers-color-scheme: light)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-5 + name: "Switch to dark mode" +nav: + - + Home: 'index.md' + - + Knowledge Base: + - 'basics/threat-modeling.md' + - 'basics/common-threats.md' + - 'basics/common-misconceptions.md' + - 'basics/account-creation.md' + - 'basics/account-deletion.md' + - + Technology Essentials: + - 'basics/passwords-overview.md' + - 'basics/multi-factor-authentication.md' + - 'basics/email-security.md' + - 'basics/vpn-overview.md' + - + Operating Systems: + - 'os/android-overview.md' + - 'os/linux-overview.md' + - 'os/qubes-overview.md' + - + Advanced Topics: + - 'advanced/dns-overview.md' + - 'advanced/tor-overview.md' + - 'advanced/communication-network-types.md' + - kb-archive.md + - + Recommendations: + - 'tools.md' + - + Internet Browsing: + - 'tor.md' + - 'desktop-browsers.md' + - 'mobile-browsers.md' + - + Operating Systems: + - 'android.md' + - 'desktop.md' + - 'router.md' + - + Providers: + - 'cloud.md' + - 'dns.md' + - 'email.md' + - 'search-engines.md' 
+ - 'vpn.md' + - + Software: + - 'calendar.md' + - 'data-redaction.md' + - 'email-clients.md' + - 'encryption.md' + - 'file-sharing.md' + - 'frontends.md' + - 'multi-factor-authentication.md' + - 'news-aggregators.md' + - 'notebooks.md' + - 'passwords.md' + - 'productivity.md' + - 'real-time-communication.md' + - 'video-streaming.md' + - + About: + - 'about/index.md' + - 'about/criteria.md' + - 'about/statistics.md' + - 'about/notices.md' + - 'about/privacy-policy.md' + - + Community: + - 'about/donate.md' + - + Online Services: 'about/services.md' + - + Code of Conduct: 'CODE_OF_CONDUCT.md' + - 'about/privacytools.md' + - + Contributing: + - + Writing Guide: + - 'meta/writing-style.md' + - 'meta/brand.md' + - + Technical Guides: + - 'meta/uploading-images.md' + - 'meta/git-recommendations.md' + - + Changelog: 'https://github.com/privacyguides/privacyguides.org/releases' + - + Forum: 'https://discuss.privacyguides.net/' + - + Blog: 'https://blog.privacyguides.org/' diff --git a/config/mkdocs.sv.yml b/config/mkdocs.sv.yml new file mode 100644 index 00000000..f1f4b15b --- /dev/null +++ b/config/mkdocs.sv.yml @@ -0,0 +1,147 @@ +INHERIT: mkdocs.common.yml +docs_dir: '../docs' +site_url: "https://www.privacyguides.org/en/" +site_dir: '../site/en' +site_name: Privacy Guides +site_description: | + Privacy Guides is your central privacy and security resource to protect yourself online. +copyright: | + Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
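Review bot: The new Russian config keeps the English deployment values near the top of the hunk — `site_url: "https://www.privacyguides.org/en/"`, `site_dir: '../site/en'` and `theme.language: en` — so a build of this file emits canonical URLs and a sitemap pointing at /en/ and writes into the same output directory as the English site, where whichever locale builds last silently overwrites the others. The same values appear in the sv, tr, uk, vi, zh-Hant and zh configs added further down. Each locale should carry its own `site_url: "https://www.privacyguides.org/ru/"`, `site_dir: '../site/ru'` and `language: ru` (the last also selects Material's UI strings and search language for that locale); if these files are Crowdin exports, that presumably has to be applied as a per-locale override rather than edited into the exported file. `docs_dir: '../docs'` and `edit_uri: edit/main/docs/` likewise still point at the English sources while this commit lands translated pages under `i18n/<lang>/`, so it is worth confirming which tree the ru build is meant to read.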
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0. +edit_uri: edit/main/docs/ +extra: + generator: false + analytics: + provider: plausible + property: privacyguides.org + feedback: + title: "Was this page helpful?" + ratings: + - + icon: material/robot-happy-outline + name: "This page was helpful" + data: Helpful + note: "Thanks for your feedback!" + - + icon: material/robot-confused + name: "This page could be improved" + data: Needs Improvement + note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum." +theme: + language: en + palette: + - + media: "(prefers-color-scheme)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-auto + name: "Switch to light mode" + - + media: "(prefers-color-scheme: dark)" + scheme: slate + accent: amber + toggle: + icon: material/brightness-2 + name: "Switch to system theme" + - + media: "(prefers-color-scheme: light)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-5 + name: "Switch to dark mode" +nav: + - + Home: 'index.md' + - + Knowledge Base: + - 'basics/threat-modeling.md' + - 'basics/common-threats.md' + - 'basics/common-misconceptions.md' + - 'basics/account-creation.md' + - 'basics/account-deletion.md' + - + Technology Essentials: + - 'basics/passwords-overview.md' + - 'basics/multi-factor-authentication.md' + - 'basics/email-security.md' + - 'basics/vpn-overview.md' + - + Operating Systems: + - 'os/android-overview.md' + - 'os/linux-overview.md' + - 'os/qubes-overview.md' + - + Advanced Topics: + - 'advanced/dns-overview.md' + - 'advanced/tor-overview.md' + - 'advanced/communication-network-types.md' + - kb-archive.md + - + Recommendations: + - 'tools.md' + - + Internet Browsing: + - 'tor.md' + - 'desktop-browsers.md' + - 'mobile-browsers.md' + - + Operating Systems: + - 'android.md' + - 'desktop.md' + - 'router.md' + - + Providers: + - 'cloud.md' + - 'dns.md' + - 'email.md' + - 'search-engines.md' 
+ - 'vpn.md' + - + Software: + - 'calendar.md' + - 'data-redaction.md' + - 'email-clients.md' + - 'encryption.md' + - 'file-sharing.md' + - 'frontends.md' + - 'multi-factor-authentication.md' + - 'news-aggregators.md' + - 'notebooks.md' + - 'passwords.md' + - 'productivity.md' + - 'real-time-communication.md' + - 'video-streaming.md' + - + About: + - 'about/index.md' + - 'about/criteria.md' + - 'about/statistics.md' + - 'about/notices.md' + - 'about/privacy-policy.md' + - + Community: + - 'about/donate.md' + - + Online Services: 'about/services.md' + - + Code of Conduct: 'CODE_OF_CONDUCT.md' + - 'about/privacytools.md' + - + Contributing: + - + Writing Guide: + - 'meta/writing-style.md' + - 'meta/brand.md' + - + Technical Guides: + - 'meta/uploading-images.md' + - 'meta/git-recommendations.md' + - + Changelog: 'https://github.com/privacyguides/privacyguides.org/releases' + - + Forum: 'https://discuss.privacyguides.net/' + - + Blog: 'https://blog.privacyguides.org/' diff --git a/config/mkdocs.tr.yml b/config/mkdocs.tr.yml new file mode 100644 index 00000000..a46b9df0 --- /dev/null +++ b/config/mkdocs.tr.yml @@ -0,0 +1,147 @@ +INHERIT: mkdocs.common.yml +docs_dir: '../docs' +site_url: "https://www.privacyguides.org/en/" +site_dir: '../site/en' +site_name: Privacy Guides +site_description: | + Privacy Guides, kendinizi çevrimiçi olarak korumanız için merkezi gizlilik ve güvenlik kaynağıdır. +copyright: | + Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0. +edit_uri: edit/main/docs/ +extra: + generator: false + analytics: + provider: plausible + property: privacyguides.org + feedback: + title: "Bu sayfa yararlı oldu mu?" + ratings: + - + icon: material/robot-happy-outline + name: "Bu sayfa yararlı oldu" + data: Helpful + note: "Geri bildiriminiz için teşekkürler!" + - + icon: material/robot-confused + name: "Bu sayfa geliştirilebilir" + data: Needs Improvement + note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum." +theme: + language: en + palette: + - + media: "(prefers-color-scheme)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-auto + name: "Aydınlık moda geç" + - + media: "(prefers-color-scheme: dark)" + scheme: slate + accent: amber + toggle: + icon: material/brightness-2 + name: "Sistem temasına geç" + - + media: "(prefers-color-scheme: light)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-5 + name: "Karanlık moda geç" +nav: + - + Home: 'index.md' + - + Knowledge Base: + - 'basics/threat-modeling.md' + - 'basics/common-threats.md' + - 'basics/common-misconceptions.md' + - 'basics/account-creation.md' + - 'basics/account-deletion.md' + - + Technology Essentials: + - 'basics/passwords-overview.md' + - 'basics/multi-factor-authentication.md' + - 'basics/email-security.md' + - 'basics/vpn-overview.md' + - + Operating Systems: + - 'os/android-overview.md' + - 'os/linux-overview.md' + - 'os/qubes-overview.md' + - + Advanced Topics: + - 'advanced/dns-overview.md' + - 'advanced/tor-overview.md' + - 'advanced/communication-network-types.md' + - kb-archive.md + - + Recommendations: + - 'tools.md' + - + Internet Browsing: + - 'tor.md' + - 'desktop-browsers.md' + - 'mobile-browsers.md' + - + Operating Systems: + - 'android.md' + - 'desktop.md' + - 'router.md' + - + Providers: + - 'cloud.md' + - 'dns.md' + - 'email.md' + - 
'search-engines.md' + - 'vpn.md' + - + Software: + - 'calendar.md' + - 'data-redaction.md' + - 'email-clients.md' + - 'encryption.md' + - 'file-sharing.md' + - 'frontends.md' + - 'multi-factor-authentication.md' + - 'news-aggregators.md' + - 'notebooks.md' + - 'passwords.md' + - 'productivity.md' + - 'real-time-communication.md' + - 'video-streaming.md' + - + About: + - 'about/index.md' + - 'about/criteria.md' + - 'about/statistics.md' + - 'about/notices.md' + - 'about/privacy-policy.md' + - + Community: + - 'about/donate.md' + - + Online Services: 'about/services.md' + - + Code of Conduct: 'CODE_OF_CONDUCT.md' + - 'about/privacytools.md' + - + Contributing: + - + Writing Guide: + - 'meta/writing-style.md' + - 'meta/brand.md' + - + Technical Guides: + - 'meta/uploading-images.md' + - 'meta/git-recommendations.md' + - + Changelog: 'https://github.com/privacyguides/privacyguides.org/releases' + - + Forum: 'https://discuss.privacyguides.net/' + - + Blog: 'https://blog.privacyguides.org/' diff --git a/config/mkdocs.uk.yml b/config/mkdocs.uk.yml new file mode 100644 index 00000000..44b8b4b8 --- /dev/null +++ b/config/mkdocs.uk.yml @@ -0,0 +1,147 @@ +INHERIT: mkdocs.common.yml +docs_dir: '../docs' +site_url: "https://www.privacyguides.org/en/" +site_dir: '../site/en' +site_name: Privacy Guides +site_description: | + Privacy Guides - ваш головний ресурс для захисту конфіденційності та безпеки в Інтернеті. +copyright: | + Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0. +edit_uri: edit/main/docs/ +extra: + generator: false + analytics: + provider: plausible + property: privacyguides.org + feedback: + title: "Was this page helpful?" + ratings: + - + icon: material/robot-happy-outline + name: "This page was helpful" + data: Helpful + note: "Thanks for your feedback!" + - + icon: material/robot-confused + name: "This page could be improved" + data: Needs Improvement + note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum." +theme: + language: en + palette: + - + media: "(prefers-color-scheme)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-auto + name: "Switch to light mode" + - + media: "(prefers-color-scheme: dark)" + scheme: slate + accent: amber + toggle: + icon: material/brightness-2 + name: "Switch to system theme" + - + media: "(prefers-color-scheme: light)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-5 + name: "Switch to dark mode" +nav: + - + Home: 'index.md' + - + Knowledge Base: + - 'basics/threat-modeling.md' + - 'basics/common-threats.md' + - 'basics/common-misconceptions.md' + - 'basics/account-creation.md' + - 'basics/account-deletion.md' + - + Technology Essentials: + - 'basics/passwords-overview.md' + - 'basics/multi-factor-authentication.md' + - 'basics/email-security.md' + - 'basics/vpn-overview.md' + - + Operating Systems: + - 'os/android-overview.md' + - 'os/linux-overview.md' + - 'os/qubes-overview.md' + - + Advanced Topics: + - 'advanced/dns-overview.md' + - 'advanced/tor-overview.md' + - 'advanced/communication-network-types.md' + - kb-archive.md + - + Recommendations: + - 'tools.md' + - + Internet Browsing: + - 'tor.md' + - 'desktop-browsers.md' + - 'mobile-browsers.md' + - + Operating Systems: + - 'android.md' + - 'desktop.md' + - 'router.md' + - + Providers: + - 'cloud.md' + - 'dns.md' + - 'email.md' + - 'search-engines.md' 
+ - 'vpn.md' + - + Software: + - 'calendar.md' + - 'data-redaction.md' + - 'email-clients.md' + - 'encryption.md' + - 'file-sharing.md' + - 'frontends.md' + - 'multi-factor-authentication.md' + - 'news-aggregators.md' + - 'notebooks.md' + - 'passwords.md' + - 'productivity.md' + - 'real-time-communication.md' + - 'video-streaming.md' + - + About: + - 'about/index.md' + - 'about/criteria.md' + - 'about/statistics.md' + - 'about/notices.md' + - 'about/privacy-policy.md' + - + Community: + - 'about/donate.md' + - + Online Services: 'about/services.md' + - + Code of Conduct: 'CODE_OF_CONDUCT.md' + - 'about/privacytools.md' + - + Contributing: + - + Writing Guide: + - 'meta/writing-style.md' + - 'meta/brand.md' + - + Technical Guides: + - 'meta/uploading-images.md' + - 'meta/git-recommendations.md' + - + Changelog: 'https://github.com/privacyguides/privacyguides.org/releases' + - + Forum: 'https://discuss.privacyguides.net/' + - + Blog: 'https://blog.privacyguides.org/' diff --git a/config/mkdocs.vi.yml b/config/mkdocs.vi.yml new file mode 100644 index 00000000..c07bf923 --- /dev/null +++ b/config/mkdocs.vi.yml @@ -0,0 +1,147 @@ +INHERIT: mkdocs.common.yml +docs_dir: '../docs' +site_url: "https://www.privacyguides.org/en/" +site_dir: '../site/en' +site_name: Privacy Guides +site_description: | + Privacy Guides là tài nguyên bảo mật và quyền riêng tư trung tâm của bạn để bảo vệ bạn khi trực tuyến. +copyright: | + Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0. +edit_uri: edit/main/docs/ +extra: + generator: false + analytics: + provider: plausible + property: privacyguides.org + feedback: + title: "Was this page helpful?" + ratings: + - + icon: material/robot-happy-outline + name: "This page was helpful" + data: Helpful + note: "Thanks for your feedback!" + - + icon: material/robot-confused + name: "This page could be improved" + data: Needs Improvement + note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum." +theme: + language: en + palette: + - + media: "(prefers-color-scheme)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-auto + name: "Switch to light mode" + - + media: "(prefers-color-scheme: dark)" + scheme: slate + accent: amber + toggle: + icon: material/brightness-2 + name: "Switch to system theme" + - + media: "(prefers-color-scheme: light)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-5 + name: "Switch to dark mode" +nav: + - + Home: 'index.md' + - + Knowledge Base: + - 'basics/threat-modeling.md' + - 'basics/common-threats.md' + - 'basics/common-misconceptions.md' + - 'basics/account-creation.md' + - 'basics/account-deletion.md' + - + Technology Essentials: + - 'basics/passwords-overview.md' + - 'basics/multi-factor-authentication.md' + - 'basics/email-security.md' + - 'basics/vpn-overview.md' + - + Operating Systems: + - 'os/android-overview.md' + - 'os/linux-overview.md' + - 'os/qubes-overview.md' + - + Advanced Topics: + - 'advanced/dns-overview.md' + - 'advanced/tor-overview.md' + - 'advanced/communication-network-types.md' + - kb-archive.md + - + Recommendations: + - 'tools.md' + - + Internet Browsing: + - 'tor.md' + - 'desktop-browsers.md' + - 'mobile-browsers.md' + - + Operating Systems: + - 'android.md' + - 'desktop.md' + - 'router.md' + - + Providers: + - 'cloud.md' + - 'dns.md' + - 'email.md' + - 'search-engines.md' 
+ - 'vpn.md' + - + Software: + - 'calendar.md' + - 'data-redaction.md' + - 'email-clients.md' + - 'encryption.md' + - 'file-sharing.md' + - 'frontends.md' + - 'multi-factor-authentication.md' + - 'news-aggregators.md' + - 'notebooks.md' + - 'passwords.md' + - 'productivity.md' + - 'real-time-communication.md' + - 'video-streaming.md' + - + About: + - 'about/index.md' + - 'about/criteria.md' + - 'about/statistics.md' + - 'about/notices.md' + - 'about/privacy-policy.md' + - + Community: + - 'about/donate.md' + - + Online Services: 'about/services.md' + - + Code of Conduct: 'CODE_OF_CONDUCT.md' + - 'about/privacytools.md' + - + Contributing: + - + Writing Guide: + - 'meta/writing-style.md' + - 'meta/brand.md' + - + Technical Guides: + - 'meta/uploading-images.md' + - 'meta/git-recommendations.md' + - + Changelog: 'https://github.com/privacyguides/privacyguides.org/releases' + - + Forum: 'https://discuss.privacyguides.net/' + - + Blog: 'https://blog.privacyguides.org/' diff --git a/config/mkdocs.zh-Hant.yml b/config/mkdocs.zh-Hant.yml new file mode 100644 index 00000000..ab9cb5b6 --- /dev/null +++ b/config/mkdocs.zh-Hant.yml @@ -0,0 +1,147 @@ +INHERIT: mkdocs.common.yml +docs_dir: '../docs' +site_url: "https://www.privacyguides.org/en/" +site_dir: '../site/en' +site_name: Privacy Guides +site_description: | + Privacy Guides 是您不可或缺的網路隱私安全自衞手冊。 +copyright: | + Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0. +edit_uri: edit/main/docs/ +extra: + generator: false + analytics: + provider: plausible + property: privacyguides.org + feedback: + title: "Was this page helpful?" + ratings: + - + icon: material/robot-happy-outline + name: "This page was helpful" + data: Helpful + note: "Thanks for your feedback!" + - + icon: material/robot-confused + name: "This page could be improved" + data: Needs Improvement + note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum." +theme: + language: en + palette: + - + media: "(prefers-color-scheme)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-auto + name: "Switch to light mode" + - + media: "(prefers-color-scheme: dark)" + scheme: slate + accent: amber + toggle: + icon: material/brightness-2 + name: "Switch to system theme" + - + media: "(prefers-color-scheme: light)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-5 + name: "Switch to dark mode" +nav: + - + Home: 'index.md' + - + Knowledge Base: + - 'basics/threat-modeling.md' + - 'basics/common-threats.md' + - 'basics/common-misconceptions.md' + - 'basics/account-creation.md' + - 'basics/account-deletion.md' + - + Technology Essentials: + - 'basics/passwords-overview.md' + - 'basics/multi-factor-authentication.md' + - 'basics/email-security.md' + - 'basics/vpn-overview.md' + - + Operating Systems: + - 'os/android-overview.md' + - 'os/linux-overview.md' + - 'os/qubes-overview.md' + - + Advanced Topics: + - 'advanced/dns-overview.md' + - 'advanced/tor-overview.md' + - 'advanced/communication-network-types.md' + - kb-archive.md + - + Recommendations: + - 'tools.md' + - + Internet Browsing: + - 'tor.md' + - 'desktop-browsers.md' + - 'mobile-browsers.md' + - + Operating Systems: + - 'android.md' + - 'desktop.md' + - 'router.md' + - + Providers: + - 'cloud.md' + - 'dns.md' + - 'email.md' + - 'search-engines.md' 
+ - 'vpn.md' + - + Software: + - 'calendar.md' + - 'data-redaction.md' + - 'email-clients.md' + - 'encryption.md' + - 'file-sharing.md' + - 'frontends.md' + - 'multi-factor-authentication.md' + - 'news-aggregators.md' + - 'notebooks.md' + - 'passwords.md' + - 'productivity.md' + - 'real-time-communication.md' + - 'video-streaming.md' + - + About: + - 'about/index.md' + - 'about/criteria.md' + - 'about/statistics.md' + - 'about/notices.md' + - 'about/privacy-policy.md' + - + Community: + - 'about/donate.md' + - + Online Services: 'about/services.md' + - + Code of Conduct: 'CODE_OF_CONDUCT.md' + - 'about/privacytools.md' + - + Contributing: + - + Writing Guide: + - 'meta/writing-style.md' + - 'meta/brand.md' + - + Technical Guides: + - 'meta/uploading-images.md' + - 'meta/git-recommendations.md' + - + Changelog: 'https://github.com/privacyguides/privacyguides.org/releases' + - + Forum: 'https://discuss.privacyguides.net/' + - + Blog: 'https://blog.privacyguides.org/' diff --git a/config/mkdocs.zh.yml b/config/mkdocs.zh.yml new file mode 100644 index 00000000..bbdaf769 --- /dev/null +++ b/config/mkdocs.zh.yml @@ -0,0 +1,147 @@ +INHERIT: mkdocs.common.yml +docs_dir: '../docs' +site_url: "https://www.privacyguides.org/en/" +site_dir: '../site/en' +site_name: Privacy Guides +site_description: | + Privacy Guides是您保护自己在线隐私的实用资源。 +copyright: | + Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
+ We do not make money from recommending certain products, and we do not use affiliate links.
+ © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0. +edit_uri: edit/main/docs/ +extra: + generator: false + analytics: + provider: plausible + property: privacyguides.org + feedback: + title: "Was this page helpful?" + ratings: + - + icon: material/robot-happy-outline + name: "This page was helpful" + data: Helpful + note: "Thanks for your feedback!" + - + icon: material/robot-confused + name: "This page could be improved" + data: Needs Improvement + note: "Thanks for your feedback! Help us improve this page by opening a discussion on our forum." +theme: + language: en + palette: + - + media: "(prefers-color-scheme)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-auto + name: "Switch to light mode" + - + media: "(prefers-color-scheme: dark)" + scheme: slate + accent: amber + toggle: + icon: material/brightness-2 + name: "Switch to system theme" + - + media: "(prefers-color-scheme: light)" + scheme: default + accent: deep purple + toggle: + icon: material/brightness-5 + name: "Switch to dark mode" +nav: + - + Home: 'index.md' + - + Knowledge Base: + - 'basics/threat-modeling.md' + - 'basics/common-threats.md' + - 'basics/common-misconceptions.md' + - 'basics/account-creation.md' + - 'basics/account-deletion.md' + - + Technology Essentials: + - 'basics/passwords-overview.md' + - 'basics/multi-factor-authentication.md' + - 'basics/email-security.md' + - 'basics/vpn-overview.md' + - + Operating Systems: + - 'os/android-overview.md' + - 'os/linux-overview.md' + - 'os/qubes-overview.md' + - + Advanced Topics: + - 'advanced/dns-overview.md' + - 'advanced/tor-overview.md' + - 'advanced/communication-network-types.md' + - kb-archive.md + - + Recommendations: + - 'tools.md' + - + Internet Browsing: + - 'tor.md' + - 'desktop-browsers.md' + - 'mobile-browsers.md' + - + Operating Systems: + - 'android.md' + - 'desktop.md' + - 'router.md' + - + Providers: + - 'cloud.md' + - 'dns.md' + - 'email.md' + - 'search-engines.md' 
+ - 'vpn.md'
+ -
+ Software:
+ - 'calendar.md'
+ - 'data-redaction.md'
+ - 'email-clients.md'
+ - 'encryption.md'
+ - 'file-sharing.md'
+ - 'frontends.md'
+ - 'multi-factor-authentication.md'
+ - 'news-aggregators.md'
+ - 'notebooks.md'
+ - 'passwords.md'
+ - 'productivity.md'
+ - 'real-time-communication.md'
+ - 'video-streaming.md'
+ -
+ About:
+ - 'about/index.md'
+ - 'about/criteria.md'
+ - 'about/statistics.md'
+ - 'about/notices.md'
+ - 'about/privacy-policy.md'
+ -
+ Community:
+ - 'about/donate.md'
+ -
+ Online Services: 'about/services.md'
+ -
+ Code of Conduct: 'CODE_OF_CONDUCT.md'
+ - 'about/privacytools.md'
+ -
+ Contributing:
+ -
+ Writing Guide:
+ - 'meta/writing-style.md'
+ - 'meta/brand.md'
+ -
+ Technical Guides:
+ - 'meta/uploading-images.md'
+ - 'meta/git-recommendations.md'
+ -
+ Changelog: 'https://github.com/privacyguides/privacyguides.org/releases'
+ -
+ Forum: 'https://discuss.privacyguides.net/'
+ -
+ Blog: 'https://blog.privacyguides.org/'
diff --git a/crowdin.yml b/crowdin.yml
index a1f00766..f32a20b2 100644
--- a/crowdin.yml
+++ b/crowdin.yml
@@ -9,13 +9,14 @@ files:
 translation: "/theme/overrides/%file_name%.%two_letters_code%.html"
 translation_replace:
 "en.": ""
- skip_untranslated_files: true
+ skip_untranslated_files: false
 - source: "/includes/*.en.*"
 translation: "/includes/%file_name%.%two_letters_code%.%file_extension%"
 translation_replace:
 "en.": ""
- skip_untranslated_files: true
-- source: "/mkdocs.en.yml"
- translation: "/mkdocs.%two_letters_code%.yml"
+ skip_untranslated_files: false
+- source: "/config/mkdocs.en.yml"
+ translation: "/config/mkdocs.%two_letters_code%.yml"
 translation_replace:
 "en.": ""
+ skip_untranslated_files: false
diff --git a/i18n/ar/404.md b/i18n/ar/404.md
new file mode 100644
index 00000000..5cdf2201
--- /dev/null
+++ b/i18n/ar/404.md
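Review bot: The export path `translation: "/config/mkdocs.%two_letters_code%.yml"` on the new `/config/mkdocs.en.yml` entry resolves Traditional and Simplified Chinese to the same `mkdocs.zh.yml`, yet this commit adds both `config/mkdocs.zh-Hant.yml` and `config/mkdocs.zh.yml`, so either a `languages_mapping` outside this hunk renames the Hant export or one of the two files gets overwritten on the next sync — worth confirming. The three `skip_untranslated_files: false` flips mean Crowdin now emits a file for every target locale even when nothing is translated, which matches the fully English content of the new `i18n/ar/*.md` pages and the English values in the locale configs above; a comment on the first flip stating that intent would save the next reader from reverting it, e.g. `# false: export every locale so each site build has a config and page set, falling back to English text`. The `files:` list starts above this hunk.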
@@ -0,0 +1,17 @@
+---
+hide:
+ - feedback
+---
+
+# 404 - Not Found
+
+We couldn't find the page you were looking for! Maybe you were looking for one of these?
+
+- [Introduction to Threat Modeling](basics/threat-modeling.md)
+- [Recommended DNS Providers](dns.md)
+- [Best Desktop Web Browsers](desktop-browsers.md)
+- [Best VPN Providers](vpn.md)
+- [Privacy Guides Forum](https://discuss.privacyguides.net)
+- [Our Blog](https://blog.privacyguides.org)
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/CODE_OF_CONDUCT.md b/i18n/ar/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..88a0e910
--- /dev/null
+++ b/i18n/ar/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. 
**Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. 
diff --git a/i18n/ar/about/criteria.md b/i18n/ar/about/criteria.md
new file mode 100644
index 00000000..64f2e021
--- /dev/null
+++ b/i18n/ar/about/criteria.md
@@ -0,0 +1,42 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. 
+
+- Must explain what the project brings to the table in regard to privacy.
+ - Does it solve any new problem?
+ - Why should anyone use it over the alternatives?
+
+- Must state what the exact threat model is with their project.
+ - It should be clear to potential users what the project can provide, and what it cannot.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/about/donate.md b/i18n/ar/about/donate.md
new file mode 100644
index 00000000..f6dc68bd
--- /dev/null
+++ b/i18n/ar/about/donate.md
@@ -0,0 +1,52 @@
+---
+title: قم بدعمنا
+---
+
+
+It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides).
+
+If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers.
+
+[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary}
+
+Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you.
+
+If you already make use of GitHub sponsorships, you can also sponsor our organization there.
+
+[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button}
+
+## Backers
+
+A special thanks to all those who support our mission! :heart:
+
+*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.*
+
+
+
+## How We Use Donations
+
+Privacy Guides is a **non-profit** organization. We use donations for a variety of purposes, including:
+
+**Domain Registrations**
+:
+
+We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration.
+
+**Web Hosting**
+:
+
+Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic.
+
+**Online Services**
+:
+
+We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.).
+
+**Product Purchases**
+:
+
+We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md).
+
+We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org).
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/about/index.md b/i18n/ar/about/index.md
new file mode 100644
index 00000000..cee6eb99
--- /dev/null
+++ b/i18n/ar/about/index.md
@@ -0,0 +1,63 @@
+---
+title: "About Privacy Guides"
+---
+
+**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors.
+
+[:material-hand-coin-outline: Support the project](donate.md ""){.md-button.md-button--primary}
+
+## Our Team
+
+??? person "@jonah"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah)
+ - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon")
+ - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me}
+ - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com)
+
+??? person "@niek-de-wilde"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde)
+ - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447")
+ - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me}
+
+??? person "@dngray"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray)
+ - [:simple-github: GitHub](https://github.com/dngray "@dngray")
+ - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me}
+ - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org)
+
+??? person "@freddy"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy)
+ - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m")
+ - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me}
+ - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org)
+ - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol)
+
+??? person "@mfwmyfacewhen"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen)
+ - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen")
+ - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol)
+
+??? person "@olivia"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia)
+ - [:simple-github: GitHub](https://github.com/hook9 "@hook9")
+ - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me}
+
+Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub!
+
+Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax deductible in the United States.
+
+## Site License
+
+*The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):*
+
+:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material.
+
+This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space!
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/about/notices.md b/i18n/ar/about/notices.md
new file mode 100644
index 00000000..4b5b7526
--- /dev/null
+++ b/i18n/ar/about/notices.md
@@ -0,0 +1,45 @@
+---
+title: "Notices and Disclaimers"
+hide:
+ - toc
+---
+
+## Legal Disclaimer
+
+Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship.
+
+Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward.
+
+Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site.
+
+Privacy Guides additionally does not warrant that this website will be constantly available, or available at all.
+
+## Licenses
+
+Unless otherwise noted, all content on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE).
+
+This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive:
+
+* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt).
+
+Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE).
+
+This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo.
+
+We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.*
+
+When you contribute to this repository you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project.
+
+## Acceptable Use
+
+You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity.
+
+You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including:
+
+* Excessive Automated Scans
+* Denial of Service Attacks
+* Scraping
+* Data Mining
+* 'Framing' (IFrames)
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/about/privacy-policy.md b/i18n/ar/about/privacy-policy.md
new file mode 100644
index 00000000..131bed6b
--- /dev/null
+++ b/i18n/ar/about/privacy-policy.md
@@ -0,0 +1,63 @@
+---
+title: "Privacy Policy"
+---
+
+Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people).
+
+## Data We Collect From Visitors
+
+The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website:
+
+- No personal information is collected
+- No information such as cookies are stored in the browser
+- No information is shared with, sent to or sold to third-parties
+- No information is shared with advertising companies
+- No information is mined and harvested for personal and behavioral trends
+- No information is monetized
+
+You can view the data we collect on our [statistics](statistics.md) page.
+
+We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected.
+
+Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy).
+
+## Data We Collect From Account Holders
+
+On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform.
+
+To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site.
+
+We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services.
+
+We use your email to:
+
+- Notify you about posts and other activity on the websites or services.
+- Reset your password and help keep your account secure.
+- Contact you in special circumstances related to your account.
+- Contact you about legal requests, such as DMCA takedown requests.
+
+On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time.
+
+We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days.
+
+## Contacting Us
+
+The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to:
+
+```text
+Jonah Aragon
+Services Administrator
+jonah@privacyguides.org
+```
+
+For all other inquiries, you can contact any member of our team.
+
+For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use.
+
+## About This Policy
+
+We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time.
+
+A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/about/privacytools.md b/i18n/ar/about/privacytools.md
new file mode 100644
index 00000000..8f230029
--- /dev/null
+++ b/i18n/ar/about/privacytools.md
@@ -0,0 +1,120 @@
+---
+title: "PrivacyTools FAQ"
+---
+
+# Why we moved on from PrivacyTools
+
+In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted.
+
+Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition.
+
+After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions.
+
+## What is PrivacyTools?
+
+PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc.
+
+Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested.
+
+## Why We Moved On
+
+In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again.
+
+In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.==
+
+## Domain Name Reliance
+
+At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment.
+
+The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place.
+
+Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome.
+
+In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition.
+
+## Community Call to Action
+
+At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped.
+
+## Control of r/privacytoolsIO
+
+Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit.
+
+Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms.
+
+> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer.
+>
+> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct).
+
+## Beginning the Transition
+
+On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain:
+
+> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc.
+
+This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/)
+
+- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org).
+- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site.
+- Posting announcements to our subreddit and various other communities informing people of the official change.
+- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible.
+
+Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped.
+
+## Following Events
+
+Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project.
+
+At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible).
+
+Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services.
+
+Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so.
+
+BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim.
+
+## PrivacyTools.io Now
+
+As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs.
+
+==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder.
+
+## r/privacytoolsIO Now
+
+After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021:
+
+> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you.
+>
+> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...]
+
+Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides.
+
+In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules:
+
+> Retaliation from any moderator with regards to removal requests is disallowed.
+
+For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is.
+
+## OpenCollective Now
+
+Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community.
+
+Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer:
+
+> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net.
+
+## Further Reading
+
+This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion.
+
+- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/)
+- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/)
+- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/)
+- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides)
+- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280)
+- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/)
+- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/)
+- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496)
+- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20)
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/about/services.md b/i18n/ar/about/services.md
new file mode 100644
index 00000000..837c1fa4
--- /dev/null
+++ b/i18n/ar/about/services.md
@@ -0,0 +1,40 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) + +--8<-- "includes/abbreviations.ar.txt" 
diff --git a/i18n/ar/about/statistics.md b/i18n/ar/about/statistics.md new file mode 100644 index 00000000..07e29af8 --- /dev/null +++ b/i18n/ar/about/statistics.md @@ -0,0 +1,63 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + + +--8<-- "includes/abbreviations.ar.txt" diff --git a/i18n/ar/advanced/communication-network-types.md b/i18n/ar/advanced/communication-network-types.md new file mode 100644 index 00000000..33accb6e --- /dev/null +++ b/i18n/ar/advanced/communication-network-types.md 
@@ -0,0 +1,104 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. 
+- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. 
They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. 
There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. 
Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. + +--8<-- "includes/abbreviations.ar.txt" diff --git a/i18n/ar/advanced/dns-overview.md b/i18n/ar/advanced/dns-overview.md new file mode 100644 index 00000000..909de2ac --- /dev/null +++ b/i18n/ar/advanced/dns-overview.md 
@@ -0,0 +1,307 @@ +--- +title: "DNS Overview" +icon: material/dns +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. 
This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. 
| Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. 
Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. 
When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. 
We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. 
Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. 
We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. 
It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? 
+ +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. + +--8<-- "includes/abbreviations.ar.txt" diff --git a/i18n/ar/advanced/tor-overview.md b/i18n/ar/advanced/tor-overview.md new file mode 100644 index 00000000..508d5e6a --- /dev/null +++ b/i18n/ar/advanced/tor-overview.md 
@@ -0,0 +1,81 @@
+---
+title: "Tor Overview"
+icon: 'simple/torproject'
+---
+
+Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications.
+
+## Path Building
+
+Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays).
+
+Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function:
+
+### The Entry Node
+
+The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to.
+
+Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1]
+
+### The Middle Node
+
+The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to.
+
+For each new circuit, the middle node is randomly selected out of all available Tor nodes.
+
+### The Exit Node
+
+The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to.
+
+The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2]
+
+
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+
Tor circuit pathway
+
+
+## Encryption
+
+Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order.
+
+Once Tor has built a circuit, data transmission is done as follows:
+
+1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node.
+
+2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node.
+
+3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address.
+
+Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back.
+
+
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light)
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark)
+
Sending and receiving data through the Tor Network
+
+
+Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address.
+
+## Caveats
+
+Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect:
+
+- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity.
+- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible.
+
+If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting.
+
+- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser)
+
+## Additional Resources
+
+- [Tor Browser User Manual](https://tb-manual.torproject.org)
+- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube)
+- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube)
+
+--8<-- "includes/abbreviations.ar.txt"
+
+[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack.
The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/ar/android.md b/i18n/ar/android.md
new file mode 100644
index 00000000..6ddd0801
--- /dev/null
+++ b/i18n/ar/android.md
@@ -0,0 +1,353 @@ +--- +title: "Android" +icon: 'simple/android' +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +- [General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md) +- [Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! 
recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! 
recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). 
All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. 
For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. 
Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). 
If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! 
recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! 
recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). 
If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. 
+ +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. 
+
+ ```bash
+ Signer #1 certificate DN: CN=GrapheneOS
+ Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59
+ Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c
+ Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3
+ ```
+
+### F-Droid
+
+![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px }
+
+==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages.
+
+Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust.
+
+Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.
+
+That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method.
+
+!!! note
+
+ In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Operating Systems
+
+- Must be open-source software.
+- Must support bootloader locking with custom AVB key support.
+- Must receive major Android updates within 0-1 months of release.
+- Must receive Android feature updates (minor version) within 0-14 days of release.
+- Must receive regular security patches within 0-5 days of release.
+- Must **not** be "rooted" out of the box.
+- Must **not** enable Google Play Services by default.
+- Must **not** require system modification to support Google Play Services.
+
+### Devices
+
+- Must support at least one of our recommended custom operating systems.
+- Must be currently sold new in stores.
+- Must receive a minimum of 5 years of security updates.
+- Must have dedicated secure element hardware.
+
+### Applications
+
+- Applications on this page must not be applicable to any other software category on the site.
+- General applications should extend or replace core system functionality.
+- Applications should receive regular updates and maintenance.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/assets/img/account-deletion/exposed_passwords.png b/i18n/ar/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/ar/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/ar/assets/img/android/rss-apk-dark.png b/i18n/ar/assets/img/android/rss-apk-dark.png
new file mode 100644
index 00000000..974869a4
Binary files /dev/null and b/i18n/ar/assets/img/android/rss-apk-dark.png differ
diff --git a/i18n/ar/assets/img/android/rss-apk-light.png b/i18n/ar/assets/img/android/rss-apk-light.png
new file mode 100644
index 00000000..21d6ef03
Binary files /dev/null and b/i18n/ar/assets/img/android/rss-apk-light.png differ
diff --git a/i18n/ar/assets/img/android/rss-changes-dark.png b/i18n/ar/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/ar/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/ar/assets/img/android/rss-changes-light.png b/i18n/ar/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/ar/assets/img/android/rss-changes-light.png differ diff --git a/i18n/ar/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/ar/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/ar/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ar/assets/img/how-tor-works/tor-encryption.svg b/i18n/ar/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/ar/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/ar/assets/img/how-tor-works/tor-path-dark.svg b/i18n/ar/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/ar/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ar/assets/img/how-tor-works/tor-path.svg b/i18n/ar/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/ar/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ar/assets/img/multi-factor-authentication/fido.png b/i18n/ar/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/ar/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/ar/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/ar/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/ar/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/ar/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/ar/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/ar/assets/img/qubes/qubes-trust-level-architecture.png differ 
diff --git a/i18n/ar/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/ar/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/ar/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/ar/basics/account-creation.md b/i18n/ar/basics/account-creation.md new file mode 100644 index 00000000..b9428b85 --- /dev/null +++ b/i18n/ar/basics/account-creation.md 
@@ -0,0 +1,82 @@
+---
+title: "Account Creation"
+icon: 'material/account-plus'
+---
+
+Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line.
+
+There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer.
+
+It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.
+
+## Terms of Service & Privacy Policy
+
+The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for.
+
+The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect.
+
+We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start.
+
+Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy.
+
+## Authentication methods
+
+There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks.
+
+### Email and password
+
+The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords.
+
+!!! tip
+
+ You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key.
+
+You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts.
+
+[Recommended password managers](../passwords.md ""){.md-button}
+
+#### Email aliases
+
+If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to.
+
+Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked.
+
+[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button}
+
+### Single sign-on
+
+!!! note
+
+ We are discussing Single sign-on for personal use, not enterprise users.
+
+Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO.
+
+When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account.
+
+The main advantages are:
+
+- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials.
+- **Ease of use**: multiple accounts are managed by a single login.
+
+But there are disadvantages:
+
+- **Privacy**: a SSO provider will know the services you use.
+- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected.
+
+SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md).
+
+All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak.
+
+### Phone number
+
+We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted.
+
+You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts.
+
+In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number!
+
+### Username and password
+
+Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/basics/account-deletion.md b/i18n/ar/basics/account-deletion.md
new file mode 100644
index 00000000..05f04ceb
--- /dev/null
+++ b/i18n/ar/basics/account-deletion.md
@@ -0,0 +1,63 @@
+---
+title: "Account Deletion"
+icon: 'material/account-remove'
+---
+
+Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence.
+
+## Finding Old Accounts
+
+### Password Manager
+
+If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/).
+
+
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png)
+
+
+Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336).
+
+Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about:
+
+- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
+- macOS [Passwords](https://support.apple.com/en-us/HT211145)
+- iOS [Passwords](https://support.apple.com/en-us/HT211146)
+- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
+
+### Email
+
+If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts.
+
+## Deleting Old Accounts
+
+### Log In
+
+In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts.
+
+When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account.
+
+### GDPR (EEA residents only)
+
+Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
+
+### Overwriting Account information
+
+In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information.
+
+For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.
+
+### Delete
+
+You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
+
+For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this).
+
+If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
+
+Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services.
+
+## Avoid New Accounts
+
+As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/basics/common-misconceptions.md b/i18n/ar/basics/common-misconceptions.md
new file mode 100644
index 00000000..b79b03fa
--- /dev/null
+++ b/i18n/ar/basics/common-misconceptions.md
@@ -0,0 +1,61 @@
+---
+title: "Common Misconceptions"
+icon: 'material/robot-confused'
+---
+
+## "Open-source software is always secure" or "Proprietary software is more secure"
+
+These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis.
+
+Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1]
+
+On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
+
+To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use.
+
+## "Shifting trust can increase privacy"
+
+We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that:
+
+1. You must exercise caution when choosing a provider to shift trust to.
+2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data.
+
+## "Privacy-focused solutions are inherently trustworthy"
+
+Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider.
+
+The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all.
+
+## "Complicated is better"
+
+We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?"
+
+Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips:
+
+1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions.
+2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember.
+3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight.
+
+So, how might this look?
+
+One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to.
+
+1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses.
+
+ We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means.
+
+ !!! tip
+
+ When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private.
+
+2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc.
+
+ You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.
+
+3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly.
+
+ Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.)
+
+--8<-- "includes/abbreviations.ar.txt"
+
+[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident).
diff --git a/i18n/ar/basics/common-threats.md b/i18n/ar/basics/common-threats.md
new file mode 100644
index 00000000..752bccff
--- /dev/null
+++ b/i18n/ar/basics/common-threats.md
@@ -0,0 +1,149 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. 
+ +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. 
The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). 
+ +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. 
Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. 
+ +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! 
quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. 
Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. 
This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. 
Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +--8<-- "includes/abbreviations.ar.txt" + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/ar/basics/email-security.md b/i18n/ar/basics/email-security.md new file mode 100644 index 00000000..6ec5133a --- /dev/null +++ b/i18n/ar/basics/email-security.md 
@@ -0,0 +1,42 @@ +--- +title: Email Security +icon: material/email +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? 
+ +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? 
+ +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. + +--8<-- "includes/abbreviations.ar.txt" diff --git a/i18n/ar/basics/multi-factor-authentication.md b/i18n/ar/basics/multi-factor-authentication.md new file mode 100644 index 00000000..8073f0d4 --- /dev/null +++ b/i18n/ar/basics/multi-factor-authentication.md 
@@ -0,0 +1,166 @@ +--- +title: "Multi-Factor Authentication" +icon: 'material/two-factor-authentication' +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. 
+ +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. 
If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+
+There are some benefits and disadvantages to using Yubico OTP when compared to TOTP.
+
+The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance.
+
+If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key.
+
+#### FIDO (Fast IDentity Online)
+
+[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn).
+
+U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on.
+
+WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication.
+
+
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png)
+
+
+When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal.
+
+This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards.
+
+
+
+
+
+FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods.
+
+Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy.
+
+Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys.
+
+If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA.
+
+## General Recommendations
+
+We have these general recommendations:
+
+### Which Method Should I Use?
+
+When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account.
+
+### Backups
+
+You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one.
+
+When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)).
+
+### Initial Set Up
+
+When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well.
+
+### Email and SMS
+
+If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method.
+
+If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam).
+
+[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button}
+
+## More Places to Set Up MFA
+
+Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well.
+
+### Windows
+
+Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer.
+
+### macOS
+
+macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer.
+
+Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS.
+
+After your smartcard/security key is set up, we recommend running this command in the Terminal:
+
+```text
+sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
+```
+
+The command will prevent an adversary from bypassing MFA when the computer boots.
+
+### Linux
+
+!!! warning
+
+ If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide.
+
+The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS.
+
+### Qubes OS
+
+Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS.
+
+### SSH
+
+#### Hardware Security Keys
+
+SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up.
+
+#### Time-based One-time Password (TOTP)
+
+SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ.
+
+### KeePass (and KeePassXC)
+
+KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/basics/passwords-overview.md b/i18n/ar/basics/passwords-overview.md
new file mode 100644
index 00000000..528f55c8
--- /dev/null
+++ b/i18n/ar/basics/passwords-overview.md
@@ -0,0 +1,112 @@
+---
+title: "Introduction to Passwords"
+icon: 'material/form-textbox-password'
+---
+
+Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced.
+
+## Best Practices
+
+### Use unique passwords for every service
+
+Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it.
+
+This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords.
+
+### Use randomly generated passwords
+
+==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices.
+
+All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use.
+
+### Rotating Passwords
+
+You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it.
+
+When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage.
+
+!!! tip "Checking for data breaches"
+
+ If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md).
+
+## Creating strong passwords
+
+### Passwords
+
+A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters.
+
+If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases).
+
+### Diceware Passphrases
+
+Diceware is a method for creating passphrases which are easy to remember, but hard to guess.
+
+Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password.
+
+An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`.
+
+To generate a diceware passphrase using real dice, follow these steps:
+
+!!! note
+
+ These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy.
+
+1. Roll a six-sided die five times, noting down the number after each roll.
+
+2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`.
+
+3. You will find the word `encrypt`. Write that word down.
+
+4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space.
+
+!!! warning "Important"
+
+ You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random.
+
+If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords.
+
+We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English.
+
+??? note "Explanation of entropy and strength of diceware passphrases"
+
+ To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example.
+
+ One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$.
+
+ Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$).
+
+ The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$.
+
+ Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases.
+
+ On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true:
+
+ - Your adversary knows that you used the diceware method.
+ - Your adversary knows the specific wordlist that you used.
+ - Your adversary knows how many words your passphrase contains.
+
+To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong.
+
+## Storing Passwords
+
+### Password Managers
+
+The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them.
+
+There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words.
+
+[List of recommended password managers](../passwords.md ""){.md-button}
+
+!!! warning "Don't place your passwords and TOTP tokens inside the same password manager"
+
+ When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+
+ Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
+
+ Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device.
+
+### Backups
+
+You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/basics/threat-modeling.md b/i18n/ar/basics/threat-modeling.md
new file mode 100644
index 00000000..ac365515
--- /dev/null
+++ b/i18n/ar/basics/threat-modeling.md
@@ -0,0 +1,111 @@
+---
+title: "تصميم التهديات"
+icon: 'المادة/الحساب-المستهدف'
+---
+
+موازنة الأمان، الخصوصية، وقابلية الاستخدام تعد واحدة من أول وأصعب المهام التي ستواجهها في رحلة الخصوصية. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using!
+
+If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important.
+
+**So, what are these threat models, anyway?**
+
+==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure.
+
+Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.
+
+## Creating Your Threat Model
+
+To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions:
+
+1. What do I want to protect?
+2. Who do I want to protect it from?
+3. How likely is it that I will need to protect it?
+4. How bad are the consequences if I fail?
+5. How much trouble am I willing to go through to try to prevent potential consequences?
+
+### What do I want to protect?
+
+An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets.
+
+*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.*
+
+### Who do I want to protect it from?
+
+To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.
+
+*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.*
+
+Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning.
+
+### How likely is it that I will need to protect it?
+
+==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.
+
+It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).
+
+Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.
+
+*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.*
+
+### How bad are the consequences if I fail?
+
+There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.
+
+==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.
+
+Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.
+
+*Write down what your adversary might want to do with your private data.*
+
+### How much trouble am I willing to go through to try to prevent potential consequences?
+
+==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy.
+
+For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.
+
+*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.*
+
+### Try it yourself: Protecting Your Belongings
+
+These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe.
+
+**What do you want to protect? (Or, *what do you have that is worth protecting?*)**
+:
+
+Your assets might include jewelry, electronics, important documents, or photos.
+
+**Who do you want to protect it from?**
+:
+
+Your adversaries might include burglars, roommates, or guests.
+
+**How likely is it that you will need to protect it?**
+:
+
+Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider?
+
+**How bad are the consequences if you fail?**
+:
+
+Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home?
+
+**How much trouble are you willing to go through to prevent these consequences?**
+:
+
+Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there?
+
+Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system.
+
+Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face.
+
+## Further Reading
+
+For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations.
+
+- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md)
+
+## Sources
+
+- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan)
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/basics/vpn-overview.md b/i18n/ar/basics/vpn-overview.md
new file mode 100644
index 00000000..ad6aaf23
--- /dev/null
+++ b/i18n/ar/basics/vpn-overview.md
@@ -0,0 +1,78 @@
+---
+title: VPN Overview
+icon: material/vpn
+---
+
+Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem).
+
+Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns).
+
+A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it.
+
+## Should I use a VPN?
+
+**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service.
+
+VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way.
+
+However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.
+
+## When shouldn't I use a VPN?
+
+Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful.
+
+Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website.
+
+## What about encryption?
+
+Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption.
+
+In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf).
+
+## Should I use encrypted DNS with a VPN?
+
+Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider.
+
+A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different.
+
+Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you.
+
+## Should I use Tor *and* a VPN?
+
+By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md).
+
+## What if I need anonymity?
+
+VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead.
+
+## What about VPN providers that provide Tor nodes?
+
+Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit).
+
+The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway.
+
+## When are VPNs useful?
+
+A VPN may still be useful to you in a variety of scenarios, such as:
+
+1. Hiding your traffic from **only** your Internet Service Provider.
+1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
+1. Hiding your IP from third-party websites and services, preventing IP based tracking.
+
+For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
+
+## Sources and Further Reading
+
+1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
+1. [Tor Network Overview](../advanced/tor-overview.md)
+1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides)
+1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them.
+
+## Related VPN Information
+
+- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/)
+- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
+- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
+- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/calendar.md b/i18n/ar/calendar.md
new file mode 100644
index 00000000..f612bd8f
--- /dev/null
+++ b/i18n/ar/calendar.md
@@ -0,0 +1,71 @@
+---
+title: "Calendar Sync"
+icon: material/calendar
+---
+
+Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them.
+
+## Tutanota
+
+!!! recommendation
+
+ ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right }
+ ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right }
+
+ **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/).
+
+ Multiple calendars and extended sharing functionality is limited to paid subscribers.
+
+ [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609)
+ - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota)
+ - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+
+## Proton Calendar
+
+!!! 
recommendation
+
+ ![Proton](assets/img/calendar/proton-calendar.svg){ align=right }
+
+ **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers.
+
+ [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar)
+ - [:octicons-browser-16: Web](https://calendar.proton.me)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Must sync and store information with E2EE to ensure data is not visible to the service provider.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should integrate with native OS calendar and contact management apps if applicable.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/cloud.md b/i18n/ar/cloud.md
new file mode 100644
index 00000000..72ae0a3f
--- /dev/null
+++ b/i18n/ar/cloud.md
@@ -0,0 +1,62 @@
+---
+title: "Cloud Storage"
+icon: material/file-cloud
+---
+
+Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by either putting you in control of your data or by implementing E2EE.
+
+If these alternatives do not fit your needs, we suggest you look into [Encryption Software](encryption.md).
+
+??? question "Looking for Nextcloud?"
+
+ Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users.
+
+## Proton Drive
+
+!!! recommendation
+
+ ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right }
+
+ **Proton Drive** is an E2EE general file storage service by the popular encrypted email provider [Proton Mail](https://proton.me/mail).
+
+ [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851)
+
+Proton Drive's mobile clients were released in December 2022 and are not yet open-source. Proton has historically delayed their source code releases until after initial product releases, and [plans to](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) release the source code by the end of 2023. Proton Drive desktop clients are still in development. 
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must enforce end-to-end encryption.
+- Must offer a free plan or trial period for testing.
+- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins.
+- Must offer a web interface which supports basic file management functionality.
+- Must allow for easy exports of all files/documents.
+- Must use standard, audited encryption.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Clients should be open-source.
+- Clients should be audited in their entirety by an independent third-party.
+- Should offer native clients for Linux, Android, Windows, macOS, and iOS.
+ - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android.
+- Should support easy file-sharing with other users. 
+- Should offer at least basic file preview and editing functionality on the web interface.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/data-redaction.md b/i18n/ar/data-redaction.md
new file mode 100644
index 00000000..1cd1fc0c
--- /dev/null
+++ b/i18n/ar/data-redaction.md
@@ -0,0 +1,146 @@
+---
+title: "Data and Metadata Redaction"
+icon: material/tag-remove
+---
+
+When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata.
+
+## Desktop
+
+### MAT2
+
+!!! recommendation
+
+ ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right }
+
+ **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org).
+
+ On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner).
+
+ [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation}
+ [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://pypi.org/project/mat2)
+ - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew)
+ - [:simple-linux: Linux](https://pypi.org/project/mat2)
+ - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface)
+
+## Mobile
+
+### ExifEraser (Android)
+
+!!! recommendation
+
+ ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right }
+
+ **ExifEraser** is a modern, permissionless image metadata erasing application for Android. 
+
+ It currently supports JPEG, PNG and WebP files.
+
+ [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser)
+ - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser)
+ - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases)
+
+The metadata that is erased depends on the image's file type:
+
+* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists.
+* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+
+After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image.
+
+The app offers multiple ways to erase metadata from images. Namely:
+
+* You can share an image from another application with ExifEraser.
+* Through the app itself, you can select a single image, multiple images at once, or even an entire directory.
+* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it.
+* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode.
+* Lastly, it allows you to paste an image from your clipboard.
+
+### Metapho (iOS)
+
+!!! recommendation
+
+ ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right }
+
+ **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. 
+
+ [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352)
+
+### PrivacyBlur
+
+!!! recommendation
+
+ ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right }
+
+ **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online.
+
+ [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106)
+
+!!! warning
+
+ You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid).
+
+## Command-line
+
+### ExifTool
+
+!!! recommendation
+
+ ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right }
+
+ **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more).
+
+ It's often a component of other Exif removal applications and is in most Linux distribution repositories. 
+
+ [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://exiftool.org)
+ - [:simple-apple: macOS](https://exiftool.org)
+ - [:simple-linux: Linux](https://exiftool.org)
+
+!!! example "Deleting data from a directory of files"
+
+ ```bash
+ exiftool -all= *.file_extension
+ ```
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Apps developed for open-source operating systems must be open-source.
+- Apps must be free and should not include ads or other limitations.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/desktop-browsers.md b/i18n/ar/desktop-browsers.md
new file mode 100644
index 00000000..739a2e9f
--- /dev/null
+++ b/i18n/ar/desktop-browsers.md
@@ -0,0 +1,263 @@
+---
+title: "Desktop Browsers"
+icon: material/laptop
+---
+
+These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping your browser extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Firefox
+
+!!! recommendation
+
+ ![Firefox logo](assets/img/browsers/firefox.svg){ align=right }
+
+ **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks).
+
+ [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows)
+ - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac)
+ - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox)
+
+!!! 
warning
+ Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/).
+
+### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Privacy & Security**.
+
+##### Enhanced Tracking Protection
+
+- [x] Select **Strict** Enhanced Tracking Protection
+
+This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability.
+
+##### Sanitize on Close
+
+If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...**
+
+- [x] Check **Delete cookies and site data when Firefox is closed**
+
+This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often.
+
+##### Search Suggestions
+
+- [ ] Uncheck **Provide search suggestions**
+
+Search suggestion features may not be available in your region. 
+
+Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider.
+
+##### Telemetry
+
+- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla**
+- [ ] Uncheck **Allow Firefox to install and run studies**
+- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf**
+
+> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.
+
+Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out:
+
+1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection)
+2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts**
+
+##### HTTPS-Only Mode
+
+- [x] Select **Enable HTTPS-Only Mode in all windows**
+
+This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing.
+
+### Firefox Sync
+
+[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE.
+
+### Arkenfox (advanced)
+
+The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. 
If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support.
+
+## Brave
+
+!!! recommendation
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ??? downloads annotate
+
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+ - [:simple-windows11: Windows](https://brave.com/download/)
+ - [:simple-apple: macOS](https://brave.com/download/)
+ - [:simple-linux: Linux](https://brave.com/linux/) (1)
+
+ 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. 
+
+### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings**.
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+- [x] Select **Prevent sites from fingerprinting me based on my language preferences**
+- [x] Select **Aggressive** under Trackers & ads blocking
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under Block fingerprinting
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Social media blocking
+
+- [ ] Uncheck all social media components
+
+##### Privacy and security
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Use Google services for push messaging**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [x] Select **Always use secure connections** in the **Security** menu
+- [ ] Uncheck **Private window with Tor** (1)
+
+ !!! tip "Sanitizing on Close"
+ - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu
+
+ If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section.
+
+
+1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser).
+
+##### Extensions
+
+Disable built-in extensions you do not use in **Extensions**
+
+- [ ] Uncheck **Hangouts**
+- [ ] Uncheck **WebTorrent**
+
+##### IPFS
+
+InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+- [x] Select **Disabled** on Method to resolve IPFS resources
+
+##### Additional settings
+
+Under the *System* menu
+
+
+- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1)
+
+
+1. This option is not present on all platforms.
+
+### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## Additional Resources
+
+We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality.
+
+### uBlock Origin
+
+!!! recommendation
+
+ ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right }
+
+ **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts.
+
+ [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak)
+
+We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). 
+
+##### Other lists
+
+These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding:
+
+- [x] Check **Privacy** > **AdGuard URL Tracking Protection**
+- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must be open-source software.
+- Supports automatic updates.
+- Receives engine updates in 0-1 days from upstream release.
+- Available on Linux, macOS, and Windows.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Blocks third-party cookies by default.
+- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1]
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Includes built-in content blocking functionality.
+- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)).
+- Supports Progressive Web Apps.
+ PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates.
+- Does not include add-on functionality (bloatware) that does not impact user privacy.
+- Does not collect telemetry by default.
+- Provides open-source sync server implementation.
+- Defaults to a [private search engine](search-engines.md).
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.ar.txt"
+
+[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/).
diff --git a/i18n/ar/desktop.md b/i18n/ar/desktop.md
new file mode 100644
index 00000000..f97c1166
--- /dev/null
+++ b/i18n/ar/desktop.md
@@ -0,0 +1,184 @@
+---
+title: "Desktop/PC"
+icon: simple/linux
+---
+
+Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions.
+
+- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md)
+
+## Traditional Distributions
+
+### Fedora Workstation
+
+!!! recommendation
+
+ ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right }
+
+ **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general.
+
+ [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
+
+### openSUSE Tumbleweed
+
+!!! recommendation
+
+ ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
+
+ **openSUSE Tumbleweed** is a stable rolling release distribution.
+
+ openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.
+
+ [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute }
+
+Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality.
+
+### Arch Linux
+
+!!! recommendation
+
+ ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right }
+
+ **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).
+
+ [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute }
+
+Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.
+
+Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
+
+A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org).
+
+## Immutable Distributions
+
+### Fedora Silverblue
+
+!!! recommendation
+
+ ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right }
+
+ **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.
+
+ [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.
+
+After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed.
+
+[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image.
+
+As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer.
+
+### NixOS
+
+!!! recommendation
+
+ ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right }
+
+ NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.
+
+ [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute }
+
+NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.
+
+NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.
+
+Nix the package manager uses a purely functional language - which is also called Nix - to define packages.
+
+[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository.
You can also define your own packages in the same language and then easily include them in your config.
+
+Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible.
+
+## Anonymity-Focused Distributions
+
+### Whonix
+
+!!! recommendation
+
+ ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right }
+
+ **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os).
+
+ [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute }
+
+Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.
+
+Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator.
+
+Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
+
+Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors.
+
+### Tails
+
+!!! recommendation
+
+ ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right }
+
+ **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off.
+
+ [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute }
+
+Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized.
+
+Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users.
[Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device.
+
+By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots.
+
+## Security-focused Distributions
+
+### Qubes OS
+
+!!! recommendation
+
+ ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right }
+
+ **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers.
+
+ [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary }
+ [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute }
+
+Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*.
+
+The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/).
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Our recommended operating systems:
+
+- Must be open-source.
+- Must receive regular software and Linux kernel updates.
+- Linux distributions must support [Wayland](os/linux-overview.md#Wayland).
+- Must support full-disk encryption during installation.
+- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/dns.md b/i18n/ar/dns.md
new file mode 100644
index 00000000..109f8b07
--- /dev/null
+++ b/i18n/ar/dns.md
@@ -0,0 +1,142 @@ +--- +title: "DNS Resolvers" +icon: material/dns +--- + +!!! question "Should I use encrypted DNS?" + + Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + + [Learn more about DNS](advanced/dns-overview.md){ .md-button } + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### Android + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). 
+ +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! 
recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." 
+ + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! 
recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +--8<-- "includes/abbreviations.ar.txt" + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. 
[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/ar/email-clients.md b/i18n/ar/email-clients.md new file mode 100644 index 00000000..ba679288 --- /dev/null +++ b/i18n/ar/email-clients.md 
@@ -0,0 +1,239 @@
+---
+title: "Email Clients"
+icon: material/email-open
+---
+
+Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft.
+
+??? warning "Email does not provide forward secrecy"
+
+ When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email.
+
+ OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy:
+
+ [Real-time Communication](real-time-communication.md){ .md-button }
+
+## Cross-Platform
+
+### Thunderbird
+
+!!! recommendation
+
+ ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right }
+
+ **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation.
+
+ [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation}
+ [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" }
+
+ ??? 
downloads
+
+ - [:simple-windows11: Windows](https://www.thunderbird.net)
+ - [:simple-apple: macOS](https://www.thunderbird.net)
+ - [:simple-linux: Linux](https://www.thunderbird.net)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird)
+
+#### Recommended Configuration
+
+We recommend changing some of these settings to make Thunderbird a little more private.
+
+These options can be found in :material-menu: → **Settings** → **Privacy & Security**.
+
+##### Web Content
+
+- [ ] Uncheck **Remember websites and links I've visited**
+- [ ] Uncheck **Accept cookies from sites**
+
+##### Telemetry
+
+- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla**
+
+#### Thunderbird-user.js (advanced)
+
+[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js).
+
+## Platform Specific
+
+### Apple Mail (macOS)
+
+!!! recommendation
+
+ ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right }
+
+ **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email.
+
+ [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation}
+
+### Canary Mail (iOS)
+
+!!! 
recommendation
+
+ ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right }
+
+ **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock.
+
+ [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954)
+ - [:simple-windows11: Windows](https://canarymail.io/downloads.html)
+
+!!! warning
+
+ Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts.
+
+Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE.
+
+### FairEmail (Android)
+
+!!! recommendation
+
+ ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right }
+
+ **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage.
+
+ [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute }
+
+ ??? 
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email)
+ - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases)
+
+### GNOME Evolution (GNOME)
+
+!!! recommendation
+
+ ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right }
+
+ **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started.
+
+ [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution)
+
+### K-9 Mail (Android)
+
+!!! recommendation
+
+ ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right }
+
+ **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP.
+
+ In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. 
+
+ [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9)
+ - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases)
+
+!!! warning
+
+ When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738).
+
+### Kontact (KDE)
+
+!!! recommendation
+
+ ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right }
+
+ **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client.
+
+ [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-linux: Linux](https://kontact.kde.org/download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact)
+
+### Mailvelope (Browser)
+
+!!! 
recommendation
+
+ ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right }
+
+ **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard.
+
+ [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc)
+
+### NeoMutt (CLI)
+
+!!! recommendation
+
+ ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right }
+
+ **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features.
+
+ NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable.
+
+ [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute }
+
+ ??? 
downloads
+
+ - [:simple-apple: macOS](https://neomutt.org/distro)
+ - [:simple-linux: Linux](https://neomutt.org/distro)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Apps developed for open-source operating systems must be open-source.
+- Must not collect telemetry, or have an easy way to disable all telemetry.
+- Must support OpenPGP message encryption.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be open-source.
+- Should be cross-platform.
+- Should not collect any telemetry by default.
+- Should support OpenPGP natively, i.e. without extensions.
+- Should support storing OpenPGP encrypted emails locally.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/email.md b/i18n/ar/email.md
new file mode 100644
index 00000000..08cd55fb
--- /dev/null
+++ b/i18n/ar/email.md
@@ -0,0 +1,485 @@
+---
+title: "Email Services"
+icon: material/email
+---
+
+Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy.
+
+[Recommended Instant Messengers](real-time-communication.md ""){.md-button}
+
+For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features.
+
+## OpenPGP Compatible Services
+
+These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
+
+!!! warning
+
+ When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview).
+
+ OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
+
+### Proton Mail
+
+!!! recommendation
+
+ ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right }
+
+ **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. 
+
+ [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905)
+ - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases)
+ - [:simple-windows11: Windows](https://proton.me/mail/bridge#download)
+ - [:simple-apple: macOS](https://proton.me/mail/bridge#download)
+ - [:simple-linux: Linux](https://proton.me/mail/bridge#download)
+ - [:octicons-browser-16: Web](https://mail.proton.me)
+
+Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
+
+If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free.
+
+Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**.
+
+??? 
success "Custom Domains and Aliases"
+
+ Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain.
+
+??? success "Private Payment Methods"
+
+ Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments.
+
+??? success "Account Security"
+
+ Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code.
+
+??? success "Data Security"
+
+ Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you.
+
+ Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon.
+
+??? success "Email Encryption"
+
+ Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. 
+
+ Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE.
+
+??? warning "Digital Legacy"
+
+ Proton Mail doesn't offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period.
+
+??? info "Additional Functionality"
+
+ Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage.
+
+### Mailbox.org
+
+!!! recommendation
+
+ ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right }
+
+ **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed.
+
+ [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:octicons-browser-16: Web](https://login.mailbox.org)
+
+??? success "Custom Domains and Aliases"
+
+ Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. 
Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain.
+
+??? info "Private Payment Methods"
+
+ Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung.
+
+??? success "Account Security"
+
+ Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported.
+
+??? info "Data Security"
+
+ Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key.
+
+ However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information.
+
+??? success "Email Encryption"
+
+ Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. 
This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox.
+
+ Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE.
+
+??? success "Digital Legacy"
+
+ Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address.
+
+??? info "Account Termination"
+
+ Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract).
+
+??? info "Additional Functionality"
+
+ You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors.
+
+ All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3.
+
+### StartMail
+
+!!! 
recommendation
+
+ ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right }
+ ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right }
+
+ **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial.
+
+ [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:octicons-browser-16: Web](https://mail.startmail.com/login)
+
+??? success "Custom Domains and Aliases"
+
+ Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available.
+
+??? warning "Private Payment Methods"
+
+ StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year.
+
+??? success "Account Security"
+
+ StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication.
+
+??? info "Data Security"
+
+ StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. 
When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key.
+
+ StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption.
+
+??? success "Email Encryption"
+
+ StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys.
+
+??? warning "Digital Legacy"
+
+ StartMail does not offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration).
+
+??? info "Additional Functionality"
+
+ StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is.
+
+## More Providers
+
+These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers.
+
+### Tutanota
+
+!!! recommendation
+
+ ![Tutanota logo](assets/img/email/tutanota.svg){ align=right }
+
+ **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. 
+
+ [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609)
+ - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases)
+ - [:simple-windows11: Windows](https://tutanota.com/#download)
+ - [:simple-apple: macOS](https://tutanota.com/#download)
+ - [:simple-linux: Linux](https://tutanota.com/#download)
+ - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+
+Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders.
+
+??? success "Custom Domains and Aliases"
+
+ Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). 
Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain.
+
+??? warning "Private Payment Methods"
+
+ Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore.
+
+??? success "Account Security"
+
+ Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F.
+
+??? success "Data Security"
+
+ Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you.
+
+??? warning "Email Encryption"
+
+ Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external).
+
+??? warning "Digital Legacy"
+
+ Tutanota doesn't offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay.
+
+??? info "Additional Functionality"
+
+ Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount.
+
+ Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. 
+
+## Email Aliasing Services
+
+An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address.
+
+Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning.
+
+Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain:
+
+- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly.
+- Replies are sent from the alias address, shielding your real email address.
+
+They also have a number of benefits over "temporary email" services:
+
+- Aliases are permanent and can be turned on again if you need to receive something like a password reset.
+- Emails are sent to your trusted mailbox rather than stored by the alias provider.
+- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you.
+
+Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign.
+
+Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider.
+
+### AnonAddy
+
+!!! recommendation
+
+ ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right }
+ ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right }
+
+ **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous.
+
+ [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app)
+ - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe)
+
+The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan.
You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.
+
+Notable free features:
+
+- [x] 20 Shared Aliases
+- [x] Unlimited Standard Aliases
+- [ ] No Outgoing Replies
+- [x] 2 Recipient Mailboxes
+- [x] Automatic PGP Encryption
+
+### SimpleLogin
+
+!!! recommendation
+
+ ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right }
+
+ **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains.
+
+ [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858)
+ - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff)
+ - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017)
+
+SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf).
+
+You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free.
+
+Notable free features:
+
+- [x] 10 Shared Aliases
+- [x] Unlimited Replies
+- [x] 1 Recipient Mailbox
+
+## Self-Hosting Email
+
+Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable.
+
+### Combined software solutions
+
+!!!
recommendation
+
+ ![Mailcow logo](assets/img/email/mailcow.svg){ align=right }
+
+ **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support.
+
+ [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute }
+
+!!! recommendation
+
+ ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right }
+
+ **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server.
+
+ [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" }
+
+For a more manual approach we've picked out these two articles:
+
+- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019)
+- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017)
+
+## Criteria
+
+**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more.
We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you.
+
+### Technology
+
+We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require.
+
+**Minimum to Qualify:**
+
+- Encrypts email account data at rest with zero-access encryption.
+- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard.
+- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy.
+- Operates on owned infrastructure, i.e. not built upon third-party email service providers.
+
+**Best Case:**
+
+- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption.
+- Integrated webmail E2EE/PGP encryption provided as a convenience.
+- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com`
+- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
+- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
+- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
+- Catch-all or alias functionality for those who own their own domains.
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible.
+
+**Minimum to Qualify:**
+
+- Protect sender's IP address. Filter it from showing in the `Received` header field.
+- Don't require personally identifiable information (PII) besides a username and a password.
+- Privacy policy that meets the requirements defined by the GDPR
+- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/).
+
+**Best Case:**
+
+- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
+
+### Security
+
+Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members.
+
+**Minimum to Qualify:**
+
+- Protection of webmail with 2FA, such as TOTP.
+- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
+- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
+- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption.
+- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
+- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
+- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
+- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
+- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/).
+- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
+- Website security standards such as:
+ - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+ - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
+- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt.
+
+**Best Case:**
+
+- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name).
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support.
+- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+- Website security standards such as:
+ - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
+ - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the email providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+
+- Reusing personal information e.g.
(email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc)
+- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+
+**Best Case:**
+
+- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
+
+### Additional Functionality
+
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/encryption.md b/i18n/ar/encryption.md
new file mode 100644
index 00000000..92179831
--- /dev/null
+++ b/i18n/ar/encryption.md
@@ -0,0 +1,357 @@
+---
+title: "Encryption Software"
+icon: material/file-lock
+---
+
+Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here.
+
+## Multi-platform
+
+The options listed here are multi-platform and great for creating encrypted backups of your data.
+
+### Cryptomator (Cloud)
+
+!!! recommendation
+
+ ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right }
+
+ **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider.
+
+ [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:simple-android: Android](https://cryptomator.org/android)
+ - [:simple-windows11: Windows](https://cryptomator.org/downloads)
+ - [:simple-apple: macOS](https://cryptomator.org/downloads)
+ - [:simple-linux: Linux](https://cryptomator.org/downloads)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+
+Cryptomator uses AES-256 encryption to encrypt both files and filenames.
Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders.
+
+Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS.
+
+Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail.
+
+### Picocrypt (File)
+
+!!! recommendation
+
+ ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right }
+
+ **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features.
+
+ [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases)
+
+### VeraCrypt (Disk)
+
+!!! recommendation
+
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
+
+ **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication.
+
+ [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
+
+VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.
+
+When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher.
+
+Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
+
+## OS Full Disk Encryption
+
+Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor).
+
+### BitLocker
+
+!!! recommendation
+
+ ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right }
+
+ **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).
+
+ [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation}
+
+BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
+
+??? example "Enabling BitLocker on Windows Home"
+
+ To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module.
+
+ 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style":
+
+ ```
+ powershell Get-Disk
+ ```
+
+ 2.
Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`:
+
+ ```
+ powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm
+ ```
+
+ 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**.
+
+ 4. Login with your admin account and type this in the command prompt to start encryption:
+
+ ```
+ manage-bde -on c: -used
+ ```
+
+ 5. Close the command prompt and continue booting to regular Windows.
+
+ 6. Open an admin command prompt and run the following commands:
+
+ ```
+ manage-bde c: -protectors -add -rp -tpm
+ manage-bde -protectors -enable c:
+ manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
+ ```
+
+ !!! tip
+
+ Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data.
+
+### FileVault
+
+!!! recommendation
+
+ ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right }
+
+ **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip.
+
+ [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation}
+
+We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery.
+
+### Linux Unified Key Setup
+
+!!!
recommendation
+
+ ![LUKS logo](assets/img/encryption-software/luks.png){ align=right }
+
+ **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.
+
+ [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" }
+
+??? example "Creating and opening encrypted containers"
+
+ ```
+ dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
+ sudo cryptsetup luksFormat /path-to-file
+ ```
+
+
+ #### Opening encrypted containers
+ We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface.
+ ```
+ udisksctl loop-setup -f /path-to-file
+ udisksctl unlock -b /dev/loop0
+ ```
+
+!!! note "Remember to back up volume headers"
+
+ We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with:
+
+ ```
+ cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
+ ```
+
+## Browser-based
+
+Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device.
+
+### hat.sh
+
+!!!
recommendation
+
+ ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right }
+ ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
+
+ **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies.
+
+ [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" }
+
+## Command-line
+
+Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script).
+
+### Kryptor
+
+!!! recommendation
+
+ ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right }
+
+ **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG.
+
+ [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-windows11: Windows](https://www.kryptor.co.uk)
+ - [:simple-apple: macOS](https://www.kryptor.co.uk)
+ - [:simple-linux: Linux](https://www.kryptor.co.uk)
+
+### Tomb
+
+!!! recommendation
+
+ ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right }
+
+ **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work).
+
+ [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute }
+
+## OpenPGP
+
+OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.
+
+When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
+
+!!! tip "Use future defaults when generating a key"
+
+ When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/):
+
+ ```bash
+ gpg --quick-gen-key alice@example.com future-default
+ ```
+
+### GNU Privacy Guard
+
+!!!
recommendation
+
+ ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right }
+
+ **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government.
+
+ [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+ - [:simple-apple: macOS](https://gpgtools.org)
+ - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary)
+
+### GPG4win
+
+!!! recommendation
+
+ ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right }
+
+ **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005.
+
+ [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+
+### GPG Suite
+
+!!! note
+
+ We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices.
+
+!!! recommendation
+
+ ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right }
+
+ **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS.
+
+ We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support.
+
+ [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-apple: macOS](https://gpgtools.org)
+
+### OpenKeychain
+
+!!! recommendation
+
+ ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right }
+
+ **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support.
Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).
+
+ [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Cross-platform encryption apps must be open-source.
+- File encryption apps must support decryption on Linux, macOS, and Windows.
+- External disk encryption apps must support decryption on Linux, macOS, and Windows.
+- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave.
+- File encryption apps should have first- or third-party support for mobile platforms.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/file-sharing.md b/i18n/ar/file-sharing.md
new file mode 100644
index 00000000..73c7f863
--- /dev/null
+++ b/i18n/ar/file-sharing.md
@@ -0,0 +1,148 @@
+---
+title: "File Sharing and Sync"
+icon: material/share-variant
+---
+
+Discover how to privately share your files between your devices, with your friends and family, or anonymously online.
+
+## File Sharing
+
+### Send
+
+!!! recommendation
+
+ ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right }
+
+ **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself.
+
+ [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute }
+
+Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server:
+
+```bash
+ffsend upload --host https://send.vis.ee/ FILE
+```
+
+### OnionShare
+
+!!! recommendation
+
+ ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right }
+
+ **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files.
+
+ [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://onionshare.org/#download)
+ - [:simple-apple: macOS](https://onionshare.org/#download)
+ - [:simple-linux: Linux](https://onionshare.org/#download)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must not store decrypted data on a remote server.
+- Must be open-source software.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+## FreedomBox
+
+!!! recommendation
+
+ ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right }
+
+ **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer).
The purpose is to make it easy to set up server applications that you might want to self-host.
+
+ [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation}
+ [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute }
+
+## File Sync
+
+### Nextcloud (Client-Server)
+
+!!! recommendation
+
+ ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right }
+
+ **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control.
+
+ [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!! 
danger
+
+ We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality.
+
+### Syncthing (P2P)
+
+!!! recommendation
+
+ ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right }
+
+ **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS.
+
+ [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid)
+ - [:simple-windows11: Windows](https://syncthing.net/downloads/)
+ - [:simple-apple: macOS](https://syncthing.net/downloads/)
+ - [:simple-linux: Linux](https://syncthing.net/downloads/)
+ - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/)
+ - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/)
+ - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must not require a third-party remote/cloud server.
+- Must be open-source software.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Has mobile clients for iOS and Android, which at least support document previews.
+- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/frontends.md b/i18n/ar/frontends.md
new file mode 100644
index 00000000..ece20287
--- /dev/null
+++ b/i18n/ar/frontends.md
@@ -0,0 +1,268 @@
+---
+title: "Frontends"
+icon: material/flip-to-front
+---
+
+Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions.
+
+## LBRY
+
+### Librarian
+
+!!! recommendation
+
+ ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right }
+ ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right }
+
+ **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" }
+
+!!! warning
+
+ Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy.
+
+!!! tip
+
+ Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting.
+
+When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## Twitter
+
+### Nitter
+
+!!! recommendation
+
+ ![Nitter logo](assets/img/frontends/nitter.svg){ align=right }
+
+ **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute }
+
+!!! tip
+
+ Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter).
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting.
+
+When you are using a Nitter instance, make sure to read the privacy policy of that specific instance.
Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## TikTok
+
+### ProxiTok
+
+!!! recommendation
+
+ ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right }
+
+ **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" }
+
+!!! tip
+
+ ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting.
+
+When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## YouTube
+
+### FreeTube
+
+!!! recommendation
+
+ ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right }
+
+ **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com).
When using FreeTube, your subscription list and playlists are saved locally on your device.
+
+ By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments.
+
+ [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://freetubeapp.io/#download)
+ - [:simple-apple: macOS](https://freetubeapp.io/#download)
+ - [:simple-linux: Linux](https://freetubeapp.io/#download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube)
+
+!!! warning
+
+ When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+### Yattee
+
+!!! recommendation
+
+ ![Yattee logo](assets/img/frontends/yattee.svg){ align=right }
+
+ **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device.
+
+ You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions.
+
+ [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629)
+ - [:simple-github: GitHub](https://github.com/yattee/yattee/releases)
+
+!!! warning
+
+ When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments.
+
+### LibreTube (Android)
+
+!!! recommendation
+
+ ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right }
+ ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right }
+
+ **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API.
+
+ LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well.
+
+ [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases)
+
+!!! warning
+
+ When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired.
+
+### NewPipe (Android)
+
+!!! recommendation annotate
+
+ ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right }
+
+ **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1).
+
+ Your subscription list and playlists are saved locally on your Android device.
+
+ [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases)
+
+1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances**
+
+!!! Warning
+
+ When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+### Invidious
+
+!!! recommendation
+
+ ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right }
+ ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right }
+
+ **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute }
+
+!!! warning
+
+ Invidious does not proxy video streams by default.
Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL.
+
+!!! tip
+
+ Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting.
+
+When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+### Piped
+
+!!! recommendation
+
+ ![Piped logo](assets/img/frontends/piped.svg){ align=right }
+
+ **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable.
+
+ Piped requires JavaScript in order to function and there are a number of public instances.
+
+ [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute }
+
+!!! 
tip
+
+ Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting.
+
+When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Recommended frontends...
+
+- Must be open-source software.
+- Must be self-hostable.
+- Must provide all basic website functionality available to anonymous users.
+
+We only consider frontends for websites which are...
+
+- Not normally accessible without JavaScript.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/index.md b/i18n/ar/index.md
new file mode 100644
index 00000000..b8eee47b
--- /dev/null
+++ b/i18n/ar/index.md
@@ -0,0 +1,44 @@
+---
+template: overrides/home.ar.html
+hide:
+ - navigation
+ - toc
+ - feedback
+---
+
+
+## Why should I care?
+
+##### “I have nothing to hide. Why should I care about my privacy?”
+
+Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination).
+
+You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human.
+
+[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary}
+
+## What should I do?
+
+##### First, you need to make a plan
+
+Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them.
+
+==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
+
+[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary}
+
+---
+
+## We need you!
Here's how to get involved:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" }
+[:material-information-outline:](about/index.md){ title="Learn more about us" }
+[:material-hand-coin-outline:](about/donate.md){ title="Support the project" }
+
+It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/kb-archive.md b/i18n/ar/kb-archive.md
new file mode 100644
index 00000000..501543e6
--- /dev/null
+++ b/i18n/ar/kb-archive.md
@@ -0,0 +1,18 @@
+---
+title: KB Archive
+icon: material/archive
+---
+
+# Pages Moved to Blog
+
+Some pages that used to be in our knowledge base can now be found on our blog:
+
+- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
+- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
+- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
+- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/meta/brand.md b/i18n/ar/meta/brand.md
new file mode 100644
index 00000000..29094256
--- /dev/null
+++ b/i18n/ar/meta/brand.md
@@ -0,0 +1,24 @@
+---
+title: Branding Guidelines
+---
+
+The name of the website is **Privacy Guides** and should **not** be changed to:
+
+
+- PrivacyGuides
+- Privacy guides
+- PG
+- PG.org
+
+
+The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**.
+
+Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand)
+
+## Trademark
+
+"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project.
+
+Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/meta/git-recommendations.md b/i18n/ar/meta/git-recommendations.md
new file mode 100644
index 00000000..7a740f1f
--- /dev/null
+++ b/i18n/ar/meta/git-recommendations.md
@@ -0,0 +1,48 @@
+---
+title: Git Recommendations
+---
+
+If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations.
+
+## Enable SSH Key Commit Signing
+
+You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
+
+1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo):
+ ```
+ git config --global commit.gpgsign true
+ git config --global gpg.format ssh
+ git config --global tag.gpgSign true
+ ```
+2. Copy your SSH public key to your clipboard, for example:
+ ```
+ pbcopy < ~/.ssh/id_ed25519.pub
+ # Copies the contents of the id_ed25519.pub file to your clipboard
+ ```
+3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard:
+ ```
+ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'
+ ```
+
+Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key).
+
+## Rebase on Git pull
+
+Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo).
+
+You can set this to be the default behavior:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase from `main` before submitting a PR
+
+If you are working on your own branch, run these commands before submitting a PR:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/meta/uploading-images.md b/i18n/ar/meta/uploading-images.md
new file mode 100644
index 00000000..e6f60e70
--- /dev/null
+++ b/i18n/ar/meta/uploading-images.md
@@ -0,0 +1,91 @@
+---
+title: Uploading Images
+---
+
+Here are a couple of general rules for contributing to Privacy Guides:
+
+## Images
+
+- We **prefer** SVG images, but if those do not exist we can use PNG images
+
+Company logos have canvas size of:
+
+- 128x128px
+- 384x128px
+
+## Optimization
+
+### PNG
+
+Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image:
+
+```bash
+optipng -o7 file.png
+```
+
+### SVG
+
+#### Inkscape
+
+[Scour](https://github.com/scour-project/scour) all SVG images.
+
+In Inkscape:
+
+1. File Save As..
+2. Set type to Optimized SVG (*.svg)
+
+In the **Options** tab:
+
+- **Number of significant digits for coordinates** > **5**
+- [x] Turn on **Shorten color values**
+- [x] Turn on **Convert CSS attributes to XML attributes**
+- [x] Turn on **Collapse groups**
+- [x] Turn on **Create groups for similar attributes**
+- [ ] Turn off **Keep editor data**
+- [ ] Turn off **Keep unreferenced definitions**
+- [x] Turn on **Work around renderer bugs**
+
+In the **SVG Output** tab under **Document options**:
+
+- [ ] Turn off **Remove the XML declaration**
+- [x] Turn on **Remove metadata**
+- [x] Turn on **Remove comments**
+- [x] Turn on **Embeded raster images**
+- [x] Turn on **Enable viewboxing**
+
+In the **SVG Output** under **Pretty-printing**:
+
+- [ ] Turn off **Format output with line-breaks and indentation**
+- **Indentation characters** > Select **Space**
+- **Depth of indentation** > **1**
+- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element**
+
+In the **IDs** tab:
+
+- [x] Turn on **Remove unused IDs**
+- [ ] Turn off **Shorten IDs**
+- **Prefix shortened IDs with** > `leave blank`
+- [x] Turn on **Preserve manually created IDs not ending with digits**
+- **Preserve the following IDs** > `leave blank`
+- **Preserve IDs starting with** > `leave blank`
+
+#### CLI
+
+The same can be achieved with the [Scour](https://github.com/scour-project/scour) command:
+
+```bash
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/meta/writing-style.md b/i18n/ar/meta/writing-style.md
new file mode 100644
index 00000000..1b725ee2
--- /dev/null
+++ b/i18n/ar/meta/writing-style.md
@@ -0,0 +1,89 @@
+---
+title: Writing Style
+---
+
+Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt.
+
+In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below.
+
+## Writing for our audience
+
+Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with.
+
+### Address only what people want to know
+
+People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details.
+
+> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.”
+
+### Address people directly
+
+We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly.
+
+> More than any other single technique, using “you” pulls users into the information and makes it relevant to them.
+>
+> When you use “you” to address users, they are more likely to understand what their responsibility is.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/)
+
+### Avoid "users"
+
+Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for.
+
+## Organizing content
+
+Organization is key.
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas.
+
+- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages.
+- Mark important ideas with **bold** or *italics*.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
+
+### Begin with a topic sentence
+
+> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details.
+>
+> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
+
+## Choose your words carefully
+
+> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand.
+
+We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly.
+
+> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences:
+>
+> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends.
+>
+> And the original, using stronger, simpler words:
+>
+> > More night jobs would keep youths off the streets.
+
+## Be concise
+
+> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
+
+## Keep text conversational
+
+> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting.
+>
+> Verbs tell your audience what to do. Make sure it’s clear who does what.
+
+### Use active voice
+
+> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.”
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
+
+### Use "must" for requirements
+
+> - “must” for an obligation
+> - “must not” for a prohibition
+> - “may” for a discretionary action
+> - “should” for a recommendation
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/mobile-browsers.md b/i18n/ar/mobile-browsers.md
new file mode 100644
index 00000000..f0ff4cd2
--- /dev/null
+++ b/i18n/ar/mobile-browsers.md
@@ -0,0 +1,193 @@
+---
+title: "Mobile Browsers"
+icon: material/cellphone-information
+---
+
+These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Android
+
+On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
+
+### Brave
+
+!!! recommendation
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ???
downloads annotate
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+
+#### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy**
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+##### Brave shields global defaults
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+- [x] Select **Aggressive** under Block trackers & ads
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] Select **Upgrade connections to HTTPS**
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under **Block fingerprinting**
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Clear browsing data
+
+- [x] Select **Clear data on exit**
+
+##### Social Media Blocking
+
+- [ ] Uncheck all social media components
+
+##### Other privacy settings
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Allow sites to check if you have payment methods saved**
+- [ ] Uncheck **IPFS Gateway** (1)
+- [x] Select **Close tabs on exit**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+
+1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+
+#### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## iOS
+
+On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser.
+
+### Safari
+
+!!! recommendation
+
+ ![Safari logo](assets/img/browsers/safari.svg){ align=right }
+
+ **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
+
+ [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation}
+
+#### Recommended Configuration
+
+These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.
+
+##### Cross-Site Tracking Prevention
+
+- [x] Enable **Prevent Cross-Site Tracking**
+
+This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
+
+##### Privacy Report
+
+Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
+
+Privacy Report is accessible via the Page Settings menu.
+
+##### Privacy Preserving Ad Measurement
+
+- [ ] Disable **Privacy Preserving Ad Measurement**
+
+Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
+
+The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
+
+##### Always-on Private Browsing
+
+Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
+
+- [x] Select **Private**
+
+Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
+
+Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
+
+##### iCloud Sync
+
+Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303).
Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
+
+You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**.
+
+- [x] Turn On **Advanced Data Protection**
+
+If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
+
+### AdGuard
+
+!!! recommendation
+
+ ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right }
+
+ **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
+
+ AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge.
+
+ [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations.
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must support automatic updates.
+- Must receive engine updates in 0-1 days from upstream release.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Android browsers must use the Chromium engine.
+ - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android.
+ - iOS browsers are limited to WebKit.
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/multi-factor-authentication.md b/i18n/ar/multi-factor-authentication.md
new file mode 100644
index 00000000..62a364d8
--- /dev/null
+++ b/i18n/ar/multi-factor-authentication.md
@@ -0,0 +1,144 @@
+---
+title: "Multi-Factor Authenticators"
+icon: 'material/two-factor-authentication'
+---
+
+## Hardware Security Keys
+
+### YubiKey
+
+!!! recommendation
+
+ ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
+
+ The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+ One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.
+
+ [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation}
+
+The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source.
+ +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey / Librem Key + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. 
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + + The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +!!! tip + + The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. 
+ +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. + +--8<-- "includes/abbreviations.ar.txt" diff --git a/i18n/ar/news-aggregators.md b/i18n/ar/news-aggregators.md new file mode 100644 index 00000000..84a93fae --- /dev/null +++ b/i18n/ar/news-aggregators.md 
@@ -0,0 +1,173 @@
+---
+title: "News Aggregators"
+icon: material/rss
+---
+
+A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favourite blogs and news sites.
+
+## Aggregator clients
+
+### Akregator
+
+!!! recommendation
+
+ ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right }
+
+ **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading.
+
+ [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation}
+ [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator)
+
+### Feeder
+
+!!! recommendation
+
+ ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right }
+
+ **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+
+ [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute }
+
+ ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! 
recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. 
+ + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` + +--8<-- "includes/abbreviations.ar.txt" diff --git a/i18n/ar/notebooks.md b/i18n/ar/notebooks.md new file mode 100644 index 00000000..24fbfce9 --- /dev/null +++ b/i18n/ar/notebooks.md 
@@ -0,0 +1,115 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. 
+ + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. + +--8<-- "includes/abbreviations.ar.txt" diff --git a/i18n/ar/os/android-overview.md b/i18n/ar/os/android-overview.md new file mode 100644 index 00000000..d1e74d51 --- /dev/null +++ b/i18n/ar/os/android-overview.md 
@@ -0,0 +1,135 @@
+---
+title: Android Overview
+icon: simple/android
+---
+
+Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system.
+
+## Choosing an Android Distribution
+
+When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android.
+
+This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model.
+
+Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model.
At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria.
+
+[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button}
+
+## Avoid Rooting
+
+[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses.
+
+Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.
+
+AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations.
+
+We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps.
+
+## Verified Boot
+
+[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
+
+Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted.
+
+Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device.
+
+Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended.
+
+Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage.
+
+## Firmware Updates
+
+Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin).
+
+As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support.
+
+EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed.
+
+Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates.
+
+## Android Versions
+
+It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
+
+## Android Permissions
+
+[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for.
It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel.
+
+Should you want to run an app that you're unsure about, consider using a user or work profile.
+
+## Media Access
+
+Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter.
+
+## User Profiles
+
+Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android.
+
+With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation.
+
+## Work Profile
+
+[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles.
+
+A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one.
+
+The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile.
+
+This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously.
+
+## VPN Killswitch
+
+Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+## Global Toggles
+
+Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled.
+
+## Google
+
+If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play.
+
+### Advanced Protection Program
+
+If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support.
+
+The Advanced Protection Program provides enhanced threat monitoring and enables:
+
+- Stricter two factor authentication; e.g.
that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth)
+- Only Google and verified third-party apps can access account data
+- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
+- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
+- Stricter recovery process for accounts with lost credentials
+
+ If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as:
+
+- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)
+- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
+- Warning you about unverified applications
+
+### Google Play System Updates
+
+In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services.
+
+If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS).
This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible.
+
+### Advertising ID
+
+All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you.
+
+On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*.
+
+On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check
+
+- :gear: **Settings** → **Google** → **Ads**
+- :gear: **Settings** → **Privacy** → **Ads**
+
+You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID.
+
+### SafetyNet and Play Integrity API
+
+[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`.
Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities.
+
+As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/os/linux-overview.md b/i18n/ar/os/linux-overview.md
new file mode 100644
index 00000000..937ae021
--- /dev/null
+++ b/i18n/ar/os/linux-overview.md
@@ -0,0 +1,143 @@
+---
+title: Linux Overview
+icon: simple/linux
+---
+
+It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years.
+
+At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.:
+
+- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm).
These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack)
+- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go
+- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations)
+
+Despite these drawbacks, desktop Linux distributions are great if you want to:
+
+- Avoid telemetry that often comes with proprietary operating systems
+- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms)
+- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/)
+
+Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here.
+
+[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button}
+
+## Choosing your distribution
+
+Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use.
+
+### Release cycle
+
+We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions.
This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
+
+For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.
+
+We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this:
+
+
+
+
+### Traditional vs Atomic updates
+
+Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating.
+
+Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic.
+
+A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state."
+
+The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue:
+
+
+
+
+### “Security-focused” distributions
+
+There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use.
+
+### Arch-based distributions
+
+Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.
+
+For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit).
+
+Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/).
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.
+
+If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically:
+
+- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories.
+- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks.
+
+### Kicksecure
+
+While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.
+
+### Linux-libre kernel and “Libre” distributions
+
+We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons.
+
+## General Recommendations
+
+### Drive Encryption
+
+Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
+
+- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+
+### Swap
+
+Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM).
+
+### Wayland
+
+We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland.
+
+Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
+
+We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
+
+### Proprietary Firmware (Microcode Updates)
+
+Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html).
+
+We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default.
+
+### Updates
+
+Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found.
+
+Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates.
+
+Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd).
+
+## Privacy Tweaks
+
+### MAC Address Randomization
+
+Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings.
+
+It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous.
+
+We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/).
+
+If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=).
+ +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. 
+ +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. + +--8<-- "includes/abbreviations.ar.txt" diff --git a/i18n/ar/os/qubes-overview.md b/i18n/ar/os/qubes-overview.md new file mode 100644 index 00000000..294fa7af --- /dev/null +++ b/i18n/ar/os/qubes-overview.md @@ -0,0 +1,56 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+
+Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser.
+
+![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png)
+
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. 
+ +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) + +--8<-- "includes/abbreviations.ar.txt" diff --git a/i18n/ar/passwords.md b/i18n/ar/passwords.md new file mode 100644 index 00000000..dcfdf185 --- /dev/null +++ b/i18n/ar/passwords.md 
@@ -0,0 +1,230 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. 
If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. 
+ + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! 
recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). 
+ + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. + +--8<-- "includes/abbreviations.ar.txt" diff --git a/i18n/ar/productivity.md b/i18n/ar/productivity.md new file mode 100644 index 00000000..45a24c21 --- /dev/null +++ b/i18n/ar/productivity.md 
@@ -0,0 +1,156 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! 
recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. 
+- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! 
recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. 
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } + +--8<-- "includes/abbreviations.ar.txt" diff --git a/i18n/ar/real-time-communication.md b/i18n/ar/real-time-communication.md new file mode 100644 index 00000000..57144134 --- /dev/null +++ b/i18n/ar/real-time-communication.md 
@@ -0,0 +1,195 @@
+---
+title: "Real-Time Communication"
+icon: material/chat-processing
+---
+
+These are our recommendations for encrypted real-time communication.
+
+[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md)
+
+## Encrypted Messengers
+
+These messengers are great for securing your sensitive communications.
+
+### Signal
+
+!!! recommendation
+
+ ![Signal logo](assets/img/messengers/signal.svg){ align=right }
+
+ **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling.
+
+ All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with.
+
+ [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669)
+ - [:simple-android: Android](https://signal.org/android/apk/)
+ - [:simple-windows11: Windows](https://signal.org/download/windows)
+ - [:simple-apple: macOS](https://signal.org/download/macos)
+ - [:simple-linux: Linux](https://signal.org/download/linux)
+
+Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes.
Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. 
+ + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. 
The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. 
+ +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should have Perfect Forward Secrecy.
+- Should have open-source servers.
+- Should be decentralized, i.e. federated or P2P.
+- Should use E2EE for all messages by default.
+- Should support Linux, macOS, Windows, Android, and iOS.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/router.md b/i18n/ar/router.md
new file mode 100644
index 00000000..59839379
--- /dev/null
+++ b/i18n/ar/router.md
@@ -0,0 +1,51 @@
+---
+title: "Router Firmware"
+icon: material/router-wireless
+---
+
+Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc.
+
+## OpenWrt
+
+!!! recommendation
+
+ ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right }
+ ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right }
+
+ **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers.
+
+ [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute }
+
+You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported.
+
+## OPNsense
+
+!!! recommendation
+
+ ![OPNsense logo](assets/img/router/opnsense.svg){ align=right }
+
+ **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint.
+
+ [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute }
+
+OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open source.
+- Must receive regular updates.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/search-engines.md b/i18n/ar/search-engines.md
new file mode 100644
index 00000000..99df76a9
--- /dev/null
+++ b/i18n/ar/search-engines.md
@@ -0,0 +1,109 @@
+---
+title: "Search Engines"
+icon: material/search-web
+---
+
+Use a search engine that doesn't build an advertising profile based on your searches.
+
+The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored.
+
+Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider.
+
+## Brave Search
+
+!!! recommendation
+
+ ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right }
+
+ **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives.
+
+ Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts.
+
+ We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings.
+
+ [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation}
+
+Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained.
+
+## DuckDuckGo
+
+!!!
recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! 
recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. 
The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. 
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must not collect personally identifiable information per their privacy policy.
+- Must not allow users to create an account with them.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be based on open-source software.
+- Should not block Tor exit node IP addresses.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/ar/tools.md b/i18n/ar/tools.md
new file mode 100644
index 00000000..a2c26648
--- /dev/null
+++ b/i18n/ar/tools.md
@@ -0,0 +1,443 @@
+---
+title: "Privacy Tools"
+icon: material/tools
+hide:
+ - toc
+---
+
+If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs.
+
+If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community!
+
+For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page.
+
+## Tor Network
+
+
+
+- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser)
+- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot)
+- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1)
+
+
+1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy.
+
+[Learn more :material-arrow-right-drop-circle:](tor.md)
+
+## Desktop Web Browsers
+
+
+
+- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox)
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave)
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md)
+
+### Additional Resources
+
+
+
+- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin)
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources)
+
+## Mobile Web Browsers
+
+
+
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave)
+- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari)
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md)
+
+### Additional Resources
+
+
+
+- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard)
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard)
+
+## Operating Systems
+
+### Mobile
+
+
+
+- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos)
+- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos)
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md)
+
+#### Android Apps
+
+
+
+- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store)
+- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter)
+- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor)
+- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera)
+- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer)
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md#general-apps)
+
+### Desktop/PC
+
+
+
+- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os)
+- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation)
+- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed)
+- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux)
+- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue)
+- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos)
+- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix)
+- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails)
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop.md)
+
+### Router Firmware
+
+
+
+- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt)
+- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense)
+
+
+[Learn more :material-arrow-right-drop-circle:](router.md)
+
+## Service Providers
+
+### Cloud Storage
+
+
+
+- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive)
+
+
+[Learn more :material-arrow-right-drop-circle:](cloud.md)
+
+### DNS
+
+#### DNS Providers
+
+We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended.
+
+[Learn more :material-arrow-right-drop-circle:](dns.md)
+
+#### Encrypted DNS Proxies
+
+
+
+- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns)
+- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy)
+
+
+[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies)
+
+#### Self-hosted Solutions
+
+
+
+- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home)
+- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole)
+
+
+[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions)
+
+### Email
+
+
+
+- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail)
+- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg)
+- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail)
+- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota)
+
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) + +--8<-- "includes/abbreviations.ar.txt" diff --git a/i18n/ar/tor.md b/i18n/ar/tor.md new file mode 100644 index 00000000..d4df42fc --- /dev/null +++ b/i18n/ar/tor.md @@ -0,0 +1,124 @@ +--- +title: "Tor Network" +icon: simple/torproject +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+ +- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md) + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! 
danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to. + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. 
It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +--8<-- "includes/abbreviations.ar.txt" diff --git a/i18n/ar/video-streaming.md b/i18n/ar/video-streaming.md new file mode 100644 index 00000000..52db5be0 --- /dev/null +++ b/i18n/ar/video-streaming.md 
@@ -0,0 +1,52 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. 
+ +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. + +--8<-- "includes/abbreviations.ar.txt" diff --git a/i18n/ar/vpn.md b/i18n/ar/vpn.md new file mode 100644 index 00000000..3aae1492 --- /dev/null +++ b/i18n/ar/vpn.md 
@@ -0,0 +1,323 @@
+---
+title: "VPN Services"
+icon: material/vpn
+---
+
+Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
+
+??? danger "VPNs do not provide anonymity"
+
+ Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.
+
+ If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
+
+ If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
+
+ [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button }
+
+??? question "When are VPNs useful?"
+
+ If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved.
+
+ [More Info](basics/vpn-overview.md){ .md-button }
+
+## Recommended Providers
+
+!!! abstract "Criteria"
+
+ Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#our-criteria) for more information.
+
+### Proton VPN
+
+!!! recommendation annotate
+
+ ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right }
+
+ **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option.
+
+ [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085)
+ - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases)
+ - [:simple-windows11: Windows](https://protonvpn.com/download-windows)
+ - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/)
+
+??? success annotate "67 Countries"
+
+ Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
+
+ We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Last checked: 2022-09-16
+
+??? success "Independently Audited"
+
+ As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
+
+??? success "Open-Source Clients"
+
+ Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN).
+
+??? success "Accepts Cash"
+
+ Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment.
+
+??? success "WireGuard Support"
+
+ Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+ Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app.
+
+??? warning "Remote Port Forwarding"
+
+ Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients.
+
+??? success "Mobile Clients"
+
+ In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers.
+
+??? info "Additional Functionality"
+
+ Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose.
+
+!!! danger "Killswitch feature is broken on Intel-based Macs"
+
+ System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service.
+
+### IVPN
+
+!!! recommendation
+
+ ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right }
+
+ **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar.
+
+ [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-android: Android](https://www.ivpn.net/apps-android/)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683)
+ - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/)
+ - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/)
+ - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/)
+
+??? success annotate "35 Countries"
+
+ IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
+
+ We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Last checked: 2022-09-16
+
+??? success "Independently Audited"
+
+ IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf).
+
+??? success "Open-Source Clients"
+
+ As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn).
+
+??? success "Accepts Cash and Monero"
+
+ In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment.
+
+??? success "WireGuard Support"
+
+ IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+ IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
+
+??? success "Remote Port Forwarding"
+
+ Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html).
+
+??? success "Mobile Clients"
+
+ In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers.
+
+??? info "Additional Functionality"
+
+ IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level.
+
+### Mullvad
+
+!!! recommendation
+
+ ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right }
+
+ **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial.
+
+ [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513)
+ - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases)
+ - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/)
+ - [:simple-apple: macOS](https://mullvad.net/en/download/macos/)
+ - [:simple-linux: Linux](https://mullvad.net/en/download/linux/)
+
+??? success annotate "41 Countries"
+
+ Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
+
+ We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Last checked: 2023-01-19
+
+??? success "Independently Audited"
+
+ Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded:
+
+ > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint.
+
+ In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website:
+
+ > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks.
+
+ In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf).
+
+??? success "Open-Source Clients"
+
+ Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app).
+
+??? success "Accepts Cash and Monero"
+
+ Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers.
+
+??? success "WireGuard Support"
+
+ Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+ Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
+
+??? success "IPv6 Support"
+
+ Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections.
+
+??? success "Remote Port Forwarding"
+
+ Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information.
+
+??? success "Mobile Clients"
+
+ Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases).
+
+??? info "Additional Functionality"
+
+ Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion).
+
+## Criteria
+
+!!! danger
+
+ It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy.
+
+**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible.
+
+### Technology
+
+We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected.
+
+**Minimum to Qualify:**
+
+- Support for strong protocols such as WireGuard & OpenVPN.
+- Killswitch built in to clients.
+- Multihop support. Multihopping is important to keep data private in case of a single node compromise.
+- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing.
+
+**Best Case:**
+
+- WireGuard and OpenVPN support.
+- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.)
+- Easy-to-use VPN clients
+- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses.
+- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble).
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required.
+
+**Minimum to Qualify:**
+
+- Monero or cash payment option.
+- No personal information required to register: Only username, password, and email at most.
+
+**Best Case:**
+
+- Accepts Monero, cash, and other forms of anonymous payment options (gift cards, etc.)
+- No personal information accepted (autogenerated username, no email required, etc.)
+
+### Security
+
+A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis.
+
+**Minimum to Qualify:**
+
+- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
+- Perfect Forward Secrecy (PFS).
+- Published security audits from a reputable third-party firm.
+
+**Best Case:**
+
+- Strongest Encryption: RSA-4096.
+- Perfect Forward Secrecy (PFS).
+- Comprehensive published security audits from a reputable third-party firm.
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the VPN providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+ - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.)
+ - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes.
+- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor.
+
+**Best Case:**
+
+Responsible marketing that is both educational and useful to the consumer could include:
+
+- An accurate comparison to when [Tor](tor.md) should be used instead.
+- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion)
+
+### Additional Functionality
+
+While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc.
+
+--8<-- "includes/abbreviations.ar.txt"
diff --git a/i18n/bn/404.md b/i18n/bn/404.md
new file mode 100644
index 00000000..5e69100c
--- /dev/null
+++ b/i18n/bn/404.md
@@ -0,0 +1,17 @@
+---
+hide:
+ - feedback
+---
+
+# 404 - Not Found
+
+We couldn't find the page you were looking for! Maybe you were looking for one of these?
+
+- [Introduction to Threat Modeling](basics/threat-modeling.md)
+- [Recommended DNS Providers](dns.md)
+- [Best Desktop Web Browsers](desktop-browsers.md)
+- [Best VPN Providers](vpn.md)
+- [Privacy Guides Forum](https://discuss.privacyguides.net)
+- [Our Blog](https://blog.privacyguides.org)
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/CODE_OF_CONDUCT.md b/i18n/bn/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..88a0e910
--- /dev/null
+++ b/i18n/bn/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@
+# Community Code of Conduct
+
+**We pledge** to make our community a harassment-free experience for everyone.
+
+**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others.
+
+**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment.
+
+## Community Standards
+
+What we expect from members of our communities:
+
+1. **Don't spread misinformation**
+
+ We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence.
+
+1. **Don't abuse our willingness to help**
+
+ Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/).
+
+1. **Behave in a positive and constructive manner**
+
+ Examples of behavior that contributes to a positive environment for our community include:
+
+ - Demonstrating empathy and kindness toward other people
+ - Being respectful of differing opinions, viewpoints, and experiences
+ - Giving and gracefully accepting constructive feedback
+ - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+ - Focusing on what is best not just for us as individuals, but for the overall community
+
+### Unacceptable Behavior
+
+The following behaviors are considered harassment and are unacceptable within our community:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Scope
+
+Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities.
+
+We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion.
+
+### Contact
+
+If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system.
+
+If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
diff --git a/i18n/bn/about/criteria.md b/i18n/bn/about/criteria.md
new file mode 100644
index 00000000..fd7753d1
--- /dev/null
+++ b/i18n/bn/about/criteria.md
@@ -0,0 +1,42 @@
+---
+title: General Criteria
+---
+
+!!! example "Work in Progress"
+
+ The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24)
+
+Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion.
+
+## Financial Disclosure
+
+We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors.
+
+## General Guidelines
+
+We apply these priorities when considering new recommendations:
+
+- **Secure**: Tools should follow security best-practices wherever applicable.
+- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives.
+- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in.
+- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases.
+- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required.
+- **Documented**: Tools should have clear and extensive documentation for use.
+
+## Developer Self-Submissions
+
+We have these requirements in regard to developers which wish to submit their project or software for consideration.
+
+- Must disclose affiliation, i.e. your position within the project being submitted.
+
+- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc.
+ - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit.
+
+- Must explain what the project brings to the table in regard to privacy.
+ - Does it solve any new problem?
+ - Why should anyone use it over the alternatives?
+
+- Must state what the exact threat model is with their project.
+ - It should be clear to potential users what the project can provide, and what it cannot.
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/about/donate.md b/i18n/bn/about/donate.md
new file mode 100644
index 00000000..10975cbd
--- /dev/null
+++ b/i18n/bn/about/donate.md
@@ -0,0 +1,52 @@
+---
+title: Supporting Us
+---
+
+
+It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides).
+
+If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers.
+
+[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary}
+
+Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you.
+
+If you already make use of GitHub sponsorships, you can also sponsor our organization there.
+
+[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button}
+
+## Backers
+
+A special thanks to all those who support our mission! :heart:
+
+*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.*
+
+
+## How We Use Donations
+
+Privacy Guides is a **non-profit** organization. We use donations for a variety of purposes, including:
+
+**Domain Registrations**
+:
+
+We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration.
+
+**Web Hosting**
+:
+
+Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic.
+
+**Online Services**
+:
+
+We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.).
+
+**Product Purchases**
+:
+
+We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md).
+
+We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org).
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/about/index.md b/i18n/bn/about/index.md
new file mode 100644
index 00000000..0fdd7d65
--- /dev/null
+++ b/i18n/bn/about/index.md
@@ -0,0 +1,63 @@
+---
+title: "About Privacy Guides"
+---
+
+**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors.
+
+[:material-hand-coin-outline: Support the project](donate.md ""){.md-button.md-button--primary}
+
+## Our Team
+
+??? person "@jonah"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah)
+ - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon")
+ - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me}
+ - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com)
+
+??? person "@niek-de-wilde"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde)
+ - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447")
+ - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me}
+
+??? person "@dngray"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray)
+ - [:simple-github: GitHub](https://github.com/dngray "@dngray")
+ - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me}
+ - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org)
+
+??? person "@freddy"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy)
+ - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m")
+ - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me}
+ - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org)
+ - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol)
+
+??? person "@mfwmyfacewhen"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen)
+ - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen")
+ - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol)
+
+??? person "@olivia"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia)
+ - [:simple-github: GitHub](https://github.com/hook9 "@hook9")
+ - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me}
+
+Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub!
+
+Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax deductible in the United States.
+
+## Site License
+
+*The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):*
+
+:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material.
+
+This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space!
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/about/notices.md b/i18n/bn/about/notices.md
new file mode 100644
index 00000000..bd487e69
--- /dev/null
+++ b/i18n/bn/about/notices.md
@@ -0,0 +1,45 @@
+---
+title: "Notices and Disclaimers"
+hide:
+ - toc
+---
+
+## Legal Disclaimer
+
+Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship.
+
+Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward.
+
+Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site.
+
+Privacy Guides additionally does not warrant that this website will be constantly available, or available at all.
+
+## Licenses
+
+Unless otherwise noted, all content on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE).
+
+This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive:
+
+* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt).
+
+Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE).
+
+This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo.
+
+We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.*
+
+When you contribute to this repository you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project.
+
+## Acceptable Use
+
+You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity.
+
+You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including:
+
+* Excessive Automated Scans
+* Denial of Service Attacks
+* Scraping
+* Data Mining
+* 'Framing' (IFrames)
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/about/privacy-policy.md b/i18n/bn/about/privacy-policy.md
new file mode 100644
index 00000000..2cb20d13
--- /dev/null
+++ b/i18n/bn/about/privacy-policy.md
@@ -0,0 +1,63 @@
+---
+title: "Privacy Policy"
+---
+
+Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people).
+
+## Data We Collect From Visitors
+
+The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website:
+
+- No personal information is collected
+- No information such as cookies are stored in the browser
+- No information is shared with, sent to or sold to third-parties
+- No information is shared with advertising companies
+- No information is mined and harvested for personal and behavioral trends
+- No information is monetized
+
+You can view the data we collect on our [statistics](statistics.md) page.
+
+We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected.
+
+Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy).
+
+## Data We Collect From Account Holders
+
+On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform.
+
+To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site.
+
+We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services.
+
+We use your email to:
+
+- Notify you about posts and other activity on the websites or services.
+- Reset your password and help keep your account secure.
+- Contact you in special circumstances related to your account.
+- Contact you about legal requests, such as DMCA takedown requests.
+
+On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time.
+
+We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days.
+
+## Contacting Us
+
+The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to:
+
+```text
+Jonah Aragon
+Services Administrator
+jonah@privacyguides.org
+```
+
+For all other inquiries, you can contact any member of our team.
+
+For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use.
+
+## About This Policy
+
+We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time.
+
+A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub.
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/about/privacytools.md b/i18n/bn/about/privacytools.md
new file mode 100644
index 00000000..c5bab16e
--- /dev/null
+++ b/i18n/bn/about/privacytools.md
@@ -0,0 +1,120 @@
+---
+title: "PrivacyTools FAQ"
+---
+
+# Why we moved on from PrivacyTools
+
+In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted.
+
+Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition.
+
+After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions.
+
+## What is PrivacyTools?
+
+PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc.
+
+Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested.
+
+## Why We Moved On
+
+In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again.
+
+In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.==
+
+## Domain Name Reliance
+
+At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment.
+
+The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place.
+
+Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome.
+
+In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition.
+
+## Community Call to Action
+
+At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped.
+
+## Control of r/privacytoolsIO
+
+Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit.
+
+Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms.
+
+> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer.
+>
+> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct).
+
+## Beginning the Transition
+
+On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain:
+
+> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc.
+
+This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/)
+
+- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org).
+- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site.
+- Posting announcements to our subreddit and various other communities informing people of the official change.
+- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible.
+
+Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped.
+
+## Following Events
+
+Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project.
+
+At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible).
+
+Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services.
+
+Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so.
+
+BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim.
+
+## PrivacyTools.io Now
+
+As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs.
+
+==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder.
+
+## r/privacytoolsIO Now
+
+After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021:
+
+> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you.
+>
+> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...]
+
+Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides.
+
+In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules:
+
+> Retaliation from any moderator with regards to removal requests is disallowed.
+
+For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is.
+
+## OpenCollective Now
+
+Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community.
+
+Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer:
+
+> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net.
+
+## Further Reading
+
+This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion.
+
+- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/)
+- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/)
+- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/)
+- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides)
+- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280)
+- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/)
+- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/)
+- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496)
+- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20)
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/about/services.md b/i18n/bn/about/services.md
new file mode 100644
index 00000000..a6f2c070
--- /dev/null
+++ b/i18n/bn/about/services.md
@@ -0,0 +1,40 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) + +--8<-- "includes/abbreviations.bn.txt" 
diff --git a/i18n/bn/about/statistics.md b/i18n/bn/about/statistics.md new file mode 100644 index 00000000..b5923edf --- /dev/null +++ b/i18n/bn/about/statistics.md @@ -0,0 +1,63 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/advanced/communication-network-types.md b/i18n/bn/advanced/communication-network-types.md new file mode 100644 index 00000000..d451376a --- /dev/null +++ b/i18n/bn/advanced/communication-network-types.md 
@@ -0,0 +1,104 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. 
+- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. 
They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. 
There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. 
Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/advanced/dns-overview.md b/i18n/bn/advanced/dns-overview.md new file mode 100644 index 00000000..55454a86 --- /dev/null +++ b/i18n/bn/advanced/dns-overview.md 
@@ -0,0 +1,307 @@ +--- +title: "DNS Overview" +icon: material/dns +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. 
This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. 
| Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. 
Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. 
When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. 
We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. 
Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. 
We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. 
It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP)
+ ispDNS --> | No | nothing(Do nothing)
+```
+
+Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering.
+
+[List of recommended DNS servers](../dns.md ""){.md-button}
+
+## What is DNSSEC?
+
+[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests.
+
+In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted.
+
+The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with.
+
+DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver.
+
+Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/).
+
+## What is QNAME minimization?
+
+A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server).
+
+Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
+
+## What is EDNS Client Subnet (ECS)?
+
+The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query.
+
+It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps.
+
+This feature does come at a privacy cost, as it tells the DNS server some information about the client's location.
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/advanced/tor-overview.md b/i18n/bn/advanced/tor-overview.md
new file mode 100644
index 00000000..89d7f76e
--- /dev/null
+++ b/i18n/bn/advanced/tor-overview.md
@@ -0,0 +1,81 @@
+---
+title: "Tor Overview"
+icon: 'simple/torproject'
+---
+
+Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications.
+
+## Path Building
+
+Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays).
+
+Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function:
+
+### The Entry Node
+
+The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to.
+
+Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1]
+
+### The Middle Node
+
+The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to.
+
+For each new circuit, the middle node is randomly selected out of all available Tor nodes.
+
+### The Exit Node
+
+The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to.
+
+The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2]
+
+
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+
+## Encryption
+
+Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order.
+
+Once Tor has built a circuit, data transmission is done as follows:
+
+1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node.
+
+2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node.
+
+3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address.
+
+Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back.
+
+
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+
+Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address.
+
+## Caveats
+
+Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect:
+
+- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity.
+- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible.
+
+If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting.
+
+- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser)
+
+## Additional Resources
+
+- [Tor Browser User Manual](https://tb-manual.torproject.org)
+- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube)
+- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube)
+
+--8<-- "includes/abbreviations.bn.txt"
+
+[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/bn/android.md b/i18n/bn/android.md
new file mode 100644
index 00000000..336d59d4
--- /dev/null
+++ b/i18n/bn/android.md
@@ -0,0 +1,353 @@
+---
+title: "অ্যান্ড্রয়েড"
+icon: 'ফন্টঅ্যাওসাম/ ব্র্যান্ড / অ্যান্ড্রয়েড'
+---
+
+![Android logo](assets/img/android/android.svg){ align=right }
+
+The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features.
+
+[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage }
+[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation}
+[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" }
+
+These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. রেকমেন্ডেশন
+
+- [সাধারণ অ্যান্ড্রয়েড ওভারভিউ এবং সুপারিশ :hero-arrow-circle-right-fill:](os/android-overview.md)
+- [আমরা কেন GrapheneOS এর বদলে CalyxOS এর সুপারিশ করি :hero-arrow-circle-right-fill:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+
+## AOSP এর ডেরিভেটিভস্
+
+We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems.
+
+!!! note
+
+ পুরোনো ডিভাইসগুলিতে (যেমন GrapheneOS CalyxOS এর "extended support" ডিভাইসগুলো) সম্পুর্ন সিকিউরিটি থাকে না, OEM সাপোর্ট দেওয়া বন্ধ করে দেওয়ার জন্য। যেকোনো সফটওয়্যার ইনস্টলড থাকুক না কেনো এইসমস্ত ডিভাইসগুলো কে কখনোই সম্পূর্ণ ভাবে নিরাপদ বিবেচনা করা যাবে না
+
+### GrapheneOS
+
+!!! recommendation
+
+ ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right }
+ ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right }
+
+ প্রাইভেসি এবং সিকিউরিটি এর জন্য **GrapheneOS** সবথেকে ভালো।
+
+ GrapheneOS তে কিছু বাড়তি [সিকিউরিটি](https://en.wikipedia.org/wiki/Hardening_(computing)) এবং প্রাইভেসি রয়েছে। It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported.
+
+ [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice.
+
+Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support).
+
+### DivestOS
+
+!!! recommendation
+
+ ![DivestOS logo](assets/img/android/divestos.svg){ align=right }
+
+ **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/).
+ DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices.
+
+ [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute }
+
+DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled.
+
+DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features).
+
+DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply.
+
+!!! warning
+
+ DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative.
+
+ Not all of the supported devices have verified boot, and some perform it better than others.
+
+## Android Devices
+
+When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible.
+
+Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution.
+
+Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner.
+
+A few more tips regarding Android devices and operating system compatibility:
+
+- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer.
+- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with.
+- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details!
+
+### Google Pixel
+
+Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element.
+
+!!! recommendation
+
+ ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right }
+
+ **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems.
+
+ Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer.
+
+ [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary }
+
+Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface.
+
+Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones.
+
+The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company.
+
+A few more tips for purchasing a Google Pixel:
+
+- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock.
+- Consider price beating options and specials offered at physical stores.
+- Look at online community bargain sites in your country. These can alert you to good sales.
+- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day.
+
+## General Apps
+
+We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality.
+
+### Shelter
+
+!!! recommendation
+
+ ![Shelter logo](assets/img/android/shelter.svg){ align=right }
+
+ **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device.
+
+ Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)).
+
+ [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter)
+
+!!! warning
+
+ Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html).
+
+ When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile.
+
+### Auditor
+
+!!! recommendation
+
+ ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right }
+ ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right }
+
+ **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system.
+
+ [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation}
+ [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+Auditor performs attestation and intrusion detection by:
+
+- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*.
+- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app).
+- The *auditor* records the current state and configuration of the *auditee*.
+- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations.
+- You will be alerted to the change.
+
+No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring.
+
+If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection.
+
+### Secure Camera
+
+!!! recommendation
+
+ ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right }
+ ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right }
+
+ **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices.
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+Main privacy features include:
+
+- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default)
+- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required
+- Microphone permission not required unless you want to record sound
+
+!!! note
+
+ Metadata is not currently deleted from video files but that is planned.
+
+ The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser).
+
+### Secure PDF Viewer
+
+!!! recommendation
+
+ ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right }
+ ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right }
+
+ **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files.
+
+ [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content.
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+## Obtaining Applications
+
+### GrapheneOS App Store
+
+GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to.
+
+### Aurora Store
+
+The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store.
+
+!!! recommendation
+
+ ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right }
+
+ **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps.
+
+ [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases)
+
+Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device.
+
+### Manually with RSS Notifications
+
+For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases.
+
+![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark)
+
+#### GitHub
+
+On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL:
+
+`https://github.com/GrapheneOS/Camera/releases.atom`
+
+#### GitLab
+
+On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL:
+
+`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom`
+
+#### Verifying APK Fingerprints
+
+If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools).
+
+1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/).
+
+2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools).
+
+3. Extract the downloaded archive:
+
+ ```bash
+ unzip commandlinetools-*.zip
+ cd cmdline-tools
+ ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3"
+ ```
+
+4. Run the signature verification command:
+
+ ```bash
+ ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk
+ ```
+
+5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website.
+
+ ```bash
+ Signer #1 certificate DN: CN=GrapheneOS
+ Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59
+ Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c
+ Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3
+ ```
+
+### F-Droid
+
+![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px }
+
+==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages.
+
+Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust.
+
+Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.
+
+That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method.
+
+!!! note
+
+ In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Operating Systems
+
+- Must be open-source software.
+- Must support bootloader locking with custom AVB key support.
+- Must receive major Android updates within 0-1 months of release.
+- Must receive Android feature updates (minor version) within 0-14 days of release.
+- Must receive regular security patches within 0-5 days of release.
+- Must **not** be "rooted" out of the box.
+- Must **not** enable Google Play Services by default.
+- Must **not** require system modification to support Google Play Services.
+
+### Devices
+
+- Must support at least one of our recommended custom operating systems.
+- Must be currently sold new in stores.
+- Must receive a minimum of 5 years of security updates.
+- Must have dedicated secure element hardware.
+
+### Applications
+
+- Applications on this page must not be applicable to any other software category on the site.
+- General applications should extend or replace core system functionality.
+- Applications should receive regular updates and maintenance.
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/assets/img/account-deletion/exposed_passwords.png b/i18n/bn/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/bn/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/bn/assets/img/android/rss-apk-dark.png b/i18n/bn/assets/img/android/rss-apk-dark.png
new file mode 100644
index 00000000..974869a4
Binary files /dev/null and b/i18n/bn/assets/img/android/rss-apk-dark.png differ
diff --git a/i18n/bn/assets/img/android/rss-apk-light.png b/i18n/bn/assets/img/android/rss-apk-light.png
new file mode 100644
index 00000000..21d6ef03
Binary files /dev/null and b/i18n/bn/assets/img/android/rss-apk-light.png differ
diff --git a/i18n/bn/assets/img/android/rss-changes-dark.png b/i18n/bn/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/bn/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/bn/assets/img/android/rss-changes-light.png b/i18n/bn/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/bn/assets/img/android/rss-changes-light.png differ diff --git a/i18n/bn/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/bn/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/bn/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/bn/assets/img/how-tor-works/tor-encryption.svg b/i18n/bn/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/bn/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/bn/assets/img/how-tor-works/tor-path-dark.svg b/i18n/bn/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/bn/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/bn/assets/img/how-tor-works/tor-path.svg b/i18n/bn/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/bn/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/bn/assets/img/multi-factor-authentication/fido.png b/i18n/bn/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/bn/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/bn/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/bn/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/bn/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/bn/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/bn/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/bn/assets/img/qubes/qubes-trust-level-architecture.png differ 
diff --git a/i18n/bn/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/bn/assets/img/qubes/r4.0-xfce-three-domains-at-work.png
new file mode 100644
index 00000000..d7138149
Binary files /dev/null and b/i18n/bn/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ
diff --git a/i18n/bn/basics/account-creation.md b/i18n/bn/basics/account-creation.md
new file mode 100644
index 00000000..dfba2416
--- /dev/null
+++ b/i18n/bn/basics/account-creation.md
@@ -0,0 +1,82 @@
+---
+title: "Account Creation"
+icon: 'material/account-plus'
+---
+
+Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line.
+
+There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer.
+
+It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.
+
+## Terms of Service & Privacy Policy
+
+The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for.
+
+The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect.
+
+We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start.
+
+Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy.
+
+## Authentication methods
+
+There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks.
+
+### Email and password
+
+The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords.
+
+!!! tip
+
+ You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key.
+
+You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts.
+
+[Recommended password managers](../passwords.md ""){.md-button}
+
+#### Email aliases
+
+If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to.
+
+Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked.
+
+[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button}
+
+### Single sign-on
+
+!!! note
+
+ We are discussing Single sign-on for personal use, not enterprise users.
+
+Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO.
+
+When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account.
+
+The main advantages are:
+
+- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials.
+- **Ease of use**: multiple accounts are managed by a single login.
+
+But there are disadvantages:
+
+- **Privacy**: a SSO provider will know the services you use.
+- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected.
+
+SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md).
+
+All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak.
+
+### Phone number
+
+We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted.
+
+You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts.
+
+In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number!
+
+### Username and password
+
+Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password.
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/basics/account-deletion.md b/i18n/bn/basics/account-deletion.md
new file mode 100644
index 00000000..1c83935c
--- /dev/null
+++ b/i18n/bn/basics/account-deletion.md
@@ -0,0 +1,63 @@
+---
+title: "Account Deletion"
+icon: 'material/account-remove'
+---
+
+Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence.
+
+## Finding Old Accounts
+
+### Password Manager
+
+If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/).
+
+
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png)
+
+
+Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336).
+
+Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about:
+
+- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
+- macOS [Passwords](https://support.apple.com/en-us/HT211145)
+- iOS [Passwords](https://support.apple.com/en-us/HT211146)
+- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
+
+### Email
+
+If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts.
+
+## Deleting Old Accounts
+
+### Log In
+
+In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts.
+
+When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account.
+
+### GDPR (EEA residents only)
+
+Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
+
+### Overwriting Account information
+
+In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information.
+
+For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.
+
+### Delete
+
+You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
+
+For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this).
+
+If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
+
+Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services.
+
+## Avoid New Accounts
+
+As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/basics/common-misconceptions.md b/i18n/bn/basics/common-misconceptions.md
new file mode 100644
index 00000000..2dc2b6f0
--- /dev/null
+++ b/i18n/bn/basics/common-misconceptions.md
@@ -0,0 +1,61 @@
+---
+title: "Common Misconceptions"
+icon: 'material/robot-confused'
+---
+
+## "Open-source software is always secure" or "Proprietary software is more secure"
+
+These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis.
+
+Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1]
+
+On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
+
+To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use.
+
+## "Shifting trust can increase privacy"
+
+We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that:
+
+1. You must exercise caution when choosing a provider to shift trust to.
+2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data.
+
+## "Privacy-focused solutions are inherently trustworthy"
+
+Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider.
+
+The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all.
+
+## "Complicated is better"
+
+We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?"
+
+Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips:
+
+1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions.
+2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember.
+3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight.
+
+So, how might this look?
+
+One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to.
+
+1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses.
+
+ We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means.
+
+ !!! tip
+
+ When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private.
+
+2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc.
+
+ You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.
+
+3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly.
+
+ Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.)
+
+--8<-- "includes/abbreviations.bn.txt"
+
+[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident).
diff --git a/i18n/bn/basics/common-threats.md b/i18n/bn/basics/common-threats.md
new file mode 100644
index 00000000..dd0c3989
--- /dev/null
+++ b/i18n/bn/basics/common-threats.md
@@ -0,0 +1,149 @@
+---
+title: "Common Threats"
+icon: 'material/eye-outline'
+---
+
+Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat.
+
+- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically.
+- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically.
+- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
+- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
+- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities.
+- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
+- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public.
+- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online.
+
+Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices.
+
+## Anonymity vs. Privacy
+
+:material-incognito: Anonymity
+
+Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity.
+
+Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far.
+
+## Security and Privacy
+
+:material-bug-outline: Passive Attacks
+
+Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private.
The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.)
+
+When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited.
+
+To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control.
+
+!!! tip
+
+ Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources.
+
+ Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os).
+
+:material-target-account: Targeted Attacks
+
+Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies.
+
+!!! tip
+
+ By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this.
+
+If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user.
+
+## Privacy From Service Providers
+
+:material-server-network: Service Providers
+
+We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere.
Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them.
+
+The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord.
+
+Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party.
+
+!!! note "Note on Web-based Encryption"
+
+ In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering).
+
+ On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt.
+
+ Therefore, you should use native applications over web clients whenever possible.
+
+Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all.
+
+## Mass Surveillance Programs
+
+:material-eye-outline: Mass Surveillance
+
+Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative.
+
+!!! abstract "Atlas of Surveillance"
+
+ If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/).
+
+ In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net.
+
+Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others.
+
+!!!
quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
+
+ In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline.
+
+Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2]
+
+Online, you can be tracked via a variety of methods:
+
+- Your IP address
+- Browser cookies
+- The data you submit to websites
+- Your browser or device fingerprint
+- Payment method correlation
+
+\[This list isn't exhaustive].
+
+If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information.
+
+:material-account-cash: Surveillance Capitalism
+
+> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3]
+
+For many people, tracking and surveillance by private corporations is a growing concern.
Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4]
+
+Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you.
+
+## Limiting Public Information
+
+:material-account-search: Public Exposure
+
+The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy.
+
+- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md)
+
+On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission.
+
+If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity.
This makes your real information indistinguishable from the false information.
+
+## Avoiding Censorship
+
+:material-close-outline: Censorship
+
+Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5]
+
+Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.
+
+People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.
+
+!!! tip
+
+ While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic.
+
+ You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place.
Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
+
+You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.
+
+--8<-- "includes/abbreviations.bn.txt"
+
+[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance).
+[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques.
+[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights).
diff --git a/i18n/bn/basics/email-security.md b/i18n/bn/basics/email-security.md
new file mode 100644
index 00000000..253a3157
--- /dev/null
+++ b/i18n/bn/basics/email-security.md
@@ -0,0 +1,42 @@
+---
+title: Email Security
+icon: material/email
+---
+
+Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed.
+
+As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others.
+
+## Email Encryption Overview
+
+The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
+
+There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible.
+
+### What Email Clients Support E2EE?
+
+Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication.
+
+### How Do I Protect My Private Keys?
+
+A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
+
+It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.
+
+## Email Metadata Overview
+
+Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
+
+Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent.
+
+### Who Can View Email Metadata?
+
+Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages.
+
+### Why Can't Metadata be E2EE?
+
+Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc.
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/basics/multi-factor-authentication.md b/i18n/bn/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..86e96cad
--- /dev/null
+++ b/i18n/bn/basics/multi-factor-authentication.md
@@ -0,0 +1,166 @@
+---
+title: "Multi-Factor Authentication"
+icon: 'material/two-factor-authentication'
+---
+
+**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app.
+
+সাধারণত, যদি কোনো হ্যাকার (বা শত্রু) আপনার পাসওয়ার্ড ডিক্রিপ্ট করতে সক্ষম হয় তাহলে তারা যে অ্যাকাউন্টে ওই পাসওয়ার্ড আছে সেটিতে প্রবেশ করতে সক্ষম হবে। MFA আছে এমন একটি অ্যাকাউন্ট-এর ক্ষেত্রে হ্যাকারকে পাসওয়ার্ড ( যা আপনি *জানেন*) এবং আপনার মালিকানাধীন একটি ডিভাইস (যা আপনার *কাছে আছে*), যেমন আপনার ফোন,উভয়ই থাকলে তবে হ্যাকার হ্যাক করতে সক্ষম হবে।
+
+MFA পদ্ধতিগুলির নিরাপত্তা বিভিন্নরকম হতে পারে ,আক্রমণকারীর পক্ষে আপনার MFA পদ্ধতিতে অ্যাক্সেস লাভ করা যত কঠিন, ততই ভালো। Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO.
+
+## MFA পদ্ধতিগুলির তুলনা
+
+### এসএমএস বা ইমেইল MFA
+
+এসএমএস বা ইমেলের ওটিপি কোডগুলির মাধ্যমে MFA-এর ব্যবহার অ্যাকাউন্টগুলিকে সুরক্ষিত করার একটি দুর্বল উপায়৷ ইমেল বা এসএমএস-এর মাধ্যমে কোড পাওয়া "যা আপনার *আছে*" ধারণা থেকে দূরে সরে যায়, কারণ হ্যাকার বিভিন্ন রকম ভাবে আপনার [ফোন নম্বর দখল করতে পারে](https://en.wikipedia.org/wiki/SIM_swap_scam) বা আপনার কোনো ডিভাইস স্পর্শ না করেই আপনার ইমেলে অ্যাক্সেস পেতে পারে। যদি কোনো অননুমোদিত ব্যক্তি আপনার ইমেলের অ্যাক্সেস লাভ করে, তাহলে তারা আপনার সেই ইমেইল ব্যবহার করে পাসওয়ার্ড রিসেট করতে পারে এবং অথেনটিকেশন কোড পেতে পারে, যা শেষ পর্যন্ত তাকে আপনার একাউন্ট-এর সম্পূর্ণ এক্সেস দেবে।
+
+### মোবাইলের নোটিফিকেশন
+
+পুশ নোটিফিকেশন MFA এমন একটা পদ্ধতি যেখানে আপনার ফোনের একটি অ্যাপে নোটিফিকেশন পাঠানো হয়, যাতে আপনাকে নতুন অ্যাকাউন্ট লগইন নিশ্চিত করতে বলে। এই পদ্ধতিটি এসএমএস বা ইমেলের চেয়ে তুলনামূলকভাবে অনেক ভালো, যেহেতু একজন আক্রমণকারী সাধারণত লগগড -ইন করা ডিভাইস ছাড়া এই নোটিফিকেশনগুলি পেতে সক্ষম হবে না, যার মানে তাদের প্রথমে আপনার অন্য ডিভাইসগুলির মধ্যে একটিকে হ্যাক করতে হবে ৷
+
+আমরা
প্রত্যেকেই ভুল করি, এবং আপনি অন্যমনস্কতাবশত লগইন এপ্রুভ করে দিতে পারেন তার সম্ভাবনা রয়েছে। লগইন এর জন্য নোটিফিকেশনগুলি সাধারণত আপনার *সমস্ত ডিভাইসে* একসঙ্গে পাঠানো হয়, যদি আপনার অনেকগুলি ডিভাইস থাকে তবে তা MFA কোড পাওয়ার সম্ভাবনা বৃদ্ধি করে৷
+
+পুশ নোটিফিকেশন MFA -এর নিরাপত্তা অ্যাপের গুণমান, সার্ভারের, এবং এটি তৈরিকারী ব্যাক্তির ওপর নির্ভর করে। একটি অ্যাপ্লিকেশন ইনস্টল করার অর্থ হল যে আপনাকে প্রায়ই ক্ষতিকারক পারমিশনগুলি একসেপ্ট করতে হবে, যা ওই অ্যাপ্লিকেশনকে ডিভাইসের অন্যান্য ডেটা অ্যাক্সেস করার অনুমতি দেয়৷ অনেক সময় বিভিন্ন পরিষেবার জন্য আপনাকে বিভিন্ন এপ্লিকেশন ইনস্টল করতে হতে পারে, সেই এপ্লিকেশন টি আবার কোনো পাসওয়ার্ড ছাড়াই ওপেন হতে পারে, যা মোটেও ভালো TOTP জেনারেটার এপ্লিকেশন এর লক্ষণ নয়।
+
+### সময়-সাপেক্ষ ওয়ান-টাইম পাসওয়ার্ড (TOTP)
+
+TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. শেয়ার্ড সিক্রেট অথেনটিকেশন অ্যাপের ভিতরে সুরক্ষিত থাকে এবং কখনও কখনও পাসওয়ার্ড দ্বারা সুরক্ষিত থাকে।
+
+সময়-সাপেক্ষ কোড তারপর শেয়ার্ড সিক্রেট এবং সময় থেকে জেনারেট হয়। As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes.
+
+যদি আপনার কাছে TOTP সহ একটি হার্ডওয়্যার সিকিউরিটি কী থাকে (যেমন Yubico অথেন্টিকেটর সাথে একটি YubiKey), আমরা সুপারিশ করি যে আপনি হার্ডওয়্যারে আপনার "শেয়ার্ড সিক্রেট " রাখুন৷ YubiKey-এর মতো হার্ডওয়্যার এমনভাবে তৈরী করা হয়েছিল যাতে "শেয়ারড সিক্রেট" বের করা এবং কপি করা কঠিন হয় একটি YubiKey ইন্টারনেটের সাথে যুক্ত থাকে না, কিন্তু TOTP যুক্ত একটি ফোন ইন্টারনেট এর সাথে যুক্ত থাকে।
+
+[WebAuthn](#fido-fast-identity-online) এর অপরপক্ষে TOTP [ফিশিং](https://en.wikipedia.org/wiki/Phishing) বা রি-উজ এটাক এর বিরুদ্ধে কোন সুরক্ষা প্রদান করে না। If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds).
+
+আপনার উজার-নেম, পাসওয়ার্ড এবং বর্তমান TOTP কোড হাতানোর জন্য, আপনাকে প্রতারণা করার চেষ্টায় একজন আক্ক্রমণকারী একটি অফিসিয়াল পরিষেবার অনুকরণ করে একটি ওয়েবসাইট সেট আপ করতে পারে। আক্রমণকারী সেই রেকর্ড করা তথ্যগুলি ব্যবহার করে প্রকৃত পরিষেবাতে লগ ইন করতে এবং অ্যাকাউন্ট হাইজ্যাক করতে সক্ষম হতে পারে।
+
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+
+### হার্ডওয়্যার সিকিউরিটি কী
+
+The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory.
+
+These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones.
+
+#### Yubico OTP
+
+Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server.
+
+When logging into a website, all you need to do is to physically touch the security key.
The security key will emulate a keyboard and print out a one-time password into the password field.
+
+The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
+
+
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png)
+
+
+There are some benefits and disadvantages to using Yubico OTP when compared to TOTP.
+
+The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance.
+
+If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key.
+
+#### FIDO (Fast IDentity Online)
+
+[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn).
+
+U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on.
+
+WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication.
+
+
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png)
+
+
+When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal.
+
+This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards.
+
+
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. 
+ +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. 
+ +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. 
+
+### SSH
+
+#### Hardware Security Keys
+
+SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up.
+
+#### সময়-সাপেক্ষ ওয়ান-টাইম পাসওয়ার্ড (TOTP)
+
+SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ.
+
+### KeePass (and KeePassXC)
+
+KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/basics/passwords-overview.md b/i18n/bn/basics/passwords-overview.md
new file mode 100644
index 00000000..08871e37
--- /dev/null
+++ b/i18n/bn/basics/passwords-overview.md
@@ -0,0 +1,112 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. 
+ +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! 
note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. 
+ + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. 
+ +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/basics/threat-modeling.md b/i18n/bn/basics/threat-modeling.md new file mode 100644 index 00000000..b169f729 --- /dev/null +++ b/i18n/bn/basics/threat-modeling.md 
@@ -0,0 +1,111 @@ +--- +title: "Threat Modeling" +icon: 'material/target-account' +--- + +প্রাইভেসি সিকিউরিটি, এবং ব্যবহারযোগ্যতা এর মধ্যে ভারসাম্য রক্ষা করা আপনার প্রাইভেসি যাত্রার সবথেকে কঠিন কাজ। Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +যদি আপনি **সবথেকে** সিকিউর সফটও়্যারগুলো ব্যাবহার করতে চান আপনাকে *কিছু* ব্যবহারযোগ্যতা বিসর্জন দিতে হবে। And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. একারণে থ্রেট মডেল তৈরি করা জরুরি। + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. আমি কি রক্ষা করতে চাই? +2. কার থেকে আমি রক্ষা করতে চাই? +3. এটি আমার কতটা রক্ষা করা প্রয়োজন? +4. আমি ব্যর্থ হলে পরিণতি কতটা খারাপ? +5. সম্ভাব্য ফল রোধ করার জন্য আমি কতটা সমস্যার মধ্য দিয়ে যেতে ইচ্ছুক? + +### আমি কি রক্ষা করতে চাই? + +An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets. 
+ +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### কার থেকে আমি রক্ষা করতে চাই? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### এটি আমার কতটা রক্ষা করা প্রয়োজন? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. + +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### আমি ব্যর্থ হলে পরিণতি কতটা খারাপ? 
+ +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### সম্ভাব্য ফল রোধ করার জন্য আমি কতটা সমস্যার মধ্য দিয়ে যেতে ইচ্ছুক? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. 
As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**আপনি কি রক্ষা করতে চান? (অথবা, *আপনার কাছে কি এমন জিনিস আছে যা রক্ষা করার দরকার?*)** +: + +আপনার জিনিসপত্র এর মধ্যে গয়না, ইলেকট্রনিকস, গুরুত্বপূর্ণ কাগজপত্র অথবা ফটো পড়তে পারে। + +**কার থেকে আপনি রক্ষা করতে চান?** +: + +আপনার সিকিউরিটি এর আক্রমণকারী ডাকাত, রুমমেট বা অতিথি হতে পারে। + +**আপনাকে রক্ষা করতে হবে তার সম্ভাবনা কত?** +: + +আপনার আশেপাশে কি চুরির ইতিহাস আছে? How trustworthy are your roommates or guests? আপনার প্রতিপক্ষের ক্ষমতা কি? আপনার কী কী ঝুঁকি বিবেচনা করা উচিত? + +**আপনি ব্যর্থ হলে পরিণতি কতটা খারাপ?** +: + +আপনার বাড়িতে এমন কিছু আছে যা আপনি অন্য কিছু দিয়ে পরিবর্তন করতে পারবেন না? Do you have the time or money to replace those things? আপনার কি বীমা আছে যা আপনার বাড়ি থেকে চুরি হওয়া জিনিসগুলি কভার করে? + +**সম্ভাব্য ফল রোধ করার জন্য আপনি কতটা সমস্যার মধ্য দিয়ে যেতে ইচ্ছুক?** +: + +আপনি সংবেদনশীল নথি রাখার জন্য একটি সেফ কিনতে ইচ্ছুক? আপনি কি একটি উচ্চ মানের তালা কিনতে সামর্থ্য? আপনার কি স্থানীয় ব্যাঙ্কে কোনও সিকিউরিটি বাক্স খোলার এবং সেখানে আপনার মূল্যবান জিনিসপত্র রাখার সময় আছে? + +আপনি একবার নিজেকে এই প্রশ্নগুলি জিজ্ঞাসা করলে আপনি কী পদক্ষেপ নেবেন তা বুঝতে পারবেন। যদি আপনার জিনিসপত্রগুলো দামী হয়, কিন্তু ডাকাতি হওয়ার সম্ভাবনা কম, তাহলে বেশি টাকা তলাতে খরচ করার দরকার হবে না। But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. 
+
+- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md)
+
+## Sources
+
+- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan)
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/basics/vpn-overview.md b/i18n/bn/basics/vpn-overview.md
new file mode 100644
index 00000000..26a8eeac
--- /dev/null
+++ b/i18n/bn/basics/vpn-overview.md
@@ -0,0 +1,78 @@ +--- +title: VPN Overview +icon: material/vpn +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. 
However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. 
If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. 
Hiding your IP from third-party websites and services, preventing IP based tracking.
+
+For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
+
+## Sources and Further Reading
+
+1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
+1. [Tor Network Overview](../advanced/tor-overview.md)
+1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides)
+1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them.
+
+## Related VPN Information
+
+- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/)
+- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
+- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
+- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/calendar.md b/i18n/bn/calendar.md
new file mode 100644
index 00000000..a50c72ac
--- /dev/null
+++ b/i18n/bn/calendar.md
@@ -0,0 +1,71 @@ +--- +title: "Calendar Sync" +icon: material/calendar +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! 
recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/cloud.md b/i18n/bn/cloud.md new file mode 100644 index 00000000..d01a476f --- /dev/null +++ b/i18n/bn/cloud.md 
@@ -0,0 +1,62 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by either putting you in control of your data or by implementing E2EE. + +If these alternatives do not fit your needs, we suggest you look into [Encryption Software](encryption.md). + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is an E2EE general file storage service by the popular encrypted email provider [Proton Mail](https://proton.me/mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +Proton Drive's mobile clients were released in December 2022 and are not yet open-source. Proton has historically delayed their source code releases until after initial product releases, and [plans to](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) release the source code by the end of 2023. Proton Drive desktop clients are still in development. 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. 
+- Should offer at least basic file preview and editing functionality on the web interface. + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/data-redaction.md b/i18n/bn/data-redaction.md new file mode 100644 index 00000000..e8eed0b5 --- /dev/null +++ b/i18n/bn/data-redaction.md 
@@ -0,0 +1,146 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. 
+ + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. 
+ + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. 
+ + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/desktop-browsers.md b/i18n/bn/desktop-browsers.md new file mode 100644 index 00000000..f7928a49 --- /dev/null +++ b/i18n/bn/desktop-browsers.md 
@@ -0,0 +1,263 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping your browser extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! 
warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. 
+ +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. 
If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. 
+ +### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### IPFS + +InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +- [x] Select **Disabled** on Method to resolve IPFS resources + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). 
+ +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +--8<-- "includes/abbreviations.bn.txt" + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/bn/desktop.md b/i18n/bn/desktop.md new file mode 100644 index 00000000..95b7f77f --- /dev/null +++ b/i18n/bn/desktop.md 
@@ -0,0 +1,184 @@ +--- +title: "Desktop/PC" +icon: simple/linux +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. 
+ + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). 
+ +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. 
+ +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. 
You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. 
+ +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. 
[Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/dns.md b/i18n/bn/dns.md new file mode 100644 index 00000000..551bd52f --- /dev/null +++ b/i18n/bn/dns.md 
@@ -0,0 +1,142 @@ +--- +title: "DNS Resolvers" +icon: material/dns +--- + +!!! question "Should I use encrypted DNS?" + + Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + + [Learn more about DNS](advanced/dns-overview.md){ .md-button } + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### অ্যান্ড্রয়েড + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). 
+ +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! 
recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." 
+ + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! 
recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +--8<-- "includes/abbreviations.bn.txt" + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. 
[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/bn/email-clients.md b/i18n/bn/email-clients.md new file mode 100644 index 00000000..e83a7eaa --- /dev/null +++ b/i18n/bn/email-clients.md 
@@ -0,0 +1,239 @@
+---
+title: "Email Clients"
+icon: material/email-open
+---
+
+Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft.
+
+??? warning "Email does not provide forward secrecy"
+
+ When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email.
+
+ OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy:
+
+ [Real-time Communication](real-time-communication.md){ .md-button }
+
+## Cross-Platform
+
+### Thunderbird
+
+!!! recommendation
+
+ ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right }
+
+ **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation.
+
+ [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation}
+ [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.thunderbird.net)
+ - [:simple-apple: macOS](https://www.thunderbird.net)
+ - [:simple-linux: Linux](https://www.thunderbird.net)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird)
+
+#### Recommended Configuration
+
+We recommend changing some of these settings to make Thunderbird a little more private.
+
+These options can be found in :material-menu: → **Settings** → **Privacy & Security**.
+
+##### Web Content
+
+- [ ] Uncheck **Remember websites and links I've visited**
+- [ ] Uncheck **Accept cookies from sites**
+
+##### Telemetry
+
+- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla**
+
+#### Thunderbird-user.js (advanced)
+
+[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js).
+
+## Platform Specific
+
+### Apple Mail (macOS)
+
+!!! recommendation
+
+ ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right }
+
+ **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email.
+
+ [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation}
+
+### Canary Mail (iOS)
+
+!!! recommendation
+
+ ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right }
+
+ **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock.
+
+ [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954)
+ - [:simple-windows11: Windows](https://canarymail.io/downloads.html)
+
+!!! warning
+
+ Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts.
+
+Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE.
+
+### FairEmail (Android)
+
+!!! recommendation
+
+ ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right }
+
+ **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage.
+
+ [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email)
+ - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases)
+
+### GNOME Evolution (GNOME)
+
+!!! recommendation
+
+ ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right }
+
+ **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started.
+
+ [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution)
+
+### K-9 Mail (Android)
+
+!!! recommendation
+
+ ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right }
+
+ **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP.
+
+ In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android.
+
+ [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9)
+ - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases)
+
+!!! warning
+
+ When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738).
+
+### Kontact (KDE)
+
+!!! recommendation
+
+ ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right }
+
+ **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client.
+
+ [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-linux: Linux](https://kontact.kde.org/download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact)
+
+### Mailvelope (Browser)
+
+!!! recommendation
+
+ ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right }
+
+ **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard.
+
+ [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc)
+
+### NeoMutt (CLI)
+
+!!! recommendation
+
+ ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right }
+
+ **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features.
+
+ NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable.
+
+ [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-apple: macOS](https://neomutt.org/distro)
+ - [:simple-linux: Linux](https://neomutt.org/distro)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Apps developed for open-source operating systems must be open-source.
+- Must not collect telemetry, or have an easy way to disable all telemetry.
+- Must support OpenPGP message encryption.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be open-source.
+- Should be cross-platform.
+- Should not collect any telemetry by default.
+- Should support OpenPGP natively, i.e. without extensions.
+- Should support storing OpenPGP encrypted emails locally.
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/email.md b/i18n/bn/email.md
new file mode 100644
index 00000000..808077f4
--- /dev/null
+++ b/i18n/bn/email.md
@@ -0,0 +1,485 @@
+---
+title: "Email Services"
+icon: material/email
+---
+
+Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy.
+
+[Recommended Instant Messengers](real-time-communication.md ""){.md-button}
+
+For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features.
+
+## OpenPGP Compatible Services
+
+These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
+
+!!! warning
+
+ When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview).
+
+ OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
+
+### Proton Mail
+
+!!! recommendation
+
+ ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right }
+
+ **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan.
+
+ [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905)
+ - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases)
+ - [:simple-windows11: Windows](https://proton.me/mail/bridge#download)
+ - [:simple-apple: macOS](https://proton.me/mail/bridge#download)
+ - [:simple-linux: Linux](https://proton.me/mail/bridge#download)
+ - [:octicons-browser-16: Web](https://mail.proton.me)
+
+Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
+
+If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free.
+
+Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**.
+
+??? success "Custom Domains and Aliases"
+
+ Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain.
+
+??? success "Private Payment Methods"
+
+ Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments.
+
+??? success "Account Security"
+
+ Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code.
+
+??? success "Data Security"
+
+ Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you.
+
+ Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon.
+
+??? success "Email Encryption"
+
+ Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP.
+
+ Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE.
+
+??? warning "Digital Legacy"
+
+ Proton Mail doesn't offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period.
+
+??? info "Additional Functionality"
+
+ Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage.
+
+### Mailbox.org
+
+!!! recommendation
+
+ ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right }
+
+ **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed.
+
+ [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:octicons-browser-16: Web](https://login.mailbox.org)
+
+??? success "Custom Domains and Aliases"
+
+ Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain.
+
+??? info "Private Payment Methods"
+
+ Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung.
+
+??? success "Account Security"
+
+ Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported.
+
+??? info "Data Security"
+
+ Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key.
+
+ However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information.
+
+??? success "Email Encryption"
+
+ Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox.
+
+ Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE.
+
+??? success "Digital Legacy"
+
+ Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address.
+
+??? info "Account Termination"
+
+ Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract).
+
+??? info "Additional Functionality"
+
+ You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors.
+
+ All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3.
+
+### StartMail
+
+!!! recommendation
+
+ ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right }
+ ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right }
+
+ **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial.
+
+ [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:octicons-browser-16: Web](https://mail.startmail.com/login)
+
+??? success "Custom Domains and Aliases"
+
+ Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available.
+
+??? warning "Private Payment Methods"
+
+ StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year.
+
+??? success "Account Security"
+
+ StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication.
+
+??? info "Data Security"
+
+ StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key.
+
+ StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption.
+
+??? success "Email Encryption"
+
+ StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys.
+
+??? warning "Digital Legacy"
+
+ StartMail does not offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration).
+
+??? info "Additional Functionality"
+
+ StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is.
+
+## More Providers
+
+These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers.
+
+### Tutanota
+
+!!! recommendation
+
+ ![Tutanota logo](assets/img/email/tutanota.svg){ align=right }
+
+ **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan.
+
+ [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609)
+ - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases)
+ - [:simple-windows11: Windows](https://tutanota.com/#download)
+ - [:simple-apple: macOS](https://tutanota.com/#download)
+ - [:simple-linux: Linux](https://tutanota.com/#download)
+ - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+
+Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders.
+
+??? success "Custom Domains and Aliases"
+
+ Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain.
+
+??? warning "Private Payment Methods"
+
+ Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore.
+
+??? success "Account Security"
+
+ Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F.
+
+??? success "Data Security"
+
+ Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you.
+
+??? warning "Email Encryption"
+
+ Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external).
+
+??? warning "Digital Legacy"
+
+ Tutanota doesn't offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay.
+
+??? info "Additional Functionality"
+
+ Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount.
+
+ Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y.
+ +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign.
+
+Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider.
+
+### AnonAddy
+
+!!! recommendation
+
+ ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right }
+ ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right }
+
+ **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous.
+
+ [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app)
+ - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe)
+
+The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan.
You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.
+
+Notable free features:
+
+- [x] 20 Shared Aliases
+- [x] Unlimited Standard Aliases
+- [ ] No Outgoing Replies
+- [x] 2 Recipient Mailboxes
+- [x] Automatic PGP Encryption
+
+### SimpleLogin
+
+!!! recommendation
+
+ ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right }
+
+ **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains.
+
+ [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858)
+ - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff)
+ - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017)
+
+SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf).
+
+You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free.
+
+Notable free features:
+
+- [x] 10 Shared Aliases
+- [x] Unlimited Replies
+- [x] 1 Recipient Mailbox
+
+## Self-Hosting Email
+
+Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable.
+
+### Combined software solutions
+
+!!!
recommendation
+
+ ![Mailcow logo](assets/img/email/mailcow.svg){ align=right }
+
+ **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support.
+
+ [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute }
+
+!!! recommendation
+
+ ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right }
+
+ **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server.
+
+ [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" }
+
+For a more manual approach we've picked out these two articles:
+
+- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019)
+- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017)
+
+## Criteria
+
+**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more.
We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you.
+
+### Technology
+
+We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require.
+
+**Minimum to Qualify:**
+
+- Encrypts email account data at rest with zero-access encryption.
+- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard.
+- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy.
+- Operates on owned infrastructure, i.e. not built upon third-party email service providers.
+
+**Best Case:**
+
+- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption.
+- Integrated webmail E2EE/PGP encryption provided as a convenience.
+- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com`
+- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
+- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
+- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
+- Catch-all or alias functionality for those who own their own domains.
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible.
+
+**Minimum to Qualify:**
+
+- Protect sender's IP address. Filter it from showing in the `Received` header field.
+- Don't require personally identifiable information (PII) besides a username and a password.
+- Privacy policy that meets the requirements defined by the GDPR
+- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/).
+
+**Best Case:**
+
+- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
+
+### Security
+
+Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members.
+
+**Minimum to Qualify:**
+
+- Protection of webmail with 2FA, such as TOTP.
+- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
+- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
+- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption.
+- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
+- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
+- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
+- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
+- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/).
+- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
+- Website security standards such as:
+ - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+ - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
+- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt.
+
+**Best Case:**
+
+- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name).
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support.
+- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+- Website security standards such as:
+ - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
+ - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the email providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+
+- Reusing personal information e.g.
(email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc)
+- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+
+**Best Case:**
+
+- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
+
+### Additional Functionality
+
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/encryption.md b/i18n/bn/encryption.md
new file mode 100644
index 00000000..47227a7b
--- /dev/null
+++ b/i18n/bn/encryption.md
@@ -0,0 +1,357 @@
+---
+title: "Encryption Software"
+icon: material/file-lock
+---
+
+Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here.
+
+## Multi-platform
+
+The options listed here are multi-platform and great for creating encrypted backups of your data.
+
+### Cryptomator (Cloud)
+
+!!! recommendation
+
+ ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right }
+
+ **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider.
+
+ [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:simple-android: Android](https://cryptomator.org/android)
+ - [:simple-windows11: Windows](https://cryptomator.org/downloads)
+ - [:simple-apple: macOS](https://cryptomator.org/downloads)
+ - [:simple-linux: Linux](https://cryptomator.org/downloads)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+
+Cryptomator uses AES-256 encryption to encrypt both files and filenames.
Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders.
+
+Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS.
+
+Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail.
+
+### Picocrypt (File)
+
+!!! recommendation
+
+ ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right }
+
+ **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features.
+
+ [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases)
+
+### VeraCrypt (Disk)
+
+!!! recommendation
+
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
+
+ **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication.
+
+ [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
+
+VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.
+
+When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher.
+
+Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
+
+## OS Full Disk Encryption
+
+Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor).
+
+### BitLocker
+
+!!! recommendation
+
+ ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right }
+
+ **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).
+
+ [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation}
+
+BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
+
+??? example "Enabling BitLocker on Windows Home"
+
+ To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module.
+
+ 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style":
+
+ ```
+ powershell Get-Disk
+ ```
+
+ 2.
Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`:
+
+ ```
+ powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm
+ ```
+
+ 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**.
+
+ 4. Login with your admin account and type this in the command prompt to start encryption:
+
+ ```
+ manage-bde -on c: -used
+ ```
+
+ 5. Close the command prompt and continue booting to regular Windows.
+
+ 6. Open an admin command prompt and run the following commands:
+
+ ```
+ manage-bde c: -protectors -add -rp -tpm
+ manage-bde -protectors -enable c:
+ manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
+ ```
+
+ !!! tip
+
+ Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data.
+
+### FileVault
+
+!!! recommendation
+
+ ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right }
+
+ **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip.
+
+ [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation}
+
+We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery.
+
+### Linux Unified Key Setup
+
+!!!
recommendation
+
+ ![LUKS logo](assets/img/encryption-software/luks.png){ align=right }
+
+ **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.
+
+ [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" }
+
+??? example "Creating and opening encrypted containers"
+
+ ```
+ dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
+ sudo cryptsetup luksFormat /path-to-file
+ ```
+
+
+ #### Opening encrypted containers
+ We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface.
+ ```
+ udisksctl loop-setup -f /path-to-file
+ udisksctl unlock -b /dev/loop0
+ ```
+
+!!! note "Remember to back up volume headers"
+
+ We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with:
+
+ ```
+ cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
+ ```
+
+## Browser-based
+
+Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device.
+
+### hat.sh
+
+!!!
recommendation
+
+ ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right }
+ ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
+
+ **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies.
+
+ [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" }
+
+## Command-line
+
+Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script).
+
+### Kryptor
+
+!!! recommendation
+
+ ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right }
+
+ **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG.
+
+ [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-windows11: Windows](https://www.kryptor.co.uk)
+ - [:simple-apple: macOS](https://www.kryptor.co.uk)
+ - [:simple-linux: Linux](https://www.kryptor.co.uk)
+
+### Tomb
+
+!!! recommendation
+
+ ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right }
+
+ **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work).
+
+ [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute }
+
+## OpenPGP
+
+OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.
+
+When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
+
+!!! tip "Use future defaults when generating a key"
+
+ When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/):
+
+ ```bash
+ gpg --quick-gen-key alice@example.com future-default
+ ```
+
+### GNU Privacy Guard
+
+!!!
recommendation
+
+ ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right }
+
+ **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government.
+
+ [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+ - [:simple-apple: macOS](https://gpgtools.org)
+ - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary)
+
+### GPG4win
+
+!!! recommendation
+
+ ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right }
+
+ **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005.
+ + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. 
Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. 
+- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/file-sharing.md b/i18n/bn/file-sharing.md new file mode 100644 index 00000000..a13590e7 --- /dev/null +++ b/i18n/bn/file-sharing.md 
@@ -0,0 +1,148 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. 
+ + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). 
The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! 
danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. 
+ +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/frontends.md b/i18n/bn/frontends.md new file mode 100644 index 00000000..056d952a --- /dev/null +++ b/i18n/bn/frontends.md 
@@ -0,0 +1,268 @@ +--- +title: "Frontends" +icon: material/flip-to-front +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. 
+ +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. 
Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). 
When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. 
+ + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. 
+ + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. 
+ + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. 
Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! 
tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. + +--8<-- "includes/abbreviations.bn.txt" 
diff --git a/i18n/bn/index.md b/i18n/bn/index.md new file mode 100644 index 00000000..6c202359 --- /dev/null +++ b/i18n/bn/index.md 
@@ -0,0 +1,44 @@
+---
+template: overrides/home.bn.html
+hide:
+ - navigation
+ - toc
+ - feedback
+---
+
+
+## Why should I care?
+
+##### “I have nothing to hide. Why should I care about my privacy?”
+
+Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination).
+
+You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human.
+
+[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary}
+
+## What should I do?
+
+##### First, you need to make a plan
+
+Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them.
+
+==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
+
+[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary}
+
+---
+
+## We need you!
Here's how to get involved:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" }
+[:material-information-outline:](about/index.md){ title="Learn more about us" }
+[:material-hand-coin-outline:](about/donate.md){ title="Support the project" }
+
+It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know.
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/kb-archive.md b/i18n/bn/kb-archive.md
new file mode 100644
index 00000000..9151eb10
--- /dev/null
+++ b/i18n/bn/kb-archive.md
@@ -0,0 +1,18 @@
+---
+title: KB Archive
+icon: material/archive
+---
+
+# Pages Moved to Blog
+
+Some pages that used to be in our knowledge base can now be found on our blog:
+
+- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
+- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
+- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
+- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/meta/brand.md b/i18n/bn/meta/brand.md
new file mode 100644
index 00000000..e2f6cc5f
--- /dev/null
+++ b/i18n/bn/meta/brand.md
@@ -0,0 +1,24 @@
+---
+title: Branding Guidelines
+---
+
+The name of the website is **Privacy Guides** and should **not** be changed to:
+
+
+- PrivacyGuides
+- Privacy guides
+- PG
+- PG.org
+
+
+The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**.
+
+Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand)
+
+## Trademark
+
+"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project.
+
+Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions.
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/meta/git-recommendations.md b/i18n/bn/meta/git-recommendations.md
new file mode 100644
index 00000000..2a3f81e1
--- /dev/null
+++ b/i18n/bn/meta/git-recommendations.md
@@ -0,0 +1,48 @@
+---
+title: Git Recommendations
+---
+
+If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations.
+
+## Enable SSH Key Commit Signing
+
+You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
+
+1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo):
+ ```
+ git config --global commit.gpgsign true
+ git config --global gpg.format ssh
+ git config --global tag.gpgSign true
+ ```
+2. Copy your SSH public key to your clipboard, for example:
+ ```
+ pbcopy < ~/.ssh/id_ed25519.pub
+ # Copies the contents of the id_ed25519.pub file to your clipboard
+ ```
+3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard:
+ ```
+ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'
+ ```
+
+Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key).
+
+## Rebase on Git pull
+
+Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo).
+
+You can set this to be the default behavior:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase from `main` before submitting a PR
+
+If you are working on your own branch, run these commands before submitting a PR:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/meta/uploading-images.md b/i18n/bn/meta/uploading-images.md
new file mode 100644
index 00000000..75d599fb
--- /dev/null
+++ b/i18n/bn/meta/uploading-images.md
@@ -0,0 +1,91 @@
+---
+title: Uploading Images
+---
+
+Here are a couple of general rules for contributing to Privacy Guides:
+
+## Images
+
+- We **prefer** SVG images, but if those do not exist we can use PNG images
+
+Company logos have canvas size of:
+
+- 128x128px
+- 384x128px
+
+## Optimization
+
+### PNG
+
+Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image:
+
+```bash
+optipng -o7 file.png
+```
+
+### SVG
+
+#### Inkscape
+
+[Scour](https://github.com/scour-project/scour) all SVG images.
+
+In Inkscape:
+
+1. File Save As..
+2. Set type to Optimized SVG (*.svg)
+
+In the **Options** tab:
+
+- **Number of significant digits for coordinates** > **5**
+- [x] Turn on **Shorten color values**
+- [x] Turn on **Convert CSS attributes to XML attributes**
+- [x] Turn on **Collapse groups**
+- [x] Turn on **Create groups for similar attributes**
+- [ ] Turn off **Keep editor data**
+- [ ] Turn off **Keep unreferenced definitions**
+- [x] Turn on **Work around renderer bugs**
+
+In the **SVG Output** tab under **Document options**:
+
+- [ ] Turn off **Remove the XML declaration**
+- [x] Turn on **Remove metadata**
+- [x] Turn on **Remove comments**
+- [x] Turn on **Embeded raster images**
+- [x] Turn on **Enable viewboxing**
+
+In the **SVG Output** under **Pretty-printing**:
+
+- [ ] Turn off **Format output with line-breaks and indentation**
+- **Indentation characters** > Select **Space**
+- **Depth of indentation** > **1**
+- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element**
+
+In the **IDs** tab:
+
+- [x] Turn on **Remove unused IDs**
+- [ ] Turn off **Shorten IDs**
+- **Prefix shortened IDs with** > `leave blank`
+- [x] Turn on **Preserve manually created IDs not ending with digits**
+- **Preserve the following IDs** > `leave blank`
+- **Preserve IDs starting with** > `leave blank`
+
+#### CLI
+
+The same can be achieved with the [Scour](https://github.com/scour-project/scour) command:
+
+```bash
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/meta/writing-style.md b/i18n/bn/meta/writing-style.md
new file mode 100644
index 00000000..50ac0182
--- /dev/null
+++ b/i18n/bn/meta/writing-style.md
@@ -0,0 +1,89 @@
+---
+title: Writing Style
+---
+
+Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt.
+
+In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below.
+
+## Writing for our audience
+
+Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with.
+
+### Address only what people want to know
+
+People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details.
+
+> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.”
+
+### Address people directly
+
+We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly.
+
+> More than any other single technique, using “you” pulls users into the information and makes it relevant to them.
+>
+> When you use “you” to address users, they are more likely to understand what their responsibility is.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/)
+
+### Avoid "users"
+
+Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for.
+
+## Organizing content
+
+Organization is key.
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas.
+
+- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages.
+- Mark important ideas with **bold** or *italics*.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
+
+### Begin with a topic sentence
+
+> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details.
+>
+> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
+
+## Choose your words carefully
+
+> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand.
+
+We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly.
+
+> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences:
+>
+> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends.
+>
+> And the original, using stronger, simpler words:
+>
+> > More night jobs would keep youths off the streets.
+
+## Be concise
+
+> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
+
+## Keep text conversational
+
+> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting.
+>
+> Verbs tell your audience what to do. Make sure it’s clear who does what.
+
+### Use active voice
+
+> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.”
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
+
+### Use "must" for requirements
+
+> - “must” for an obligation
+> - “must not” for a prohibition
+> - “may” for a discretionary action
+> - “should” for a recommendation
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/mobile-browsers.md b/i18n/bn/mobile-browsers.md
new file mode 100644
index 00000000..f014aca5
--- /dev/null
+++ b/i18n/bn/mobile-browsers.md
@@ -0,0 +1,193 @@
+---
+title: "Mobile Browsers"
+icon: material/cellphone-information
+---
+
+These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## অ্যান্ড্রয়েড
+
+On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
+
+### Brave
+
+!!! recommendation
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ???
downloads annotate
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+
+#### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy**
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+##### Brave shields global defaults
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+- [x] Select **Aggressive** under Block trackers & ads
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] Select **Upgrade connections to HTTPS**
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under **Block fingerprinting**
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Clear browsing data
+
+- [x] Select **Clear data on exit**
+
+##### Social Media Blocking
+
+- [ ] Uncheck all social media components
+
+##### Other privacy settings
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Allow sites to check if you have payment methods saved**
+- [ ] Uncheck **IPFS Gateway** (1)
+- [x] Select **Close tabs on exit**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+
+1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+
+#### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## iOS
+
+On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser.
+
+### Safari
+
+!!! recommendation
+
+ ![Safari logo](assets/img/browsers/safari.svg){ align=right }
+
+ **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
+
+ [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation}
+
+#### Recommended Configuration
+
+These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.
+
+##### Cross-Site Tracking Prevention
+
+- [x] Enable **Prevent Cross-Site Tracking**
+
+This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
+
+##### Privacy Report
+
+Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
+
+Privacy Report is accessible via the Page Settings menu.
+
+##### Privacy Preserving Ad Measurement
+
+- [ ] Disable **Privacy Preserving Ad Measurement**
+
+Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
+
+The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
+
+##### Always-on Private Browsing
+
+Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
+
+- [x] Select **Private**
+
+Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
+
+Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
+
+##### iCloud Sync
+
+Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303).
Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
+
+You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**.
+
+- [x] Turn On **Advanced Data Protection**
+
+If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
+
+### AdGuard
+
+!!! recommendation
+
+ ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right }
+
+ **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
+
+ AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge.
+
+ [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations.
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must support automatic updates.
+- Must receive engine updates in 0-1 days from upstream release.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Android browsers must use the Chromium engine.
+ - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android.
+ - iOS browsers are limited to WebKit.
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/multi-factor-authentication.md b/i18n/bn/multi-factor-authentication.md
new file mode 100644
index 00000000..5e1c1e30
--- /dev/null
+++ b/i18n/bn/multi-factor-authentication.md
@@ -0,0 +1,144 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. 
+ +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey / Librem Key + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. 
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + + The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +!!! tip + + The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. 
+ +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/news-aggregators.md b/i18n/bn/news-aggregators.md new file mode 100644 index 00000000..dc5f154d --- /dev/null +++ b/i18n/bn/news-aggregators.md 
@@ -0,0 +1,173 @@ +--- +title: "News Aggregators" +icon: material/rss +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favourite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! 
recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. 
+ + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/notebooks.md b/i18n/bn/notebooks.md new file mode 100644 index 00000000..54f6524a --- /dev/null +++ b/i18n/bn/notebooks.md 
@@ -0,0 +1,115 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. 
+ + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/os/android-overview.md b/i18n/bn/os/android-overview.md new file mode 100644 index 00000000..4cd3f7b2 --- /dev/null +++ b/i18n/bn/os/android-overview.md 
@@ -0,0 +1,135 @@
+---
+title: Android Overview
+icon: ফন্টঅ্যাওসাম/ ব্র্যান্ড / অ্যান্ড্রয়েড
+---
+
+Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system.
+
+## Choosing an Android Distribution
+
+When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android.
+
+This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model.
+
+Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model.
At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria.
+
+[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button}
+
+## Avoid Rooting
+
+[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses.
+
+Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.
+
+AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations.
+
+We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps.
+
+## Verified Boot
+
+[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
+
+Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted.
+
+Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device.
+
+Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended.
+
+Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage.
+
+## Firmware Updates
+
+Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin).
+
+As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support.
+
+EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed.
+
+Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates.
+
+## Android Versions
+
+It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
+
+## Android Permissions
+
+[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for.
It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel.
+
+Should you want to run an app that you're unsure about, consider using a user or work profile.
+
+## Media Access
+
+Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter.
+
+## User Profiles
+
+Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android.
+
+With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation.
+
+## Work Profile
+
+[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles.
+
+A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one.
+
+The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile.
+
+This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously.
+
+## VPN Killswitch
+
+Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+## Global Toggles
+
+Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled.
+
+## Google
+
+If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play.
+
+### Advanced Protection Program
+
+If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support.
+
+The Advanced Protection Program provides enhanced threat monitoring and enables:
+
+- Stricter two factor authentication; e.g.
that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth)
+- Only Google and verified third-party apps can access account data
+- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
+- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
+- Stricter recovery process for accounts with lost credentials
+
+ If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as:
+
+- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)
+- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
+- Warning you about unverified applications
+
+### Google Play System Updates
+
+In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services.
+
+If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS).
This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible.
+
+### Advertising ID
+
+All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you.
+
+On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*.
+
+On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check
+
+- :gear: **Settings** → **Google** → **Ads**
+- :gear: **Settings** → **Privacy** → **Ads**
+
+You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID.
+
+### SafetyNet and Play Integrity API
+
+[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`.
Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities.
+
+As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services.
+
+--8<-- "includes/abbreviations.bn.txt"
diff --git a/i18n/bn/os/linux-overview.md b/i18n/bn/os/linux-overview.md
new file mode 100644
index 00000000..13489c52
--- /dev/null
+++ b/i18n/bn/os/linux-overview.md
@@ -0,0 +1,143 @@
+---
+title: Linux Overview
+icon: simple/linux
+---
+
+It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years.
+
+At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.:
+
+- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm).
These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack)
+- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go
+- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations)
+
+Despite these drawbacks, desktop Linux distributions are great if you want to:
+
+- Avoid telemetry that often comes with proprietary operating systems
+- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms)
+- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/)
+
+Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here.
+
+[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button}
+
+## Choosing your distribution
+
+Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use.
+
+### Release cycle
+
+We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions.
This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
+
+For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.
+
+We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this:
+
+
+
+
+
+### Traditional vs Atomic updates
+
+Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating.
+
+Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic.
+
+A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state."
+
+The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue:
+
+
+
+
+
+### “Security-focused” distributions
+
+There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use.
+
+### Arch-based distributions
+
+Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.
+
+For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit).
+
+Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/).
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.
+
+If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically:
+
+- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories.
+- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks.
+
+### Kicksecure
+
+While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.
+
+### Linux-libre kernel and “Libre” distributions
+
+We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons.
+
+## General Recommendations
+
+### Drive Encryption
+
+Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
+
+- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+
+### Swap
+
+Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM).
+
+### Wayland
+
+We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland.
+
+Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
+
+We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
+
+### Proprietary Firmware (Microcode Updates)
+
+Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html).
+
+We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default.
+
+### Updates
+
+Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found.
+
+Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates.
+
+Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd).
+
+## Privacy Tweaks
+
+### MAC Address Randomization
+
+Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings.
+
+It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous.
+
+We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/).
+
+If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=).
+ +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. 
+ +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/os/qubes-overview.md b/i18n/bn/os/qubes-overview.md new file mode 100644 index 00000000..1ced5418 --- /dev/null +++ b/i18n/bn/os/qubes-overview.md @@ -0,0 +1,56 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. 
+ +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/passwords.md b/i18n/bn/passwords.md new file mode 100644 index 00000000..8ce00e78 --- /dev/null +++ b/i18n/bn/passwords.md 
@@ -0,0 +1,230 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. 
If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. 
+ + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! 
recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). 
+ + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/productivity.md b/i18n/bn/productivity.md new file mode 100644 index 00000000..8000471a --- /dev/null +++ b/i18n/bn/productivity.md 
@@ -0,0 +1,156 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! 
recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. 
+- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! 
recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. 
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/real-time-communication.md b/i18n/bn/real-time-communication.md new file mode 100644 index 00000000..9c8b56d3 --- /dev/null +++ b/i18n/bn/real-time-communication.md 
@@ -0,0 +1,195 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. 
Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. 
+ + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. 
The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. 
+ +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/router.md b/i18n/bn/router.md new file mode 100644 index 00000000..6b9b1b3b --- /dev/null +++ b/i18n/bn/router.md 
@@ -0,0 +1,51 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +--- + +Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. 
+ + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute } + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. + +--8<-- "includes/abbreviations.bn.txt" 
diff --git a/i18n/bn/search-engines.md b/i18n/bn/search-engines.md new file mode 100644 index 00000000..cf9a3774 --- /dev/null +++ b/i18n/bn/search-engines.md 
@@ -0,0 +1,109 @@ +--- +title: "Search Engines" +icon: material/search-web +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! 
recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! 
recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. 
The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/tools.md b/i18n/bn/tools.md new file mode 100644 index 00000000..9f614711 --- /dev/null +++ b/i18n/bn/tools.md 
@@ -0,0 +1,443 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/tor.md b/i18n/bn/tor.md new file mode 100644 index 00000000..e26da175 --- /dev/null +++ b/i18n/bn/tor.md @@ -0,0 +1,124 @@ +--- +title: "Tor Network" +icon: simple/torproject +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+ +- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md) + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! 
danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to. + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. 
It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/video-streaming.md b/i18n/bn/video-streaming.md new file mode 100644 index 00000000..993ccc67 --- /dev/null +++ b/i18n/bn/video-streaming.md 
@@ -0,0 +1,52 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. 
+ +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/bn/vpn.md b/i18n/bn/vpn.md new file mode 100644 index 00000000..b5d2a6a1 --- /dev/null +++ b/i18n/bn/vpn.md 
@@ -0,0 +1,323 @@ +--- +title: "VPN Services" +icon: material/vpn +--- + +Find a no-logging VPN operator who isn’t out to sell or read your web traffic. + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +??? question "When are VPNs useful?" + + If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. + + [More Info](basics/vpn-overview.md){ .md-button } + +## Recommended Providers + +!!! abstract "Criteria" + + Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#our-criteria) for more information. + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +??? success annotate "67 Countries" + + Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). 
A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +??? success "Open-Source Clients" + + Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +??? success "Accepts Cash" + + Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment. + +??? success "WireGuard Support" + + Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +??? warning "Remote Port Forwarding" + + Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +??? 
info "Additional Functionality" + + Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +!!! danger "Killswitch feature is broken on Intel-based Macs" + + System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +??? success annotate "35 Countries" + + IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1). 
Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +??? success "Open-Source Clients" + + As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +??? success "Accepts Cash and Monero" + + In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +??? success "WireGuard Support" + + IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. 
+ + IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +??? info "Additional Functionality" + + IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. 
+ + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +??? success annotate "41 Countries" + + Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2023-01-19 + +??? success "Independently Audited" + + Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). 
The security researchers concluded: + + > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + + In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + + > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + + In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +??? success "Open-Source Clients" + + Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +??? 
success "Accepts Cash and Monero" + + Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +??? success "WireGuard Support" + + Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "IPv6 Support" + + Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +??? 
success "Mobile Clients" + + Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +??? info "Additional Functionality" + + Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. 
+ +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- Monero or cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts Monero, cash, and other forms of anonymous payment options (gift cards, etc.) +- No personal information accepted (autogenerated username, no email required, etc.) 
+ +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. 
We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. + +--8<-- "includes/abbreviations.bn.txt" diff --git a/i18n/de/404.md b/i18n/de/404.md new file mode 100644 index 00000000..cf586962 --- /dev/null +++ b/i18n/de/404.md 
@@ -0,0 +1,17 @@ +--- +hide: + - feedback +--- + +# 404 - Seite nicht gefunden + +Wir konnten die Seite, nach der du gesucht hast, nicht finden! Vielleicht hast du nach einer dieser Seiten gesucht? + +- [Einführung in die Bedrohungsmodellierung](basics/threat-modeling.md) +- [Empfohlene DNS-Anbieter](dns.md) +- [Beste Desktop-Webbrowser](desktop-browsers.md) +- [Beste VPN-Anbieter](vpn.md) +- [Privacy Guides Forum](https://discuss.privacyguides.net) +- [Unser Blog](https://blog.privacyguides.org) + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/CODE_OF_CONDUCT.md b/i18n/de/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/de/CODE_OF_CONDUCT.md 
@@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. 
**Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. 
diff --git a/i18n/de/about/criteria.md b/i18n/de/about/criteria.md new file mode 100644 index 00000000..f27f1e2b --- /dev/null +++ b/i18n/de/about/criteria.md 
@@ -0,0 +1,42 @@ +--- +title: Allgemeine Kriterien +--- + +!!! example "Work in Progress" + + Die folgende Seite ist in Arbeit und spiegelt zum aktuell noch nicht die vollständigen Kriterien für unsere Empfehlungen wider. Frühere Diskussion zu diesem Thema: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Nachfolgend sind einige Punkte aufgeführt, die für alle Einsendungen an Privacy Guides zutreffen müssen. Für jede Kategorie gelten zusätzliche Anforderungen für die Aufnahme. + +## Finanz-Offenlegung + +Wir verdienen kein Geld mit Empfehlungen bestimmter Produkte, wir verwenden keine Affiliate-Links, und wir gewähren keine besondere Gegenleistung für Projektspender. + +## Allgemeine Richtlinien + +Wir wenden diese Prioritäten beim Prüfen neuer Empfehlungen an: + +- **Sicher**: Tools sollten, wo möglich, bewährte Sicherheitspraktiken anwenden. +- **Verfügbarkeit der Quellen**: Open-Source-Projekte werden meist gegenüber gleichwertigen proprietären Alternativen bevorzugt. +- **Plattformübergreifend**: Wir bevorzugen Empfehlungen die plattformübergreifend sind, um eine Herstellerbindung zu vermeiden. +- **Aktive Entwicklung**: Die von uns empfohlenen Tools sollten aktiv weiterentwickelt werden, nicht gewartete Projekte werden in den meisten Fällen entfernt. +- **Benutzerfreundlichkeit**: Die Tools sollten für die meisten Computerbenutzer zugänglich sein, ein übermäßig technischer Hintergrund sollte nicht erforderlich sein. +- **Dokumentiert**: Die Werkzeuge sollten über eine klare und ausführliche Dokumentation zum Gebrauch verfügen. + +## Selbsteinreichungen von Entwicklern + +Wir haben diese Anforderungen an Entwickler, die eigene Projekt oder Software zur Prüfung einreichen möchten. + +- Muss die Zugehörigkeit offenlegen, d.h. deine Position innerhalb des eingereichten Projekts. + +- Muss ein Sicherheits-Whitepaper haben, wenn es sich um ein Projekt handelt, das den Umgang mit sensiblen Informationen beinhaltet, wie z. B. 
Messenger, Passwort-Manager, verschlüsselte Cloud-Speicherung usw. + - Status der Prüfung durch Dritte. Wir möchten wissen, ob eine vorhanden oder geplant ist. Wenn möglich, gib bitte an, wer die Prüfung durchführen wird. + +- Muss erklären, was das Projekt im Hinblick auf den Schutz der Privatsphäre bietet. + - Löst es ein neues Problem? + - Warum sollte jemand es den Alternativen vorziehen? + +- Must state what the exact threat model is with their project. + - Den potenziellen Nutzern sollte klar sein, was das Projekt bieten kann und was nicht. + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/about/donate.md b/i18n/de/about/donate.md new file mode 100644 index 00000000..462e3730 --- /dev/null +++ b/i18n/de/about/donate.md 
@@ -0,0 +1,52 @@ +--- +title: Uns unterstützen +--- + + +Es braucht eine Menge [Leute](https://github.com/privacyguides/privacyguides.org/graphs/contributors) und [Arbeit](https://github.com/privacyguides/privacyguides.org/pulse/monthly) um die Privacy Guides auf dem neuesten Stand zu halten und Wissen über Datenschutz und Massenüberwachung zu verbreiten. Wenn dir gefällt, was wir tun, kannst du dich beteiligen, indem du [die Website bearbeitest](https://github.com/privacyguides/privacyguides.org) oder [Übersetzungen](https://crowdin.com/project/privacyguides) beisteuerst. + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective akzeptiert Zahlungen per Kredit-/Debitkarte, PayPal und Banküberweisung. + +[Auf OpenCollective.com spenden](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Spenden, die direkt über Open Collective gemacht werden, sind in den USA in der Regel steuerlich absetzbar, da unser steuerlicher Träger (die Open Collective Foundation) eine eingetragene 501(c)3 Organisation ist. Nach deiner Spende erhältst du eine Spendenbescheinigung von der Open Collective Foundation. Privacy Guides bietet keine Finanzberatung an, und Sie sollten sich an Ihren Steuerberater wenden, um herauszufinden, ob dies auf Sie zutrifft. + +Wenn du bereits GitHub-Sponsoring verwendest, kannst du unsere Organisation auch dort unterstützen. + +[Sponsor uns auf GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Unterstützer/-innen + +Ein besonderer Dank geht an alle, die unsere Mission unterstützen! :heart: + +*Bitte beachten Sie: Dieser Abschnitt lädt ein Widget direkt von Open Collective. 
This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Privacy Guides is a **non-profit** organization. We use donations for a variety of purposes, including: + +**Domain Registrations** +: + +We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration. + +**Web Hosting** +: + +Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic. + +**Online Services** +: + +We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.). + +**Product Purchases** +: + +We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/about/index.md b/i18n/de/about/index.md new file mode 100644 index 00000000..7b21da87 --- /dev/null +++ b/i18n/de/about/index.md 
@@ -0,0 +1,63 @@ +--- +title: "Über Privacy Guides" +--- + +**Privacy Guides** ist ein sozial motivierte Website, die Informationen zum Schutz deiner Datensicherheit und Privatsphäre bereitstellt. Wir sind ein gemeinnütziges Kollektiv, welches ausschließlich von freiwilligen [Teammitgliedern](https://discuss.privacyguides.net/g/team) und Mitwirkenden betrieben wird. + +[:material-hand-coin-outline: Unterstütze das Projekts](donate.md ""){.md-button.md-button--primary} + +## Unser Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Webseite](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: E-Mail](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: E-Mail](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Webseite](https://freddy.omg.lol) + +??? 
person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Webseite](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Darüber hinaus haben [viele Menschen](https://github.com/privacyguides/privacyguides.org/graphs/contributors) Beiträge zu dem Projekt geleistet. Du kannst das auch, wir sind Open Source auf GitHub! + +Unsere Teammitglieder überprüfen alle Änderungen, die an der Website vorgenommen werden, und kümmern sich um administrative Aufgaben wie Webhosting und Finanzen, allerdings profitieren sie nicht persönlich von den Beiträgen, die zu dieser Website geleistet werden. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax deductible in the United States. + +## Site License + +*The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):* + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). 
This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/about/notices.md b/i18n/de/about/notices.md new file mode 100644 index 00000000..6b626371 --- /dev/null +++ b/i18n/de/about/notices.md 
@@ -0,0 +1,45 @@ +--- +title: "Notices and Disclaimers" +hide: + - toc +--- + +## Legal Disclaimer + +Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship. + +Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licenses + +Unless otherwise noted, all content on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). 
+ +This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). + +Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE). + +This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. 
*When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.* + +When you contribute to this repository you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Acceptable Use + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. + +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Excessive Automated Scans +* Denial of Service Attacks +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/about/privacy-policy.md b/i18n/de/about/privacy-policy.md new file mode 100644 index 00000000..27f28742 --- /dev/null +++ b/i18n/de/about/privacy-policy.md 
@@ -0,0 +1,63 @@ +--- +title: "Privacy Policy" +--- + +Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). + +## Data We Collect From Visitors + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- No personal information is collected +- No information such as cookies are stored in the browser +- No information is shared with, sent to or sold to third-parties +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- No information is monetized + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Data We Collect From Account Holders + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. 
+ +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. 
In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/about/privacytools.md b/i18n/de/about/privacytools.md new file mode 100644 index 00000000..6161b3ef --- /dev/null +++ b/i18n/de/about/privacytools.md 
@@ -0,0 +1,120 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. 
The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. 
+ +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. 
This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. 
If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. 
+ +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. 
BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. 
+ +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. 
+ +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. 
+ +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/about/services.md b/i18n/de/about/services.md new file mode 100644 index 00000000..2eeca9fe --- /dev/null +++ b/i18n/de/about/services.md 
@@ -0,0 +1,40 @@
+# Privacy Guides Services
+
+We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below.
+
+[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary}
+
+## Discourse
+
+- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net)
+- Availability: Public
+- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse)
+
+## Gitea
+
+- Domain: [code.privacyguides.dev](https://code.privacyguides.dev)
+- Availability: Invite-Only
+ Access may be granted upon request to any team working on *Privacy Guides*-related development or content.
+- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea)
+
+## Matrix
+
+- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org)
+- Availability: Invite-Only
+ Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence.
+- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy)
+
+## SearXNG
+
+- Domain: [search.privacyguides.net](https://search.privacyguides.net)
+- Availability: Public
+- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker)
+
+## Invidious
+
+- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net)
+- Availability: Semi-Public
+ We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time.
+- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious)
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/about/statistics.md b/i18n/de/about/statistics.md new file mode 100644 index 00000000..c0ca4f91 --- /dev/null +++ b/i18n/de/about/statistics.md @@ -0,0 +1,63 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/advanced/communication-network-types.md b/i18n/de/advanced/communication-network-types.md new file mode 100644 index 00000000..bdac295f --- /dev/null +++ b/i18n/de/advanced/communication-network-types.md 
@@ -0,0 +1,104 @@
+---
+title: "Types of Communication Networks"
+icon: 'material/transit-connection-variant'
+---
+
+There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use.
+
+[Recommended Instant Messengers](../real-time-communication.md ""){.md-button}
+
+## Centralized Networks
+
+![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left }
+
+Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization.
+
+Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate.
+
+**Advantages:**
+
+- New features and changes can be implemented more quickly.
+- Easier to get started with and to find contacts.
+- Most mature and stable features ecosystems, as they are easier to program in a centralized software.
+- Privacy issues may be reduced when you trust a server that you're self-hosting.
+
+**Disadvantages:**
+
+- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like:
+- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage.
+- Poor or no documentation for third-party developers.
+- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on.
+- Self-hosting requires effort and knowledge of how to set up a service.
+
+## Federated Networks
+
+![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left }
+
+Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network.
+
+When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server).
+
+**Advantages:**
+
+- Allows for greater control over your own data when running your own server.
+- Allows you to choose whom to trust your data with by choosing between multiple "public" servers.
+- Often allows for third-party clients which can provide a more native, customized, or accessible experience.
+- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member).
+
+**Disadvantages:**
+
+- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network.
+- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion.
+- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used).
+- Federated servers generally require trusting your server's administrator.
They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used.
+- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers.
+
+## Peer-to-Peer Networks
+
+![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left }
+
+P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server.
+
+Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol).
+
+Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient.
+
+P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting.
+
+**Advantages:**
+
+- Minimal information is exposed to third-parties.
+- Modern P2P platforms implement E2EE by default.
There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models.
+
+**Disadvantages:**
+
+- Reduced feature set:
+- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online.
+- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online.
+- Some common messenger features may not be implemented or incompletely, such as message deletion.
+- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention.
+
+## Anonymous Routing
+
+![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left }
+
+A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three.
+
+There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can.
Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers."
+
+Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit.
+
+**Advantages:**
+
+- Minimal to no information is exposed to other parties.
+- Messages can be relayed in a decentralized manner even if one of the parties is offline.
+
+**Disadvantages:**
+
+- Slow message propagation.
+- Often limited to fewer media types, mostly text, since the network is slow.
+- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline.
+- More complex to get started, as the creation and secured backup of a cryptographic private key is required.
+- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/advanced/dns-overview.md b/i18n/de/advanced/dns-overview.md
new file mode 100644
index 00000000..8b85b70f
--- /dev/null
+++ b/i18n/de/advanced/dns-overview.md
@@ -0,0 +1,307 @@
+---
+title: "DNS Overview"
+icon: material/dns
+---
+
+The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers.
+
+## What is DNS?
+
+When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned.
+
+DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol).
+
+Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP.
+
+Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns).
+
+### Unencrypted DNS
+
+1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow.
This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. 
| Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. 
Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. 
When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned.
+
+## Why **shouldn't** I use encrypted DNS?
+
+In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity.
+
+When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS:
+
+### IP Address
+
+The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides.
+
+This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet.
+
+### Server Name Indication (SNI)
+
+Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection.
+
+1. Start capturing again with `tshark`.
We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. 
Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. 
We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. 
It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? 
+
+A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server).
+
+Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
+
+## What is EDNS Client Subnet (ECS)?
+
+The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query.
+
+It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps.
+
+This feature does come at a privacy cost, as it tells the DNS server some information about the client's location.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/advanced/tor-overview.md b/i18n/de/advanced/tor-overview.md
new file mode 100644
index 00000000..cf1311b1
--- /dev/null
+++ b/i18n/de/advanced/tor-overview.md
@@ -0,0 +1,81 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building + +Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +--8<-- "includes/abbreviations.de.txt" + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. 
The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/de/android.md b/i18n/de/android.md new file mode 100644 index 00000000..dd54ed06 --- /dev/null +++ b/i18n/de/android.md 
@@ -0,0 +1,353 @@ +--- +title: "Android" +icon: 'simple/android' +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +- [General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md) +- [Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! 
recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! 
recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). 
All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. 
For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. 
Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). 
If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! 
recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! 
recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). 
If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. 
+ +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. 
+ + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. 
While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Operating Systems
+
+- Must be open-source software.
+- Must support bootloader locking with custom AVB key support.
+- Must receive major Android updates within 0-1 months of release.
+- Must receive Android feature updates (minor version) within 0-14 days of release.
+- Must receive regular security patches within 0-5 days of release.
+- Must **not** be "rooted" out of the box.
+- Must **not** enable Google Play Services by default.
+- Must **not** require system modification to support Google Play Services.
+
+### Devices
+
+- Must support at least one of our recommended custom operating systems.
+- Must be currently sold new in stores.
+- Must receive a minimum of 5 years of security updates.
+- Must have dedicated secure element hardware.
+
+### Applications
+
+- Applications on this page must not be applicable to any other software category on the site.
+- General applications should extend or replace core system functionality.
+- Applications should receive regular updates and maintenance.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/assets/img/account-deletion/exposed_passwords.png b/i18n/de/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/de/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/de/assets/img/android/rss-apk-dark.png b/i18n/de/assets/img/android/rss-apk-dark.png
new file mode 100644
index 00000000..974869a4
Binary files /dev/null and b/i18n/de/assets/img/android/rss-apk-dark.png differ
diff --git a/i18n/de/assets/img/android/rss-apk-light.png b/i18n/de/assets/img/android/rss-apk-light.png
new file mode 100644
index 00000000..21d6ef03
Binary files /dev/null and b/i18n/de/assets/img/android/rss-apk-light.png differ
diff --git a/i18n/de/assets/img/android/rss-changes-dark.png b/i18n/de/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/de/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/de/assets/img/android/rss-changes-light.png b/i18n/de/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/de/assets/img/android/rss-changes-light.png differ diff --git a/i18n/de/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/de/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/de/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/de/assets/img/how-tor-works/tor-encryption.svg b/i18n/de/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/de/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/de/assets/img/how-tor-works/tor-path-dark.svg b/i18n/de/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/de/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/de/assets/img/how-tor-works/tor-path.svg b/i18n/de/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/de/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/de/assets/img/multi-factor-authentication/fido.png b/i18n/de/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/de/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/de/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/de/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/de/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/de/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/de/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/de/assets/img/qubes/qubes-trust-level-architecture.png differ 
diff --git a/i18n/de/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/de/assets/img/qubes/r4.0-xfce-three-domains-at-work.png
new file mode 100644
index 00000000..d7138149
Binary files /dev/null and b/i18n/de/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ
diff --git a/i18n/de/basics/account-creation.md b/i18n/de/basics/account-creation.md
new file mode 100644
index 00000000..7d353347
--- /dev/null
+++ b/i18n/de/basics/account-creation.md
@@ -0,0 +1,82 @@
+---
+title: "Benutzerkontenerstellung"
+icon: 'material/account-plus'
+---
+
+Oft melden sich Menschen für Dienste an, ohne nachzudenken. Vielleicht ist es ein Streaming-Dienst, mit dem du die neue Serie, über die alle reden, sehen kannst, oder ein Konto, mit dem du einen Rabatt für dein Lieblingsrestaurant bekommst. In jedem Fall solltest du die Auswirkungen auf Ihre Daten jetzt und in Zukunft beachten.
+
+Mit jedem neuen Dienst, den du nutzt, sind Risiken verbunden. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer.
+
+It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.
+
+## Terms of Service & Privacy Policy
+
+The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for.
+ +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. 
This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. 
Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md).
+
+All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak.
+
+### Phone number
+
+We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted.
+
+You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts.
+
+In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number!
+
+### Username and password
+
+Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/basics/account-deletion.md b/i18n/de/basics/account-deletion.md
new file mode 100644
index 00000000..d8f7cca2
--- /dev/null
+++ b/i18n/de/basics/account-deletion.md
@@ -0,0 +1,63 @@
+---
+title: "Account Deletion"
+icon: 'material/account-remove'
+---
+
+Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence.
+
+## Finding Old Accounts
+
+### Password Manager
+
+If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/).
+
+
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+
+Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336).
+
+Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about:
+
+- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
+- macOS [Passwords](https://support.apple.com/en-us/HT211145)
+- iOS [Passwords](https://support.apple.com/en-us/HT211146)
+- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
+
+### Email
+
+If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts.
+
+## Deleting Old Accounts
+
+### Log In
+
+In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page.
It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts.
+
+When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account.
+
+### GDPR (EEA residents only)
+
+Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
+
+### Overwriting Account information
+
+In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information.
+
+For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.
+
+### Delete
+
+You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
+
+For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this).
+
+If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
+
+Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services.
+
+## Avoid New Accounts
+
+As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/basics/common-misconceptions.md b/i18n/de/basics/common-misconceptions.md
new file mode 100644
index 00000000..e7a13f6a
--- /dev/null
+++ b/i18n/de/basics/common-misconceptions.md
@@ -0,0 +1,61 @@
+---
+title: "Common Misconceptions"
+icon: 'material/robot-confused'
+---
+
+## "Open-source software is always secure" or "Proprietary software is more secure"
+
+These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis.
+
+Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1]
+
+On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
+
+To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use.
+
+## "Shifting trust can increase privacy"
+
+We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that:
+
+1. 
You must exercise caution when choosing a provider to shift trust to.
+2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data.
+
+## "Privacy-focused solutions are inherently trustworthy"
+
+Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider.
+
+The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all.
+
+## "Complicated is better"
+
+We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?"
+
+Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips:
+
+1. 
==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. 
This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +--8<-- "includes/abbreviations.de.txt" + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/de/basics/common-threats.md b/i18n/de/basics/common-threats.md new file mode 100644 index 00000000..44b5add0 --- /dev/null +++ b/i18n/de/basics/common-threats.md 
@@ -0,0 +1,149 @@
+---
+title: "Common Threats"
+icon: 'material/eye-outline'
+---
+
+Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat.
+
+- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically.
+- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically.
+- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
+- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
+- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities.
+- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
+- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public.
+- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online.
+
+Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices.
+
+## Anonymity vs. Privacy
+
+:material-incognito: Anonymity
+
+Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity.
+
+Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far.
+
+## Security and Privacy
+
+:material-bug-outline: Passive Attacks
+
+Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private.
The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.)
+
+When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited.
+
+To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control.
+
+!!! tip
+
+ Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources.
+
+ Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os).
+
+:material-target-account: Targeted Attacks
+
+Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies.
+
+!!! tip
+
+ By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this.
+
+If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user.
+
+## Privacy From Service Providers
+
+:material-server-network: Service Providers
+
+We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere.
Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them.
+
+The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord.
+
+Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party.
+
+!!! note "Note on Web-based Encryption"
+
+ In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering).
+
+ On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt.
+
+ Therefore, you should use native applications over web clients whenever possible.
+
+Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all.
+
+## Mass Surveillance Programs
+
+:material-eye-outline: Mass Surveillance
+
+Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative.
+
+!!! abstract "Atlas of Surveillance"
+
+ If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/).
+
+ In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net.
+
+Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others.
+
+!!!
quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
+
+ In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline.
+
+Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2]
+
+Online, you can be tracked via a variety of methods:
+
+- Your IP address
+- Browser cookies
+- The data you submit to websites
+- Your browser or device fingerprint
+- Payment method correlation
+
+\[This list isn't exhaustive].
+
+If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information.
+
+:material-account-cash: Surveillance Capitalism
+
+> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3]
+
+For many people, tracking and surveillance by private corporations is a growing concern.
Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4]
+
+Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you.
+
+## Limiting Public Information
+
+:material-account-search: Public Exposure
+
+The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy.
+
+- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md)
+
+On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission.
+
+If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity.
This makes your real information indistinguishable from the false information.
+
+## Avoiding Censorship
+
+:material-close-outline: Censorship
+
+Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5]
+
+Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.
+
+People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.
+
+!!! tip
+
+ While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic.
+
+ You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place.
Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
+
+You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.
+
+--8<-- "includes/abbreviations.de.txt"
+
+[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance).
+[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques.
+[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights).
diff --git a/i18n/de/basics/email-security.md b/i18n/de/basics/email-security.md
new file mode 100644
index 00000000..c3584818
--- /dev/null
+++ b/i18n/de/basics/email-security.md
@@ -0,0 +1,42 @@
+---
+title: Email Security
+icon: material/email
+---
+
+Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed.
+
+As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others.
+
+## Email Encryption Overview
+
+The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
+
+There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible.
+
+### What Email Clients Support E2EE?
+
+Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication.
+
+### How Do I Protect My Private Keys?
+
+A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
+
+It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.
+
+## Email Metadata Overview
+
+Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
+
+Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent.
+
+### Who Can View Email Metadata?
+
+Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages.
+
+### Why Can't Metadata be E2EE?
+
+Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/basics/multi-factor-authentication.md b/i18n/de/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..5dc67b88
--- /dev/null
+++ b/i18n/de/basics/multi-factor-authentication.md
@@ -0,0 +1,166 @@
+---
+title: "Multi-Factor Authentication"
+icon: 'material/two-factor-authentication'
+---
+
+**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app.
+
+Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone.
+
+MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO.
+
+## MFA Method Comparison
+
+### SMS or Email MFA
+
+Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account.
+
+### Push Notifications
+
+Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first.
+
+We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices.
+
+The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app.
+
+### Time-based One-time Password (TOTP)
+
+TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password.
+
+The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes.
+
+If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app.
+
+Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks.
If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds).
+
+An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
+
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+
+### Hardware security keys
+
+The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory.
+
+These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones.
+
+#### Yubico OTP
+
+Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server.
+
+When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field.
+
+The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
+
+
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png)
+
+
+There are some benefits and disadvantages to using Yubico OTP when compared to TOTP.
+
+The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance.
+
+If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key.
+
+#### FIDO (Fast IDentity Online)
+
+[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn).
+
+U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on.
+
+WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication.
+
+
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png)
+
+
+When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal.
+
+This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards.
+
+
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. 
+ +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. 
+ +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. 
+ +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/basics/passwords-overview.md b/i18n/de/basics/passwords-overview.md new file mode 100644 index 00000000..b6526803 --- /dev/null +++ b/i18n/de/basics/passwords-overview.md 
@@ -0,0 +1,112 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. 
+ +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! 
note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. 
+ + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. 
+ +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/basics/threat-modeling.md b/i18n/de/basics/threat-modeling.md new file mode 100644 index 00000000..0d7ff8cf --- /dev/null +++ b/i18n/de/basics/threat-modeling.md 
@@ -0,0 +1,111 @@ +--- +title: "Threat Modeling" +icon: 'material/target-account' +--- + +Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. What do I want to protect? +2. Who do I want to protect it from? +3. How likely is it that I will need to protect it? +4. How bad are the consequences if I fail? +5. How much trouble am I willing to go through to try to prevent potential consequences? + +### What do I want to protect? + +An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. 
Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. 
+ +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. 
Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. 
+ +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Sources + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/basics/vpn-overview.md b/i18n/de/basics/vpn-overview.md new file mode 100644 index 00000000..c4f9bce1 --- /dev/null +++ b/i18n/de/basics/vpn-overview.md 
@@ -0,0 +1,78 @@ +--- +title: VPN Overview +icon: material/vpn +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. 
However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. 
If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. 
Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/calendar.md b/i18n/de/calendar.md new file mode 100644 index 00000000..f050b6a0 --- /dev/null +++ b/i18n/de/calendar.md 
@@ -0,0 +1,71 @@
+---
+title: "Calendar Sync"
+icon: material/calendar
+---
+
+Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them.
+
+## Tutanota
+
+!!! recommendation
+
+ ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right }
+ ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right }
+
+ **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/).
+
+ Multiple calendars and extended sharing functionality is limited to paid subscribers.
+
+ [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609)
+ - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota)
+ - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+
+## Proton Calendar
+
+!!!
recommendation
+
+ ![Proton](assets/img/calendar/proton-calendar.svg){ align=right }
+
+ **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers.
+
+ [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar)
+ - [:octicons-browser-16: Web](https://calendar.proton.me)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here.
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Must sync and store information with E2EE to ensure data is not visible to the service provider.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should integrate with native OS calendar and contact management apps if applicable.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/cloud.md b/i18n/de/cloud.md
new file mode 100644
index 00000000..69137bdd
--- /dev/null
+++ b/i18n/de/cloud.md
@@ -0,0 +1,62 @@
+---
+title: "Cloud Storage"
+icon: material/file-cloud
+---
+
+Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by either putting you in control of your data or by implementing E2EE.
+
+If these alternatives do not fit your needs, we suggest you look into [Encryption Software](encryption.md).
+
+??? question "Looking for Nextcloud?"
+
+ Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users.
+
+## Proton Drive
+
+!!! recommendation
+
+ ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right }
+
+ **Proton Drive** is an E2EE general file storage service by the popular encrypted email provider [Proton Mail](https://proton.me/mail).
+
+ [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851)
+
+Proton Drive's mobile clients were released in December 2022 and are not yet open-source. Proton has historically delayed their source code releases until after initial product releases, and [plans to](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) release the source code by the end of 2023. Proton Drive desktop clients are still in development.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must enforce end-to-end encryption.
+- Must offer a free plan or trial period for testing.
+- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins.
+- Must offer a web interface which supports basic file management functionality.
+- Must allow for easy exports of all files/documents.
+- Must use standard, audited encryption.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Clients should be open-source.
+- Clients should be audited in their entirety by an independent third-party.
+- Should offer native clients for Linux, Android, Windows, macOS, and iOS.
+ - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android.
+- Should support easy file-sharing with other users.
+- Should offer at least basic file preview and editing functionality on the web interface.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/data-redaction.md b/i18n/de/data-redaction.md
new file mode 100644
index 00000000..fc71e3be
--- /dev/null
+++ b/i18n/de/data-redaction.md
@@ -0,0 +1,146 @@
+---
+title: "Data and Metadata Redaction"
+icon: material/tag-remove
+---
+
+When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata.
+
+## Desktop
+
+### MAT2
+
+!!! recommendation
+
+ ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right }
+
+ **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org).
+
+ On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner).
+
+ [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation}
+ [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://pypi.org/project/mat2)
+ - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew)
+ - [:simple-linux: Linux](https://pypi.org/project/mat2)
+ - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface)
+
+## Mobile
+
+### ExifEraser (Android)
+
+!!! recommendation
+
+ ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right }
+
+ **ExifEraser** is a modern, permissionless image metadata erasing application for Android.
+
+ It currently supports JPEG, PNG and WebP files.
+
+ [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser)
+ - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser)
+ - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases)
+
+The metadata that is erased depends on the image's file type:
+
+* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists.
+* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+
+After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image.
+
+The app offers multiple ways to erase metadata from images. Namely:
+
+* You can share an image from another application with ExifEraser.
+* Through the app itself, you can select a single image, multiple images at once, or even an entire directory.
+* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it.
+* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode.
+* Lastly, it allows you to paste an image from your clipboard.
+
+### Metapho (iOS)
+
+!!! recommendation
+
+ ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right }
+
+ **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location.
+
+ [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352)
+
+### PrivacyBlur
+
+!!! recommendation
+
+ ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right }
+
+ **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online.
+
+ [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106)
+
+!!! warning
+
+ You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid).
+
+## Command-line
+
+### ExifTool
+
+!!! recommendation
+
+ ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right }
+
+ **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more).
+
+ It's often a component of other Exif removal applications and is in most Linux distribution repositories.
+
+ [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://exiftool.org)
+ - [:simple-apple: macOS](https://exiftool.org)
+ - [:simple-linux: Linux](https://exiftool.org)
+
+!!! example "Deleting data from a directory of files"
+
+ ```bash
+ exiftool -all= *.file_extension
+ ```
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Apps developed for open-source operating systems must be open-source.
+- Apps must be free and should not include ads or other limitations.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/desktop-browsers.md b/i18n/de/desktop-browsers.md
new file mode 100644
index 00000000..7b992e5a
--- /dev/null
+++ b/i18n/de/desktop-browsers.md
@@ -0,0 +1,263 @@
+---
+title: "Desktop Browsers"
+icon: material/laptop
+---
+
+These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping your browser extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Firefox
+
+!!! recommendation
+
+ ![Firefox logo](assets/img/browsers/firefox.svg){ align=right }
+
+ **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks).
+
+ [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows)
+ - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac)
+ - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox)
+
+!!!
warning
+ Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/).
+
+### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Privacy & Security**.
+
+##### Enhanced Tracking Protection
+
+- [x] Select **Strict** Enhanced Tracking Protection
+
+This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability.
+
+##### Sanitize on Close
+
+If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...**
+
+- [x] Check **Delete cookies and site data when Firefox is closed**
+
+This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often.
+
+##### Search Suggestions
+
+- [ ] Uncheck **Provide search suggestions**
+
+Search suggestion features may not be available in your region.
+
+Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider.
+
+##### Telemetry
+
+- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla**
+- [ ] Uncheck **Allow Firefox to install and run studies**
+- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf**
+
+> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.
+
+Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out:
+
+1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection)
+2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts**
+
+##### HTTPS-Only Mode
+
+- [x] Select **Enable HTTPS-Only Mode in all windows**
+
+This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing.
+
+### Firefox Sync
+
+[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE.
+
+### Arkenfox (advanced)
+
+The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox.
If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support.
+
+## Brave
+
+!!! recommendation
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ??? downloads annotate
+
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+ - [:simple-windows11: Windows](https://brave.com/download/)
+ - [:simple-apple: macOS](https://brave.com/download/)
+ - [:simple-linux: Linux](https://brave.com/linux/) (1)
+
+ 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc.
+
+### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings**.
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+
+- [x] Select **Prevent sites from fingerprinting me based on my language preferences**
+- [x] Select **Aggressive** under Trackers & ads blocking
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under Block fingerprinting
+
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Social media blocking
+
+- [ ] Uncheck all social media components
+
+##### Privacy and security
+
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Use Google services for push messaging**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [x] Select **Always use secure connections** in the **Security** menu
+- [ ] Uncheck **Private window with Tor** (1)
+
+ !!! tip "Sanitizing on Close"
+ - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu
+
+ If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section.
+
+
+
+1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser).
+
+##### Extensions
+
+Disable built-in extensions you do not use in **Extensions**
+
+- [ ] Uncheck **Hangouts**
+- [ ] Uncheck **WebTorrent**
+
+##### IPFS
+
+InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+- [x] Select **Disabled** on Method to resolve IPFS resources
+
+##### Additional settings
+
+Under the *System* menu
+
+
+
+- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1)
+
+
+
+1. This option is not present on all platforms.
+
+### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## Additional Resources
+
+We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality.
+
+### uBlock Origin
+
+!!! recommendation
+
+ ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right }
+
+ **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts.
+
+ [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak)
+
+We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css).
+
+##### Other lists
+
+These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding:
+
+- [x] Check **Privacy** > **AdGuard URL Tracking Protection**
+- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must be open-source software.
+- Supports automatic updates.
+- Receives engine updates in 0-1 days from upstream release.
+- Available on Linux, macOS, and Windows.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Blocks third-party cookies by default.
+- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1]
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category.
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Includes built-in content blocking functionality.
+- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)).
+- Supports Progressive Web Apps.
+ PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates.
+- Does not include add-on functionality (bloatware) that does not impact user privacy.
+- Does not collect telemetry by default.
+- Provides open-source sync server implementation.
+- Defaults to a [private search engine](search-engines.md).
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.de.txt"
+
+[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/).
diff --git a/i18n/de/desktop.md b/i18n/de/desktop.md
new file mode 100644
index 00000000..f32584a2
--- /dev/null
+++ b/i18n/de/desktop.md
@@ -0,0 +1,184 @@ +--- +title: "Desktop/PC" +icon: simple/linux +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. 
+ + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). 
+ +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. 
+ +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. 
You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. 
+ +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. 
[Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/dns.md b/i18n/de/dns.md new file mode 100644 index 00000000..2704f0ba --- /dev/null +++ b/i18n/de/dns.md 
@@ -0,0 +1,142 @@ +--- +title: "DNS Resolvers" +icon: material/dns +--- + +!!! question "Should I use encrypted DNS?" + + Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + + [Learn more about DNS](advanced/dns-overview.md){ .md-button } + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### Android + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). 
+ +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! 
recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." 
+ + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! 
recommendation
+
+ ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right }
+
+ **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute }
+
+--8<-- "includes/abbreviations.de.txt"
+
+[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html)
+[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/)
+[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy)
+[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/)
+[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy)
+[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/)
diff --git a/i18n/de/email-clients.md b/i18n/de/email-clients.md
new file mode 100644
index 00000000..4fe1374c
--- /dev/null
+++ b/i18n/de/email-clients.md
@@ -0,0 +1,239 @@
+---
+title: "Email Clients"
+icon: material/email-open
+---
+
+Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft.
+
+??? warning "Email does not provide forward secrecy"
+
+ When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email.
+
+ OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy:
+
+ [Real-time Communication](real-time-communication.md){ .md-button }
+
+## Cross-Platform
+
+### Thunderbird
+
+!!! recommendation
+
+ ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right }
+
+ **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation.
+
+ [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation}
+ [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.thunderbird.net)
+ - [:simple-apple: macOS](https://www.thunderbird.net)
+ - [:simple-linux: Linux](https://www.thunderbird.net)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird)
+
+#### Recommended Configuration
+
+We recommend changing some of these settings to make Thunderbird a little more private.
+
+These options can be found in :material-menu: → **Settings** → **Privacy & Security**.
+
+##### Web Content
+
+- [ ] Uncheck **Remember websites and links I've visited**
+- [ ] Uncheck **Accept cookies from sites**
+
+##### Telemetry
+
+- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla**
+
+#### Thunderbird-user.js (advanced)
+
+[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js).
+
+## Platform Specific
+
+### Apple Mail (macOS)
+
+!!! recommendation
+
+ ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right }
+
+ **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email.
+
+ [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation}
+
+### Canary Mail (iOS)
+
+!!! recommendation
+
+ ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right }
+
+ **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock.
+
+ [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954)
+ - [:simple-windows11: Windows](https://canarymail.io/downloads.html)
+
+!!! warning
+
+ Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts.
+
+Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE.
+
+### FairEmail (Android)
+
+!!! recommendation
+
+ ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right }
+
+ **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage.
+
+ [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email)
+ - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases)
+
+### GNOME Evolution (GNOME)
+
+!!! recommendation
+
+ ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right }
+
+ **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started.
+
+ [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution)
+
+### K-9 Mail (Android)
+
+!!! recommendation
+
+ ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right }
+
+ **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP.
+
+ In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android.
+
+ [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9)
+ - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases)
+
+!!! warning
+
+ When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738).
+
+### Kontact (KDE)
+
+!!! recommendation
+
+ ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right }
+
+ **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client.
+
+ [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-linux: Linux](https://kontact.kde.org/download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact)
+
+### Mailvelope (Browser)
+
+!!! recommendation
+
+ ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right }
+
+ **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard.
+
+ [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc)
+
+### NeoMutt (CLI)
+
+!!! recommendation
+
+ ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right }
+
+ **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features.
+
+ NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable.
+
+ [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-apple: macOS](https://neomutt.org/distro)
+ - [:simple-linux: Linux](https://neomutt.org/distro)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Apps developed for open-source operating systems must be open-source.
+- Must not collect telemetry, or have an easy way to disable all telemetry.
+- Must support OpenPGP message encryption.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be open-source.
+- Should be cross-platform.
+- Should not collect any telemetry by default.
+- Should support OpenPGP natively, i.e. without extensions.
+- Should support storing OpenPGP encrypted emails locally.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/email.md b/i18n/de/email.md
new file mode 100644
index 00000000..123f70a1
--- /dev/null
+++ b/i18n/de/email.md
@@ -0,0 +1,485 @@
+---
+title: "Email Services"
+icon: material/email
+---
+
+Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy.
+
+[Recommended Instant Messengers](real-time-communication.md ""){.md-button}
+
+For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features.
+
+## OpenPGP Compatible Services
+
+These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
+
+!!! warning
+
+ When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview).
+
+ OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
+
+### Proton Mail
+
+!!! recommendation
+
+ ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right }
+
+ **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan.
+
+ [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905)
+ - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases)
+ - [:simple-windows11: Windows](https://proton.me/mail/bridge#download)
+ - [:simple-apple: macOS](https://proton.me/mail/bridge#download)
+ - [:simple-linux: Linux](https://proton.me/mail/bridge#download)
+ - [:octicons-browser-16: Web](https://mail.proton.me)
+
+Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
+
+If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free.
+
+Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**.
+
+??? success "Custom Domains and Aliases"
+
+ Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain.
+
+??? success "Private Payment Methods"
+
+ Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments.
+
+??? success "Account Security"
+
+ Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code.
+
+??? success "Data Security"
+
+ Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you.
+
+ Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon.
+
+??? success "Email Encryption"
+
+ Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP.
+
+ Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE.
+
+??? warning "Digital Legacy"
+
+ Proton Mail doesn't offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period.
+
+??? info "Additional Functionality"
+
+ Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage.
+
+### Mailbox.org
+
+!!! recommendation
+
+ ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right }
+
+ **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed.
+
+ [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:octicons-browser-16: Web](https://login.mailbox.org)
+
+??? success "Custom Domains and Aliases"
+
+ Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain.
+
+??? info "Private Payment Methods"
+
+ Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung.
+
+??? success "Account Security"
+
+ Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported.
+
+??? info "Data Security"
+
+ Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key.
+
+ However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information.
+
+??? success "Email Encryption"
+
+ Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox.
+
+ Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE.
+
+??? success "Digital Legacy"
+
+ Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address.
+
+??? info "Account Termination"
+
+ Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract).
+
+??? info "Additional Functionality"
+
+ You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors.
+
+ All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3.
+
+### StartMail
+
+!!! recommendation
+
+ ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right }
+ ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right }
+
+ **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial.
+
+ [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:octicons-browser-16: Web](https://mail.startmail.com/login)
+
+??? success "Custom Domains and Aliases"
+
+ Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available.
+
+??? warning "Private Payment Methods"
+
+ StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year.
+
+??? success "Account Security"
+
+ StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication.
+
+??? info "Data Security"
+
+ StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key.
+
+ StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption.
+
+??? success "Email Encryption"
+
+ StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys.
+
+??? warning "Digital Legacy"
+
+ StartMail does not offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration).
+
+??? info "Additional Functionality"
+
+ StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is.
+
+## More Providers
+
+These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers.
+
+### Tutanota
+
+!!! recommendation
+
+ ![Tutanota logo](assets/img/email/tutanota.svg){ align=right }
+
+ **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan.
+
+ [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609)
+ - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases)
+ - [:simple-windows11: Windows](https://tutanota.com/#download)
+ - [:simple-apple: macOS](https://tutanota.com/#download)
+ - [:simple-linux: Linux](https://tutanota.com/#download)
+ - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+
+Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders.
+
+??? success "Custom Domains and Aliases"
+
+ Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain.
+
+??? warning "Private Payment Methods"
+
+ Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore.
+
+??? success "Account Security"
+
+ Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F.
+
+??? success "Data Security"
+
+ Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you.
+
+??? warning "Email Encryption"
+
+ Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external).
+
+??? warning "Digital Legacy"
+
+ Tutanota doesn't offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay.
+
+??? info "Additional Functionality"
+
+ Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount.
+
+ Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y.
+ +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign.
+
+Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider.
+
+### AnonAddy
+
+!!! recommendation
+
+ ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right }
+ ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right }
+
+ **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous.
+
+ [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app)
+ - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe)
+
+The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan.
You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.
+
+Notable free features:
+
+- [x] 20 Shared Aliases
+- [x] Unlimited Standard Aliases
+- [ ] No Outgoing Replies
+- [x] 2 Recipient Mailboxes
+- [x] Automatic PGP Encryption
+
+### SimpleLogin
+
+!!! recommendation
+
+ ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right }
+
+ **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains.
+
+ [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858)
+ - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff)
+ - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017)
+
+SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf).
+
+You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free.
+
+Notable free features:
+
+- [x] 10 Shared Aliases
+- [x] Unlimited Replies
+- [x] 1 Recipient Mailbox
+
+## Self-Hosting Email
+
+Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable.
+
+### Combined software solutions
+
+!!!
recommendation
+
+ ![Mailcow logo](assets/img/email/mailcow.svg){ align=right }
+
+ **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support.
+
+ [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute }
+
+!!! recommendation
+
+ ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right }
+
+ **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server.
+
+ [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" }
+
+For a more manual approach we've picked out these two articles:
+
+- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019)
+- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017)
+
+## Criteria
+
+**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more.
We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you.
+
+### Technology
+
+We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require.
+
+**Minimum to Qualify:**
+
+- Encrypts email account data at rest with zero-access encryption.
+- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard.
+- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy.
+- Operates on owned infrastructure, i.e. not built upon third-party email service providers.
+
+**Best Case:**
+
+- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption.
+- Integrated webmail E2EE/PGP encryption provided as a convenience.
+- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com`
+- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
+- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
+- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
+- Catch-all or alias functionality for those who own their own domains.
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible.
+
+**Minimum to Qualify:**
+
+- Protect sender's IP address. Filter it from showing in the `Received` header field.
+- Don't require personally identifiable information (PII) besides a username and a password.
+- Privacy policy that meets the requirements defined by the GDPR
+- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/).
+
+**Best Case:**
+
+- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
+
+### Security
+
+Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members.
+
+**Minimum to Qualify:**
+
+- Protection of webmail with 2FA, such as TOTP.
+- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
+- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
+- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption.
+- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
+- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
+- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
+- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
+- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/).
+- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
+- Website security standards such as:
+ - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+ - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
+- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt.
+
+**Best Case:**
+
+- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name).
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support.
+- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+- Website security standards such as:
+ - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
+ - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the email providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+
+- Reusing personal information e.g.
(email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc)
+- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+
+**Best Case:**
+
+- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
+
+### Additional Functionality
+
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/encryption.md b/i18n/de/encryption.md
new file mode 100644
index 00000000..03e5431c
--- /dev/null
+++ b/i18n/de/encryption.md
@@ -0,0 +1,357 @@
+---
+title: "Encryption Software"
+icon: material/file-lock
+---
+
+Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here.
+
+## Multi-platform
+
+The options listed here are multi-platform and great for creating encrypted backups of your data.
+
+### Cryptomator (Cloud)
+
+!!! recommendation
+
+ ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right }
+
+ **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider.
+
+ [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:simple-android: Android](https://cryptomator.org/android)
+ - [:simple-windows11: Windows](https://cryptomator.org/downloads)
+ - [:simple-apple: macOS](https://cryptomator.org/downloads)
+ - [:simple-linux: Linux](https://cryptomator.org/downloads)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+
+Cryptomator uses AES-256 encryption to encrypt both files and filenames.
Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders.
+
+Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS.
+
+Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail.
+
+### Picocrypt (File)
+
+!!! recommendation
+
+ ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right }
+
+ **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features.
+
+ [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases)
+
+### VeraCrypt (Disk)
+
+!!! recommendation
+
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
+
+ **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication.
+
+ [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
+
+VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.
+
+When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher.
+
+Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
+
+## OS Full Disk Encryption
+
+Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor).
+
+### BitLocker
+
+!!! recommendation
+
+ ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right }
+
+ **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).
+
+ [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation}
+
+BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
+
+??? example "Enabling BitLocker on Windows Home"
+
+ To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module.
+
+ 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style":
+
+ ```
+ powershell Get-Disk
+ ```
+
+ 2.
Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`:
+
+ ```
+ powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm
+ ```
+
+ 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**.
+
+ 4. Login with your admin account and type this in the command prompt to start encryption:
+
+ ```
+ manage-bde -on c: -used
+ ```
+
+ 5. Close the command prompt and continue booting to regular Windows.
+
+ 6. Open an admin command prompt and run the following commands:
+
+ ```
+ manage-bde c: -protectors -add -rp -tpm
+ manage-bde -protectors -enable c:
+ manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
+ ```
+
+ !!! tip
+
+ Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data.
+
+### FileVault
+
+!!! recommendation
+
+ ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right }
+
+ **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip.
+
+ [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation}
+
+We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery.
+
+### Linux Unified Key Setup
+
+!!!
recommendation
+
+ ![LUKS logo](assets/img/encryption-software/luks.png){ align=right }
+
+ **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.
+
+ [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" }
+
+??? example "Creating and opening encrypted containers"
+
+ ```
+ dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
+ sudo cryptsetup luksFormat /path-to-file
+ ```
+
+
+ #### Opening encrypted containers
+ We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface.
+ ```
+ udisksctl loop-setup -f /path-to-file
+ udisksctl unlock -b /dev/loop0
+ ```
+
+!!! note "Remember to back up volume headers"
+
+ We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with:
+
+ ```
+ cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
+ ```
+
+## Browser-based
+
+Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device.
+
+### hat.sh
+
+!!!
recommendation
+
+ ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right }
+ ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
+
+ **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies.
+
+ [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" }
+
+## Command-line
+
+Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script).
+
+### Kryptor
+
+!!! recommendation
+
+ ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right }
+
+ **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG.
+
+ [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-windows11: Windows](https://www.kryptor.co.uk)
+ - [:simple-apple: macOS](https://www.kryptor.co.uk)
+ - [:simple-linux: Linux](https://www.kryptor.co.uk)
+
+### Tomb
+
+!!! recommendation
+
+ ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right }
+
+ **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work).
+
+ [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute }
+
+## OpenPGP
+
+OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.
+
+When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
+
+!!! tip "Use future defaults when generating a key"
+
+ When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/):
+
+ ```bash
+ gpg --quick-gen-key alice@example.com future-default
+ ```
+
+### GNU Privacy Guard
+
+!!!
recommendation
+
+ ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right }
+
+ **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government.
+
+ [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+ - [:simple-apple: macOS](https://gpgtools.org)
+ - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary)
+
+### GPG4win
+
+!!! recommendation
+
+ ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right }
+
+ **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005.
+ + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. 
Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. 
+- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/file-sharing.md b/i18n/de/file-sharing.md new file mode 100644 index 00000000..bed93f5f --- /dev/null +++ b/i18n/de/file-sharing.md 
@@ -0,0 +1,148 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. 
+ + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). 
The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! 
danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. 
+ +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/frontends.md b/i18n/de/frontends.md new file mode 100644 index 00000000..9e68622b --- /dev/null +++ b/i18n/de/frontends.md 
@@ -0,0 +1,268 @@ +--- +title: "Frontends" +icon: material/flip-to-front +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. 
+ +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. 
Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). 
When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. 
+ + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. 
+ + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. 
+ + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. 
Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! 
tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. + +--8<-- "includes/abbreviations.de.txt" 
diff --git a/i18n/de/index.md b/i18n/de/index.md new file mode 100644 index 00000000..1ca23af1 --- /dev/null +++ b/i18n/de/index.md 
@@ -0,0 +1,44 @@
+---
+template: overrides/home.de.html
+hide:
+ - navigation
+ - toc
+ - feedback
+---
+
+
+## Why should I care?
+
+##### “I have nothing to hide. Why should I care about my privacy?”
+
+Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination).
+
+You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human.
+
+[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary}
+
+## What should I do?
+
+##### First, you need to make a plan
+
+Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them.
+
+==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
+
+[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary}
+
+---
+
+## We need you! Here's how to get involved:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" }
+[:material-information-outline:](about/index.md){ title="Learn more about us" }
+[:material-hand-coin-outline:](about/donate.md){ title="Support the project" }
+
+It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/kb-archive.md b/i18n/de/kb-archive.md
new file mode 100644
index 00000000..f05d9780
--- /dev/null
+++ b/i18n/de/kb-archive.md
@@ -0,0 +1,18 @@
+---
+title: KB Archive
+icon: material/archive
+---
+
+# Pages Moved to Blog
+
+Einige Seiten, die früher in unserer Wissensdatenbank waren, sind jetzt in unserem Blog zu finden:
+
+- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
+- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
+- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
+- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/meta/brand.md b/i18n/de/meta/brand.md
new file mode 100644
index 00000000..48e84900
--- /dev/null
+++ b/i18n/de/meta/brand.md
@@ -0,0 +1,24 @@
+---
+title: Branding Guidelines
+---
+
+The name of the website is **Privacy Guides** and should **not** be changed to:
+
+- PrivacyGuides
+- Privacy guides
+- PG
+- PG.org
+
+
+The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**.
+
+Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand)
+
+## Trademark
+
+"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project.
+
+Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/meta/git-recommendations.md b/i18n/de/meta/git-recommendations.md
new file mode 100644
index 00000000..0837d554
--- /dev/null
+++ b/i18n/de/meta/git-recommendations.md
@@ -0,0 +1,48 @@
+---
+title: Git Recommendations
+---
+
+If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations.
+
+## Enable SSH Key Commit Signing
+
+You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
+
+1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo):
+ ```
+ git config --global commit.gpgsign true
+ git config --global gpg.format ssh
+ git config --global tag.gpgSign true
+ ```
+2. Copy your SSH public key to your clipboard, for example:
+ ```
+ pbcopy < ~/.ssh/id_ed25519.pub
+ # Copies the contents of the id_ed25519.pub file to your clipboard
+ ```
+3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard:
+ ```
+ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'
+ ```
+
+Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key).
+
+## Rebase on Git pull
+
+Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo).
+
+You can set this to be the default behavior:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase from `main` before submitting a PR
+
+If you are working on your own branch, run these commands before submitting a PR:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/meta/uploading-images.md b/i18n/de/meta/uploading-images.md
new file mode 100644
index 00000000..c9edf212
--- /dev/null
+++ b/i18n/de/meta/uploading-images.md
@@ -0,0 +1,91 @@
+---
+title: Uploading Images
+---
+
+Here are a couple of general rules for contributing to Privacy Guides:
+
+## Images
+
+- We **prefer** SVG images, but if those do not exist we can use PNG images
+
+Company logos have canvas size of:
+
+- 128x128px
+- 384x128px
+
+## Optimization
+
+### PNG
+
+Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image:
+
+```bash
+optipng -o7 file.png
+```
+
+### SVG
+
+#### Inkscape
+
+[Scour](https://github.com/scour-project/scour) all SVG images.
+
+In Inkscape:
+
+1. File Save As..
+2. Set type to Optimized SVG (*.svg)
+
+In the **Options** tab:
+
+- **Number of significant digits for coordinates** > **5**
+- [x] Turn on **Shorten color values**
+- [x] Turn on **Convert CSS attributes to XML attributes**
+- [x] Turn on **Collapse groups**
+- [x] Turn on **Create groups for similar attributes**
+- [ ] Turn off **Keep editor data**
+- [ ] Turn off **Keep unreferenced definitions**
+- [x] Turn on **Work around renderer bugs**
+
+In the **SVG Output** tab under **Document options**:
+
+- [ ] Turn off **Remove the XML declaration**
+- [x] Turn on **Remove metadata**
+- [x] Turn on **Remove comments**
+- [x] Turn on **Embeded raster images**
+- [x] Turn on **Enable viewboxing**
+
+In the **SVG Output** under **Pretty-printing**:
+
+- [ ] Turn off **Format output with line-breaks and indentation**
+- **Indentation characters** > Select **Space**
+- **Depth of indentation** > **1**
+- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element**
+
+In the **IDs** tab:
+
+- [x] Turn on **Remove unused IDs**
+- [ ] Turn off **Shorten IDs**
+- **Prefix shortened IDs with** > `leave blank`
+- [x] Turn on **Preserve manually created IDs not ending with digits**
+- **Preserve the following IDs** > `leave blank`
+- **Preserve IDs starting with** > `leave blank`
+
+#### CLI
+
+The same can be achieved with the [Scour](https://github.com/scour-project/scour) command:
+
+```bash
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/meta/writing-style.md b/i18n/de/meta/writing-style.md
new file mode 100644
index 00000000..6e387035
--- /dev/null
+++ b/i18n/de/meta/writing-style.md
@@ -0,0 +1,89 @@
+---
+title: Writing Style
+---
+
+Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt.
+
+In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below.
+
+## Writing for our audience
+
+Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with.
+
+### Address only what people want to know
+
+People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details.
+
+> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.”
+
+### Address people directly
+
+We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly.
+
+> More than any other single technique, using “you” pulls users into the information and makes it relevant to them.
+>
+> When you use “you” to address users, they are more likely to understand what their responsibility is.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/)
+
+### Avoid "users"
+
+Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for.
+
+## Organizing content
+
+Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas.
+
+- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages.
+- Mark important ideas with **bold** or *italics*.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
+
+### Begin with a topic sentence
+
+> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details.
+>
+> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
+
+## Choose your words carefully
+
+> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand.
+
+We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly.
+
+> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences:
+>
+> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends.
+>
+> And the original, using stronger, simpler words:
+>
+> > More night jobs would keep youths off the streets.
+
+## Be concise
+
+> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
+
+## Keep text conversational
+
+> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting.
+>
+> Verbs tell your audience what to do. Make sure it’s clear who does what.
+
+### Use active voice
+
+> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.”
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
+
+### Use "must" for requirements
+
+> - “must” for an obligation
+> - “must not” for a prohibition
+> - “may” for a discretionary action
+> - “should” for a recommendation
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/mobile-browsers.md b/i18n/de/mobile-browsers.md
new file mode 100644
index 00000000..5e891156
--- /dev/null
+++ b/i18n/de/mobile-browsers.md
@@ -0,0 +1,193 @@
+---
+title: "Mobile Browsers"
+icon: material/cellphone-information
+---
+
+These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Android
+
+On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
+
+### Brave
+
+!!! recommendation
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ??? downloads annotate
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+
+#### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy**
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+##### Brave shields global defaults
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+- [x] Select **Aggressive** under Block trackers & ads
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] Select **Upgrade connections to HTTPS**
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under **Block fingerprinting**
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Clear browsing data
+
+- [x] Select **Clear data on exit**
+
+##### Social Media Blocking
+
+- [ ] Uncheck all social media components
+
+##### Other privacy settings
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Allow sites to check if you have payment methods saved**
+- [ ] Uncheck **IPFS Gateway** (1)
+- [x] Select **Close tabs on exit**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+
+1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+
+#### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## iOS
+
+On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser.
+
+### Safari
+
+!!! recommendation
+
+ ![Safari logo](assets/img/browsers/safari.svg){ align=right }
+
+ **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
+
+ [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation}
+
+#### Recommended Configuration
+
+These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.
+
+##### Cross-Site Tracking Prevention
+
+- [x] Enable **Prevent Cross-Site Tracking**
+
+This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
+
+##### Privacy Report
+
+Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
+
+Privacy Report is accessible via the Page Settings menu.
+
+##### Privacy Preserving Ad Measurement
+
+- [ ] Disable **Privacy Preserving Ad Measurement**
+
+Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
+
+The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
+
+##### Always-on Private Browsing
+
+Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
+
+- [x] Select **Private**
+
+Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
+
+Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
+
+##### iCloud Sync
+
+Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
+
+You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**.
+
+- [x] Turn On **Advanced Data Protection**
+
+If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
+
+### AdGuard
+
+!!! recommendation
+
+ ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right }
+
+ **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
+
+ AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge.
+
+ [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must support automatic updates.
+- Must receive engine updates in 0-1 days from upstream release.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Android browsers must use the Chromium engine.
+ - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android.
+ - iOS browsers are limited to WebKit.
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/multi-factor-authentication.md b/i18n/de/multi-factor-authentication.md
new file mode 100644
index 00000000..1a0e3c6f
--- /dev/null
+++ b/i18n/de/multi-factor-authentication.md
@@ -0,0 +1,144 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. 
+ +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey / Librem Key + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. 
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + + The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +!!! tip + + The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. 
+ +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/news-aggregators.md b/i18n/de/news-aggregators.md new file mode 100644 index 00000000..0f608abb --- /dev/null +++ b/i18n/de/news-aggregators.md 
@@ -0,0 +1,173 @@ +--- +title: "News Aggregators" +icon: material/rss +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favourite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! 
recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. 
+ + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/notebooks.md b/i18n/de/notebooks.md new file mode 100644 index 00000000..125d2616 --- /dev/null +++ b/i18n/de/notebooks.md 
@@ -0,0 +1,115 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. 
+ + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. + +--8<-- "includes/abbreviations.de.txt" diff --git a/i18n/de/os/android-overview.md b/i18n/de/os/android-overview.md new file mode 100644 index 00000000..36c303d3 --- /dev/null +++ b/i18n/de/os/android-overview.md 
@@ -0,0 +1,135 @@ +--- +title: Android Overview +icon: simple/android +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. 
At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. 
+ +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. 
+ +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. 
+ +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. 
It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Should you want to run an app that you're unsure about, consider using a user or work profile. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. 
+ +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. 
that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). 
This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. 
Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. + +--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/os/linux-overview.md b/i18n/de/os/linux-overview.md
new file mode 100644
index 00000000..8a7d874d
--- /dev/null
+++ b/i18n/de/os/linux-overview.md
@@ -0,0 +1,143 @@ +--- +title: Linux Overview +icon: simple/linux +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). 
These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. 
This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). 
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. 
+ +## General Recommendations + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. 
+
+Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
+
+We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
+
+### Proprietary Firmware (Microcode Updates)
+
+Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html).
+
+We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default.
+
+### Updates
+
+Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found.
+
+Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates.
+
+Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd).
+
+## Privacy Tweaks
+
+### MAC Address Randomization
+
+Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings.
+
+It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous.
+
+We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/).
+
+If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=).
+
+There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware.
+
+### Other Identifiers
+
+There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md):
+
+- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings.
+- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
+- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id).
+
+### System Counting
+
+The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary.
+
+This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer.
+
+openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/os/qubes-overview.md b/i18n/de/os/qubes-overview.md
new file mode 100644
index 00000000..c731f8a3
--- /dev/null
+++ b/i18n/de/os/qubes-overview.md
@@ -0,0 +1,56 @@
+---
+title: "Qubes Overview"
+icon: simple/qubesos
+---
+
+[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/).
+
+## How does Qubes OS work?
+
+Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines.
+
+![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png)
+
Qubes Architecture, Credit: What is Qubes OS Intro
+
+Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser.
+
+![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png)
+
Qubes window borders, Credit: Qubes Screenshots
+
+## Why Should I use Qubes?
+
+Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources.
+
+Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control.
+
+### Copying and Pasting Text
+
+You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions:
+
+1. Press **Ctrl+C** to tell the VM you're in that you want to copy something.
+2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard.
+3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available.
+4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer.
+
+### File Exchange
+
+To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system.
+
+??? info "AppVMs or qubes do not have their own file systems"
+
+ You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident.
+
+### Inter-VM Interactions
+
+The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/).
+
+## Additional Resources
+
+For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc).
+
+- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/)
+- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf)
+- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html)
+- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles)
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/passwords.md b/i18n/de/passwords.md
new file mode 100644
index 00000000..c927cdb0
--- /dev/null
+++ b/i18n/de/passwords.md
@@ -0,0 +1,230 @@
+---
+title: "Password Managers"
+icon: material/form-textbox-password
+---
+
+Password managers allow you to securely store and manage passwords and other credentials with the use of a master password.
+
+[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md)
+
+!!! info
+
+ Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have.
+
+ For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default.
+
+## Cloud-based
+
+These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss.
+
+### Bitwarden
+
+!!! recommendation
+
+ ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right }
+
+ **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices.
+
+ [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744)
+ - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases)
+ - [:simple-windows11: Windows](https://bitwarden.com/download)
+ - [:simple-linux: Linux](https://bitwarden.com/download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh)
+
+Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan).
+
+You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing.
+
+Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server.
+
+**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code.
+
+[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation}
+[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute }
+
+### 1Password
+
+!!! recommendation
+
+ ![1Password logo](assets/img/password-management/1password.svg){ align=right }
+
+ **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf).
+
+ [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation}
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8)
+ - [:simple-windows11: Windows](https://1password.com/downloads/windows/)
+ - [:simple-apple: macOS](https://1password.com/downloads/mac/)
+ - [:simple-linux: Linux](https://1password.com/downloads/linux/)
+
+Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality.
+
+Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data.
+
+One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate.
+
+### Psono
+
+!!! recommendation
+
+ ![Psono logo](assets/img/password-management/psono.svg){ align=right }
+
+ **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password.
+
+ [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo)
+ - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client)
+
+Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features.
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here.
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must utilize strong, standards-based/modern E2EE.
+- Must have thoroughly documented encryption and security practices.
+- Must have a published audit from a reputable, independent third-party.
+- All non-essential telemetry must be optional.
+- Must not collect more PII than is necessary for billing purposes.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Telemetry should be opt-in (disabled by default) or not collected at all.
+- Should be open-source and reasonably self-hostable.
+
+## Local Storage
+
+These options allow you to manage an encrypted password database locally.
+
+### KeePassXC
+
+!!! recommendation
+
+ ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right }
+
+ **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager.
+
+ [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually.
+
+### KeePassDX (Android)
+
+!!! recommendation
+
+ ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right }
+
+ **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development.
+
+ [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free)
+ - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases)
+
+### Strongbox (iOS & macOS)
+
+!!!
recommendation
+
+ ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right }
+
+ **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license.
+
+ [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731)
+
+Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface.
+
+### Command-line
+
+These products are minimal password managers that can be used within scripting applications.
+
+#### gopass
+
+!!! recommendation
+
+ ![gopass logo](assets/img/password-management/gopass.svg){ align=right }
+
+ **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows).
+
+ [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows)
+ - [:simple-apple: macOS](https://www.gopass.pw/#install-macos)
+ - [:simple-linux: Linux](https://www.gopass.pw/#install-linux)
+ - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be cross-platform.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/productivity.md b/i18n/de/productivity.md
new file mode 100644
index 00000000..bce9403a
--- /dev/null
+++ b/i18n/de/productivity.md
@@ -0,0 +1,156 @@
+---
+title: "Productivity Tools"
+icon: material/file-sign
+---
+
+Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints.
+
+## Collaboration Platforms
+
+### Nextcloud
+
+!!! recommendation
+
+ ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right }
+
+ **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control.
+
+ [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!! danger
+
+ We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers.
+
+### CryptPad
+
+!!!
recommendation
+
+ ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right }
+
+ **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily.
+
+ [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute }
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive.
+
+- Open-source.
+- Makes files accessible via WebDAV unless it is impossible due to E2EE.
+- Has sync clients for Linux, macOS, and Windows.
+- Supports document and spreadsheet editing.
+- Supports real-time document collaboration.
+- Supports exporting documents to standard document formats (e.g. ODF).
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should store files in a conventional filesystem.
+- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins.
+
+## Office Suites
+
+### LibreOffice
+
+!!! recommendation
+
+ ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right }
+
+ **LibreOffice** is a free and open-source office suite with extensive functionality.
+
+ [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/)
+ - [:simple-apple: macOS](https://www.libreoffice.org/download/download/)
+ - [:simple-linux: Linux](https://www.libreoffice.org/download/download/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/)
+
+### OnlyOffice
+
+!!!
recommendation
+
+ ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right }
+
+ **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud.
+
+ [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972)
+ - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change.
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs.
+
+- Must be cross-platform.
+- Must be open-source software.
+- Must function offline.
+- Must support editing documents, spreadsheets, and slideshows.
+- Must export files to standard document formats.
+
+## Paste services
+
+### PrivateBin
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/).
+
+ [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" }
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/real-time-communication.md b/i18n/de/real-time-communication.md
new file mode 100644
index 00000000..196ef5ab
--- /dev/null
+++ b/i18n/de/real-time-communication.md
@@ -0,0 +1,195 @@
+---
+title: "Real-Time Communication"
+icon: material/chat-processing
+---
+
+These are our recommendations for encrypted real-time communication.
+
+[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md)
+
+## Encrypted Messengers
+
+These messengers are great for securing your sensitive communications.
+
+### Signal
+
+!!! recommendation
+
+ ![Signal logo](assets/img/messengers/signal.svg){ align=right }
+
+ **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling.
+
+ All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with.
+
+ [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669)
+ - [:simple-android: Android](https://signal.org/android/apk/)
+ - [:simple-windows11: Windows](https://signal.org/download/windows)
+ - [:simple-apple: macOS](https://signal.org/download/macos)
+ - [:simple-linux: Linux](https://signal.org/download/linux)
+
+Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes.
Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier.
+
+The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
+
+We have some additional tips on configuring and hardening your Signal installation:
+
+[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+
+### SimpleX Chat
+
+!!! recommendation
+
+ ![Simplex logo](assets/img/messengers/simplex.svg){ align=right }
+
+ **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations.
+
+ [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" }
+
+ ???
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. 
+ + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. 
The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. 
+ +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should have Perfect Forward Secrecy.
+- Should have open-source servers.
+- Should be decentralized, i.e. federated or P2P.
+- Should use E2EE for all messages by default.
+- Should support Linux, macOS, Windows, Android, and iOS.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/router.md b/i18n/de/router.md
new file mode 100644
index 00000000..b14af0c7
--- /dev/null
+++ b/i18n/de/router.md
@@ -0,0 +1,51 @@
+---
+title: "Router-Firmware"
+icon: material/router-wireless
+---
+
+Nachstehend sind ein paar alternative Betriebssysteme gelistet, die auf Routern, WLAN-Zugangspunkten usw. eingesetzt werden können.
+
+## OpenWrt
+
+!!! recommendation
+
+ ![OpenWrt-Logo](assets/img/router/openwrt.svg#only-light){ align=right }
+ ![OpenWrt-Logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right }
+
+ **OpenWrt* ist ein auf Linux basierendes Betriebssystem; es wird primär auf eingebetteten Geräten zum Weiterleiten des Netzwerkverkehrs genutzt. Es enthält util-linux, uClib und BusyBox. Alle Komponenten sind für Heim-Router optimiert.
+
+ [:octicons-home-16: Hauptseite](https://openwrt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Dokumentation}
+ [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Quellcode" }
+ [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Mitwirken }
+
+Sie können in der [table of hardware](https://openwrt.org/toh/start) von OpenWrt nachsehen, ob Ihr Gerät unterstützt wird.
+
+## OPNsense
+
+!!! recommendation
+
+ ![OPNsense logo](assets/img/router/opnsense.svg){ align=right }
+
+ **OPNsense* ist eine FreeBSD-basierte Open-Source-Firewall- und Routing-Plattform, die viele erweiterte Funktionen wie Traffic Shaping, Load Balancing und VPN-Funktionen enthält, wobei viele weitere Funktionen in Form von Plugins verfügbar sind. OPNsense wird in der Regel als Perimeter-Firewall, Router, Wireless Access Point, DHCP-Server, DNS-Server und VPN-Endpunkt eingesetzt.
+
+ [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute }
+
+OPNsense wurde ursprünglich als Fork von [pfSense](https://en.wikipedia.org/wiki/PfSense) entwickelt. Beide Projekte sind bekannt dafür, freie und zuverlässige Firewall-Distributionen zu sein, die Funktionen bieten, die oft nur in teuren kommerziellen Firewalls zu finden sind. Die Entwickler von OPNsense [zitierten](https://docs.opnsense.org/history/thefork.html) eine Reihe von Sicherheits- und Code-Qualitätsproblemen mit pfSense, die ihrer Meinung nach eine Abspaltung des Projekts erforderlich machten, sowie Bedenken hinsichtlich der Mehrheitsübernahme von pfSense durch Netgate und der zukünftigen Ausrichtung des pfSense-Projekts.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open source.
+- Must receive regular updates.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/search-engines.md b/i18n/de/search-engines.md
new file mode 100644
index 00000000..ff48997d
--- /dev/null
+++ b/i18n/de/search-engines.md
@@ -0,0 +1,109 @@
+---
+title: "Search Engines"
+icon: material/search-web
+---
+
+Use a search engine that doesn't build an advertising profile based on your searches.
+
+The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored.
+
+Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider.
+
+## Brave Search
+
+!!! recommendation
+
+ ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right }
+
+ **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives.
+
+ Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts.
+
+ We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings.
+
+ [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation}
+
+Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained.
+
+## DuckDuckGo
+
+!!! 
recommendation
+
+ ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right }
+
+ **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results.
+
+ DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser.
+
+ [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation}
+
+DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information.
+
+DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version.
+
+## SearXNG
+
+!!! 
recommendation
+
+ ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right }
+
+ **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx).
+
+ [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"}
+ [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" }
+
+SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from.
+
+When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities.
+
+When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII.
+
+## Startpage
+
+!!! recommendation
+
+ ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right }
+ ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right }
+
+ **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified.
The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead.
+
+ [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation}
+
+!!! warning
+
+ Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider.
+
+Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information.
+
+Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must not collect personally identifiable information per their privacy policy.
+- Must not allow users to create an account with them.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be based on open-source software.
+- Should not block Tor exit node IP addresses.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/tools.md b/i18n/de/tools.md
new file mode 100644
index 00000000..46ddd66b
--- /dev/null
+++ b/i18n/de/tools.md
@@ -0,0 +1,443 @@
+---
+title: "Privacy Tools"
+icon: material/tools
+hide:
+ - toc
+---
+
+If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs.
+
+If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community!
+
+For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page.
+
+## Tor Network
+
+
+
+- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser)
+- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot)
+- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1)
+
+
+
+1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy.
+
+[Learn more :material-arrow-right-drop-circle:](tor.md)
+
+## Desktop Web Browsers
+
+
+
+- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox)
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md)
+
+### Additional Resources
+
+
+
+- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources)
+
+## Mobile Web Browsers
+
+
+
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave)
+- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md)
+
+### Additional Resources
+
+
+
+- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard)
+
+## Operating Systems
+
+### Mobile
+
+
+
+- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos)
+- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md)
+
+#### Android Apps
+
+
+
+- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store)
+- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter)
+- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor)
+- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera)
+- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md#general-apps)
+
+### Desktop/PC
+
+
+
+- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os)
+- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation)
+- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed)
+- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux)
+- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue)
+- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos)
+- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix)
+- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop.md)
+
+### Router-Firmware
+
+
+
+- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt)
+- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense)
+
+
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+
+- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn)
+- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn)
+- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](vpn.md)
+
+## Software
+
+### Calendar Sync
+
+
+
+- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota)
+- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](calendar.md)
+
+### Data and Metadata Redaction
+
+
+
+- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2)
+- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android)
+- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios)
+- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur)
+- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](data-redaction.md)
+
+### Email Clients
+
+
+
+- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird)
+- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos)
+- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios)
+- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android)
+- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome)
+- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android)
+- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde)
+- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser)
+- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email-clients.md)
+
+### Encryption Software
+
+??? info "Operating System Disk Encryption"
+
+ For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems.
+
+ [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde)
+
+
+
+- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud)
+- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file)
+- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk)
+- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh)
+- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor)
+- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](encryption.md)
+
+#### OpenPGP Clients
+
+
+
+- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard)
+- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win)
+- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite)
+- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp)
+
+### File Sharing and Sync
+
+
+
+- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send)
+- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare)
+- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox)
+- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud)
+- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](file-sharing.md)
+
+### Frontends
+
+
+
+- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian)
+- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter)
+- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube)
+- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee)
+- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android)
+- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android)
+- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious)
+- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](frontends.md)
+
+### Multi-Factor Authentication Tools
+
+
+
+- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey)
+- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key)
+- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator)
+- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md)
+
+### News Aggregators
+
+
+
+- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator)
+- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder)
+- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader)
+- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds)
+- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux)
+- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire)
+- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](news-aggregators.md)
+
+### Notebooks
+
+
+
+- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin)
+- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes)
+- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee)
+- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](notebooks.md)
+
+### Password Managers
+
+
+
+- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden)
+- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password)
+- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono)
+- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc)
+- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android)
+- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos)
+- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](passwords.md)
+
+### Productivity Tools
+
+
+
+- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud)
+- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice)
+- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice)
+- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad)
+- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](productivity.md)
+
+### Real-Time Communication
+
+
+
+- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal)
+- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar)
+- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat)
+- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element)
+- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
+
+### Video Streaming Clients
+
+
+
+- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](video-streaming.md)
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/tor.md b/i18n/de/tor.md
new file mode 100644
index 00000000..8352feb5
--- /dev/null
+++ b/i18n/de/tor.md
@@ -0,0 +1,124 @@
+---
+title: "Tor Network"
+icon: simple/torproject
+---
+
+![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right }
+
+The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool.
+
+[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage }
+[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation}
+[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity.
+
+
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+
+- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md)
+
+## Connecting to Tor
+
+There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser.
+
+### Tor Browser
+
+!!! recommendation
+
+ ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right }
+
+ **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*.
+
+ [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
+ - [:simple-android: Android](https://www.torproject.org/download/#android)
+ - [:simple-windows11: Windows](https://www.torproject.org/download/)
+ - [:simple-apple: macOS](https://www.torproject.org/download/)
+ - [:simple-linux: Linux](https://www.torproject.org/download/)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor)
+
+!!! danger
+
+ You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
+
+The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/).
+
+### Orbot
+
+!!! recommendation
+
+ ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right }
+
+ **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network.
+
+ [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599)
+ - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases)
+
+For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to.
+
+!!! tip "Tips for Android"
+
+ Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+ Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead.
+
+ All versions are signed using the same signature so they should be compatible with each other.
+
+## Relays and Bridges
+
+### Snowflake
+
+!!! recommendation
+
+ ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right }
+ ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right }
+
+ **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser.
+
+ People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge.
+
+ [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie)
+ - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy")
+
+??? tip "Embedded Snowflake"
+
+ You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface.
+
+
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html).
+
+Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours.
+
+Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/video-streaming.md b/i18n/de/video-streaming.md
new file mode 100644
index 00000000..e42141dc
--- /dev/null
+++ b/i18n/de/video-streaming.md
@@ -0,0 +1,52 @@
+---
+title: "Video Streaming"
+icon: material/video-wireless
+---
+
+The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage.
+
+## LBRY
+
+!!! recommendation
+
+ ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right }
+
+ **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance.
+
+ **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet.
+
+ [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://lbry.com/windows)
+ - [:simple-apple: macOS](https://lbry.com/osx)
+ - [:simple-linux: Linux](https://lbry.com/linux)
+
+!!! note
+
+ Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry.
+
+!!! warning
+
+ While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel.
+
+You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must not require a centralized account to view videos.
+ - Decentralized authentication, such as via a mobile wallet's private key is acceptable.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/de/vpn.md b/i18n/de/vpn.md
new file mode 100644
index 00000000..b1576bda
--- /dev/null
+++ b/i18n/de/vpn.md
@@ -0,0 +1,323 @@
+---
+title: "VPN Services"
+icon: material/vpn
+---
+
+Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
+
+??? danger "VPNs do not provide anonymity"
+
+ Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.
+
+ If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
+
+ If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
+
+ [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button }
+
+??? question "When are VPNs useful?"
+
+ If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved.
+
+ [More Info](basics/vpn-overview.md){ .md-button }
+
+## Recommended Providers
+
+!!! abstract "Criteria"
+
+ Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#our-criteria) for more information.
+
+### Proton VPN
+
+!!! recommendation annotate
+
+ ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right }
+
+ **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option.
+
+ [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085)
+ - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases)
+ - [:simple-windows11: Windows](https://protonvpn.com/download-windows)
+ - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/)
+
+??? success annotate "67 Countries"
+
+ Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
+
+ We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Last checked: 2022-09-16
+
+??? success "Independently Audited"
+
+ As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf).
A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
+
+??? success "Open-Source Clients"
+
+ Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN).
+
+??? success "Accepts Cash"
+
+ Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment.
+
+??? success "WireGuard Support"
+
+ Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+ Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app.
+
+??? warning "Remote Port Forwarding"
+
+ Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients.
+
+??? success "Mobile Clients"
+
+ In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers.
+
+???
info "Additional Functionality"
+
+ Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose.
+
+!!! danger "Killswitch feature is broken on Intel-based Macs"
+
+ System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service.
+
+### IVPN
+
+!!! recommendation
+
+ ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right }
+
+ **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar.
+
+ [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-android: Android](https://www.ivpn.net/apps-android/)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683)
+ - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/)
+ - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/)
+ - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/)
+
+??? success annotate "35 Countries"
+
+ IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1).
Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
+
+ We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Last checked: 2022-09-16
+
+??? success "Independently Audited"
+
+ IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf).
+
+??? success "Open-Source Clients"
+
+ As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn).
+
+??? success "Accepts Cash and Monero"
+
+ In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment.
+
+??? success "WireGuard Support"
+
+ IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+ IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
+
+??? success "Remote Port Forwarding"
+
+ Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html).
+
+??? success "Mobile Clients"
+
+ In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers.
+
+??? info "Additional Functionality"
+
+ IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level.
+
+### Mullvad
+
+!!! recommendation
+
+ ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right }
+
+ **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial.
+
+ [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513)
+ - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases)
+ - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/)
+ - [:simple-apple: macOS](https://mullvad.net/en/download/macos/)
+ - [:simple-linux: Linux](https://mullvad.net/en/download/linux/)
+
+??? success annotate "41 Countries"
+
+ Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
+
+ We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Last checked: 2023-01-19
+
+??? success "Independently Audited"
+
+ Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf).
The security researchers concluded:
+
+ > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint.
+
+ In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website:
+
+ > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks.
+
+ In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf).
+
+??? success "Open-Source Clients"
+
+ Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app).
+
+???
success "Accepts Cash and Monero"
+
+ Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers.
+
+??? success "WireGuard Support"
+
+ Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+ Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
+
+??? success "IPv6 Support"
+
+ Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections.
+
+??? success "Remote Port Forwarding"
+
+ Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information.
+
+???
success "Mobile Clients"
+
+ Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases).
+
+??? info "Additional Functionality"
+
+ Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion).
+
+## Criteria
+
+!!! danger
+
+ It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy.
+
+**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible.
+
+### Technology
+
+We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected.
+
+**Minimum to Qualify:**
+
+- Support for strong protocols such as WireGuard & OpenVPN.
+- Killswitch built in to clients.
+- Multihop support. Multihopping is important to keep data private in case of a single node compromise.
+- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing.
+
+**Best Case:**
+
+- WireGuard and OpenVPN support.
+- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.)
+- Easy-to-use VPN clients
+- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses.
+- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble).
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required.
+
+**Minimum to Qualify:**
+
+- Monero or cash payment option.
+- No personal information required to register: Only username, password, and email at most.
+
+**Best Case:**
+
+- Accepts Monero, cash, and other forms of anonymous payment options (gift cards, etc.)
+- No personal information accepted (autogenerated username, no email required, etc.)
+
+### Security
+
+A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis.
+
+**Minimum to Qualify:**
+
+- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
+- Perfect Forward Secrecy (PFS).
+- Published security audits from a reputable third-party firm.
+
+**Best Case:**
+
+- Strongest Encryption: RSA-4096.
+- Perfect Forward Secrecy (PFS).
+- Comprehensive published security audits from a reputable third-party firm.
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the VPN providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure.
We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+ - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.)
+ - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes.
+- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor.
+
+**Best Case:**
+
+Responsible marketing that is both educational and useful to the consumer could include:
+
+- An accurate comparison to when [Tor](tor.md) should be used instead.
+- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion)
+
+### Additional Functionality
+
+While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc.
+
+--8<-- "includes/abbreviations.de.txt"
diff --git a/i18n/el/404.md b/i18n/el/404.md
new file mode 100644
index 00000000..c25b06d1
--- /dev/null
+++ b/i18n/el/404.md
@@ -0,0 +1,17 @@
+---
+hide:
+ - feedback
+---
+
+# 404 - Δε βρέθηκε
+
+Δεν μπορέσαμε να βρούμε τη σελίδα που ψάχνατε! Ίσως ψάχνατε για ένα από αυτά;
+
+- [Εισαγωγή στα Μοντέλα Απειλών](basics/threat-modeling.md)
+- [Προτεινόμενοι Πάροχοι DNS](dns.md)
+- [Τα Καλύτερα Προγράμματα Περιήγησης Ιστού για Υπολογιστές](desktop-browsers.md)
+- [Οι καλύτεροι πάροχοι VPN](vpn.md)
+- [Φόρουμ Οδηγών Απορρήτου](https://discuss.privacyguides.net)
+- [Το Blog μας](https://blog.privacyguides.org)
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/CODE_OF_CONDUCT.md b/i18n/el/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..88a0e910
--- /dev/null
+++ b/i18n/el/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@
+# Community Code of Conduct
+
+**We pledge** to make our community a harassment-free experience for everyone.
+
+**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others.
+
+**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment.
+
+## Community Standards
+
+What we expect from members of our communities:
+
+1. **Don't spread misinformation**
+
+ We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence.
+
+1. **Don't abuse our willingness to help**
+
+ Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/).
+
+1.
**Behave in a positive and constructive manner**
+
+ Examples of behavior that contributes to a positive environment for our community include:
+
+ - Demonstrating empathy and kindness toward other people
+ - Being respectful of differing opinions, viewpoints, and experiences
+ - Giving and gracefully accepting constructive feedback
+ - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+ - Focusing on what is best not just for us as individuals, but for the overall community
+
+### Unacceptable Behavior
+
+The following behaviors are considered harassment and are unacceptable within our community:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Scope
+
+Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities.
+
+We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion.
+
+### Contact
+
+If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system.
+
+If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
diff --git a/i18n/el/about/criteria.md b/i18n/el/about/criteria.md
new file mode 100644
index 00000000..2f6e0138
--- /dev/null
+++ b/i18n/el/about/criteria.md
@@ -0,0 +1,42 @@
+---
+title: General Criteria
+---
+
+!!! example "Work in Progress"
+
+ The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24)
+
+Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion.
+
+## Financial Disclosure
+
+We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors.
+
+## General Guidelines
+
+We apply these priorities when considering new recommendations:
+
+- **Secure**: Tools should follow security best-practices wherever applicable.
+- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives.
+- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in.
+- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases.
+- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required.
+- **Documented**: Tools should have clear and extensive documentation for use.
+
+## Developer Self-Submissions
+
+We have these requirements in regard to developers which wish to submit their project or software for consideration.
+
+- Must disclose affiliation, i.e. your position within the project being submitted.
+
+- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc.
+ - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit.
+
+- Must explain what the project brings to the table in regard to privacy.
+ - Does it solve any new problem?
+ - Why should anyone use it over the alternatives?
+
+- Must state what the exact threat model is with their project.
+ - It should be clear to potential users what the project can provide, and what it cannot.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/about/donate.md b/i18n/el/about/donate.md
new file mode 100644
index 00000000..ce55e01c
--- /dev/null
+++ b/i18n/el/about/donate.md
@@ -0,0 +1,52 @@ +--- +title: Supporting Us +--- + + +It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers. + +[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +A special thanks to all those who support our mission! :heart: + +*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Privacy Guides is a **non-profit** organization. 
We use donations for a variety of purposes, including:
+
+**Domain Registrations**
+:
+
+We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration.
+
+**Web Hosting**
+:
+
+Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic.
+
+**Online Services**
+:
+
+We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.).
+
+**Product Purchases**
+:
+
+We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md).
+
+We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org).
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/about/index.md b/i18n/el/about/index.md
new file mode 100644
index 00000000..2ba94952
--- /dev/null
+++ b/i18n/el/about/index.md
@@ -0,0 +1,63 @@ +--- +title: "About Privacy Guides" +--- + +**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. + +[:material-hand-coin-outline: Support the project](donate.md ""){.md-button.md-button--primary} + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? 
person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub! + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax deductible in the United States. + +## Site License + +*The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):* + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. 
You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material.
+
+This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space!
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/about/notices.md b/i18n/el/about/notices.md
new file mode 100644
index 00000000..0d4aca09
--- /dev/null
+++ b/i18n/el/about/notices.md
@@ -0,0 +1,45 @@ +--- +title: "Notices and Disclaimers" +hide: + - toc +--- + +## Legal Disclaimer + +Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship. + +Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licenses + +Unless otherwise noted, all content on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). 
+ +This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). + +Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE). + +This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. 
*When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.*
+
+When you contribute to this repository you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project.
+
+## Acceptable Use
+
+You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity.
+
+You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including:
+
+* Excessive Automated Scans
+* Denial of Service Attacks
+* Scraping
+* Data Mining
+* 'Framing' (IFrames)
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/about/privacy-policy.md b/i18n/el/about/privacy-policy.md
new file mode 100644
index 00000000..5e6c805f
--- /dev/null
+++ b/i18n/el/about/privacy-policy.md
@@ -0,0 +1,63 @@ +--- +title: "Privacy Policy" +--- + +Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). + +## Data We Collect From Visitors + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- No personal information is collected +- No information such as cookies are stored in the browser +- No information is shared with, sent to or sold to third-parties +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- No information is monetized + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Data We Collect From Account Holders + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. 
+ +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. 
In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time.
+
+A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/about/privacytools.md b/i18n/el/about/privacytools.md
new file mode 100644
index 00000000..c8e9878a
--- /dev/null
+++ b/i18n/el/about/privacytools.md
@@ -0,0 +1,120 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. 
The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. 
+ +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. 
This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. 
If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. 
+ +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. 
BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. 
+ +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. 
+ +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. 
+
+- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/)
+- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/)
+- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/)
+- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides)
+- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280)
+- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/)
+- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/)
+- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496)
+- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20)
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/about/services.md b/i18n/el/about/services.md
new file mode 100644
index 00000000..7a8088af
--- /dev/null
+++ b/i18n/el/about/services.md
@@ -0,0 +1,40 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) + +--8<-- "includes/abbreviations.el.txt" 
diff --git a/i18n/el/about/statistics.md b/i18n/el/about/statistics.md new file mode 100644 index 00000000..e00eda7c --- /dev/null +++ b/i18n/el/about/statistics.md @@ -0,0 +1,63 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + + +--8<-- "includes/abbreviations.el.txt" diff --git a/i18n/el/advanced/communication-network-types.md b/i18n/el/advanced/communication-network-types.md new file mode 100644 index 00000000..9e6d87cc --- /dev/null +++ b/i18n/el/advanced/communication-network-types.md 
@@ -0,0 +1,104 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. 
+- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. 
They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. 
There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. 
Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. + +--8<-- "includes/abbreviations.el.txt" diff --git a/i18n/el/advanced/dns-overview.md b/i18n/el/advanced/dns-overview.md new file mode 100644 index 00000000..a76c682f --- /dev/null +++ b/i18n/el/advanced/dns-overview.md 
@@ -0,0 +1,307 @@ +--- +title: "DNS Overview" +icon: material/dns +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. 
This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. 
| Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. 
Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. 
When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. 
We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. 
Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. 
We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. 
It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? 
+ +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. + +--8<-- "includes/abbreviations.el.txt" diff --git a/i18n/el/advanced/tor-overview.md b/i18n/el/advanced/tor-overview.md new file mode 100644 index 00000000..1a7f7c41 --- /dev/null +++ b/i18n/el/advanced/tor-overview.md 
@@ -0,0 +1,81 @@
+---
+title: "Tor Overview"
+icon: 'simple/torproject'
+---
+
+Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications.
+
+## Path Building
+
+Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays).
+
+Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function:
+
+### The Entry Node
+
+The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to.
+
+Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1]
+
+### The Middle Node
+
+The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to.
+
+For each new circuit, the middle node is randomly selected out of all available Tor nodes.
+
+### The Exit Node
+
+The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to.
+
+The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2]
+
+
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+
+## Encryption
+
+Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order.
+
+Once Tor has built a circuit, data transmission is done as follows:
+
+1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node.
+
+2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node.
+
+3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address.
+
+Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back.
+
+
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+
+
+Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address.
+
+## Caveats
+
+Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect:
+
+- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity.
+- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible.
+
+If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting.
+
+- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser)
+
+## Additional Resources
+
+- [Tor Browser User Manual](https://tb-manual.torproject.org)
+- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube)
+- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube)
+
+--8<-- "includes/abbreviations.el.txt"
+
+[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/el/android.md b/i18n/el/android.md
new file mode 100644
index 00000000..24c1c3d8
--- /dev/null
+++ b/i18n/el/android.md
@@ -0,0 +1,353 @@ +--- +title: "Android" +icon: 'simple/android' +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +- [General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md) +- [Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! 
recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! 
recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). 
All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. 
For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. 
Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). 
If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! 
recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! 
recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). 
If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. 
+ +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. 
+ + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. 
While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Operating Systems
+
+- Must be open-source software.
+- Must support bootloader locking with custom AVB key support.
+- Must receive major Android updates within 0-1 months of release.
+- Must receive Android feature updates (minor version) within 0-14 days of release.
+- Must receive regular security patches within 0-5 days of release.
+- Must **not** be "rooted" out of the box.
+- Must **not** enable Google Play Services by default.
+- Must **not** require system modification to support Google Play Services.
+
+### Devices
+
+- Must support at least one of our recommended custom operating systems.
+- Must be currently sold new in stores.
+- Must receive a minimum of 5 years of security updates.
+- Must have dedicated secure element hardware.
+
+### Applications
+
+- Applications on this page must not be applicable to any other software category on the site.
+- General applications should extend or replace core system functionality.
+- Applications should receive regular updates and maintenance.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/assets/img/account-deletion/exposed_passwords.png b/i18n/el/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/el/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/el/assets/img/android/rss-apk-dark.png b/i18n/el/assets/img/android/rss-apk-dark.png
new file mode 100644
index 00000000..974869a4
Binary files /dev/null and b/i18n/el/assets/img/android/rss-apk-dark.png differ
diff --git a/i18n/el/assets/img/android/rss-apk-light.png b/i18n/el/assets/img/android/rss-apk-light.png
new file mode 100644
index 00000000..21d6ef03
Binary files /dev/null and b/i18n/el/assets/img/android/rss-apk-light.png differ
diff --git a/i18n/el/assets/img/android/rss-changes-dark.png b/i18n/el/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/el/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/el/assets/img/android/rss-changes-light.png b/i18n/el/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/el/assets/img/android/rss-changes-light.png differ diff --git a/i18n/el/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/el/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/el/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/el/assets/img/how-tor-works/tor-encryption.svg b/i18n/el/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/el/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/el/assets/img/how-tor-works/tor-path-dark.svg b/i18n/el/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/el/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/el/assets/img/how-tor-works/tor-path.svg b/i18n/el/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/el/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/el/assets/img/multi-factor-authentication/fido.png b/i18n/el/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/el/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/el/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/el/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/el/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/el/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/el/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/el/assets/img/qubes/qubes-trust-level-architecture.png differ 
diff --git a/i18n/el/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/el/assets/img/qubes/r4.0-xfce-three-domains-at-work.png
new file mode 100644
index 00000000..d7138149
Binary files /dev/null and b/i18n/el/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ
diff --git a/i18n/el/basics/account-creation.md b/i18n/el/basics/account-creation.md
new file mode 100644
index 00000000..cd9942b2
--- /dev/null
+++ b/i18n/el/basics/account-creation.md
@@ -0,0 +1,82 @@
+---
+title: "Account Creation"
+icon: 'material/account-plus'
+---
+
+Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line.
+
+There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer.
+
+It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.
+
+## Terms of Service & Privacy Policy
+
+The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for.
+ +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. 
This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. 
Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md).
+
+All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak.
+
+### Phone number
+
+We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted.
+
+You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts.
+
+In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number!
+
+### Username and password
+
+Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/basics/account-deletion.md b/i18n/el/basics/account-deletion.md
new file mode 100644
index 00000000..f0a0f099
--- /dev/null
+++ b/i18n/el/basics/account-deletion.md
@@ -0,0 +1,63 @@
+---
+title: "Account Deletion"
+icon: 'material/account-remove'
+---
+
+Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence.
+
+## Finding Old Accounts
+
+### Password Manager
+
+If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/).
+
+
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+
+Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336).
+
+Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about:
+
+- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
+- macOS [Passwords](https://support.apple.com/en-us/HT211145)
+- iOS [Passwords](https://support.apple.com/en-us/HT211146)
+- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
+
+### Email
+
+If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts.
+
+## Deleting Old Accounts
+
+### Log In
+
+In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page.
It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts.
+
+When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account.
+
+### GDPR (EEA residents only)
+
+Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
+
+### Overwriting Account information
+
+In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information.
+
+For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.
+
+### Delete
+
+You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
+
+For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this).
+
+If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
+
+Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services.
+
+## Avoid New Accounts
+
+As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/basics/common-misconceptions.md b/i18n/el/basics/common-misconceptions.md
new file mode 100644
index 00000000..8bdda952
--- /dev/null
+++ b/i18n/el/basics/common-misconceptions.md
@@ -0,0 +1,61 @@
+---
+title: "Common Misconceptions"
+icon: 'material/robot-confused'
+---
+
+## "Open-source software is always secure" or "Proprietary software is more secure"
+
+These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis.
+
+Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1]
+
+On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
+
+To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use.
+
+## "Shifting trust can increase privacy"
+
+We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that:
+
+1. 
You must exercise caution when choosing a provider to shift trust to.
+2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data.
+
+## "Privacy-focused solutions are inherently trustworthy"
+
+Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider.
+
+The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all.
+
+## "Complicated is better"
+
+We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?"
+
+Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips:
+
+1. 
==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. 
This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +--8<-- "includes/abbreviations.el.txt" + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/el/basics/common-threats.md b/i18n/el/basics/common-threats.md new file mode 100644 index 00000000..93c32a77 --- /dev/null +++ b/i18n/el/basics/common-threats.md 
@@ -0,0 +1,149 @@
+---
+title: "Common Threats"
+icon: 'material/eye-outline'
+---
+
+Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat.
+
+- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically.
+- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically.
+- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
+- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
+- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities.
+- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
+- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public.
+- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online.
+ +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. 
The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). 
+ +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. 
Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. 
+ +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! 
quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. 
Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. 
This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. 
Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
+
+You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.
+
+--8<-- "includes/abbreviations.el.txt"
+
+[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance).
+[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques.
+[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights).
diff --git a/i18n/el/basics/email-security.md b/i18n/el/basics/email-security.md
new file mode 100644
index 00000000..76839778
--- /dev/null
+++ b/i18n/el/basics/email-security.md
@@ -0,0 +1,42 @@
+---
+title: Email Security
+icon: material/email
+---
+
+Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed.
+
+As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others.
+
+## Email Encryption Overview
+
+The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
+
+There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible.
+
+### What Email Clients Support E2EE?
+
+Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication.
+
+### How Do I Protect My Private Keys?
+
+A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
+
+It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.
+
+## Email Metadata Overview
+
+Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
+
+Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent.
+
+### Who Can View Email Metadata?
+
+Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages.
+
+### Why Can't Metadata be E2EE?
+
+Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/basics/multi-factor-authentication.md b/i18n/el/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..851c8791
--- /dev/null
+++ b/i18n/el/basics/multi-factor-authentication.md
@@ -0,0 +1,166 @@
+---
+title: "Multi-Factor Authentication"
+icon: 'material/two-factor-authentication'
+---
+
+**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app.
+
+Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone.
+
+MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO.
+
+## MFA Method Comparison
+
+### SMS or Email MFA
+
+Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account.
+
+### Push Notifications
+
+Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first.
+ +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. 
If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. 
+ +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. 
+ +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. 
+ +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. + +--8<-- "includes/abbreviations.el.txt" diff --git a/i18n/el/basics/passwords-overview.md b/i18n/el/basics/passwords-overview.md new file mode 100644 index 00000000..f60aaf5a --- /dev/null +++ b/i18n/el/basics/passwords-overview.md 
@@ -0,0 +1,112 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. 
+ +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! 
note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. 
+ + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. 
+ +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. + +--8<-- "includes/abbreviations.el.txt" diff --git a/i18n/el/basics/threat-modeling.md b/i18n/el/basics/threat-modeling.md new file mode 100644 index 00000000..3be5e402 --- /dev/null +++ b/i18n/el/basics/threat-modeling.md 
@@ -0,0 +1,111 @@ +--- +title: "Threat Modeling" +icon: 'material/target-account' +--- + +Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. What do I want to protect? +2. Who do I want to protect it from? +3. How likely is it that I will need to protect it? +4. How bad are the consequences if I fail? +5. How much trouble am I willing to go through to try to prevent potential consequences? + +### What do I want to protect? + +An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. 
Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. 
+ +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. 
Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. 
+ +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Sources + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) + +--8<-- "includes/abbreviations.el.txt" diff --git a/i18n/el/basics/vpn-overview.md b/i18n/el/basics/vpn-overview.md new file mode 100644 index 00000000..7ac0e668 --- /dev/null +++ b/i18n/el/basics/vpn-overview.md 
@@ -0,0 +1,78 @@ +--- +title: VPN Overview +icon: material/vpn +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. 
However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. 
If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. 
Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) + +--8<-- "includes/abbreviations.el.txt" diff --git a/i18n/el/calendar.md b/i18n/el/calendar.md new file mode 100644 index 00000000..8f1795ca --- /dev/null +++ b/i18n/el/calendar.md 
@@ -0,0 +1,71 @@
+---
+title: "Calendar Sync"
+icon: material/calendar
+---
+
+Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them.
+
+## Tutanota
+
+!!! recommendation
+
+ ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right }
+ ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right }
+
+ **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/).
+
+ Multiple calendars and extended sharing functionality is limited to paid subscribers.
+
+ [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609)
+ - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota)
+ - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+
+## Proton Calendar
+
+!!! 
recommendation
+
+ ![Proton](assets/img/calendar/proton-calendar.svg){ align=right }
+
+ **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers.
+
+ [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar)
+ - [:octicons-browser-16: Web](https://calendar.proton.me)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Must sync and store information with E2EE to ensure data is not visible to the service provider.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should integrate with native OS calendar and contact management apps if applicable.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/cloud.md b/i18n/el/cloud.md
new file mode 100644
index 00000000..7c4c524a
--- /dev/null
+++ b/i18n/el/cloud.md
@@ -0,0 +1,62 @@
+---
+title: "Cloud Storage"
+icon: material/file-cloud
+---
+
+Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by either putting you in control of your data or by implementing E2EE.
+
+If these alternatives do not fit your needs, we suggest you look into [Encryption Software](encryption.md).
+
+??? question "Looking for Nextcloud?"
+
+ Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users.
+
+## Proton Drive
+
+!!! recommendation
+
+ ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right }
+
+ **Proton Drive** is an E2EE general file storage service by the popular encrypted email provider [Proton Mail](https://proton.me/mail).
+
+ [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851)
+
+Proton Drive's mobile clients were released in December 2022 and are not yet open-source. Proton has historically delayed their source code releases until after initial product releases, and [plans to](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) release the source code by the end of 2023. Proton Drive desktop clients are still in development. 
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must enforce end-to-end encryption.
+- Must offer a free plan or trial period for testing.
+- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins.
+- Must offer a web interface which supports basic file management functionality.
+- Must allow for easy exports of all files/documents.
+- Must use standard, audited encryption.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Clients should be open-source.
+- Clients should be audited in their entirety by an independent third-party.
+- Should offer native clients for Linux, Android, Windows, macOS, and iOS.
+ - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android.
+- Should support easy file-sharing with other users. 
+- Should offer at least basic file preview and editing functionality on the web interface.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/data-redaction.md b/i18n/el/data-redaction.md
new file mode 100644
index 00000000..ebb66770
--- /dev/null
+++ b/i18n/el/data-redaction.md
@@ -0,0 +1,146 @@
+---
+title: "Data and Metadata Redaction"
+icon: material/tag-remove
+---
+
+When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata.
+
+## Desktop
+
+### MAT2
+
+!!! recommendation
+
+ ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right }
+
+ **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org).
+
+ On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner).
+
+ [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation}
+ [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://pypi.org/project/mat2)
+ - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew)
+ - [:simple-linux: Linux](https://pypi.org/project/mat2)
+ - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface)
+
+## Mobile
+
+### ExifEraser (Android)
+
+!!! recommendation
+
+ ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right }
+
+ **ExifEraser** is a modern, permissionless image metadata erasing application for Android. 
+
+ It currently supports JPEG, PNG and WebP files.
+
+ [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser)
+ - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser)
+ - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases)
+
+The metadata that is erased depends on the image's file type:
+
+* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists.
+* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+
+After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image.
+
+The app offers multiple ways to erase metadata from images. Namely:
+
+* You can share an image from another application with ExifEraser.
+* Through the app itself, you can select a single image, multiple images at once, or even an entire directory.
+* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it.
+* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode.
+* Lastly, it allows you to paste an image from your clipboard.
+
+### Metapho (iOS)
+
+!!! recommendation
+
+ ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right }
+
+ **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. 
+
+ [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352)
+
+### PrivacyBlur
+
+!!! recommendation
+
+ ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right }
+
+ **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online.
+
+ [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106)
+
+!!! warning
+
+ You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid).
+
+## Command-line
+
+### ExifTool
+
+!!! recommendation
+
+ ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right }
+
+ **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more).
+
+ It's often a component of other Exif removal applications and is in most Linux distribution repositories. 
+
+ [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://exiftool.org)
+ - [:simple-apple: macOS](https://exiftool.org)
+ - [:simple-linux: Linux](https://exiftool.org)
+
+!!! example "Deleting data from a directory of files"
+
+ ```bash
+ exiftool -all= *.file_extension
+ ```
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Apps developed for open-source operating systems must be open-source.
+- Apps must be free and should not include ads or other limitations.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/desktop-browsers.md b/i18n/el/desktop-browsers.md
new file mode 100644
index 00000000..a29e6ffa
--- /dev/null
+++ b/i18n/el/desktop-browsers.md
@@ -0,0 +1,263 @@
+---
+title: "Desktop Browsers"
+icon: material/laptop
+---
+
+These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping your browser extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Firefox
+
+!!! recommendation
+
+ ![Firefox logo](assets/img/browsers/firefox.svg){ align=right }
+
+ **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks).
+
+ [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows)
+ - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac)
+ - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox)
+
+!!! 
warning
+ Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/).
+
+### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Privacy & Security**.
+
+##### Enhanced Tracking Protection
+
+- [x] Select **Strict** Enhanced Tracking Protection
+
+This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability.
+
+##### Sanitize on Close
+
+If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...**
+
+- [x] Check **Delete cookies and site data when Firefox is closed**
+
+This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often.
+
+##### Search Suggestions
+
+- [ ] Uncheck **Provide search suggestions**
+
+Search suggestion features may not be available in your region. 
+
+Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider.
+
+##### Telemetry
+
+- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla**
+- [ ] Uncheck **Allow Firefox to install and run studies**
+- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf**
+
+> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.
+
+Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out:
+
+1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection)
+2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts**
+
+##### HTTPS-Only Mode
+
+- [x] Select **Enable HTTPS-Only Mode in all windows**
+
+This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing.
+
+### Firefox Sync
+
+[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE.
+
+### Arkenfox (advanced)
+
+The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. 
If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support.
+
+## Brave
+
+!!! recommendation
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ??? downloads annotate
+
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+ - [:simple-windows11: Windows](https://brave.com/download/)
+ - [:simple-apple: macOS](https://brave.com/download/)
+ - [:simple-linux: Linux](https://brave.com/linux/) (1)
+
+ 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. 
+
+### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings**.
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+
+- [x] Select **Prevent sites from fingerprinting me based on my language preferences**
+- [x] Select **Aggressive** under Trackers & ads blocking
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under Block fingerprinting
+
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Social media blocking
+
+- [ ] Uncheck all social media components
+
+##### Privacy and security
+
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Use Google services for push messaging**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [x] Select **Always use secure connections** in the **Security** menu
+- [ ] Uncheck **Private window with Tor** (1)
+
+ !!! tip "Sanitizing on Close"
+ - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu
+
+ If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section.
+
+
+
+1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser).
+
+##### Extensions
+
+Disable built-in extensions you do not use in **Extensions**
+
+- [ ] Uncheck **Hangouts**
+- [ ] Uncheck **WebTorrent**
+
+##### IPFS
+
+InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+- [x] Select **Disabled** on Method to resolve IPFS resources
+
+##### Additional settings
+
+Under the *System* menu
+
+
+
+- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1)
+
+
+
+1. This option is not present on all platforms.
+
+### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## Additional Resources
+
+We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality.
+
+### uBlock Origin
+
+!!! recommendation
+
+ ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right }
+
+ **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts.
+
+ [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak)
+
+We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). 
+
+##### Other lists
+
+These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding:
+
+- [x] Check **Privacy** > **AdGuard URL Tracking Protection**
+- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must be open-source software.
+- Supports automatic updates.
+- Receives engine updates in 0-1 days from upstream release.
+- Available on Linux, macOS, and Windows.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Blocks third-party cookies by default.
+- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1]
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Includes built-in content blocking functionality.
+- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)).
+- Supports Progressive Web Apps.
+ PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates.
+- Does not include add-on functionality (bloatware) that does not impact user privacy.
+- Does not collect telemetry by default.
+- Provides open-source sync server implementation.
+- Defaults to a [private search engine](search-engines.md).
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.el.txt"
+
+[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/).
diff --git a/i18n/el/desktop.md b/i18n/el/desktop.md
new file mode 100644
index 00000000..492ef3a1
--- /dev/null
+++ b/i18n/el/desktop.md
@@ -0,0 +1,184 @@
+---
+title: "Desktop/PC"
+icon: simple/linux
+---
+
+Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions.
+
+- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md)
+
+## Traditional Distributions
+
+### Fedora Workstation
+
+!!! recommendation
+
+    ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right }
+
+    **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general.
+
+    [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation}
+    [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
+
+### openSUSE Tumbleweed
+
+!!! recommendation
+
+    ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
+
+    **openSUSE Tumbleweed** is a stable rolling release distribution. 
+
+    openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.
+
+    [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation}
+    [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute }
+
+Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality.
+
+### Arch Linux
+
+!!! recommendation
+
+    ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right }
+
+    **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).
+
+    [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation}
+    [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute }
+
+Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.
+
+Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
+
+A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). 
+
+## Immutable Distributions
+
+### Fedora Silverblue
+
+!!! recommendation
+
+    ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right }
+
+    **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.
+
+    [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation}
+    [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.
+
+After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed.
+
+[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. 
+
+As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer.
+
+### NixOS
+
+!!! recommendation
+
+    ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right }
+
+    NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.
+
+    [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation}
+    [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute }
+
+NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.
+
+NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.
+
+Nix the package manager uses a purely functional language - which is also called Nix - to define packages.
+
+[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. 
You can also define your own packages in the same language and then easily include them in your config.
+
+Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible.
+
+## Anonymity-Focused Distributions
+
+### Whonix
+
+!!! recommendation
+
+    ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right }
+
+    **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os).
+
+    [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary }
+    [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" }
+    [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation}
+    [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute }
+
+Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.
+
+Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. 
+
+Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
+
+Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors.
+
+### Tails
+
+!!! recommendation
+
+    ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right }
+
+    **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off.
+
+    [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation}
+    [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute }
+
+Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized.
+
+Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. 
[Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device.
+
+By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots.
+
+## Security-focused Distributions
+
+### Qubes OS
+
+!!! recommendation
+
+    ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right }
+
+    **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers.
+
+    [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary }
+    [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary }
+    [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" }
+    [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation }
+    [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute }
+
+Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*.
+
+The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). 
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+    We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Our recommended operating systems:
+
+- Must be open-source.
+- Must receive regular software and Linux kernel updates.
+- Linux distributions must support [Wayland](os/linux-overview.md#Wayland).
+- Must support full-disk encryption during installation.
+- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/dns.md b/i18n/el/dns.md
new file mode 100644
index 00000000..abb7c79a
--- /dev/null
+++ b/i18n/el/dns.md
@@ -0,0 +1,142 @@
+---
+title: "DNS Resolvers"
+icon: material/dns
+---
+
+!!! question "Should I use encrypted DNS?"
+
+    Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity.
+
+    [Learn more about DNS](advanced/dns-overview.md){ .md-button }
+
+## Recommended Providers
+
+| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering |
+| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
+| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) |
+| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. |
+| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. |
+| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) |
+| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. |
+| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. |
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+    We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec).
+- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization).
+- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled.
+- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support.
+
+## Native Operating System Support
+
+### Android
+
+Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**.
+
+### Apple Devices
+
+The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). 
+
+After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings.
+
+#### Signed Profiles
+
+Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/).
+
+!!! info
+
+    `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS.
+
+## Encrypted DNS Proxies
+
+Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns).
+
+### RethinkDNS
+
+!!! 
recommendation
+
+    ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right }
+    ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right }
+
+    **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
+
+    [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" }
+
+    ??? downloads
+
+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns)
+        - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases)
+
+### dnscrypt-proxy
+
+!!! recommendation
+
+    ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right }
+
+    **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
+
+    !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." 
+
+    [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute }
+
+    ??? downloads
+
+        - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows)
+        - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS)
+        - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux)
+
+## Self-hosted Solutions
+
+A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed.
+
+### AdGuard Home
+
+!!! recommendation
+
+    ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right }
+
+    **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+    AdGuard Home features a polished web interface to view insights and manage blocked content.
+
+    [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" }
+
+### Pi-hole
+
+!!! 
recommendation
+
+    ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right }
+
+    **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+    Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content.
+
+    [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute }
+
+--8<-- "includes/abbreviations.el.txt"
+
+[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html)
+[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. 
[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/)
+[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy)
+[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/)
+[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy)
+[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/)
diff --git a/i18n/el/email-clients.md b/i18n/el/email-clients.md
new file mode 100644
index 00000000..676e252b
--- /dev/null
+++ b/i18n/el/email-clients.md
@@ -0,0 +1,239 @@ +--- +title: "Email Clients" +icon: material/email-open +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! 
recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. 
+ + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! 
recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. + +--8<-- "includes/abbreviations.el.txt" diff --git a/i18n/el/email.md b/i18n/el/email.md new file mode 100644 index 00000000..d039b722 --- /dev/null +++ b/i18n/el/email.md 
@@ -0,0 +1,485 @@ +--- +title: "Email Services" +icon: material/email +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +??? 
success "Custom Domains and Aliases" + + Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +??? success "Private Payment Methods" + + Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments. + +??? success "Account Security" + + Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code. + +??? success "Data Security" + + Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + + Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +??? success "Email Encryption" + + Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. 
+ + Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + +??? warning "Digital Legacy" + + Proton Mail doesn't offer a digital legacy feature. + +??? info "Account Termination" + + If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +??? info "Additional Functionality" + + Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +??? success "Custom Domains and Aliases" + + Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. 
Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +??? info "Private Payment Methods" + + Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +??? success "Account Security" + + Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +??? info "Data Security" + + Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + + However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +??? success "Email Encryption" + + Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. 
This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + + Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +??? success "Digital Legacy" + + Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +??? info "Account Termination" + + Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +??? info "Additional Functionality" + + You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + + All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +### StartMail + +!!! 
recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +??? success "Custom Domains and Aliases" + + Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +??? warning "Private Payment Methods" + + StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +??? success "Account Security" + + StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +??? info "Data Security" + + StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. 
When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + + StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +??? success "Email Encryption" + + StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. + +??? warning "Digital Legacy" + + StartMail does not offer a digital legacy feature. + +??? info "Account Termination" + + On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +??? info "Additional Functionality" + + StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +??? success "Custom Domains and Aliases" + + Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). 
Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +??? warning "Private Payment Methods" + + Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +??? success "Account Security" + + Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +??? success "Data Security" + + Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +??? warning "Email Encryption" + + Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +??? warning "Digital Legacy" + + Tutanota doesn't offer a digital legacy feature. + +??? info "Account Termination" + + Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +??? info "Additional Functionality" + + Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + + Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. 
+ +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. 
You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! 
recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. 
We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. 
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). 
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). 
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. 
(email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc)
+- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+
+**Best Case:**
+
+- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
+
+### Additional Functionality
+
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/encryption.md b/i18n/el/encryption.md
new file mode 100644
index 00000000..f680e0ad
--- /dev/null
+++ b/i18n/el/encryption.md
@@ -0,0 +1,357 @@
+---
+title: "Encryption Software"
+icon: material/file-lock
+---
+
+Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here.
+
+## Multi-platform
+
+The options listed here are multi-platform and great for creating encrypted backups of your data.
+
+### Cryptomator (Cloud)
+
+!!! recommendation
+
+ ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right }
+
+ **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider.
+
+ [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:simple-android: Android](https://cryptomator.org/android)
+ - [:simple-windows11: Windows](https://cryptomator.org/downloads)
+ - [:simple-apple: macOS](https://cryptomator.org/downloads)
+ - [:simple-linux: Linux](https://cryptomator.org/downloads)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+
+Cryptomator uses AES-256 encryption to encrypt both files and filenames.
Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. 
+ +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. 
Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`:
+
+ ```
+ powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm
+ ```
+
+ 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**.
+
+ 4. Login with your admin account and type this in the command prompt to start encryption:
+
+ ```
+ manage-bde -on c: -used
+ ```
+
+ 5. Close the command prompt and continue booting to regular Windows.
+
+ 6. Open an admin command prompt and run the following commands:
+
+ ```
+ manage-bde c: -protectors -add -rp -tpm
+ manage-bde -protectors -enable c:
+ manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
+ ```
+
+ !!! tip
+
+ Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data.
+
+### FileVault
+
+!!! recommendation
+
+ ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right }
+
+ **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip.
+
+ [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation}
+
+We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery.
+
+### Linux Unified Key Setup
+
+!!!
recommendation
+
+ ![LUKS logo](assets/img/encryption-software/luks.png){ align=right }
+
+ **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.
+
+ [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" }
+
+??? example "Creating and opening encrypted containers"
+
+ ```
+ dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
+ sudo cryptsetup luksFormat /path-to-file
+ ```
+
+
+ #### Opening encrypted containers
+ We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface.
+ ```
+ udisksctl loop-setup -f /path-to-file
+ udisksctl unlock -b /dev/loop0
+ ```
+
+!!! note "Remember to back up volume headers"
+
+ We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with:
+
+ ```
+ cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
+ ```
+
+## Browser-based
+
+Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device.
+
+### hat.sh
+
+!!!
recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! 
recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. 
+
+ [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+
+### GPG Suite
+
+!!! note
+
+ We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices.
+
+!!! recommendation
+
+ ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right }
+
+ **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS.
+
+ We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support.
+
+ [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-apple: macOS](https://gpgtools.org)
+
+### OpenKeychain
+
+!!! recommendation
+
+ ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right }
+
+ **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support.
Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).
+
+ [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Cross-platform encryption apps must be open-source.
+- File encryption apps must support decryption on Linux, macOS, and Windows.
+- External disk encryption apps must support decryption on Linux, macOS, and Windows.
+- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave.
+- File encryption apps should have first- or third-party support for mobile platforms.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/file-sharing.md b/i18n/el/file-sharing.md new file mode 100644
index 00000000..f499954b
--- /dev/null
+++ b/i18n/el/file-sharing.md
@@ -0,0 +1,148 @@
+---
+title: "File Sharing and Sync"
+icon: material/share-variant
+---
+
+Discover how to privately share your files between your devices, with your friends and family, or anonymously online.
+
+## File Sharing
+
+### Send
+
+!!! recommendation
+
+ ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right }
+
+ **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself.
+
+ [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute }
+
+Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server:
+
+```bash
+ffsend upload --host https://send.vis.ee/ FILE
+```
+
+### OnionShare
+
+!!! recommendation
+
+ ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right }
+
+ **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files.
+
+ [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://onionshare.org/#download)
+ - [:simple-apple: macOS](https://onionshare.org/#download)
+ - [:simple-linux: Linux](https://onionshare.org/#download)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must not store decrypted data on a remote server.
+- Must be open-source software.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+## FreedomBox
+
+!!! recommendation
+
+ ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right }
+
+ **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer).
The purpose is to make it easy to set up server applications that you might want to self-host.
+
+ [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation}
+ [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute }
+
+## File Sync
+
+### Nextcloud (Client-Server)
+
+!!! recommendation
+
+ ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right }
+
+ **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control.
+
+ [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!!
danger
+
+ We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality.
+
+### Syncthing (P2P)
+
+!!! recommendation
+
+ ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right }
+
+ **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS.
+
+ [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid)
+ - [:simple-windows11: Windows](https://syncthing.net/downloads/)
+ - [:simple-apple: macOS](https://syncthing.net/downloads/)
+ - [:simple-linux: Linux](https://syncthing.net/downloads/)
+ - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/)
+ - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/)
+ - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must not require a third-party remote/cloud server.
+- Must be open-source software.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Has mobile clients for iOS and Android, which at least support document previews.
+- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/frontends.md b/i18n/el/frontends.md new file mode 100644
index 00000000..c1c22761
--- /dev/null
+++ b/i18n/el/frontends.md
@@ -0,0 +1,268 @@
+---
+title: "Frontends"
+icon: material/flip-to-front
+---
+
+Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions.
+
+## LBRY
+
+### Librarian
+
+!!! recommendation
+
+ ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right }
+ ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right }
+
+ **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" }
+
+!!! warning
+
+ Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy.
+
+!!! tip
+
+ Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting.
+
+When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## Twitter
+
+### Nitter
+
+!!! recommendation
+
+ ![Nitter logo](assets/img/frontends/nitter.svg){ align=right }
+
+ **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute }
+
+!!! tip
+
+ Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter).
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting.
+
+When you are using a Nitter instance, make sure to read the privacy policy of that specific instance.
Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## TikTok
+
+### ProxiTok
+
+!!! recommendation
+
+ ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right }
+
+ **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" }
+
+!!! tip
+
+ ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting.
+
+When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## YouTube
+
+### FreeTube
+
+!!! recommendation
+
+ ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right }
+
+ **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com).
When using FreeTube, your subscription list and playlists are saved locally on your device.
+
+ By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments.
+
+ [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://freetubeapp.io/#download)
+ - [:simple-apple: macOS](https://freetubeapp.io/#download)
+ - [:simple-linux: Linux](https://freetubeapp.io/#download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube)
+
+!!! warning
+
+ When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+### Yattee
+
+!!! recommendation
+
+ ![Yattee logo](assets/img/frontends/yattee.svg){ align=right }
+
+ **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device.
+
+ You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions.
+
+ [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629)
+ - [:simple-github: GitHub](https://github.com/yattee/yattee/releases)
+
+!!! warning
+
+ When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments.
+
+### LibreTube (Android)
+
+!!! recommendation
+
+ ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right }
+ ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right }
+
+ **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API.
+
+ LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well.
+
+ [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases)
+
+!!! warning
+
+ When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired.
+
+### NewPipe (Android)
+
+!!! recommendation annotate
+
+ ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right }
+
+ **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1).
+
+ Your subscription list and playlists are saved locally on your Android device.
+
+ [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases)
+
+1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances**
+
+!!! Warning
+
+ When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+### Invidious
+
+!!! recommendation
+
+ ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right }
+ ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right }
+
+ **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute }
+
+!!! warning
+
+ Invidious does not proxy video streams by default.
Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL.
+
+!!! tip
+
+ Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting.
+
+When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+### Piped
+
+!!! recommendation
+
+ ![Piped logo](assets/img/frontends/piped.svg){ align=right }
+
+ **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable.
+
+ Piped requires JavaScript in order to function and there are a number of public instances.
+
+ [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute }
+
+!!!
tip
+
+ Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting.
+
+When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Recommended frontends...
+
+- Must be open-source software.
+- Must be self-hostable.
+- Must provide all basic website functionality available to anonymous users.
+
+We only consider frontends for websites which are...
+
+- Not normally accessible without JavaScript.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/index.md b/i18n/el/index.md new file mode 100644
index 00000000..476ba4a0
--- /dev/null
+++ b/i18n/el/index.md
@@ -0,0 +1,44 @@
+---
+template: overrides/home.el.html
+hide:
+ - navigation
+ - toc
+ - feedback
+---
+
+
+## Γιατί πρέπει να με νοιάζει;
+
+##### "Δεν έχω κάτι να κρύψω. Γιατί πρέπει να με νοιάζει η ιδιωτικότητα μου;"
+
+Όπως το δικαίωμα για τον διαφυλετικό γάμο, το δικαίωμα ψήφου για τις γυναικών, η ελευθερία του λόγου και πολλά άλλα, έτσι και το δικαίωμά για την ιδιωτικότητα μας δεν έχει πάντα υποστηριχθεί. Σε πολλές δικτατορίες, αυτό δεν ισχύει. Γενιές πριν από τη δική μας αγωνίστηκαν για το δικαίωμα της ιδιωτικότητας μας. ==Η ιδιωτικότητα είναι ένα ανθρώπινο δικαίωμα, εγγενές σε όλους μας,== το οποίο δικαιούμαστε (χωρίς διακρίσεις).
+
+Δεν πρέπει να μπερδεύεις την ιδιωτικότητα με τη μυστικότητα. Ξέρουμε τι συμβαίνει όσο είσαι στο μπάνιο, αλλά εξακολουθείς να κλείνεις την πόρτα. Αυτό συμβαίνει επειδή θέλεις ιδιωτικότητα, όχι μυστικότητα. **Όλοι** έχουν κάτι να προστατεύσουν. Η ιδιωτικότητα είναι κάτι που μας κάνει ανθρώπους.
+
+[:material-target-account: Συχνές Απειλές Στο Διαδίκτυο](basics/common-threats.md ""){.md-button.md-button--primary}
+
+## Τι πρέπει να κάνω;
+
+##### Πρώτα απ 'όλα, πρέπει να φτιάξεις ένα σχέδιο
+
+Το να προσπαθείς να προστατεύσεις συνέχεια όλα τα δεδομένα σου από όλους είναι ανέφικτο, δαπανηρό και εξαντλητικό. Αλλά μην ανησυχείς! Η ασφάλεια είναι μια διαδικασία και, αν σκέφτεσαι εκ των προτέρων, μπορείς να δημιουργήσεις ένα σχέδιο που είναι κατάλληλο για εσένα. Η ασφάλεια δεν αφορά μόνο τα εργαλεία που χρησιμοποιείς ή το λογισμικό που κατεβάζεις. Rather, it begins by understanding the unique threats you face, and how you can mitigate them.
+
+==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
+
+[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary}
+
+---
+
+## We need you!
Here's how to get involved:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" }
+[:material-information-outline:](about/index.md){ title="Learn more about us" }
+[:material-hand-coin-outline:](about/donate.md){ title="Support the project" }
+
+It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/kb-archive.md b/i18n/el/kb-archive.md
new file mode 100644
index 00000000..b5680249
--- /dev/null
+++ b/i18n/el/kb-archive.md
@@ -0,0 +1,18 @@
+---
+title: KB Archive
+icon: material/archive
+---
+
+# Pages Moved to Blog
+
+Some pages that used to be in our knowledge base can now be found on our blog:
+
+- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
+- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
+- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
+- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/meta/brand.md b/i18n/el/meta/brand.md
new file mode 100644
index 00000000..69575141
--- /dev/null
+++ b/i18n/el/meta/brand.md
@@ -0,0 +1,24 @@
+---
+title: Branding Guidelines
+---
+
+The name of the website is **Privacy Guides** and should **not** be changed to:
+
+
+- PrivacyGuides
+- Privacy guides
+- PG
+- PG.org
+
+
+The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**.
+
+Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand)
+
+## Trademark
+
+"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project.
+
+Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/meta/git-recommendations.md b/i18n/el/meta/git-recommendations.md
new file mode 100644
index 00000000..e9b9a719
--- /dev/null
+++ b/i18n/el/meta/git-recommendations.md
@@ -0,0 +1,48 @@
+---
+title: Git Recommendations
+---
+
+If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations.
+
+## Enable SSH Key Commit Signing
+
+You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
+
+1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo):
+ ```
+ git config --global commit.gpgsign true
+ git config --global gpg.format ssh
+ git config --global tag.gpgSign true
+ ```
+2. Copy your SSH public key to your clipboard, for example:
+ ```
+ pbcopy < ~/.ssh/id_ed25519.pub
+ # Copies the contents of the id_ed25519.pub file to your clipboard
+ ```
+3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard:
+ ```
+ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'
+ ```
+
+Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key).
+
+## Rebase on Git pull
+
+Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo).
+
+You can set this to be the default behavior:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase from `main` before submitting a PR
+
+If you are working on your own branch, run these commands before submitting a PR:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/meta/uploading-images.md b/i18n/el/meta/uploading-images.md
new file mode 100644
index 00000000..69102f6d
--- /dev/null
+++ b/i18n/el/meta/uploading-images.md
@@ -0,0 +1,91 @@
+---
+title: Uploading Images
+---
+
+Here are a couple of general rules for contributing to Privacy Guides:
+
+## Images
+
+- We **prefer** SVG images, but if those do not exist we can use PNG images
+
+Company logos have canvas size of:
+
+- 128x128px
+- 384x128px
+
+## Optimization
+
+### PNG
+
+Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image:
+
+```bash
+optipng -o7 file.png
+```
+
+### SVG
+
+#### Inkscape
+
+[Scour](https://github.com/scour-project/scour) all SVG images.
+
+In Inkscape:
+
+1. File Save As..
+2. Set type to Optimized SVG (*.svg)
+
+In the **Options** tab:
+
+- **Number of significant digits for coordinates** > **5**
+- [x] Turn on **Shorten color values**
+- [x] Turn on **Convert CSS attributes to XML attributes**
+- [x] Turn on **Collapse groups**
+- [x] Turn on **Create groups for similar attributes**
+- [ ] Turn off **Keep editor data**
+- [ ] Turn off **Keep unreferenced definitions**
+- [x] Turn on **Work around renderer bugs**
+
+In the **SVG Output** tab under **Document options**:
+
+- [ ] Turn off **Remove the XML declaration**
+- [x] Turn on **Remove metadata**
+- [x] Turn on **Remove comments**
+- [x] Turn on **Embeded raster images**
+- [x] Turn on **Enable viewboxing**
+
+In the **SVG Output** under **Pretty-printing**:
+
+- [ ] Turn off **Format output with line-breaks and indentation**
+- **Indentation characters** > Select **Space**
+- **Depth of indentation** > **1**
+- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element**
+
+In the **IDs** tab:
+
+- [x] Turn on **Remove unused IDs**
+- [ ] Turn off **Shorten IDs**
+- **Prefix shortened IDs with** > `leave blank`
+- [x] Turn on **Preserve manually created IDs not ending with digits**
+- **Preserve the following IDs** > `leave blank`
+- **Preserve IDs starting with** > `leave blank`
+
+#### CLI
+
+The same can be achieved with the [Scour](https://github.com/scour-project/scour) command:
+
+```bash
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/meta/writing-style.md b/i18n/el/meta/writing-style.md
new file mode 100644
index 00000000..9a1019ea
--- /dev/null
+++ b/i18n/el/meta/writing-style.md
@@ -0,0 +1,89 @@
+---
+title: Writing Style
+---
+
+Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt.
+
+In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below.
+
+## Writing for our audience
+
+Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with.
+
+### Address only what people want to know
+
+People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details.
+
+> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.”
+
+### Address people directly
+
+We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly.
+
+> More than any other single technique, using “you” pulls users into the information and makes it relevant to them.
+>
+> When you use “you” to address users, they are more likely to understand what their responsibility is.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/)
+
+### Avoid "users"
+
+Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for.
+
+## Organizing content
+
+Organization is key.
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas.
+
+- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages.
+- Mark important ideas with **bold** or *italics*.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
+
+### Begin with a topic sentence
+
+> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details.
+>
+> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
+
+## Choose your words carefully
+
+> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand.
+
+We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly.
+
+> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences:
+>
+> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends.
+>
+> And the original, using stronger, simpler words:
+>
+> > More night jobs would keep youths off the streets.
+
+## Be concise
+
+> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
+
+## Keep text conversational
+
+> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting.
+>
+> Verbs tell your audience what to do. Make sure it’s clear who does what.
+
+### Use active voice
+
+> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.”
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
+
+### Use "must" for requirements
+
+> - “must” for an obligation
+> - “must not” for a prohibition
+> - “may” for a discretionary action
+> - “should” for a recommendation
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/mobile-browsers.md b/i18n/el/mobile-browsers.md
new file mode 100644
index 00000000..d13bfb6a
--- /dev/null
+++ b/i18n/el/mobile-browsers.md
@@ -0,0 +1,193 @@
+---
+title: "Mobile Browsers"
+icon: material/cellphone-information
+---
+
+These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Android
+
+On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
+
+### Brave
+
+!!! recommendation
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ???
downloads annotate
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+
+#### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy**
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+##### Brave shields global defaults
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+
+- [x] Select **Aggressive** under Block trackers & ads
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] Select **Upgrade connections to HTTPS**
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under **Block fingerprinting**
+
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Clear browsing data
+
+- [x] Select **Clear data on exit**
+
+##### Social Media Blocking
+
+- [ ] Uncheck all social media components
+
+##### Other privacy settings
+
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Allow sites to check if you have payment methods saved**
+- [ ] Uncheck **IPFS Gateway** (1)
+- [x] Select **Close tabs on exit**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+
+1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+
+
+#### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## iOS
+
+On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser.
+
+### Safari
+
+!!! recommendation
+
+ ![Safari logo](assets/img/browsers/safari.svg){ align=right }
+
+ **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
+
+ [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation}
+
+#### Recommended Configuration
+
+These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.
+
+##### Cross-Site Tracking Prevention
+
+- [x] Enable **Prevent Cross-Site Tracking**
+
+This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
+
+##### Privacy Report
+
+Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
+
+Privacy Report is accessible via the Page Settings menu.
+
+##### Privacy Preserving Ad Measurement
+
+- [ ] Disable **Privacy Preserving Ad Measurement**
+
+Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
+
+The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
+
+##### Always-on Private Browsing
+
+Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
+
+- [x] Select **Private**
+
+Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
+
+Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
+
+##### iCloud Sync
+
+Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303).
Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
+
+You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**.
+
+- [x] Turn On **Advanced Data Protection**
+
+If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
+
+### AdGuard
+
+!!! recommendation
+
+ ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right }
+
+ **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
+
+ AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge.
+
+ [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations.
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must support automatic updates.
+- Must receive engine updates in 0-1 days from upstream release.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Android browsers must use the Chromium engine.
+ - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android.
+ - iOS browsers are limited to WebKit.
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/multi-factor-authentication.md b/i18n/el/multi-factor-authentication.md
new file mode 100644
index 00000000..045a019b
--- /dev/null
+++ b/i18n/el/multi-factor-authentication.md
@@ -0,0 +1,144 @@
+---
+title: "Multi-Factor Authenticators"
+icon: 'material/two-factor-authentication'
+---
+
+## Hardware Security Keys
+
+### YubiKey
+
+!!! recommendation
+
+ ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
+
+ The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+ One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.
+
+ [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation}
+
+The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source.
+ +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey / Librem Key + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. 
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + + The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +!!! tip + + The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. 
+ +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? 
downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open-source software.
+- Must not require internet connectivity.
+- Must not sync to a third-party cloud sync/backup service.
+ - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/news-aggregators.md b/i18n/el/news-aggregators.md
new file mode 100644
index 00000000..e6ca3a16
--- /dev/null
+++ b/i18n/el/news-aggregators.md
@@ -0,0 +1,173 @@ +--- +title: "News Aggregators" +icon: material/rss +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favourite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! 
recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. 
+
+ ```text
+ https://www.reddit.com/r/{{ subreddit_name }}/new/.rss
+ ```
+
+### Twitter
+
+Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS.
+
+!!! example
+ 1. Pick an instance and set `nitter_instance`.
+ 2. Replace `twitter_account` with the account name.
+
+ ```text
+ https://{{ nitter_instance }}/{{ twitter_account }}/rss
+ ```
+
+### YouTube
+
+You can subscribe YouTube channels without logging in and associating usage information with your Google Account.
+
+!!! example
+
+ To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below:
+ ```text
+ https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID]
+ ```
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/notebooks.md b/i18n/el/notebooks.md
new file mode 100644
index 00000000..3e9f8fbe
--- /dev/null
+++ b/i18n/el/notebooks.md
@@ -0,0 +1,115 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. 
+
+ [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute }
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Clients must be open-source.
+- Any cloud sync functionality must be E2EE.
+- Must support exporting documents into a standard format.
+
+### Best Case
+
+- Local backup/sync functionality should support encryption.
+- Cloud-based platforms should support document sharing.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/os/android-overview.md b/i18n/el/os/android-overview.md
new file mode 100644
index 00000000..30ae41da
--- /dev/null
+++ b/i18n/el/os/android-overview.md
@@ -0,0 +1,135 @@ +--- +title: Android Overview +icon: simple/android +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. 
At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. 
+ +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. 
+ +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. 
+ +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. 
It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Should you want to run an app that you're unsure about, consider using a user or work profile. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. 
+ +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. 
that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). 
This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. 
Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. + +--8<-- "includes/abbreviations.el.txt" diff --git a/i18n/el/os/linux-overview.md b/i18n/el/os/linux-overview.md new file mode 100644 index 00000000..1c2376e6 --- /dev/null +++ b/i18n/el/os/linux-overview.md 
@@ -0,0 +1,143 @@ +--- +title: Linux Overview +icon: simple/linux +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). 
These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. 
This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). 
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. 
+ +## General Recommendations + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. 
+ +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. 
+ +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). 
+
+There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware.
+
+### Other Identifiers
+
+There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md):
+
+- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings.
+- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
+- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id).
+
+### System Counting
+
+The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary.
+
+This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer.
+
+openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/os/qubes-overview.md b/i18n/el/os/qubes-overview.md
new file mode 100644
index 00000000..590c2639
--- /dev/null
+++ b/i18n/el/os/qubes-overview.md
@@ -0,0 +1,56 @@
+---
+title: "Qubes Overview"
+icon: simple/qubesos
+---
+
+[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/).
+
+## How does Qubes OS work?
+
+Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines.
+
+![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png)
+
Qubes Architecture, Credit: What is Qubes OS Intro
+
+Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser.
+
+![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png)
+
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. 
+
+### Inter-VM Interactions
+
+The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/).
+
+## Additional Resources
+
+For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc).
+
+- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/)
+- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf)
+- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html)
+- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles)
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/passwords.md b/i18n/el/passwords.md
new file mode 100644
index 00000000..ee998008
--- /dev/null
+++ b/i18n/el/passwords.md
@@ -0,0 +1,230 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. 
If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. 
+ + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! 
recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). 
+ + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. + +--8<-- "includes/abbreviations.el.txt" diff --git a/i18n/el/productivity.md b/i18n/el/productivity.md new file mode 100644 index 00000000..c53e341c --- /dev/null +++ b/i18n/el/productivity.md 
@@ -0,0 +1,156 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! 
recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. 
+- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! 
recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. 
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } + +--8<-- "includes/abbreviations.el.txt" diff --git a/i18n/el/real-time-communication.md b/i18n/el/real-time-communication.md new file mode 100644 index 00000000..424b6c62 --- /dev/null +++ b/i18n/el/real-time-communication.md 
@@ -0,0 +1,195 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. 
Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. 
+ + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. 
The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. 
+ +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should have Perfect Forward Secrecy.
+- Should have open-source servers.
+- Should be decentralized, i.e. federated or P2P.
+- Should use E2EE for all messages by default.
+- Should support Linux, macOS, Windows, Android, and iOS.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/router.md b/i18n/el/router.md
new file mode 100644
index 00000000..19734e7b
--- /dev/null
+++ b/i18n/el/router.md
@@ -0,0 +1,51 @@ +--- +title: "Υλικολογισμικό Δρομολογητή" +icon: material/router-wireless +--- + +Παρακάτω είναι μερικά εναλλακτικά λειτουργικά συστήματα τα οποία μπορούν να χρησιμοποιηθούν σε δρομολογητές, σημεία πρόσβασης Wi-Fi, κλπ. + +## OpenWrt + +!!! recommendation + + ![Λογότυπο OpenWrt](assets/img/router/openwrt.svg#only-light){ align=right } + ![Λογότυπο OpenWrt](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + Το **OpenWrt** είναι ένα λειτουργικό σύστημα βασισμένο στο Linux, χρησιμοποιείται κυρίως σε ενσωματωμένες συσκευές για τη δρομολόγηση της δικτυακής κίνησης. Περιλαμβάνει το util-linux, το uClibc και το BusyBox. Όλα τα εξαρτήματα έχουν βελτιστοποιηθεί για οικιακούς δρομολογητές. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. 
+ + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute } + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. + +--8<-- "includes/abbreviations.el.txt" 
diff --git a/i18n/el/search-engines.md b/i18n/el/search-engines.md
new file mode 100644
index 00000000..5f03536a
--- /dev/null
+++ b/i18n/el/search-engines.md
@@ -0,0 +1,109 @@ +--- +title: "Search Engines" +icon: material/search-web +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! 
recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! 
recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. 
The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. 
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must not collect personally identifiable information per their privacy policy.
+- Must not allow users to create an account with them.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be based on open-source software.
+- Should not block Tor exit node IP addresses.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/tools.md b/i18n/el/tools.md
new file mode 100644
index 00000000..3816fef5
--- /dev/null
+++ b/i18n/el/tools.md
@@ -0,0 +1,443 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Υλικολογισμικό Δρομολογητή + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? κίνδυνος "Τα VPN δεν παρέχουν ανωνυμία" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) + +--8<-- "includes/abbreviations.el.txt" diff --git a/i18n/el/tor.md b/i18n/el/tor.md new file mode 100644 index 00000000..8129b319 --- /dev/null +++ b/i18n/el/tor.md @@ -0,0 +1,124 @@ +--- +title: "Tor Network" +icon: simple/torproject +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+ +- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md) + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! 
danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to. + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. 
It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +--8<-- "includes/abbreviations.el.txt" diff --git a/i18n/el/video-streaming.md b/i18n/el/video-streaming.md new file mode 100644 index 00000000..3d579fc2 --- /dev/null +++ b/i18n/el/video-streaming.md 
@@ -0,0 +1,52 @@
+---
+title: "Video Streaming"
+icon: material/video-wireless
+---
+
+The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage.
+
+## LBRY
+
+!!! recommendation
+
+ ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right }
+
+ **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance.
+
+ **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet.
+
+ [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://lbry.com/windows)
+ - [:simple-apple: macOS](https://lbry.com/osx)
+ - [:simple-linux: Linux](https://lbry.com/linux)
+
+!!! note
+
+ Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry.
+
+!!! warning
+
+ While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel.
+
+You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must not require a centralized account to view videos.
+ - Decentralized authentication, such as via a mobile wallet's private key is acceptable.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/el/vpn.md b/i18n/el/vpn.md
new file mode 100644
index 00000000..625d3623
--- /dev/null
+++ b/i18n/el/vpn.md
@@ -0,0 +1,323 @@
+---
+title: "Υπηρεσίες VPN"
+icon: material/vpn
+---
+
+Βρείτε έναν πάροχο VPN χωρίς καταγραφή που δεν έχει σκοπό να πουλήσει ή να διαβάσει την κυκλοφορία σας στο διαδίκτυο.
+
+??? κίνδυνος "Τα VPN δεν παρέχουν ανωνυμία"
+
+ Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.
+
+ If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
+
+ If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
+
+ [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button }
+
+??? question "When are VPNs useful?"
+
+ If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved.
+
+ [More Info](basics/vpn-overview.md){ .md-button }
+
+## Recommended Providers
+
+!!! abstract "Criteria"
+
+ Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#our-criteria) for more information.
+
+### Proton VPN
+
+!!! recommendation annotate
+
+ ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right }
+
+ **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option.
+
+ [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085)
+ - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases)
+ - [:simple-windows11: Windows](https://protonvpn.com/download-windows)
+ - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/)
+
+??? success annotate "67 Countries"
+
+ Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
+
+ We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Last checked: 2022-09-16
+
+??? success "Independently Audited"
+
+ As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/).
In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
+
+??? success "Open-Source Clients"
+
+ Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN).
+
+??? success "Accepts Cash"
+
+ Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment.
+
+??? success "WireGuard Support"
+
+ Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+ Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app.
+
+??? warning "Remote Port Forwarding"
+
+ Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients.
+
+???
success "Mobile Clients"
+
+ In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers.
+
+??? info "Additional Functionality"
+
+ Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose.
+
+!!! danger "Killswitch feature is broken on Intel-based Macs"
+
+ System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service.
+
+### IVPN
+
+!!! recommendation
+
+ ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right }
+
+ **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar.
+
+ [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-android: Android](https://www.ivpn.net/apps-android/)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683)
+ - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/)
+ - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/)
+ - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/)
+
+??? success annotate "35 Countries"
+
+ IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
+
+ We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Last checked: 2022-09-16
+
+??? success "Independently Audited"
+
+ IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf).
+
+??? success "Open-Source Clients"
+
+ As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn).
+
+???
success "Accepts Cash and Monero"
+
+ In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment.
+
+??? success "WireGuard Support"
+
+ IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+ IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
+
+??? success "Remote Port Forwarding"
+
+ Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html).
+
+??? success "Mobile Clients"
+
+ In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers.
+
+??? info "Additional Functionality"
+
+ IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level.
+
+### Mullvad
+
+!!!
recommendation
+
+ ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right }
+
+ **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial.
+
+ [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513)
+ - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases)
+ - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/)
+ - [:simple-apple: macOS](https://mullvad.net/en/download/macos/)
+ - [:simple-linux: Linux](https://mullvad.net/en/download/linux/)
+
+??? success annotate "41 Countries"
+
+ Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
+
+ We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Last checked: 2023-01-19
+
+???
success "Independently Audited"
+
+ Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded:
+
+ > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint.
+
+ In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website:
+
+ > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks.
+
+ In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf).
+
+???
success "Open-Source Clients"
+
+ Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app).
+
+??? success "Accepts Cash and Monero"
+
+ Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers.
+
+??? success "WireGuard Support"
+
+ Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+ Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
+
+??? success "IPv6 Support"
+
+ Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections.
+
+??? success "Remote Port Forwarding"
+
+ Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information.
+
+???
success "Mobile Clients" + + Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +??? info "Additional Functionality" + + Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. 
+
+### Technology
+
+We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected.
+
+**Minimum to Qualify:**
+
+- Support for strong protocols such as WireGuard & OpenVPN.
+- Killswitch built in to clients.
+- Multihop support. Multihopping is important to keep data private in case of a single node compromise.
+- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing.
+
+**Best Case:**
+
+- WireGuard and OpenVPN support.
+- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.)
+- Easy-to-use VPN clients
+- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses.
+- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble).
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required.
+
+**Minimum to Qualify:**
+
+- Monero or cash payment option.
+- No personal information required to register: Only username, password, and email at most.
+
+**Best Case:**
+
+- Accepts Monero, cash, and other forms of anonymous payment options (gift cards, etc.)
+- No personal information accepted (autogenerated username, no email required, etc.)
+
+### Security
+
+A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis.
+
+**Minimum to Qualify:**
+
+- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
+- Perfect Forward Secrecy (PFS).
+- Published security audits from a reputable third-party firm.
+
+**Best Case:**
+
+- Strongest Encryption: RSA-4096.
+- Perfect Forward Secrecy (PFS).
+- Comprehensive published security audits from a reputable third-party firm.
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the VPN providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure.
We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+ - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.)
+ - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes.
+- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor.
+
+**Best Case:**
+
+Responsible marketing that is both educational and useful to the consumer could include:
+
+- An accurate comparison to when [Tor](tor.md) should be used instead.
+- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion)
+
+### Additional Functionality
+
+While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc.
+
+--8<-- "includes/abbreviations.el.txt"
diff --git a/i18n/eo/404.md b/i18n/eo/404.md
new file mode 100644
index 00000000..846e41b2
--- /dev/null
+++ b/i18n/eo/404.md
@@ -0,0 +1,17 @@
+---
+hide:
+ - feedback
+---
+
+# 404 - Not Found
+
+We couldn't find the page you were looking for! Maybe you were looking for one of these?
+
+- [Introduction to Threat Modeling](basics/threat-modeling.md)
+- [Recommended DNS Providers](dns.md)
+- [Best Desktop Web Browsers](desktop-browsers.md)
+- [Best VPN Providers](vpn.md)
+- [Privacy Guides Forum](https://discuss.privacyguides.net)
+- [Our Blog](https://blog.privacyguides.org)
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/CODE_OF_CONDUCT.md b/i18n/eo/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..88a0e910
--- /dev/null
+++ b/i18n/eo/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@
+# Community Code of Conduct
+
+**We pledge** to make our community a harassment-free experience for everyone.
+
+**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others.
+
+**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment.
+
+## Community Standards
+
+What we expect from members of our communities:
+
+1. **Don't spread misinformation**
+
+ We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence.
+
+1. **Don't abuse our willingness to help**
+
+ Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/).
+
+1.
**Behave in a positive and constructive manner**
+
+ Examples of behavior that contributes to a positive environment for our community include:
+
+ - Demonstrating empathy and kindness toward other people
+ - Being respectful of differing opinions, viewpoints, and experiences
+ - Giving and gracefully accepting constructive feedback
+ - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+ - Focusing on what is best not just for us as individuals, but for the overall community
+
+### Unacceptable Behavior
+
+The following behaviors are considered harassment and are unacceptable within our community:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Scope
+
+Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities.
+
+We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion.
+
+### Contact
+
+If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system.
+
+If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
diff --git a/i18n/eo/about/criteria.md b/i18n/eo/about/criteria.md
new file mode 100644
index 00000000..edd3f3d9
--- /dev/null
+++ b/i18n/eo/about/criteria.md
@@ -0,0 +1,42 @@
+---
+title: General Criteria
+---
+
+!!! example "Work in Progress"
+
+ The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24)
+
+Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion.
+
+## Financial Disclosure
+
+We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors.
+
+## General Guidelines
+
+We apply these priorities when considering new recommendations:
+
+- **Secure**: Tools should follow security best-practices wherever applicable.
+- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives.
+- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in.
+- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases.
+- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required.
+- **Documented**: Tools should have clear and extensive documentation for use.
+
+## Developer Self-Submissions
+
+We have these requirements in regard to developers which wish to submit their project or software for consideration.
+
+- Must disclose affiliation, i.e. your position within the project being submitted.
+
+- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc.
+ - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit.
+
+- Must explain what the project brings to the table in regard to privacy.
+ - Does it solve any new problem?
+ - Why should anyone use it over the alternatives?
+
+- Must state what the exact threat model is with their project.
+ - It should be clear to potential users what the project can provide, and what it cannot.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/about/donate.md b/i18n/eo/about/donate.md
new file mode 100644
index 00000000..2f51128c
--- /dev/null
+++ b/i18n/eo/about/donate.md
@@ -0,0 +1,52 @@ +--- +title: Supporting Us +--- + + +It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers. + +[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +A special thanks to all those who support our mission! :heart: + +*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Privacy Guides is a **non-profit** organization. 
We use donations for a variety of purposes, including:
+
+**Domain Registrations**
+:
+
+We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration.
+
+**Web Hosting**
+:
+
+Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic.
+
+**Online Services**
+:
+
+We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.).
+
+**Product Purchases**
+:
+
+We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md).
+
+We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org).
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/about/index.md b/i18n/eo/about/index.md
new file mode 100644
index 00000000..f8c7ce84
--- /dev/null
+++ b/i18n/eo/about/index.md
@@ -0,0 +1,63 @@ +--- +title: "About Privacy Guides" +--- + +**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. + +[:material-hand-coin-outline: Support the project](donate.md ""){.md-button.md-button--primary} + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? 
person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub! + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax deductible in the United States. + +## Site License + +*The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):* + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. 
You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material.
+
+This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space!
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/about/notices.md b/i18n/eo/about/notices.md
new file mode 100644
index 00000000..7f22b4b2
--- /dev/null
+++ b/i18n/eo/about/notices.md
@@ -0,0 +1,45 @@ +--- +title: "Notices and Disclaimers" +hide: + - toc +--- + +## Legal Disclaimer + +Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship. + +Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licenses + +Unless otherwise noted, all content on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). 
+
+This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive:
+
+* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt).
+
+Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE).
+
+This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo.
+
+We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use.
*When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.*
+
+When you contribute to this repository you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project.
+
+## Acceptable Use
+
+You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity.
+
+You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including:
+
+* Excessive Automated Scans
+* Denial of Service Attacks
+* Scraping
+* Data Mining
+* 'Framing' (IFrames)
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/about/privacy-policy.md b/i18n/eo/about/privacy-policy.md
new file mode 100644
index 00000000..8c2e3dc7
--- /dev/null
+++ b/i18n/eo/about/privacy-policy.md
@@ -0,0 +1,63 @@
+---
+title: "Privacy Policy"
+---
+
+Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people).
+
+## Data We Collect From Visitors
+
+The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website:
+
+- No personal information is collected
+- No information such as cookies are stored in the browser
+- No information is shared with, sent to or sold to third-parties
+- No information is shared with advertising companies
+- No information is mined and harvested for personal and behavioral trends
+- No information is monetized
+
+You can view the data we collect on our [statistics](statistics.md) page.
+
+We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected.
+
+Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy).
+
+## Data We Collect From Account Holders
+
+On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform.
+
+To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site.
+
+We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services.
+
+We use your email to:
+
+- Notify you about posts and other activity on the websites or services.
+- Reset your password and help keep your account secure.
+- Contact you in special circumstances related to your account.
+- Contact you about legal requests, such as DMCA takedown requests.
+
+On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time.
+
+We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days.
+
+## Contacting Us
+
+The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to:
+
+```text
+Jonah Aragon
+Services Administrator
+jonah@privacyguides.org
+```
+
+For all other inquiries, you can contact any member of our team.
+
+For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use.
+
+## About This Policy
+
+We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document.
In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time.
+
+A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/about/privacytools.md b/i18n/eo/about/privacytools.md
new file mode 100644
index 00000000..7f1de598
--- /dev/null
+++ b/i18n/eo/about/privacytools.md
@@ -0,0 +1,120 @@
+---
+title: "PrivacyTools FAQ"
+---
+
+# Why we moved on from PrivacyTools
+
+In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted.
+
+Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition.
+
+After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions.
+
+## What is PrivacyTools?
+
+PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations.
The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc.
+
+Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested.
+
+## Why We Moved On
+
+In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again.
+
+In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.==
+
+## Domain Name Reliance
+
+At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment.
+
+The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place.
+
+Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service.
This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome.
+
+In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition.
+
+## Community Call to Action
+
+At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped.
+
+## Control of r/privacytoolsIO
+
+Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit.
+
+Reddit requires that subreddits have active moderators.
If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms.
+
+> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer.
+>
+> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct).
+
+## Beginning the Transition
+
+On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain:
+
+> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc.
+
+This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/)
+
+- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org).
+- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site.
+- Posting announcements to our subreddit and various other communities informing people of the official change.
+- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible.
+
+Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped.
+
+## Following Events
+
+Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project.
+
+At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible).
+
+Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services.
+
+Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration.
BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so.
+
+BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim.
+
+## PrivacyTools.io Now
+
+As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs.
+
+==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder.
+
+## r/privacytoolsIO Now
+
+After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021:
+
+> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you.
+>
+> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...]
+
+Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides.
+
+In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules:
+
+> Retaliation from any moderator with regards to removal requests is disallowed.
+
+For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is.
+
+## OpenCollective Now
+
+Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community.
+
+Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer:
+
+> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net.
+
+## Further Reading
+
+This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion.
+
+- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/)
+- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/)
+- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/)
+- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides)
+- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280)
+- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/)
+- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/)
+- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496)
+- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20)
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/about/services.md b/i18n/eo/about/services.md
new file mode 100644
index 00000000..aa4c6f2e
--- /dev/null
+++ b/i18n/eo/about/services.md
@@ -0,0 +1,40 @@
+# Privacy Guides Services
+
+We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below.
+
+[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary}
+
+## Discourse
+
+- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net)
+- Availability: Public
+- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse)
+
+## Gitea
+
+- Domain: [code.privacyguides.dev](https://code.privacyguides.dev)
+- Availability: Invite-Only
+ Access may be granted upon request to any team working on *Privacy Guides*-related development or content.
+- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea)
+
+## Matrix
+
+- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org)
+- Availability: Invite-Only
+ Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence.
+- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy)
+
+## SearXNG
+
+- Domain: [search.privacyguides.net](https://search.privacyguides.net)
+- Availability: Public
+- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker)
+
+## Invidious
+
+- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net)
+- Availability: Semi-Public
+ We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time.
+- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious)
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/about/statistics.md b/i18n/eo/about/statistics.md
new file mode 100644
index 00000000..2636d7b9
--- /dev/null
+++ b/i18n/eo/about/statistics.md
@@ -0,0 +1,63 @@
+---
+title: Traffic Statistics
+---
+
+## Website Statistics
+
+
+
Stats powered by Plausible Analytics
+
+
+
+
+## Blog Statistics
+
+
+
Stats powered by Plausible Analytics
+
+
+
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/advanced/communication-network-types.md b/i18n/eo/advanced/communication-network-types.md
new file mode 100644
index 00000000..f46da32d
--- /dev/null
+++ b/i18n/eo/advanced/communication-network-types.md
@@ -0,0 +1,104 @@
+---
+title: "Types of Communication Networks"
+icon: 'material/transit-connection-variant'
+---
+
+There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use.
+
+[Recommended Instant Messengers](../real-time-communication.md ""){.md-button}
+
+## Centralized Networks
+
+![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left }
+
+Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization.
+
+Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate.
+
+**Advantages:**
+
+- New features and changes can be implemented more quickly.
+- Easier to get started with and to find contacts.
+- Most mature and stable features ecosystems, as they are easier to program in a centralized software.
+- Privacy issues may be reduced when you trust a server that you're self-hosting.
+
+**Disadvantages:**
+
+- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like:
+- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage.
+- Poor or no documentation for third-party developers.
+- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on.
+- Self-hosting requires effort and knowledge of how to set up a service.
+
+## Federated Networks
+
+![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left }
+
+Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network.
+
+When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server).
+
+**Advantages:**
+
+- Allows for greater control over your own data when running your own server.
+- Allows you to choose whom to trust your data with by choosing between multiple "public" servers.
+- Often allows for third-party clients which can provide a more native, customized, or accessible experience.
+- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member).
+
+**Disadvantages:**
+
+- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network.
+- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion.
+- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used).
+- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used.
+- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers.
+
+## Peer-to-Peer Networks
+
+![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left }
+
+P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server.
+
+Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol).
+
+Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient.
+
+P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting.
+
+**Advantages:**
+
+- Minimal information is exposed to third-parties.
+- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models.
+
+**Disadvantages:**
+
+- Reduced feature set:
+- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online.
+- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online.
+- Some common messenger features may not be implemented or incompletely, such as message deletion.
+- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention.
+
+## Anonymous Routing
+
+![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left }
+
+A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three.
+
+There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers."
+
+Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit.
+
+**Advantages:**
+
+- Minimal to no information is exposed to other parties.
+- Messages can be relayed in a decentralized manner even if one of the parties is offline.
+
+**Disadvantages:**
+
+- Slow message propagation.
+- Often limited to fewer media types, mostly text, since the network is slow.
+- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline.
+- More complex to get started, as the creation and secured backup of a cryptographic private key is required.
+- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/advanced/dns-overview.md b/i18n/eo/advanced/dns-overview.md
new file mode 100644
index 00000000..ab70aabd
--- /dev/null
+++ b/i18n/eo/advanced/dns-overview.md
@@ -0,0 +1,307 @@
+---
+title: "DNS Overview"
+icon: material/dns
+---
+
+The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers.
+
+## What is DNS?
+
+When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned.
+
+DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol).
+
+Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP.
+
+Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns).
+
+### Unencrypted DNS
+
+1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified:
+
+ ```bash
+ tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8
+ ```
+
+2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS.
+
+ === "Linux, macOS"
+
+ ```
+ dig +noall +answer privacyguides.org @1.1.1.1
+ dig +noall +answer privacyguides.org @8.8.8.8
+ ```
+ === "Windows"
+
+ ```
+ nslookup privacyguides.org 1.1.1.1
+ nslookup privacyguides.org 8.8.8.8
+ ```
+
+3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results:
+
+ === "Wireshark"
+
+ ```
+ wireshark -r /tmp/dns.pcap
+ ```
+
+ === "tshark"
+
+ ```
+ tshark -r /tmp/dns.pcap
+ ```
+
+If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer.
+
+| No. | Time | Source | Destination | Protocol | Length | Info |
+| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- |
+| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT |
+| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT |
+| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT |
+| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT |
+
+An observer could modify any of these packets.
+
+## What is "encrypted DNS"?
+
+Encrypted DNS can refer to one of a number of protocols, the most common ones being:
+
+### DNSCrypt
+
+[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh).
+
+### DNS over TLS (DoT)
+
+[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls.
+
+### DNS over HTTPS (DoH)
+
+[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83.
+
+Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies).
+
+## What can an outside party see?
+
+In this example we will record what happens when we make a DoH request:
+
+1. First, start `tshark`:
+
+ ```bash
+ tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1"
+ ```
+
+2. Second, make a request with `curl`:
+
+ ```bash
+ curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org
+ ```
+
+3. After making the request, we can stop the packet capture with CTRL + C.
+
+4. Analyse the results in Wireshark:
+
+ ```bash
+ wireshark -r /tmp/dns_doh.pcap
+ ```
+
+We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned.
+
+## Why **shouldn't** I use encrypted DNS?
+
+In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity.
+
+When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS:
+
+### IP Address
+
+The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides.
+
+This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet.
+
+### Server Name Indication (SNI)
+
+Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection.
+
+1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets:
+
+ ```bash
+ tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105
+ ```
+
+2. Then we visit [https://privacyguides.org](https://privacyguides.org).
+
+3. After visiting the website, we want to stop the packet capture with CTRL + C.
+
+4. Next we want to analyze the results:
+
+ ```bash
+ wireshark -r /tmp/pg.pcap
+ ```
+
+ We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello".
+
+5. Expand the triangle ▸ next to each field:
+
+ ```text
+ ▸ Transport Layer Security
+ ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello
+ ▸ Handshake Protocol: Client Hello
+ ▸ Extension: server_name (len=22)
+ ▸ Server Name Indication extension
+ ```
+
+6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value:
+
+ ```bash
+ tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name
+ ```
+
+This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak.
+
+Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted.
+
+### Online Certificate Status Protocol (OCSP)
+
+Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted.
+
+The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status.
+
+We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command.
+
+1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file:
+
+ ```bash
+ openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 |
+ sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert
+ ```
+
+2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate.
+
+ ```bash
+ openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 |
+ sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert
+ ```
+
+3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END:
+
+ ```bash
+ sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \
+ /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert
+ ```
+
+4. Get the OCSP responder for the server certificate:
+
+ ```bash
+ openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert
+ ```
+
+ Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use:
+
+ ```bash
+ openssl x509 -text -noout -in /tmp/pg_server.cert
+ ```
+
+5. Start the packet capture:
+
+ ```bash
+ tshark -w /tmp/pg_ocsp.pcap -f "tcp port http"
+ ```
+
+6. Make the OCSP request:
+
+ ```bash
+ openssl ocsp -issuer /tmp/intermediate_chain.cert \
+ -cert /tmp/pg_server.cert \
+ -text \
+ -url http://r3.o.lencr.org
+ ```
+
+7. Open the capture:
+
+ ```bash
+ wireshark -r /tmp/pg_ocsp.pcap
+ ```
+
+ There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field:
+
+ ```bash
+ ▸ Online Certificate Status Protocol
+ ▸ tbsRequest
+ ▸ requestList: 1 item
+ ▸ Request
+ ▸ reqCert
+ serialNumber
+ ```
+
+ For the "Response" we can also see the "serial number":
+
+ ```bash
+ ▸ Online Certificate Status Protocol
+ ▸ responseBytes
+ ▸ BasicOCSPResponse
+ ▸ tbsResponseData
+ ▸ responses: 1 item
+ ▸ SingleResponse
+ ▸ certID
+ serialNumber
+ ```
+
+8. Or use `tshark` to filter the packets for the Serial Number:
+
+ ```bash
+ tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber
+ ```
+
+If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number.
+
+## Should I use encrypted DNS?
+
+We made this flow chart to describe when you *should* use encrypted DNS:
+
+``` mermaid
+graph TB
+ Start[Start] --> anonymous{Trying to be
anonymous?}
+ anonymous--> | Yes | tor(Use Tor)
+ anonymous --> | No | censorship{Avoiding
censorship?}
+ censorship --> | Yes | vpnOrTor(Use
VPN or Tor)
+ censorship --> | No | privacy{Want privacy
from ISP?}
+ privacy --> | Yes | vpnOrTor
+ privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?}
+ obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party)
+ obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?}
+ ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP)
+ ispDNS --> | No | nothing(Do nothing)
+```
+
+Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering.
+
+[List of recommended DNS servers](../dns.md ""){.md-button}
+
+## What is DNSSEC?
+
+[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests.
+
+In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted.
+
+The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with.
+
+DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver.
+
+Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/).
+
+## What is QNAME minimization?
+
+A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server).
+
+Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
+
+## What is EDNS Client Subnet (ECS)?
+
+The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query.
+
+It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps.
+
+This feature does come at a privacy cost, as it tells the DNS server some information about the client's location.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/advanced/tor-overview.md b/i18n/eo/advanced/tor-overview.md
new file mode 100644
index 00000000..c78d220b
--- /dev/null
+++ b/i18n/eo/advanced/tor-overview.md
@@ -0,0 +1,81 @@
+---
+title: "Tor Overview"
+icon: 'simple/torproject'
+---
+
+Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications.
+
+## Path Building
+
+Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays).
+
+Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function:
+
+### The Entry Node
+
+The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to.
+
+Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1]
+
+### The Middle Node
+
+The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to.
+
+For each new circuit, the middle node is randomly selected out of all available Tor nodes.
+
+### The Exit Node
+
+The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to.
+
+The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2]
+
+
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+
Tor circuit pathway
+
+
+## Encryption
+
+Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order.
+
+Once Tor has built a circuit, data transmission is done as follows:
+
+1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node.
+
+2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node.
+
+3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address.
+
+Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back.
+
+
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light)
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark)
+
Sending and receiving data through the Tor Network
+
+
+Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address.
+
+## Caveats
+
+Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect:
+
+- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity.
+- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible.
+
+If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting.
+
+- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser)
+
+## Additional Resources
+
+- [Tor Browser User Manual](https://tb-manual.torproject.org)
+- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube)
+- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube)
+
+--8<-- "includes/abbreviations.eo.txt"
+
+[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/eo/android.md b/i18n/eo/android.md
new file mode 100644
index 00000000..11fc0ea1
--- /dev/null
+++ b/i18n/eo/android.md
@@ -0,0 +1,353 @@
+---
+title: "Android"
+icon: 'simple/android'
+---
+
+![Android logo](assets/img/android/android.svg){ align=right }
+
+The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features.
+
+[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage }
+[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation}
+[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" }
+
+These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android:
+
+- [General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md)
+- [Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+
+## AOSP Derivatives
+
+We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems.
+
+!!! note
+
+ End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software.
+
+### GrapheneOS
+
+!!! recommendation
+
+ ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right }
+ ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right }
+
+ **GrapheneOS** is the best choice when it comes to privacy and security.
+
+ GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported.
+
+ [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice.
+
+Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support).
+
+### DivestOS
+
+!!! recommendation
+
+ ![DivestOS logo](assets/img/android/divestos.svg){ align=right }
+
+ **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/).
+ DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices.
+
+ [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute }
+
+DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled.
+
+DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features).
+
+DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply.
+
+!!! warning
+
+ DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative.
+
+ Not all of the supported devices have verified boot, and some perform it better than others.
+
+## Android Devices
+
+When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible.
+
+Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution.
+
+Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner.
+
+A few more tips regarding Android devices and operating system compatibility:
+
+- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer.
+- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with.
+- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details!
+
+### Google Pixel
+
+Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element.
+
+!!! recommendation
+
+ ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right }
+
+ **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems.
+
+ Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer.
+
+ [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary }
+
+Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface.
+
+Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones.
+
+The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company.
+
+A few more tips for purchasing a Google Pixel:
+
+- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock.
+- Consider price beating options and specials offered at physical stores.
+- Look at online community bargain sites in your country. These can alert you to good sales.
+- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day.
+
+## General Apps
+
+We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality.
+
+### Shelter
+
+!!! recommendation
+
+ ![Shelter logo](assets/img/android/shelter.svg){ align=right }
+
+ **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device.
+
+ Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)).
+
+ [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter)
+
+!!! warning
+
+ Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html).
+
+ When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile.
+
+### Auditor
+
+!!! recommendation
+
+ ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right }
+ ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right }
+
+ **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system.
+
+ [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation}
+ [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+Auditor performs attestation and intrusion detection by:
+
+- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*.
+- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app).
+- The *auditor* records the current state and configuration of the *auditee*.
+- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations.
+- You will be alerted to the change.
+
+No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring.
+
+If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection.
+
+### Secure Camera
+
+!!! recommendation
+
+ ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right }
+ ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right }
+
+ **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices.
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+Main privacy features include:
+
+- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default)
+- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required
+- Microphone permission not required unless you want to record sound
+
+!!! note
+
+ Metadata is not currently deleted from video files but that is planned.
+
+ The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser).
+
+### Secure PDF Viewer
+
+!!! recommendation
+
+ ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right }
+ ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right }
+
+ **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files.
+
+ [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content.
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+## Obtaining Applications
+
+### GrapheneOS App Store
+
+GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to.
+
+### Aurora Store
+
+The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store.
+
+!!! recommendation
+
+ ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right }
+
+ **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps.
+
+ [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases)
+
+Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device.
+
+### Manually with RSS Notifications
+
+For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases.
+
+![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark)
+
+#### GitHub
+
+On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL:
+
+`https://github.com/GrapheneOS/Camera/releases.atom`
+
+#### GitLab
+
+On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL:
+
+`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom`
+
+#### Verifying APK Fingerprints
+
+If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools).
+
+1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/).
+
+2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools).
+
+3. Extract the downloaded archive:
+
+ ```bash
+ unzip commandlinetools-*.zip
+ cd cmdline-tools
+ ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3"
+ ```
+
+4. Run the signature verification command:
+
+ ```bash
+ ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk
+ ```
+
+5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website.
+
+ ```bash
+ Signer #1 certificate DN: CN=GrapheneOS
+ Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59
+ Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c
+ Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3
+ ```
+
+### F-Droid
+
+![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px }
+
+==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages.
+
+Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust.
+
+Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.
+
+That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method.
+
+!!! note
+
+ In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Operating Systems
+
+- Must be open-source software.
+- Must support bootloader locking with custom AVB key support.
+- Must receive major Android updates within 0-1 months of release.
+- Must receive Android feature updates (minor version) within 0-14 days of release.
+- Must receive regular security patches within 0-5 days of release.
+- Must **not** be "rooted" out of the box.
+- Must **not** enable Google Play Services by default.
+- Must **not** require system modification to support Google Play Services.
+
+### Devices
+
+- Must support at least one of our recommended custom operating systems.
+- Must be currently sold new in stores.
+- Must receive a minimum of 5 years of security updates.
+- Must have dedicated secure element hardware.
+
+### Applications
+
+- Applications on this page must not be applicable to any other software category on the site.
+- General applications should extend or replace core system functionality.
+- Applications should receive regular updates and maintenance.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/assets/img/account-deletion/exposed_passwords.png b/i18n/eo/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/eo/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/eo/assets/img/android/rss-apk-dark.png b/i18n/eo/assets/img/android/rss-apk-dark.png
new file mode 100644
index 00000000..974869a4
Binary files /dev/null and b/i18n/eo/assets/img/android/rss-apk-dark.png differ
diff --git a/i18n/eo/assets/img/android/rss-apk-light.png b/i18n/eo/assets/img/android/rss-apk-light.png
new file mode 100644
index 00000000..21d6ef03
Binary files /dev/null and b/i18n/eo/assets/img/android/rss-apk-light.png differ
diff --git a/i18n/eo/assets/img/android/rss-changes-dark.png b/i18n/eo/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/eo/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/eo/assets/img/android/rss-changes-light.png b/i18n/eo/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/eo/assets/img/android/rss-changes-light.png differ diff --git a/i18n/eo/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/eo/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/eo/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/eo/assets/img/how-tor-works/tor-encryption.svg b/i18n/eo/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/eo/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/eo/assets/img/how-tor-works/tor-path-dark.svg b/i18n/eo/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/eo/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/eo/assets/img/how-tor-works/tor-path.svg b/i18n/eo/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/eo/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/eo/assets/img/multi-factor-authentication/fido.png b/i18n/eo/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/eo/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/eo/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/eo/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/eo/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/eo/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/eo/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/eo/assets/img/qubes/qubes-trust-level-architecture.png differ 
diff --git a/i18n/eo/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/eo/assets/img/qubes/r4.0-xfce-three-domains-at-work.png
new file mode 100644
index 00000000..d7138149
Binary files /dev/null and b/i18n/eo/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ
diff --git a/i18n/eo/basics/account-creation.md b/i18n/eo/basics/account-creation.md
new file mode 100644
index 00000000..3c8b01ee
--- /dev/null
+++ b/i18n/eo/basics/account-creation.md
@@ -0,0 +1,82 @@
+---
+title: "Account Creation"
+icon: 'material/account-plus'
+---
+
+Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line.
+
+There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer.
+
+It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.
+
+## Terms of Service & Privacy Policy
+
+The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for.
+
+The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect.
+
+We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start.
+
+Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy.
+
+## Authentication methods
+
+There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks.
+
+### Email and password
+
+The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords.
+
+!!! tip
+
+ You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key.
+
+You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts.
+
+[Recommended password managers](../passwords.md ""){.md-button}
+
+#### Email aliases
+
+If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to.
+
+Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked.
+
+[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button}
+
+### Single sign-on
+
+!!! note
+
+ We are discussing Single sign-on for personal use, not enterprise users.
+
+Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO.
+
+When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account.
+
+The main advantages are:
+
+- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials.
+- **Ease of use**: multiple accounts are managed by a single login.
+
+But there are disadvantages:
+
+- **Privacy**: a SSO provider will know the services you use.
+- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected.
+
+SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md).
+
+All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak.
+
+### Phone number
+
+We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted.
+
+You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts.
+
+In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number!
+
+### Username and password
+
+Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/basics/account-deletion.md b/i18n/eo/basics/account-deletion.md new file mode 100644 index 00000000..bd6c07fb --- /dev/null +++ b/i18n/eo/basics/account-deletion.md @@ -0,0 +1,63 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. 
It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts.
+
+When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account.
+
+### GDPR (EEA residents only)
+
+Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
+
+### Overwriting Account information
+
+In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information.
+
+For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.
+
+### Delete
+
+You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
+
+For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this).
+
+If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
+
+Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services.
+
+## Avoid New Accounts
+
+As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/basics/common-misconceptions.md b/i18n/eo/basics/common-misconceptions.md
new file mode 100644
index 00000000..db6ea35d
--- /dev/null
+++ b/i18n/eo/basics/common-misconceptions.md
@@ -0,0 +1,61 @@
+---
+title: "Common Misconceptions"
+icon: 'material/robot-confused'
+---
+
+## "Open-source software is always secure" or "Proprietary software is more secure"
+
+These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis.
+
+Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1]
+
+On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
+
+To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use.
+
+## "Shifting trust can increase privacy"
+
+We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that:
+
+1. You must exercise caution when choosing a provider to shift trust to.
+2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data.
+
+## "Privacy-focused solutions are inherently trustworthy"
+
+Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider.
+
+The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all.
+
+## "Complicated is better"
+
+We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?"
+
+Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips:
+
+1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions.
+2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember.
+3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight.
+
+So, how might this look?
+
+One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to.
+
+1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses.
+
+ We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means.
+
+ !!! tip
+
+ When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private.
+
+2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc.
+
+ You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.
+
+3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly.
+
+ Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.)
+
+--8<-- "includes/abbreviations.eo.txt"
+
+[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident).
diff --git a/i18n/eo/basics/common-threats.md b/i18n/eo/basics/common-threats.md
new file mode 100644
index 00000000..b325bdcb
--- /dev/null
+++ b/i18n/eo/basics/common-threats.md
@@ -0,0 +1,149 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. 
+ +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. 
The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). 
+ +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. 
Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. 
+ +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! 
quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. 
Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. 
This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. 
Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +--8<-- "includes/abbreviations.eo.txt" + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/eo/basics/email-security.md b/i18n/eo/basics/email-security.md new file mode 100644 index 00000000..c9391a1a --- /dev/null +++ b/i18n/eo/basics/email-security.md 
@@ -0,0 +1,42 @@ +--- +title: Email Security +icon: material/email +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? 
+ +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? 
+ +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. + +--8<-- "includes/abbreviations.eo.txt" diff --git a/i18n/eo/basics/multi-factor-authentication.md b/i18n/eo/basics/multi-factor-authentication.md new file mode 100644 index 00000000..11db5159 --- /dev/null +++ b/i18n/eo/basics/multi-factor-authentication.md 
@@ -0,0 +1,166 @@ +--- +title: "Multi-Factor Authentication" +icon: 'material/two-factor-authentication' +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. 
+ +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. 
If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. 
+ +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. 
+ +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. 
+ +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. + +--8<-- "includes/abbreviations.eo.txt" diff --git a/i18n/eo/basics/passwords-overview.md b/i18n/eo/basics/passwords-overview.md new file mode 100644 index 00000000..f464ddac --- /dev/null +++ b/i18n/eo/basics/passwords-overview.md 
@@ -0,0 +1,112 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. 
+ +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! 
note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. 
+ + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. 
+ +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. + +--8<-- "includes/abbreviations.eo.txt" diff --git a/i18n/eo/basics/threat-modeling.md b/i18n/eo/basics/threat-modeling.md new file mode 100644 index 00000000..4cee1776 --- /dev/null +++ b/i18n/eo/basics/threat-modeling.md 
@@ -0,0 +1,111 @@ +--- +title: "Threat Modeling" +icon: 'material/target-account' +--- + +Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. What do I want to protect? +2. Who do I want to protect it from? +3. How likely is it that I will need to protect it? +4. How bad are the consequences if I fail? +5. How much trouble am I willing to go through to try to prevent potential consequences? + +### What do I want to protect? + +An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. 
Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. 
+ +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. 
Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. 
+ +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Sources + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) + +--8<-- "includes/abbreviations.eo.txt" diff --git a/i18n/eo/basics/vpn-overview.md b/i18n/eo/basics/vpn-overview.md new file mode 100644 index 00000000..a0727def --- /dev/null +++ b/i18n/eo/basics/vpn-overview.md 
@@ -0,0 +1,78 @@ +--- +title: VPN Overview +icon: material/vpn +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. 
However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. 
If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. 
Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) + +--8<-- "includes/abbreviations.eo.txt" diff --git a/i18n/eo/calendar.md b/i18n/eo/calendar.md new file mode 100644 index 00000000..451b4ca5 --- /dev/null +++ b/i18n/eo/calendar.md 
@@ -0,0 +1,71 @@
+---
+title: "Calendar Sync"
+icon: material/calendar
+---
+
+Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them.
+
+## Tutanota
+
+!!! recommendation
+
+ ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right }
+ ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right }
+
+ **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/).
+
+ Multiple calendars and extended sharing functionality is limited to paid subscribers.
+
+ [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609)
+ - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota)
+ - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+
+## Proton Calendar
+
+!!!
recommendation
+
+ ![Proton](assets/img/calendar/proton-calendar.svg){ align=right }
+
+ **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers.
+
+ [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar)
+ - [:octicons-browser-16: Web](https://calendar.proton.me)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here.
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Must sync and store information with E2EE to ensure data is not visible to the service provider.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should integrate with native OS calendar and contact management apps if applicable.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/cloud.md b/i18n/eo/cloud.md
new file mode 100644
index 00000000..53133b8b
--- /dev/null
+++ b/i18n/eo/cloud.md
@@ -0,0 +1,62 @@
+---
+title: "Cloud Storage"
+icon: material/file-cloud
+---
+
+Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by either putting you in control of your data or by implementing E2EE.
+
+If these alternatives do not fit your needs, we suggest you look into [Encryption Software](encryption.md).
+
+??? question "Looking for Nextcloud?"
+
+ Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users.
+
+## Proton Drive
+
+!!! recommendation
+
+ ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right }
+
+ **Proton Drive** is an E2EE general file storage service by the popular encrypted email provider [Proton Mail](https://proton.me/mail).
+
+ [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851)
+
+Proton Drive's mobile clients were released in December 2022 and are not yet open-source. Proton has historically delayed their source code releases until after initial product releases, and [plans to](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) release the source code by the end of 2023. Proton Drive desktop clients are still in development.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must enforce end-to-end encryption.
+- Must offer a free plan or trial period for testing.
+- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins.
+- Must offer a web interface which supports basic file management functionality.
+- Must allow for easy exports of all files/documents.
+- Must use standard, audited encryption.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Clients should be open-source.
+- Clients should be audited in their entirety by an independent third-party.
+- Should offer native clients for Linux, Android, Windows, macOS, and iOS.
+ - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android.
+- Should support easy file-sharing with other users.
+- Should offer at least basic file preview and editing functionality on the web interface.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/data-redaction.md b/i18n/eo/data-redaction.md
new file mode 100644
index 00000000..16afe85d
--- /dev/null
+++ b/i18n/eo/data-redaction.md
@@ -0,0 +1,146 @@
+---
+title: "Data and Metadata Redaction"
+icon: material/tag-remove
+---
+
+When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata.
+
+## Desktop
+
+### MAT2
+
+!!! recommendation
+
+ ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right }
+
+ **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org).
+
+ On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner).
+
+ [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation}
+ [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://pypi.org/project/mat2)
+ - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew)
+ - [:simple-linux: Linux](https://pypi.org/project/mat2)
+ - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface)
+
+## Mobile
+
+### ExifEraser (Android)
+
+!!! recommendation
+
+ ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right }
+
+ **ExifEraser** is a modern, permissionless image metadata erasing application for Android.
+
+ It currently supports JPEG, PNG and WebP files.
+
+ [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser)
+ - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser)
+ - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases)
+
+The metadata that is erased depends on the image's file type:
+
+* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists.
+* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+
+After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image.
+
+The app offers multiple ways to erase metadata from images. Namely:
+
+* You can share an image from another application with ExifEraser.
+* Through the app itself, you can select a single image, multiple images at once, or even an entire directory.
+* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it.
+* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode.
+* Lastly, it allows you to paste an image from your clipboard.
+
+### Metapho (iOS)
+
+!!! recommendation
+
+ ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right }
+
+ **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location.
+
+ [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352)
+
+### PrivacyBlur
+
+!!! recommendation
+
+ ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right }
+
+ **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online.
+
+ [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106)
+
+!!! warning
+
+ You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid).
+
+## Command-line
+
+### ExifTool
+
+!!! recommendation
+
+ ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right }
+
+ **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more).
+
+ It's often a component of other Exif removal applications and is in most Linux distribution repositories.
+
+ [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://exiftool.org)
+ - [:simple-apple: macOS](https://exiftool.org)
+ - [:simple-linux: Linux](https://exiftool.org)
+
+!!! example "Deleting data from a directory of files"
+
+ ```bash
+ exiftool -all= *.file_extension
+ ```
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Apps developed for open-source operating systems must be open-source.
+- Apps must be free and should not include ads or other limitations.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/desktop-browsers.md b/i18n/eo/desktop-browsers.md
new file mode 100644
index 00000000..210429ed
--- /dev/null
+++ b/i18n/eo/desktop-browsers.md
@@ -0,0 +1,263 @@
+---
+title: "Desktop Browsers"
+icon: material/laptop
+---
+
+These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping your browser extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Firefox
+
+!!! recommendation
+
+ ![Firefox logo](assets/img/browsers/firefox.svg){ align=right }
+
+ **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks).
+
+ [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows)
+ - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac)
+ - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox)
+
+!!!
warning
+ Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/).
+
+### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Privacy & Security**.
+
+##### Enhanced Tracking Protection
+
+- [x] Select **Strict** Enhanced Tracking Protection
+
+This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability.
+
+##### Sanitize on Close
+
+If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...**
+
+- [x] Check **Delete cookies and site data when Firefox is closed**
+
+This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often.
+
+##### Search Suggestions
+
+- [ ] Uncheck **Provide search suggestions**
+
+Search suggestion features may not be available in your region.
+
+Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider.
+
+##### Telemetry
+
+- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla**
+- [ ] Uncheck **Allow Firefox to install and run studies**
+- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf**
+
+> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.
+
+Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out:
+
+1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection)
+2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts**
+
+##### HTTPS-Only Mode
+
+- [x] Select **Enable HTTPS-Only Mode in all windows**
+
+This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing.
+
+### Firefox Sync
+
+[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE.
+
+### Arkenfox (advanced)
+
+The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox.
If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support.
+
+## Brave
+
+!!! recommendation
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ??? downloads annotate
+
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+ - [:simple-windows11: Windows](https://brave.com/download/)
+ - [:simple-apple: macOS](https://brave.com/download/)
+ - [:simple-linux: Linux](https://brave.com/linux/) (1)
+
+ 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc.
+
+### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings**.
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+- [x] Select **Prevent sites from fingerprinting me based on my language preferences**
+- [x] Select **Aggressive** under Trackers & ads blocking
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under Block fingerprinting
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Social media blocking
+
+- [ ] Uncheck all social media components
+
+##### Privacy and security
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Use Google services for push messaging**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [x] Select **Always use secure connections** in the **Security** menu
+- [ ] Uncheck **Private window with Tor** (1)
+
+ !!! tip "Sanitizing on Close"
+ - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu
+
+ If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section.
+
+
+1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser).
+
+##### Extensions
+
+Disable built-in extensions you do not use in **Extensions**
+
+- [ ] Uncheck **Hangouts**
+- [ ] Uncheck **WebTorrent**
+
+##### IPFS
+
+InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+- [x] Select **Disabled** on Method to resolve IPFS resources
+
+##### Additional settings
+
+Under the *System* menu
+
+
+- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1)
+
+
+1. This option is not present on all platforms.
+
+### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## Additional Resources
+
+We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality.
+
+### uBlock Origin
+
+!!! recommendation
+
+ ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right }
+
+ **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts.
+
+ [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak)
+
+We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css).
+
+##### Other lists
+
+These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding:
+
+- [x] Check **Privacy** > **AdGuard URL Tracking Protection**
+- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must be open-source software.
+- Supports automatic updates.
+- Receives engine updates in 0-1 days from upstream release.
+- Available on Linux, macOS, and Windows.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Blocks third-party cookies by default.
+- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1]
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category.
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Includes built-in content blocking functionality.
+- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)).
+- Supports Progressive Web Apps.
+ PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates.
+- Does not include add-on functionality (bloatware) that does not impact user privacy.
+- Does not collect telemetry by default.
+- Provides open-source sync server implementation.
+- Defaults to a [private search engine](search-engines.md).
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.eo.txt"
+
+[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/).
diff --git a/i18n/eo/desktop.md b/i18n/eo/desktop.md
new file mode 100644
index 00000000..d938506d
--- /dev/null
+++ b/i18n/eo/desktop.md
@@ -0,0 +1,184 @@ +--- +title: "Desktop/PC" +icon: simple/linux +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. 
+ + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). 
+ +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. 
+ +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. 
You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. 
+ +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. 
[Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. + +--8<-- "includes/abbreviations.eo.txt" diff --git a/i18n/eo/dns.md b/i18n/eo/dns.md new file mode 100644 index 00000000..fdc95002 --- /dev/null +++ b/i18n/eo/dns.md 
@@ -0,0 +1,142 @@ +--- +title: "DNS Resolvers" +icon: material/dns +--- + +!!! question "Should I use encrypted DNS?" + + Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + + [Learn more about DNS](advanced/dns-overview.md){ .md-button } + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### Android + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). 
+ +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! 
recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." 
+ + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! 
recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +--8<-- "includes/abbreviations.eo.txt" + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. 
[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/eo/email-clients.md b/i18n/eo/email-clients.md new file mode 100644 index 00000000..9239238d --- /dev/null +++ b/i18n/eo/email-clients.md 
@@ -0,0 +1,239 @@ +--- +title: "Email Clients" +icon: material/email-open +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! 
recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. 
+ + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! 
recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. + +--8<-- "includes/abbreviations.eo.txt" diff --git a/i18n/eo/email.md b/i18n/eo/email.md new file mode 100644 index 00000000..3a6847ca --- /dev/null +++ b/i18n/eo/email.md 
@@ -0,0 +1,485 @@ +--- +title: "Email Services" +icon: material/email +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +??? 
success "Custom Domains and Aliases" + + Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +??? success "Private Payment Methods" + + Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments. + +??? success "Account Security" + + Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code. + +??? success "Data Security" + + Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + + Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +??? success "Email Encryption" + + Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. 
+ + Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + +??? warning "Digital Legacy" + + Proton Mail doesn't offer a digital legacy feature. + +??? info "Account Termination" + + If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +??? info "Additional Functionality" + + Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +??? success "Custom Domains and Aliases" + + Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. 
Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +??? info "Private Payment Methods" + + Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +??? success "Account Security" + + Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +??? info "Data Security" + + Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + + However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +??? success "Email Encryption" + + Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. 
This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + + Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +??? success "Digital Legacy" + + Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +??? info "Account Termination" + + Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +??? info "Additional Functionality" + + You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + + All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +### StartMail + +!!! 
recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +??? success "Custom Domains and Aliases" + + Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +??? warning "Private Payment Methods" + + StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +??? success "Account Security" + + StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +??? info "Data Security" + + StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. 
When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + + StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +??? success "Email Encryption" + + StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. + +??? warning "Digital Legacy" + + StartMail does not offer a digital legacy feature. + +??? info "Account Termination" + + On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +??? info "Additional Functionality" + + StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +??? success "Custom Domains and Aliases" + + Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). 
Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +??? warning "Private Payment Methods" + + Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +??? success "Account Security" + + Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +??? success "Data Security" + + Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +??? warning "Email Encryption" + + Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +??? warning "Digital Legacy" + + Tutanota doesn't offer a digital legacy feature. + +??? info "Account Termination" + + Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +??? info "Additional Functionality" + + Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + + Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. 
+ +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. 
You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! 
recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. 
We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you.
+
+### Technology
+
+We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require.
+
+**Minimum to Qualify:**
+
+- Encrypts email account data at rest with zero-access encryption.
+- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard.
+- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy.
+- Operates on owned infrastructure, i.e. not built upon third-party email service providers.
+
+**Best Case:**
+
+- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption.
+- Integrated webmail E2EE/PGP encryption provided as a convenience.
+- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com`
+- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
+- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
+- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
+- Catch-all or alias functionality for those who own their own domains.
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible.
+
+**Minimum to Qualify:**
+
+- Protect sender's IP address. Filter it from showing in the `Received` header field.
+- Don't require personally identifiable information (PII) besides a username and a password.
+- Privacy policy that meets the requirements defined by the GDPR
+- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/).
+
+**Best Case:**
+
+- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
+
+### Security
+
+Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members.
+
+**Minimum to Qualify:**
+
+- Protection of webmail with 2FA, such as TOTP.
+- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
+- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
+- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). 
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. 
(email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc)
+- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+
+**Best Case:**
+
+- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
+
+### Additional Functionality
+
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/encryption.md b/i18n/eo/encryption.md
new file mode 100644
index 00000000..3268a8a5
--- /dev/null
+++ b/i18n/eo/encryption.md
@@ -0,0 +1,357 @@ +--- +title: "Encryption Software" +icon: material/file-lock +--- + +Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here. + +## Multi-platform + +The options listed here are multi-platform and great for creating encrypted backups of your data. + +### Cryptomator (Cloud) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. 
Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. 
+ +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. 
Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! 
recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! 
recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! 
recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. 
+
+ [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+
+### GPG Suite
+
+!!! note
+
+ We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices.
+
+!!! recommendation
+
+ ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right }
+
+ **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS.
+
+ We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support.
+
+ [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-apple: macOS](https://gpgtools.org)
+
+### OpenKeychain
+
+!!! recommendation
+
+ ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right }
+
+ **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).
+
+ [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Cross-platform encryption apps must be open-source.
+- File encryption apps must support decryption on Linux, macOS, and Windows.
+- External disk encryption apps must support decryption on Linux, macOS, and Windows.
+- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave.
+- File encryption apps should have first- or third-party support for mobile platforms.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/file-sharing.md b/i18n/eo/file-sharing.md
new file mode 100644
index 00000000..7039a986
--- /dev/null
+++ b/i18n/eo/file-sharing.md
@@ -0,0 +1,148 @@
+---
+title: "File Sharing and Sync"
+icon: material/share-variant
+---
+
+Discover how to privately share your files between your devices, with your friends and family, or anonymously online.
+
+## File Sharing
+
+### Send
+
+!!! recommendation
+
+ ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right }
+
+ **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself.
+
+ [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute }
+
+Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server:
+
+```bash
+ffsend upload --host https://send.vis.ee/ FILE
+```
+
+### OnionShare
+
+!!! recommendation
+
+ ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right }
+
+ **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files.
+
+ [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://onionshare.org/#download)
+ - [:simple-apple: macOS](https://onionshare.org/#download)
+ - [:simple-linux: Linux](https://onionshare.org/#download)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must not store decrypted data on a remote server.
+- Must be open-source software.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+## FreedomBox
+
+!!! recommendation
+
+ ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right }
+
+ **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host.
+
+ [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation}
+ [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute }
+
+## File Sync
+
+### Nextcloud (Client-Server)
+
+!!! recommendation
+
+ ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right }
+
+ **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control.
+
+ [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!! danger
+
+ We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality.
+
+### Syncthing (P2P)
+
+!!! recommendation
+
+ ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right }
+
+ **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS.
+
+ [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid)
+ - [:simple-windows11: Windows](https://syncthing.net/downloads/)
+ - [:simple-apple: macOS](https://syncthing.net/downloads/)
+ - [:simple-linux: Linux](https://syncthing.net/downloads/)
+ - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/)
+ - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/)
+ - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must not require a third-party remote/cloud server.
+- Must be open-source software.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Has mobile clients for iOS and Android, which at least support document previews.
+- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/frontends.md b/i18n/eo/frontends.md
new file mode 100644
index 00000000..12162dc9
--- /dev/null
+++ b/i18n/eo/frontends.md
@@ -0,0 +1,268 @@
+---
+title: "Frontends"
+icon: material/flip-to-front
+---
+
+Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions.
+
+## LBRY
+
+### Librarian
+
+!!! recommendation
+
+ ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right }
+ ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right }
+
+ **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" }
+
+!!! warning
+
+ Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy.
+
+!!! tip
+
+ Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting.
+
+When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## Twitter
+
+### Nitter
+
+!!! recommendation
+
+ ![Nitter logo](assets/img/frontends/nitter.svg){ align=right }
+
+ **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute }
+
+!!! tip
+
+ Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter).
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting.
+
+When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## TikTok
+
+### ProxiTok
+
+!!! recommendation
+
+ ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right }
+
+ **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" }
+
+!!! tip
+
+ ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting.
+
+When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## YouTube
+
+### FreeTube
+
+!!! recommendation
+
+ ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right }
+
+ **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device.
+
+ By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments.
+
+ [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://freetubeapp.io/#download)
+ - [:simple-apple: macOS](https://freetubeapp.io/#download)
+ - [:simple-linux: Linux](https://freetubeapp.io/#download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube)
+
+!!! warning
+
+ When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+### Yattee
+
+!!! recommendation
+
+ ![Yattee logo](assets/img/frontends/yattee.svg){ align=right }
+
+ **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device.
+
+ You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions.
+
+ [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629)
+ - [:simple-github: GitHub](https://github.com/yattee/yattee/releases)
+
+!!! warning
+
+ When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments.
+
+### LibreTube (Android)
+
+!!! recommendation
+
+ ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right }
+ ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right }
+
+ **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API.
+
+ LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well.
+
+ [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases)
+
+!!! warning
+
+ When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired.
+
+### NewPipe (Android)
+
+!!! recommendation annotate
+
+ ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right }
+
+ **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1).
+
+ Your subscription list and playlists are saved locally on your Android device.
+
+ [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases)
+
+1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances**
+
+!!! Warning
+
+ When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+### Invidious
+
+!!! recommendation
+
+ ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right }
+ ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right }
+
+ **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute }
+
+!!! warning
+
+ Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL.
+
+!!! tip
+
+ Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting.
+
+When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+### Piped
+
+!!! recommendation
+
+ ![Piped logo](assets/img/frontends/piped.svg){ align=right }
+
+ **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable.
+
+ Piped requires JavaScript in order to function and there are a number of public instances.
+
+ [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute }
+
+!!! tip
+
+ Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting.
+
+When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Recommended frontends...
+
+- Must be open-source software.
+- Must be self-hostable.
+- Must provide all basic website functionality available to anonymous users.
+
+We only consider frontends for websites which are...
+
+- Not normally accessible without JavaScript.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/index.md b/i18n/eo/index.md
new file mode 100644
index 00000000..4cb10510
--- /dev/null
+++ b/i18n/eo/index.md
@@ -0,0 +1,44 @@ +--- +template: overrides/home.eo.html +hide: + - navigation + - toc + - feedback +--- + + +## Why should I care? + +##### “I have nothing to hide. Why should I care about my privacy?” + +Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination). + +You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human. + +[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary} + +## What should I do? + +##### First, you need to make a plan + +Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them. + +==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan. + +[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## We need you! 
Here's how to get involved: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" } +[:material-information-outline:](about/index.md){ title="Learn more about us" } +[:material-hand-coin-outline:](about/donate.md){ title="Support the project" } + +It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know. + +--8<-- "includes/abbreviations.eo.txt" diff --git a/i18n/eo/kb-archive.md b/i18n/eo/kb-archive.md new file mode 100644 index 00000000..514697e3 --- /dev/null +++ b/i18n/eo/kb-archive.md 
@@ -0,0 +1,18 @@ +--- +title: KB Archive +icon: material/archive +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) + +--8<-- "includes/abbreviations.eo.txt" diff --git a/i18n/eo/meta/brand.md b/i18n/eo/meta/brand.md new file mode 100644 index 00000000..bb778841 --- /dev/null +++ b/i18n/eo/meta/brand.md @@ -0,0 +1,24 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. + +--8<-- "includes/abbreviations.eo.txt" diff --git a/i18n/eo/meta/git-recommendations.md b/i18n/eo/meta/git-recommendations.md new file mode 100644 index 00000000..6159e50d --- /dev/null +++ b/i18n/eo/meta/git-recommendations.md 
@@ -0,0 +1,48 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). 
+ +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` + +--8<-- "includes/abbreviations.eo.txt" diff --git a/i18n/eo/meta/uploading-images.md b/i18n/eo/meta/uploading-images.md new file mode 100644 index 00000000..20b8a71f --- /dev/null +++ b/i18n/eo/meta/uploading-images.md 
@@ -0,0 +1,91 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash 
+scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` + +--8<-- "includes/abbreviations.eo.txt" diff --git a/i18n/eo/meta/writing-style.md b/i18n/eo/meta/writing-style.md new file mode 100644 index 00000000..43c8df7f --- /dev/null +++ b/i18n/eo/meta/writing-style.md 
@@ -0,0 +1,89 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. 
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. 
+ +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation + +--8<-- "includes/abbreviations.eo.txt" diff --git a/i18n/eo/mobile-browsers.md b/i18n/eo/mobile-browsers.md new file mode 100644 index 00000000..c427f011 --- /dev/null +++ b/i18n/eo/mobile-browsers.md 
@@ -0,0 +1,193 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? 
downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +
+ +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. 
+ +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). 
Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. 
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +--8<-- "includes/abbreviations.eo.txt" diff --git a/i18n/eo/multi-factor-authentication.md b/i18n/eo/multi-factor-authentication.md new file mode 100644 index 00000000..f30f3a36 --- /dev/null +++ b/i18n/eo/multi-factor-authentication.md 
@@ -0,0 +1,144 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. 
+ +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey / Librem Key + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. 
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + + The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +!!! tip + + The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. 
+ +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. + +--8<-- "includes/abbreviations.eo.txt" diff --git a/i18n/eo/news-aggregators.md b/i18n/eo/news-aggregators.md new file mode 100644 index 00000000..4c609d2e --- /dev/null +++ b/i18n/eo/news-aggregators.md 
@@ -0,0 +1,173 @@ +--- +title: "News Aggregators" +icon: material/rss +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favourite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! 
recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. 
+
+ ```text
+ https://www.reddit.com/r/{{ subreddit_name }}/new/.rss
+ ```
+
+### Twitter
+
+Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS.
+
+!!! example
+ 1. Pick an instance and set `nitter_instance`.
+ 2. Replace `twitter_account` with the account name.
+
+ ```text
+ https://{{ nitter_instance }}/{{ twitter_account }}/rss
+ ```
+
+### YouTube
+
+You can subscribe YouTube channels without logging in and associating usage information with your Google Account.
+
+!!! example
+
+ To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below:
+ ```text
+ https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID]
+ ```
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/notebooks.md b/i18n/eo/notebooks.md
new file mode 100644
index 00000000..7188f15e
--- /dev/null
+++ b/i18n/eo/notebooks.md
@@ -0,0 +1,115 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. 
+
+ [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute }
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Clients must be open-source.
+- Any cloud sync functionality must be E2EE.
+- Must support exporting documents into a standard format.
+
+### Best Case
+
+- Local backup/sync functionality should support encryption.
+- Cloud-based platforms should support document sharing.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/os/android-overview.md b/i18n/eo/os/android-overview.md
new file mode 100644
index 00000000..a7eb6b06
--- /dev/null
+++ b/i18n/eo/os/android-overview.md
@@ -0,0 +1,135 @@
+---
+title: Android Overview
+icon: simple/android
+---
+
+Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system.
+
+## Choosing an Android Distribution
+
+When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android.
+
+This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model.
+
+Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model.
At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. 
+ +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. 
+ +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. 
+ +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. 
It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Should you want to run an app that you're unsure about, consider using a user or work profile. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. 
+ +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. 
that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). 
This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. 
Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities.
+
+As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/os/linux-overview.md b/i18n/eo/os/linux-overview.md
new file mode 100644
index 00000000..0ba653e0
--- /dev/null
+++ b/i18n/eo/os/linux-overview.md
@@ -0,0 +1,143 @@
+---
+title: Linux Overview
+icon: simple/linux
+---
+
+It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years.
+
+At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.:
+
+- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm).
These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. 
This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). 
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. 
+ +## General Recommendations + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. 
+ +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. 
+ +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). 
+
+There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware.
+
+### Other Identifiers
+
+There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md):
+
+- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings.
+- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
+- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id).
+
+### System Counting
+
+The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary.
+
+This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer.
+
+openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/os/qubes-overview.md b/i18n/eo/os/qubes-overview.md
new file mode 100644
index 00000000..e706713d
--- /dev/null
+++ b/i18n/eo/os/qubes-overview.md
@@ -0,0 +1,56 @@
+---
+title: "Qubes Overview"
+icon: simple/qubesos
+---
+
+[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/).
+
+## How does Qubes OS work?
+
+Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines.
+
+![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png)
+
Qubes Architecture, Credit: What is Qubes OS Intro
+
+Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser.
+
+![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png)
+
Qubes window borders, Credit: Qubes Screenshots
+
+## Why Should I use Qubes?
+
+Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources.
+
+Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control.
+
+### Copying and Pasting Text
+
+You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions:
+
+1. Press **Ctrl+C** to tell the VM you're in that you want to copy something.
+2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard.
+3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available.
+4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer.
+
+### File Exchange
+
+To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system.
+
+??? info "AppVMs or qubes do not have their own file systems"
+
+ You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident.
+
+### Inter-VM Interactions
+
+The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/).
+
+## Additional Resources
+
+For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc).
+
+- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/)
+- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf)
+- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html)
+- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles)
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/passwords.md b/i18n/eo/passwords.md
new file mode 100644
index 00000000..9b09e848
--- /dev/null
+++ b/i18n/eo/passwords.md
@@ -0,0 +1,230 @@
+---
+title: "Password Managers"
+icon: material/form-textbox-password
+---
+
+Password managers allow you to securely store and manage passwords and other credentials with the use of a master password.
+
+[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md)
+
+!!! info
+
+ Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have.
+
+ For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default.
+
+## Cloud-based
+
+These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss.
+
+### Bitwarden
+
+!!! recommendation
+
+ ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right }
+
+ **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices.
+
+ [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744)
+ - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases)
+ - [:simple-windows11: Windows](https://bitwarden.com/download)
+ - [:simple-linux: Linux](https://bitwarden.com/download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh)
+
+Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan).
+
+You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing.
+
+Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server.
+
+**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code.
+
+[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation}
+[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute }
+
+### 1Password
+
+!!! recommendation
+
+ ![1Password logo](assets/img/password-management/1password.svg){ align=right }
+
+ **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf).
+
+ [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation}
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8)
+ - [:simple-windows11: Windows](https://1password.com/downloads/windows/)
+ - [:simple-apple: macOS](https://1password.com/downloads/mac/)
+ - [:simple-linux: Linux](https://1password.com/downloads/linux/)
+
+Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality.
+
+Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data.
+
+One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate.
+
+### Psono
+
+!!! recommendation
+
+ ![Psono logo](assets/img/password-management/psono.svg){ align=right }
+
+ **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password.
+
+ [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo)
+ - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client)
+
+Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features.
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here.
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must utilize strong, standards-based/modern E2EE.
+- Must have thoroughly documented encryption and security practices.
+- Must have a published audit from a reputable, independent third-party.
+- All non-essential telemetry must be optional.
+- Must not collect more PII than is necessary for billing purposes.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Telemetry should be opt-in (disabled by default) or not collected at all.
+- Should be open-source and reasonably self-hostable.
+
+## Local Storage
+
+These options allow you to manage an encrypted password database locally.
+
+### KeePassXC
+
+!!! recommendation
+
+ ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right }
+
+ **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager.
+
+ [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually.
+
+### KeePassDX (Android)
+
+!!! recommendation
+
+ ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right }
+
+ **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development.
+
+ [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free)
+ - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases)
+
+### Strongbox (iOS & macOS)
+
+!!!
recommendation
+
+ ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right }
+
+ **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license.
+
+ [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731)
+
+Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface.
+
+### Command-line
+
+These products are minimal password managers that can be used within scripting applications.
+
+#### gopass
+
+!!! recommendation
+
+ ![gopass logo](assets/img/password-management/gopass.svg){ align=right }
+
+ **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows).
+
+ [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows)
+ - [:simple-apple: macOS](https://www.gopass.pw/#install-macos)
+ - [:simple-linux: Linux](https://www.gopass.pw/#install-linux)
+ - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be cross-platform.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/productivity.md b/i18n/eo/productivity.md
new file mode 100644
index 00000000..cb5d4e32
--- /dev/null
+++ b/i18n/eo/productivity.md
@@ -0,0 +1,156 @@
+---
+title: "Productivity Tools"
+icon: material/file-sign
+---
+
+Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints.
+
+## Collaboration Platforms
+
+### Nextcloud
+
+!!! recommendation
+
+ ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right }
+
+ **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control.
+
+ [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!! danger
+
+ We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers.
+
+### CryptPad
+
+!!!
recommendation
+
+ ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right }
+
+ **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily.
+
+ [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute }
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive.
+
+- Open-source.
+- Makes files accessible via WebDAV unless it is impossible due to E2EE.
+- Has sync clients for Linux, macOS, and Windows.
+- Supports document and spreadsheet editing.
+- Supports real-time document collaboration.
+- Supports exporting documents to standard document formats (e.g. ODF).
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should store files in a conventional filesystem.
+- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins.
+
+## Office Suites
+
+### LibreOffice
+
+!!! recommendation
+
+ ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right }
+
+ **LibreOffice** is a free and open-source office suite with extensive functionality.
+
+ [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/)
+ - [:simple-apple: macOS](https://www.libreoffice.org/download/download/)
+ - [:simple-linux: Linux](https://www.libreoffice.org/download/download/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/)
+
+### OnlyOffice
+
+!!!
recommendation
+
+ ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right }
+
+ **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud.
+
+ [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972)
+ - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change.
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs.
+
+- Must be cross-platform.
+- Must be open-source software.
+- Must function offline.
+- Must support editing documents, spreadsheets, and slideshows.
+- Must export files to standard document formats.
+
+## Paste services
+
+### PrivateBin
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/).
+
+ [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" }
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/real-time-communication.md b/i18n/eo/real-time-communication.md
new file mode 100644
index 00000000..f2bcd2fc
--- /dev/null
+++ b/i18n/eo/real-time-communication.md
@@ -0,0 +1,195 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. 
Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. 
+ + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. 
The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. 
+ +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should have Perfect Forward Secrecy.
+- Should have open-source servers.
+- Should be decentralized, i.e. federated or P2P.
+- Should use E2EE for all messages by default.
+- Should support Linux, macOS, Windows, Android, and iOS.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/router.md b/i18n/eo/router.md
new file mode 100644
index 00000000..60026939
--- /dev/null
+++ b/i18n/eo/router.md
@@ -0,0 +1,51 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +--- + +Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. 
+
+ [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute }
+
+OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open source.
+- Must receive regular updates.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/search-engines.md b/i18n/eo/search-engines.md
new file mode 100644
index 00000000..8a0ed19a
--- /dev/null
+++ b/i18n/eo/search-engines.md
@@ -0,0 +1,109 @@ +--- +title: "Search Engines" +icon: material/search-web +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! 
recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! 
recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. 
The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. 
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must not collect personally identifiable information per their privacy policy.
+- Must not allow users to create an account with them.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be based on open-source software.
+- Should not block Tor exit node IP addresses.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/tools.md b/i18n/eo/tools.md
new file mode 100644
index 00000000..d523143c
--- /dev/null
+++ b/i18n/eo/tools.md
@@ -0,0 +1,443 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+
+[Learn more :material-arrow-right-drop-circle:](router.md)
+
+## Service Providers
+
+### Cloud Storage
+
+
+
+- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](cloud.md)
+
+### DNS
+
+#### DNS Providers
+
+We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended.
+
+[Learn more :material-arrow-right-drop-circle:](dns.md)
+
+#### Encrypted DNS Proxies
+
+
+
+- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns)
+- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies)
+
+#### Self-hosted Solutions
+
+
+
+- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home)
+- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions)
+
+### Email
+
+
+
+- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail)
+- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg)
+- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail)
+- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md)
+
+#### Email Aliasing Services
+
+
+
+- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy)
+- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services)
+
+#### Self-Hosting Email
+
+
+
+- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email)
+- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email)
+
+### Search Engines
+
+
+
+- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search)
+- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo)
+- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng)
+- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](search-engines.md)
+
+### VPN Providers
+
+??? danger "VPNs do not provide anonymity"
+
+ Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.
+
+ If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
+
+ If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
+
+ [Learn more :material-arrow-right-drop-circle:](vpn.md)
+
+
+
+- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn)
+- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn)
+- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](vpn.md)
+
+## Software
+
+### Calendar Sync
+
+
+
+- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota)
+- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](calendar.md)
+
+### Data and Metadata Redaction
+
+
+
+- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2)
+- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android)
+- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios)
+- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur)
+- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](data-redaction.md)
+
+### Email Clients
+
+
+
+- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird)
+- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos)
+- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios)
+- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android)
+- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome)
+- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android)
+- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde)
+- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser)
+- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email-clients.md)
+
+### Encryption Software
+
+??? info "Operating System Disk Encryption"
+
+ For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems.
+
+ [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde)
+
+
+
+- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud)
+- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file)
+- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk)
+- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh)
+- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor)
+- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](encryption.md)
+
+#### OpenPGP Clients
+
+
+
+- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard)
+- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win)
+- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite)
+- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp)
+
+### File Sharing and Sync
+
+
+
+- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send)
+- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare)
+- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox)
+- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud)
+- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](file-sharing.md)
+
+### Frontends
+
+
+
+- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian)
+- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter)
+- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube)
+- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee)
+- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android)
+- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android)
+- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious)
+- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](frontends.md)
+
+### Multi-Factor Authentication Tools
+
+
+
+- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey)
+- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key)
+- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator)
+- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md)
+
+### News Aggregators
+
+
+
+- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator)
+- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder)
+- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader)
+- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds)
+- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux)
+- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire)
+- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](news-aggregators.md)
+
+### Notebooks
+
+
+
+- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin)
+- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes)
+- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee)
+- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](notebooks.md)
+
+### Password Managers
+
+
+
+- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden)
+- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password)
+- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono)
+- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc)
+- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android)
+- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos)
+- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](passwords.md)
+
+### Productivity Tools
+
+
+
+- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud)
+- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice)
+- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice)
+- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad)
+- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](productivity.md)
+
+### Real-Time Communication
+
+
+
+- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal)
+- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar)
+- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat)
+- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element)
+- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
+
+### Video Streaming Clients
+
+
+
+- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](video-streaming.md)
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/tor.md b/i18n/eo/tor.md
new file mode 100644
index 00000000..d7df32e9
--- /dev/null
+++ b/i18n/eo/tor.md
@@ -0,0 +1,124 @@
+---
+title: "Tor Network"
+icon: simple/torproject
+---
+
+![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right }
+
+The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool.
+
+[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage }
+[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation}
+[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity.
+
+
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark)
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+
+- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md)
+
+## Connecting to Tor
+
+There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser.
+
+### Tor Browser
+
+!!! recommendation
+
+ ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right }
+
+ **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*.
+
+ [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
+ - [:simple-android: Android](https://www.torproject.org/download/#android)
+ - [:simple-windows11: Windows](https://www.torproject.org/download/)
+ - [:simple-apple: macOS](https://www.torproject.org/download/)
+ - [:simple-linux: Linux](https://www.torproject.org/download/)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor)
+
+!!! danger
+
+ You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
+
+The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/).
+
+### Orbot
+
+!!! recommendation
+
+ ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right }
+
+ **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network.
+
+ [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599)
+ - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases)
+
+For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to.
+
+!!! tip "Tips for Android"
+
+ Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+ Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead.
+
+ All versions are signed using the same signature so they should be compatible with each other.
+
+## Relays and Bridges
+
+### Snowflake
+
+!!! recommendation
+
+ ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right }
+ ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right }
+
+ **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser.
+
+ People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge.
+
+ [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie)
+ - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy")
+
+??? tip "Embedded Snowflake"
+
+ You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface.
+
+
+
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html).
+
+Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours.
+
+Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/video-streaming.md b/i18n/eo/video-streaming.md
new file mode 100644
index 00000000..b2bcf05b
--- /dev/null
+++ b/i18n/eo/video-streaming.md
@@ -0,0 +1,52 @@
+---
+title: "Video Streaming"
+icon: material/video-wireless
+---
+
+The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage.
+
+## LBRY
+
+!!! recommendation
+
+ ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right }
+
+ **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance.
+
+ **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet.
+
+ [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://lbry.com/windows)
+ - [:simple-apple: macOS](https://lbry.com/osx)
+ - [:simple-linux: Linux](https://lbry.com/linux)
+
+!!! note
+
+ Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry.
+
+!!! warning
+
+ While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel.
+
+You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must not require a centralized account to view videos.
+ - Decentralized authentication, such as via a mobile wallet's private key is acceptable.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/eo/vpn.md b/i18n/eo/vpn.md
new file mode 100644
index 00000000..598bef03
--- /dev/null
+++ b/i18n/eo/vpn.md
@@ -0,0 +1,323 @@
+---
+title: "VPN Services"
+icon: material/vpn
+---
+
+Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
+
+??? danger "VPNs do not provide anonymity"
+
+ Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.
+
+ If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
+
+ If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
+
+ [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button }
+
+??? question "When are VPNs useful?"
+
+ If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved.
+
+ [More Info](basics/vpn-overview.md){ .md-button }
+
+## Recommended Providers
+
+!!! abstract "Criteria"
+
+ Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#our-criteria) for more information.
+
+### Proton VPN
+
+!!! recommendation annotate
+
+ ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right }
+
+ **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option.
+
+ [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085)
+ - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases)
+ - [:simple-windows11: Windows](https://protonvpn.com/download-windows)
+ - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/)
+
+??? success annotate "67 Countries"
+
+ Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
+
+ We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Last checked: 2022-09-16
+
+??? success "Independently Audited"
+
+ As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf).
A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
+
+??? success "Open-Source Clients"
+
+ Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN).
+
+??? success "Accepts Cash"
+
+ Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment.
+
+??? success "WireGuard Support"
+
+ Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+ Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app.
+
+??? warning "Remote Port Forwarding"
+
+ Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients.
+
+??? success "Mobile Clients"
+
+ In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers.
+
+???
info "Additional Functionality"
+
+ Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose.
+
+!!! danger "Killswitch feature is broken on Intel-based Macs"
+
+ System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service.
+
+### IVPN
+
+!!! recommendation
+
+ ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right }
+
+ **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar.
+
+ [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-android: Android](https://www.ivpn.net/apps-android/)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683)
+ - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/)
+ - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/)
+ - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/)
+
+??? success annotate "35 Countries"
+
+ IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1).
Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
+
+ We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Last checked: 2022-09-16
+
+??? success "Independently Audited"
+
+ IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf).
+
+??? success "Open-Source Clients"
+
+ As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn).
+
+??? success "Accepts Cash and Monero"
+
+ In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment.
+
+??? success "WireGuard Support"
+
+ IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+ IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
+
+??? success "Remote Port Forwarding"
+
+ Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html).
+
+??? success "Mobile Clients"
+
+ In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers.
+
+??? info "Additional Functionality"
+
+ IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level.
+
+### Mullvad
+
+!!! recommendation
+
+ ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right }
+
+ **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial.
+
+ [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513)
+ - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases)
+ - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/)
+ - [:simple-apple: macOS](https://mullvad.net/en/download/macos/)
+ - [:simple-linux: Linux](https://mullvad.net/en/download/linux/)
+
+??? success annotate "41 Countries"
+
+ Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
+
+ We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Last checked: 2023-01-19
+
+??? success "Independently Audited"
+
+ Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf).
The security researchers concluded:
+
+ > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint.
+
+ In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website:
+
+ > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks.
+
+ In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf).
+
+??? success "Open-Source Clients"
+
+ Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app).
+
+???
success "Accepts Cash and Monero"
+
+ Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers.
+
+??? success "WireGuard Support"
+
+ Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+ Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
+
+??? success "IPv6 Support"
+
+ Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections.
+
+??? success "Remote Port Forwarding"
+
+ Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information.
+
+???
success "Mobile Clients"
+
+ Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases).
+
+??? info "Additional Functionality"
+
+ Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion).
+
+## Criteria
+
+!!! danger
+
+ It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy.
+
+**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible.
+
+### Technology
+
+We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected.
+
+**Minimum to Qualify:**
+
+- Support for strong protocols such as WireGuard & OpenVPN.
+- Killswitch built in to clients.
+- Multihop support. Multihopping is important to keep data private in case of a single node compromise.
+- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing.
+
+**Best Case:**
+
+- WireGuard and OpenVPN support.
+- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.)
+- Easy-to-use VPN clients
+- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses.
+- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble).
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required.
+
+**Minimum to Qualify:**
+
+- Monero or cash payment option.
+- No personal information required to register: Only username, password, and email at most.
+
+**Best Case:**
+
+- Accepts Monero, cash, and other forms of anonymous payment options (gift cards, etc.)
+- No personal information accepted (autogenerated username, no email required, etc.)
+
+### Security
+
+A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis.
+
+**Minimum to Qualify:**
+
+- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
+- Perfect Forward Secrecy (PFS).
+- Published security audits from a reputable third-party firm.
+
+**Best Case:**
+
+- Strongest Encryption: RSA-4096.
+- Perfect Forward Secrecy (PFS).
+- Comprehensive published security audits from a reputable third-party firm.
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the VPN providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure.
We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+ - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.)
+ - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes.
+- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor.
+
+**Best Case:**
+
+Responsible marketing that is both educational and useful to the consumer could include:
+
+- An accurate comparison to when [Tor](tor.md) should be used instead.
+- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion)
+
+### Additional Functionality
+
+While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc.
+
+--8<-- "includes/abbreviations.eo.txt"
diff --git a/i18n/es/404.md b/i18n/es/404.md
new file mode 100644
index 00000000..57697cde
--- /dev/null
+++ b/i18n/es/404.md
@@ -0,0 +1,17 @@
+---
+hide:
+ - feedback
+---
+
+# 404 - No encontrado
+
+We couldn't find the page you were looking for! Maybe you were looking for one of these?
+
+- [Introducción a la creación de un modelo de amenazas](basics/threat-modeling.md)
+- [Proveedores de DNS recomendados](dns.md)
+- [Mejores navegadores de escritorio](desktop-browsers.md)
+- [Mejores proveedores de VPN](vpn.md)
+- [Foro de Privacy Guides](https://discuss.privacyguides.net)
+- [Nuestro blog](https://blog.privacyguides.org)
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/CODE_OF_CONDUCT.md b/i18n/es/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..88a0e910
--- /dev/null
+++ b/i18n/es/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@
+# Community Code of Conduct
+
+**We pledge** to make our community a harassment-free experience for everyone.
+
+**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others.
+
+**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment.
+
+## Community Standards
+
+What we expect from members of our communities:
+
+1. **Don't spread misinformation**
+
+ We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence.
+
+1. **Don't abuse our willingness to help**
+
+ Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/).
+
+1.
**Behave in a positive and constructive manner**
+
+ Examples of behavior that contributes to a positive environment for our community include:
+
+ - Demonstrating empathy and kindness toward other people
+ - Being respectful of differing opinions, viewpoints, and experiences
+ - Giving and gracefully accepting constructive feedback
+ - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+ - Focusing on what is best not just for us as individuals, but for the overall community
+
+### Unacceptable Behavior
+
+The following behaviors are considered harassment and are unacceptable within our community:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Scope
+
+Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities.
+
+We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion.
+
+### Contact
+
+If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system.
+
+If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
diff --git a/i18n/es/about/criteria.md b/i18n/es/about/criteria.md
new file mode 100644
index 00000000..c5acf096
--- /dev/null
+++ b/i18n/es/about/criteria.md
@@ -0,0 +1,42 @@
+---
+title: Criterios generales
+---
+
+!!! example "Trabajo en Progreso"
+
+ La siguiente página se encuentra en construcción, y no refleja todos los criterios para nuestras recomendaciones en este momento. Discusión anterior sobre este tema: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24)
+
+Abajo se encuentran algunos aspectos que deben cumplir todos los envíos a Privacy Guides. Cada categoría puede tener requisitos adicionales.
+
+## Información financiera
+
+No obtenemos dinero al recomendar ciertos productos, nosotros no utilizamos enlaces de afiliados, y no realizamos alguna consideración especial a los patrocinadores del proyecto.
+
+## Lineamientos generales
+
+Aplicamos estas prioridades al considerar nuevas recomendaciones:
+
+- Herramientas **seguras**: Las herramientas deben seguir las mejores prácticas de seguridad cuando sea necesario.
+- **Disponibilidad del código**: Proyectos de código abierto son preferidos sobre alternativas similares de código cerrado.
+- **Multiplataforma**: Preferimos que las recomendaciones sean multiplataforma para evitar la dependencia de un sistema.
+- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases.
+- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required.
+- **Documented**: Tools should have clear and extensive documentation for use.
+
+## Developer Self-Submissions
+
+We have these requirements in regard to developers which wish to submit their project or software for consideration.
+
+- Must disclose affiliation, i.e. your position within the project being submitted.
+
+- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc.
+ - Third party audit status. We want to know if you have one, or have one planned.
If possible please mention who will be conducting the audit.
+
+- Must explain what the project brings to the table in regard to privacy.
+ - Does it solve any new problem?
+ - Why should anyone use it over the alternatives?
+
+- Must state what the exact threat model is with their project.
+ - It should be clear to potential users what the project can provide, and what it cannot.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/about/donate.md b/i18n/es/about/donate.md
new file mode 100644
index 00000000..d56cd8f6
--- /dev/null
+++ b/i18n/es/about/donate.md
@@ -0,0 +1,52 @@ +--- +title: Apoyándonos +--- + + +Se necesita a un montón de [personas](https://github.com/privacyguides/privacyguides.org/graphs/contributors) y [trabajo](https://github.com/privacyguides/privacyguides.org/pulse/monthly) para mantener Privacy Guides actualizado y difundiendo la palabra sobre la privacidad y la vigilancia masiva. Si te gusta lo que hacemos, considera formar parte [editando el sitio web](https://github.com/privacyguides/privacyguides.org) o [contribuyendo a las traducciones](https://crowdin.com/project/privacyguides). + +Si nos quieres ayudar financialmente, el método más conveniente para nosotros es que contribuyas vía Open Collective, un sitio web operado por nuestro anfitrión fiscal. Open Collective acepta pagos vía tarjeta de crédito o débito, PayPal, y transferencias bancarias. + +[Dona en OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Las donaciones hechas directamente a Open Collective son generalmente deducibles de impuestos en los Estados Unidos, porque nuestro anfitrión fiscal (la Fundación Open Collective) es una organización registrada 501(c)3. Recibirás un recibo de Open Collective Foundation después de donar. Privacy Guides no ofrece asesoramiento financiero, por lo que debe ponerse en contacto con su asesor fiscal para saber si esto es aplicable en su caso. + +Si ya haces uso de los patrocinios de GitHub, también puedes patrocinar a nuestra organización allí. + +[Patrocínanos en GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Patrocinadores + +¡Un agradecimiento especial a todos los que apoyan nuestra misión! :heart: + +*Tenga en cuenta: Esta sección carga un widget directamente desde Open Collective. 
Esta sección no refleja las donaciones realizadas fuera de Open Collective, y no tenemos ningún control sobre los donantes específicos que aparecen en esta sección.* + + + +## Como usamos las donaciones + +Privacy Guides es una organización **sin ánimos de lucro**. Utilizamos las donaciones para diversos fines, entre ellos: + +**Registro del dominio** +: + +Tenemos algunos nombres de dominio como `privacyguides.org` los cuales nos cuestan alrededor de 10 dólares al año para mantener su registro. + +**Alojamiento web** +: + +El tráfico de este sitio web utiliza cientos de gigabytes de datos al mes, utilizamos una variedad de proveedores de servicios para mantener este tráfico. + +**Servicios en línea** +: + +Alojamos [servicios de internet](https://privacyguides.net) para probar y mostrar diferentes productos de privacidad que nos gustan y [recomendamos](../tools.md). Algunos de ellos están disponibles públicamente para el uso de nuestra comunidad (SearXNG, Tor, etc.), y otros se proporcionan a los miembros de nuestro equipo (correo electrónico, etc.). + +**Compras de productos** +: + +Ocasionalmente compramos productos y servicios con el fin de probar nuestras [herramientas recomendadas](../tools.md). + +Seguimos trabajando con nuestro anfitrión fiscal (la Open Collective Foundation) para recibir donaciones de criptomonedas, por el momento la contabilidad es inviable para muchas transacciones más pequeñas, pero esto debería cambiar en el futuro. Mientras tanto, si desea hacer una donación considerable (> 100 dólares) en criptomoneda, por favor, póngase en contacto con [jonah@privacyguides.org](mailto:jonah@privacyguides.org). + +--8<-- "includes/abbreviations.es.txt" diff --git a/i18n/es/about/index.md b/i18n/es/about/index.md new file mode 100644 index 00000000..322ca826 --- /dev/null +++ b/i18n/es/about/index.md 
@@ -0,0 +1,63 @@ +--- +title: "About Privacy Guides" +--- + +**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. + +[:material-hand-coin-outline: Support the project](donate.md ""){.md-button.md-button--primary} + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? 
person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub! + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax deductible in the United States. + +## Site License + +*The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):* + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. 
Usted **no puede** utilizar la marca de Privacy Guides en su propio proyecto sin la aprobación expresa de este proyecto. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! + +--8<-- "includes/abbreviations.es.txt" diff --git a/i18n/es/about/notices.md b/i18n/es/about/notices.md new file mode 100644 index 00000000..3c02db33 --- /dev/null +++ b/i18n/es/about/notices.md 
@@ -0,0 +1,45 @@ +--- +title: "Avisos y descargos de responsabilidad" +hide: + - toc +--- + +## Aviso legal + +Privacy Guides no es un bufete de abogados. Como tal, el sitio web de Privacy Guides y sus colaboradores no están proporcionando asesoría legal. El material y las recomendaciones de nuestro sitio web y de las guías no constituyen asesoramiento jurídico. Contribuir al sitio web o comunicarse con Privacy Guides u otros colaboradores sobre nuestro sitio web no crea una relación abogado-cliente. + +Dirigir este sitio web, como cualquier empresa humana, implica incertidumbre y compromisos. Esperamos que este sitio web ayude, pero puede incluir errores y no puede abordar todas las situaciones. Si tiene alguna duda sobre su situación, le animamos a que investigue por su cuenta, busque a otros expertos y participe en debates con la comunidad de Privacy Guides. Si tiene alguna pregunta legal, debe consultar con su propio abogado antes de seguir adelante. + +Privacy Guides es un proyecto de código abierto al que se ha contribuido bajo licencias que incluyen términos que, para la protección del sitio web y sus contribuyentes, dejan claro que el proyecto Privacy Guides y el sitio web se ofrece "tal cual", sin garantía, y renunciando a la responsabilidad por los daños resultantes del uso del sitio web o de cualquier recomendación contenida en él. Privacy Guides no garantiza ni hace ninguna declaración sobre la exactitud, los resultados probables o la fiabilidad del uso de los materiales en el sitio web o de cualquier otro modo relacionado con dichos materiales en el sitio web o en cualquier sitio de terceros vinculado en este sitio. + +Además, Privacy Guides no garantiza que este sitio web esté disponible, de forma constante o en absoluto. 
+ +## Licencias + +A menos que se indique lo contrario, todo el contenido de este sitio web está disponible de forma gratuita bajo los términos de la [Creative Commons CC0 1.0 Universal](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). + +Esto no incluye el código de terceros incrustado en este repositorio, o el código en el que se indique una licencia superior. Los siguientes son ejemplos notables, pero esta lista puede no ser exhaustiva: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/mathjax.js) tiene licencia [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/LICENSE.mathjax.txt). + +Algunas partes de este aviso fueron adoptadas de [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) en GitHub. Ese recurso y esta página están publicados bajo la licencia [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE). + +Esto significa que puedes utilizar el texto de privacyguides.org para su propio proyecto, de acuerdo con los términos indicados en [esta licencia](https://github. com/privacyguides/privacyguides. org/blob/main/LICENSE). Usted **no puede** utilizar la marca de Privacy Guides en su propio proyecto sin la aprobación expresa de este proyecto. Las marcas comerciales de Privacy Guides incluyen el logotipo de "Privacy Guides" y el logotipo del escudo. Las marcas comerciales de Privacy Guides incluyen el logotipo de "Privacy Guides" y el logotipo del escudo. + +Creemos que los logotipos y otras imágenes en `assets` obtenidos de terceros proveedores son de dominio público o **de uso leal**. En pocas palabras, la doctrina legal de [uso justo](https://es.wikipedia.org/wiki/Uso_justo) permite el uso de imágenes con derechos de autor con el propósito de identificar el tema para fines de comentario público. 
Sin embargo, estos logotipos y otras imágenes pueden estar sujetos a la legislación sobre marcas en una o más jurisdicciones. Antes de utilizar este contenido, asegúrese de que se utiliza para identificar a la entidad u organización propietaria de la marca comercial y de que usted tiene derecho a utilizarla según las leyes que se aplican en las circunstancias de tu uso previsto. *Al copiar el contenido de este sitio web, usted es el único responsable de asegurarse de no infringir la marca comercial o los derechos de autor de otra persona.* + +Cuando usted contribuye a este repositorio lo hace bajo las licencias mencionadas. + +## Uso aceptable + +Usted no puedes utilizar este sitio web de ninguna manera que cause o pueda causar daños al sitio web o que afecte a la disponibilidad o accesibilidad de Privacy Guides, ni de ninguna manera que sea ilegal, ilícita, fraudulenta o perjudicial, o que esté relacionada con cualquier propósito o actividad ilícita, ilegal, fraudulenta o perjudicial. + +No debe llevar a cabo ninguna actividad de recopilación de datos sistemática o automatizada en este sitio web o en relación con él sin el consentimiento expreso por escrito de Aragon Ventures LLC, incluyendo: + +* Exceso de Escaneos Automáticos +* Ataque de Denegación de Servicio +* Scraping +* Minería de Datos +* 'Framing' (IFrames) + +--8<-- "includes/abbreviations.es.txt" diff --git a/i18n/es/about/privacy-policy.md b/i18n/es/about/privacy-policy.md new file mode 100644 index 00000000..fb78970a --- /dev/null +++ b/i18n/es/about/privacy-policy.md 
@@ -0,0 +1,63 @@ +--- +title: "Política de Privacidad" +--- + +Privacy Guides es un proyecto comunitario gestionado por una serie de colaboradores voluntarios. La lista pública de los miembros del equipo [se puede encontrar en GitHub](https://github.com/orgs/privacyguides/people). + +## Datos que recopilamos de los visitantes + +La privacidad de los visitantes de nuestro sitio web es importante para nosotros, por lo que no rastreamos a ninguna persona en particular. Como visitante de nuestro sitio web: + +- No se recopila información personal +- Ninguna información tal como las cookies se almacena en el navegador +- No se comparte, envía o vende información a terceros +- No se comparte ninguna información con empresas de publicidad +- No se extrae información ni se recolecta para obtener tendencias personales y de comportamiento +- No se monetiza ninguna información + +Puede consultar los datos que recopilamos en nuestra página [statistics](statistics.md) . + +Ejecutamos una instalación propia de [Plausible Analytics](https://plausible.io) para recopilar algunos datos de uso anónimos con fines estadísticos. El objetivo es hacer un seguimiento de las tendencias generales del tráfico de nuestro sitio web, no de los visitantes individuales. Todos los datos están en solo agregar. No se recopila información personal. + +Los datos recopilados incluyen fuentes de referencia, páginas principales, duración de la visita, información de los dispositivos (tipo de dispositivo, sistema operativo, país y navegador) utilizados durante la visita y más. Puedes aprender más acerca sobre como Plausible funciona y recopila información de una manera que respeta la privacidad [aquí](https://plausible.io/data-policy). + +## Datos que recopilamos de los titulares de cuentas + +En algunos sitios web y servicios que ofrecemos, muchas funciones pueden requerir una cuenta. Por ejemplo, puede ser necesaria una cuenta para publicar y responder a temas en una plataforma de foros. 
+ +Para registrarse en la mayoría de las cuentas, recopilaremos un nombre, nombre de usuario, correo electrónico y contraseña. En el caso de que un sitio web requiera más información que esos datos, se indicará claramente y se señalará en una declaración de privacidad separada por sitio. + +Utilizamos los datos de su cuenta para identificarle en el sitio web y para crear páginas específicas para usted, como su página de perfil. También utilizaremos los datos de su cuenta para publicar un perfil público para usted en nuestros servicios. + +Utilizamos su correo electrónico para: + +- Notificarle sobre publicaciones y otras actividades en los sitios web o servicios. +- Restablecer su contraseña y ayudar a mantener su cuenta segura. +- Contactarle en circunstancias especiales relacionadas con su cuenta. +- Contactarle en relación con solicitudes legales, como las solicitudes de eliminación de datos de la DMCA. + +En algunos sitios web y servicios puede proporcionar información adicional para su cuenta, como una breve biografía, un avatar, su ubicación o su cumpleaños. Ponemos esa información a disposición de todos los que pueden acceder al sitio web o al servicio en cuestión. Esta información no es necesaria para utilizar ninguno de nuestros servicios y puede borrarse en cualquier momento. + +Almacenaremos los datos de su cuenta mientras su cuenta permanezca abierta. Después de cerrar una cuenta, podemos conservar algunos o todos los datos de su cuenta en forma de copias de seguridad o archivos durante un máximo de 90 días. + +## Contacto + +El equipo de Privacy Guides generalmente no tiene acceso a datos personales fuera del acceso limitado otorgado a través de algunos paneles de moderación. Las consultas sobre su información personal deben enviarse directamente a: + +```text +Jonah Aragon +Administrador de servicios +jonah@privacyguides.org +``` + +Para cualquier otra consulta, puede contactar a cualquier miembro de nuestro equipo. 
+ +Puede presentar reclamaciones acerca del RGPD ante sus autoridades locales de supervisión de protección de datos. En Francia es la "Commission Nationale de l'Informatique et des Libertés" la que se ocupa y tramita las denuncias. Ellos proporcionan una [carta de reclamaciones](https://www.cnil.fr/en/plaintes) para utilizar. + +## Acerca de esta política + +Publicaremos cualquier versión nueva de esta declaración [aquí](privacy-policy.md). Es posible que cambiemos la forma de anunciar los cambios en futuras versiones de este documento. Mientras tanto, podemos actualizar nuestra información de contacto en cualquier momento sin anunciar ningún cambio. Consulte la [Política de privacidad](privacy-policy.md) para obtener la última información de contacto. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. + +--8<-- "includes/abbreviations.es.txt" diff --git a/i18n/es/about/privacytools.md b/i18n/es/about/privacytools.md new file mode 100644 index 00000000..e5e84ecb --- /dev/null +++ b/i18n/es/about/privacytools.md 
@@ -0,0 +1,120 @@ +--- +title: "Preguntas frecuentes de PrivacyTools" +--- + +# Por qué dejamos de usar PrivacyTools + +En septiembre de 2021, todos los colaboradores activos acordaron por unanimidad pasar de PrivacyTools a trabajar en este sitio: Privacy Guides. Esta decisión se tomó porque el fundador de PrivacyTools y controlador del nombre de dominio había desaparecido durante un largo periodo de tiempo y no se pudo contactar con él. + +Habiendo construido un sitio y un conjunto de servicios de buena reputación en PrivacyTools.io, esto causó graves preocupaciones por el futuro de PrivacyTools, ya que cualquier interrupción futura podría acabar con toda la organización sin ningún método de recuperación. Esta transición se comunicó a la comunidad de PrivacyTools con muchos meses de antelación a través de diversos canales, como su blog, Twitter, Reddit y Mastodon, para garantizar que todo el proceso se desarrollara con la mayor fluidez posible. Lo hicimos para asegurarnos de que nadie se quedara en la oscuridad, que ha sido nuestro modus operandi desde que se creó nuestro equipo, y para asegurarnos de que Privacy Guides fuera reconocida como la misma organización fiable que era PrivacyTools antes de la transición. + +Una vez finalizado el traslado organizativo, el fundador de PrivacyTools regresó y comenzó a difundir información errónea sobre el proyecto de Privacy Guides. Siguen difundiendo información errónea además de operar una granja de enlaces pagados en el dominio de PrivacyTools. Estamos creando esta página para aclarar cualquier malentendido. + +## ¿Qué es PrivacyTools? + +PrivacyTools fue creado en 2015 por "BurungHantu", que quería hacer un recurso de información de privacidad - herramientas útiles después de las revelaciones de Snowden. 
El sitio creció hasta convertirse en un floreciente proyecto de código abierto con [muchos colaboradores](https://github.com/privacytools/privacytools.io/graphs/contributors), algunos de los cuales acabaron asumiendo diversas responsabilidades organizativas, como el funcionamiento de servicios en línea como Matrix y Mastodon, la gestión y revisión de los cambios en el sitio en GitHub, la búsqueda de patrocinadores para el proyecto, la redacción de publicaciones en el blog y el funcionamiento de plataformas de difusión en los medios sociales como Twitter, etc. + +A partir de 2019, BurungHantu se alejó cada vez más del desarrollo activo del sitio web y las comunidades, y comenzó a retrasar los pagos de los que era responsable en relación con los servidores que operábamos. Para evitar que nuestro administrador del sistema pague los costos del servidor de su propio bolsillo, cambiamos los métodos de donación enumerados en el sitio de las cuentas personales de PayPal y criptomonedas de BurungHantu a una nueva página de OpenCollective el [31 de octubre de 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). Esto tenía la ventaja añadida de hacer nuestras finanzas completamente transparentes, un valor en el que creemos firmemente, y deducibles de impuestos en los Estados Unidos, porque estaban en manos de la Open Collective Foundation 501(c)3. Este cambio fue acordado unánimemente por el equipo y no fue impugnado. + +## Por qué nos mudamos + +En 2020, la ausencia de BurungHantu se hizo mucho más notoria. En un momento dado, requerimos que los servidores de nombres del dominio se cambiaran a servidores de nombres controlados por nuestro administrador del sistema para evitar interrupciones futuras, y este cambio no se completó hasta más de un mes después de la solicitud inicial. 
Desaparecía del chat público y de las salas de chat privadas del equipo en Matrix durante meses, apareciendo de vez en cuando para dar algún pequeño comentario o prometer ser más activo antes de volver a desaparecer. + +En octubre de 2020, el administrador del sistema de PrivacyTools (Jonah) [dejó](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) el proyecto debido a estas dificultades, cediendo el control a otro colaborador de larga data. Jonah había estado operando casi todos los servicios de PrivacyTools y actuando como el líder del proyecto *de facto* para el desarrollo del sitio web en ausencia de BurungHantu, por lo que su partida fue un cambio significativo para la organización. En aquel momento, debido a estos importantes cambios organizativos, BurungHantu prometió al equipo restante que volvería para tomar el control del proyecto en adelante. ==El equipo de PrivacyTools se puso en contacto a través de varios métodos de comunicación durante los meses siguientes, pero no recibió ninguna respuesta.== + +## Dependencia del nombre de dominio + +A principios de 2021, el equipo de PrivacyTools se preocupó por el futuro del proyecto, ya que el nombre de dominio iba a expirar el 1 de marzo de 2021. El dominio fue finalmente renovado por BurungHantu sin ningún comentario. + +Las preocupaciones del equipo no fueron atendidas, y nos dimos cuenta de que esto sería un problema cada año: Si el dominio caducaba habría permitido que lo robaran ocupantes ilegales o spammers, arruinando así la reputación de la organización. También habríamos tenido problemas para llegar a la comunidad para informarles de lo ocurrido. + +Sin estar en contacto con BurungHantu, decidimos que el mejor curso de acción sería pasar a un nuevo nombre de dominio mientras tuviéramos garantizado el control sobre el antiguo nombre de dominio, en algún momento antes de marzo de 2022. 
De esta manera, podríamos redirigir limpiamente todos los recursos de PrivacyTools al nuevo sitio sin ninguna interrupción del servicio. Esta decisión se tomó con muchos meses de antelación y se comunicó a todo el equipo con la esperanza de que BurungHantu se pusiera en contacto y asegurara su apoyo continuo al proyecto, porque con una marca reconocible y grandes comunidades en línea, alejarse de "PrivacyTools" era el resultado menos deseable posible. + +A mediados de 2021, el equipo de PrivacyTools se puso en contacto con Jonah, que aceptó reincorporarse al equipo para ayudar en la transición. + +## Llamada a la acción comunitaria + +A finales de julio de 2021 [informamos](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) a la comunidad PrivacyTools de nuestra intención de elegir un nuevo nombre y continuar el proyecto en un nuevo dominio, para ser [elegido](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) el 2 de agosto de 2022. Al final, se eligió "Privacy Guides", con el dominio `privacyguides.org` que ya poseía Jonah para un proyecto paralelo de 2020 que quedó sin desarrollar. + +## Control de r/privacytoolsIO + +Simultáneamente con los problemas del sitio web en privacytools.io, el equipo de moderación de r/privacytoolsIO se enfrentaba a retos en la gestión del subreddit. El subreddit siempre había sido operado en su mayor parte independientemente del desarrollo del sitio web, pero BurungHantu era el principal moderador del subreddit también, y era el único moderador al que se le habían concedido privilegios de "Control total". 
u/trai_dep era el único moderador activo en ese momento, y [publicó](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) una solicitud a los administradores de Reddit el 28 de junio de 2021, en la que pedía que se le concediera el puesto de moderador principal y privilegios de control total, con el fin de realizar los cambios necesarios en el subreddit. + +Reddit requiere que los subreddits tengan moderadores activos. Si el moderador principal está inactivo durante un largo periodo de tiempo (como un año), el puesto de moderador principal puede volver a asignarse al siguiente moderador en la lista. Para que se le concediera esta petición, BurungHantu tenía que haber estado completamente ausente de toda actividad de Reddit durante un largo periodo de tiempo, lo que era coherente con sus comportamientos en otras plataformas. + +> Si fuiste removido como moderador de un subreddit a través de una solicitud de Reddit es porque tu falta de respuesta y tu falta de actividad calificaron al subreddit para una transferencia de r/redditrequest. +> +> r/redditrequest es la forma de Reddit de asegurarse de que las comunidades tengan moderadores activos y forma parte del [Código de Conducta de Moderador](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Inicio de la transición + +El 14 de septiembre de 2021, [anunciamos](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) el inicio de nuestra migración a este nuevo dominio: + +> [...] nos pareció necesario hacer este cambio más pronto que tarde para que la gente se enterara de esta transición lo antes posible. Esto nos da el tiempo adecuado para la transición del nombre de dominio, que actualmente se está redirigiendo a www.privacyguides.org, y esperamos que dé a todos el tiempo suficiente para notar el cambio, actualizar los marcadores y los sitios web, etc. 
+ +Este cambio [implicó:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirigiendo www.privacytools.io a [www.privacyguides.org](https://www.privacyguides.org). +- Archivar el código fuente en GitHub para preservar nuestro trabajo anterior y el rastreador de problemas, que seguimos utilizando durante meses para el desarrollo futuro de este sitio. +- Publicar anuncios en nuestro subreddit y en varias otras comunidades informando a la gente del cambio oficial. +- Cerrar formalmente los servicios de privacytools.io, como Matrix y Mastodon, y animar a los usuarios existentes a migrar lo antes posible. + +Las cosas parecían ir bien, y la mayoría de nuestra comunidad activa hizo el cambio a nuestro nuevo proyecto exactamente como esperábamos. + +## Eventos siguientes + +Aproximadamente una semana después de la transición, BurungHantu volvió a estar en línea por primera vez en casi un año, sin embargo nadie de nuestro equipo estaba dispuesto a volver a PrivacyTools debido a su histórica falta de fiabilidad. En lugar de disculparse por su prolongada ausencia, pasó inmediatamente a la ofensiva y situó la transición a Privacy Guides como un ataque contra él y su proyecto. Posteriormente, [borró](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) muchos de estos mensajes cuando la comunidad le señaló que había estado ausente y abandonado el proyecto. + +En este punto, BurungHantu afirmó que quería seguir trabajando en privacytools.io por su cuenta y solicitó que elimináramos la redirección de www.privacytools.io a [www.privacyguides.org](https://www.privacyguides.org). Le obligamos y le pedimos que mantuviera activos los subdominios de Matrix, Mastodon y PeerTube para que funcionaran como servicio público para nuestra comunidad durante al menos unos meses, con el fin de que los usuarios de esas plataformas pudieran migrar fácilmente a otras cuentas. 
Debido a la naturaleza federada de los servicios que prestábamos, estaban vinculados a nombres de dominio específicos, lo que hacía muy difícil la migración (y en algunos casos imposible).
+
+Desafortunadamente, debido a que el control del subreddit r/privacytoolsIO no fue devuelto a BurungHantu a su demanda (más información abajo), esos subdominios fueron [cortados](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) a principios de octubre, acabando con cualquier posibilidad de migración para cualquier usuario que aún usara esos servicios.
+
+Tras esto, BurungHantu hizo falsas acusaciones sobre el robo de donaciones del proyecto por parte de Jonah. BurungHantu tenía más de un año desde que ocurrió el presunto incidente y, sin embargo, no lo puso en conocimiento de nadie hasta después de la migración de Privacy Guides. El equipo [y la comunidad](https://twitter.com/TommyTran732/status/1526153536962281474) han pedido repetidamente a BurungHantu que aporte pruebas y comente el motivo de su silencio, y no lo ha hecho.
+
+BurungHantu también hizo una [publicación en Twitter](https://twitter.com/privacytoolsIO/status/1510560676967710728) alegando que un "abogado" se había puesto en contacto con él en Twitter y le estaba dando consejos, en otro intento de intimidarnos para darle el control de nuestro subreddit, y como parte de su campaña de difamación para enturbiar las aguas que rodean el lanzamiento de Privacy Guides mientras fingía ser una víctima.
+
+## PrivacyTools.io Ahora
+
+A partir del 25 de septiembre de 2022 estamos viendo cómo los planes generales de BurungHantu se hacen realidad en privacytools.io, y esta es la razón por la que hemos decidido crear esta página explicativa hoy. El sitio web que está operando parece ser una versión altamente optimizada para SEO del sitio que recomienda herramientas a cambio de una compensación financiera.
Recientemente, IVPN y Mullvad, dos proveedores de VPN [recomendados](../vpn.md) casi universalmente por la comunidad de la privacidad y notables por su postura contra los programas de afiliación, fueron eliminados de PrivacyTools. ¿En su lugar? NordVPN, Surfshark, ExpressVPN y hide.me; gigantescas corporaciones de VPN con plataformas y prácticas comerciales poco fiables, famosas por sus agresivos programas de marketing y afiliación.
+
+==**PrivacyTools se ha convertido exactamente en el tipo de sitio que [advertimos](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) en el blog de PrivacyTools en 2019.**== Hemos intentado mantener las distancias con PrivacyTools desde la transición, pero su continuo acoso hacia nuestro proyecto y ahora su absurdo abuso de la credibilidad que su marca ha ganado a lo largo de 6 años de contribuciones de código abierto es extremadamente preocupante para nosotros. Los que realmente luchamos por la privacidad no estamos luchando entre nosotros, y no estamos recibiendo nuestro consejo del mejor postor.
+
+## r/privacytoolsIO Ahora
+
+Después del lanzamiento de [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), era poco práctico para u/trai_dep continuar moderando ambos subreddits, y con la comunidad a bordo con la transición, r/privacytoolsIO se [hizo](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) un sub restringido en un post el 1 de noviembre de 2021:
+
+> [...] El crecimiento de este Sub fue el resultado de un gran esfuerzo, a lo largo de varios años, del equipo de PrivacyGuides.org. Y por cada uno de ustedes.
+>
+> Un Subreddit es una gran cantidad de trabajo para administrar y moderar. Al igual que un jardín, requiere una atención paciente y un cuidado diario. No es una tarea para diletantes o personas con problemas de compromiso.
No puede prosperar bajo un jardinero que la abandona durante varios años y luego aparece exigiendo la cosecha de este año como su tributo. Es injusto para el equipo formado hace años. Es injusto para ti. [...]
+
+Los subreddits no pertenecen a nadie, y especialmente no pertenecen a los titulares de las marcas. Pertenecen a sus comunidades, y la comunidad y sus moderadores tomaron la decisión de apoyar el traslado a r/PrivacyGuides.
+
+En los meses posteriores, BurungHantu ha amenazado y rogado para que le devuelvan el control del subreddit a su cuenta en [violación](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) de las normas de Reddit:
+
+> No se permiten las represalias por parte de ningún moderador con respecto a las solicitudes de eliminación.
+
+Para una comunidad con muchos miles de suscriptores restantes, creemos que sería increíblemente irrespetuoso devolver el control de esa plataforma masiva a la persona que la abandonó durante más de un año, y que ahora gestiona un sitio web que, en nuestra opinión, proporciona información de muy baja calidad. Preservar los años de discusiones pasadas en esa comunidad es más importante para nosotros, y por lo tanto u/trai_dep y el resto del equipo de moderación del subreddit ha tomado la decisión de mantener r/privacytoolsIO como está.
+
+## OpenCollective Ahora
+
+Nuestra plataforma de recaudación de fondos, OpenCollective, es otra fuente de controversia. Nuestra posición es que OpenCollective fue puesto en marcha por nuestro equipo y gestionado por nuestro equipo para financiar los servicios que actualmente operamos y que PrivacyTools ya no hace. Nosotros [nos pusimos en contacto](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) con todos nuestros donantes con respecto a nuestro traslado a Privacy Guides y fuimos apoyados unánimemente por nuestros patrocinadores y la comunidad.
+
+Por lo tanto, los fondos de OpenCollective pertenecen a Privacy Guides, fueron entregados a nuestro proyecto, y no al propietario de un nombre de dominio muy conocido. En el anuncio hecho a los donantes el 17 de septiembre de 2021, ofrecimos reembolsos a cualquier donante que no estuviera de acuerdo con la postura que adoptamos, pero nadie ha aceptado esta oferta:
+
+> Si algún patrocinador no está de acuerdo o se siente engañado por estos recientes acontecimientos y quiere solicitar un reembolso dadas estas circunstancias tan inusuales, por favor póngase en contacto con nuestro administrador del proyecto enviando un correo electrónico a jonah@triplebit.net.
+
+## Further Reading
+
+Este tema se ha debatido ampliamente en nuestras comunidades en varios lugares, y parece probable que la mayoría de las personas que lean esta página ya estén familiarizadas con los acontecimientos que condujeron al cambio a Privacy Guides. Algunas de nuestras publicaciones anteriores sobre el tema pueden tener detalles adicionales que omitimos aquí por razones de brevedad. Se han enlazado a continuación para completarlo.
+
+- [28 de junio de 2021: solicitud de control de r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/)
+- [27 de julio de 2021: anuncio de nuestras intenciones de mudanza en el blog de PrivacyTools, escrito por el equipo](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/)
+- [13 de septiembre de 2021: anuncio del inicio de nuestra transición a las Guías de Privacidad en r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/)
+- [17 de septiembre, 2021: anuncio en OpenCollective de Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides)
+- [30 de septiembre de 2021: Hilo de Twitter en el que se detallan la mayoría de los acontecimientos que ahora se describen en esta página](https://twitter.com/privacy_guides/status/1443633412800225280)
+- [Oct 1, 2021: post de u/dng99 observando fallo de subdominio](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/)
+- [2 de abril de 2022: respuesta de u/dng99 a la publicación acusatoria en el blog de PrivacyTools](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/)
+- [16 de mayo de 2022: respuesta de @TommyTran732 en Twitter](https://twitter.com/TommyTran732/status/1526153497984618496)
+- [3 de septiembre de 2022: post en el foro de Techlore por @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20)
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/about/services.md b/i18n/es/about/services.md
new file mode 100644
index 00000000..bf426bf8
--- /dev/null
+++ b/i18n/es/about/services.md
@@ -0,0 +1,40 @@
+# Servicios de Privacy Guides
+
+Ejecutamos una serie de servicios web para probar las características y promover proyectos descentralizados, federados y/o de código abierto. Muchos de estos servicios están disponibles al público y están detallados a continuación.
+
+[:material-comment-alert: Reportar un problema](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary}
+
+## Discourse
+
+- Enlace: [discuss.privacyguides.net](https://discuss.privacyguides.net)
+- Disponibilidad: Pública
+- Código fuente: [github.com/discourse/discourse](https://github.com/discourse/discourse)
+
+## Gitea
+
+- Enlace: [code.privacyguides.dev](https://code.privacyguides.dev)
+- Disponibilidad: Sólo por invitación
+ El acceso puede otorgarse a solicitud de cualquier equipo trabajando en el desarrollo o contenido relacionado a *Privacy Guides*.
+- Código fuente: [snapcraft.io/gitea](https://snapcraft.io/gitea)
+
+## Matrix
+
+- Enlace: [matrix.privacyguides.org](https://matrix.privacyguides.org)
+- Disponibilidad: Sólo por invitación
+ El acceso puede otorgarse a solicitud de los miembros del equipo de Privacy Guides, los moderadores de Matrix, terceras partes administradoras de la comunidad Matrix, los operatores de bots de Matrix, y otros individuos en la necesidad de una presencia confiable de Matrix.
+- Código fuente: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy)
+
+## SearXNG
+
+- Enlace: [search.privacyguides.net](https://search.privacyguides.net)
+- Disponibilidad: Pública
+- Código fuente: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker)
+
+## Invidious
+
+- Enlace: [invidious.privacyguides.net](https://invidious.privacyguides.net)
+- Disponibilidad: Semipública
+ Alojamos Indivious principalmente para servir videos de YouTube incrustados en nuestra página.
Esta instancia no está destinada al público general y puede ser limitada en cualquier momento.
+- Código fuente: [github.com/iv-org/invidious](https://github.com/iv-org/invidious)
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/about/statistics.md b/i18n/es/about/statistics.md
new file mode 100644
index 00000000..d528e333
--- /dev/null
+++ b/i18n/es/about/statistics.md
@@ -0,0 +1,63 @@
+---
+title: Estadísticas de tráfico
+---
+
+## Estadísticas de la página
+
+
+
Estadísticas generadas por Plausible Analytics
+
+
+
+
+## Estadísticas del blog
+
+
+
Estadísticas generadas por Plausible Analytics
+
+
+
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/advanced/communication-network-types.md b/i18n/es/advanced/communication-network-types.md
new file mode 100644
index 00000000..f5cb21a0
--- /dev/null
+++ b/i18n/es/advanced/communication-network-types.md
@@ -0,0 +1,104 @@
+---
+title: "Tipos de redes de comunicación"
+icon: 'material/transit-connection-variant'
+---
+
+Existen varias arquitecturas de red utilizadas habitualmente para transmitir mensajes entre personas. Estas redes pueden ofrecer diferentes garantías de privacidad, por lo que conviene tener en cuenta tu [modelo de amenaza](../basics/threat-modeling.md) a la hora de decidir qué aplicación utilizar.
+
+[Servicios de mensajería instantánea recomendados](../real-time-communication.md ""){.md-button}
+
+## Redes centralizadas
+
+![Diagrama de redes centralizadas](../assets/img/layout/network-centralized.svg){ align=left }
+
+Los mensajeros centralizados son aquellos en los que todos los participantes están en el mismo servidor o red de servidores controlados por la misma organización.
+
+Algunos servicios de mensajería autoalojados te permiten configurar tu propio servidor. El autoalojamiento puede ofrecer garantías adicionales de privacidad, como la ausencia de registros de uso o el acceso limitado a los metadatos (datos sobre quién habla con quién). Los servicios de mensajería centralizados autoalojados están aislados y todos deben estar en el mismo servidor para comunicarse.
+
+**Ventajas:**
+
+- Las nuevas funciones y cambios pueden aplicarse más rápidamente.
+- Es más fácil empezar y encontrar contactos.
+- Ecosistemas de características más maduras y estables, ya que son más fáciles de programar en un software centralizado.
+- Los problemas de privacidad pueden reducirse cuando se confía en un servidor que está autoalojando.
+
+**Desventajas:**
+
+- Puede incluir [control o acceso restringido](https://drewdevault.com/2018/08/08/Signal.html). Esto puede incluir cosas como:
+- Estar [prohibido conectar clientes de terceros](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) a la red centralizada que podría proporcionar una mayor personalización o una mejor experiencia. A menudo se define en los Términos y condiciones de uso.
+- Documentación pobre o nula para desarrolladores de terceros.
+- La [propiedad](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), la política de privacidad y las operaciones del servicio pueden cambiar fácilmente cuando una sola entidad lo controla, pudiendo comprometer el servicio más adelante.
+- El autoalojamiento requiere esfuerzo y conocimiento de cómo configurar un servicio.
+
+## Redes federadas
+
+![Diagrama de redes federadas](../assets/img/layout/network-decentralized.svg){ align=left }
+
+Los servicios de mensajería federados utilizan varios servidores independientes y descentralizados que pueden comunicarse entre sí (el correo electrónico es un ejemplo de servicio federado). La federación permite a los administradores de sistemas controlar su propio servidor y seguir formando parte de la red de comunicaciones más amplia.
+
+Cuando se autoaloja, los miembros de un servidor federado pueden descubrir y comunicarse con los miembros de otros servidores, aunque algunos servidores pueden optar por permanecer privados al no estar federados (por ejemplo, el servidor del equipo de trabajo).
+
+**Ventajas:**
+
+- Permite un mayor control sobre tus propios datos cuando administras tu propio servidor.
+- Te permite elegir en quién confiar tus datos eligiendo entre varios servidores "públicos".
+- A menudo permite los clientes de terceros que pueden ofrecer una experiencia más nativa, personalizada o accesible.
+- Se puede verificar que el software del servidor coincide con el código fuente público, suponiendo que se tiene acceso al servidor o se confía en la persona que lo tiene (por ejemplo, un familiar).
+
+**Desventajas:**
+
+- Añadir nuevas funcionalidades es más complejo porque estas funcionalidades tienen que ser estandarizadas y probadas para asegurar que funcionan con todos los servidores de la red.
+- Debido al punto anterior, pueden faltar funciones, o estar incompletas o funcionar de forma inesperada en comparación con las plataformas centralizadas, como la retransmisión de mensajes cuando se está desconectado o la eliminación de mensajes.
+- Algunos metadatos pueden estar disponibles (por ejemplo, información como "quién habla con quién", pero no el contenido real del mensaje si se utiliza E2EE).
+- Los servidores federados generalmente requieren confiar en el administrador de tu servidor. Puede que sean aficionados o que no sean "profesionales de la seguridad", y puede que no sirvan documentos estándar como una política de privacidad o unas condiciones de servicio que detallen cómo se utilizan tus datos.
+- Los administradores de los servidores a veces deciden bloquear otros servidores que son fuente de abusos no moderados o que rompen las normas generales de comportamiento aceptadas. Esto dificultará tu capacidad de comunicación con los miembros de esos servidores.
+
+## Redes par a par (P2P)
+
+![Diagrama P2P](../assets/img/layout/network-distributed.svg){ align=left }
+
+Los servicios de mensajería P2P se conectan a una [red distribuida](https://es.wikipedia.org/wiki/Red_distribuida) de nodos para transmitir un mensaje al destinatario sin necesidad de un servidor externo.
+
+Los clientes (pares) suelen encontrarse entre sí mediante el uso de una red de [computación distribuida](https://es.wikipedia.org/wiki/Computación_distribuida). Ejemplos de esto incluyen la [Tabla de hash distribuida](https://es.wikipedia.org/wiki/Tabla_de_hash_distribuida) (DHT), usada por [torrents](https://es.wikipedia.org/wiki/BitTorrent) y [IPFS](https://es.wikipedia.org/wiki/Sistema_de_archivos_interplanetario) por ejemplo. Otro enfoque son las redes basadas en la proximidad, en las que se establece una conexión a través de WiFi o Bluetooth (por ejemplo, Briar o el protocolo de red social [Scuttlebutt](https://www.scuttlebutt.nz)).
+
+Una vez que un par ha encontrado una ruta a su contacto a través de cualquiera de estos métodos, se establece una conexión directa entre ellos. Aunque los mensajes suelen estar encriptados, un observador puede deducir la ubicación y la identidad del remitente y del destinatario.
+
+Las redes P2P no utilizan servidores, ya que los pares se comunican directamente entre sí y, por tanto, no pueden ser autoalojadas. Sin embargo, algunos servicios adicionales pueden depender de servidores centralizados, como el descubrimiento de usuarios o la retransmisión de mensajes sin conexión, que pueden beneficiarse del autoalojamiento.
+
+**Ventajas:**
+
+- La información que se expone a terceros es mínima.
+- Las plataformas P2P modernas implementan E2EE por defecto. No hay servidores que puedan interceptar y descifrar tus transmisiones, a diferencia de los modelos centralizados y federados.
+
+**Desventajas:**
+
+- Conjunto de funciones reducido:
+- Los mensajes solo pueden enviarse cuando ambos pares están en línea, sin embargo, tu cliente puede almacenar los mensajes localmente para esperar a que el contacto vuelva a estar en línea.
+- Por lo general, aumenta el uso de la batería en los dispositivos móviles, ya que el cliente debe permanecer conectado a la red distribuida para saber quién está conectado.
+- Es posible que algunas funciones comunes de mensajería no se implementen o sean incompletas, como la eliminación de mensajes.
+- Tu dirección IP y la de los contactos con los que te comunicas puede quedar expuesta si no utilizas el software junto con una [VPN](../vpn.md) o [Tor](../tor.md). Muchos países tienen alguna forma de vigilancia masiva y/o retención de metadatos.
+
+## Enrutamiento anónimo
+
+![Diagrama de enrutamiento anónimo](../assets/img/layout/network-anonymous-routing.svg){ align=left }
+
+Un servicio de mensajería que utilice [enrutamiento anónimo](https://doi.org/10.1007/978-1-4419-5906-5_628) oculta la identidad del emisor, del receptor o la evidencia de que se han comunicado. Idealmente, un servicio de mensajería debería ocultar los tres.
+
+Hay [muchas](https://doi.org/10.1145/3182658) formas diferentes de implementar el enrutamiento anónimo. Una de las más famosas es el [enrutamiento cebolla](https://es.wikipedia.org/wiki/Encaminamiento_cebolla) (es decir, [Tor](tor-overview.md)), que comunica mensajes cifrados a través de una red [superpuesta virtual](https://es.wikipedia.org/wiki/Red_superpuesta) que oculta la ubicación de cada nodo, así como el destinatario y el remitente de cada mensaje. El remitente y el destinatario nunca interactúan directamente y solo se reúnen a través de un nodo de encuentro secreto para que no haya filtración de direcciones IP ni de la ubicación física. Los nodos no pueden descifrar los mensajes, ni el destino final; solo el destinatario puede hacerlo. Cada nodo intermediario solo puede desencriptar una parte que indica a dónde enviar el mensaje aún encriptado a continuación, hasta que llega al destinatario que puede desencriptarlo completamente, de ahí las "capas de cebolla."
+
+El autoalojamiento de un nodo en una red de enrutamiento anónimo no proporciona al anfitrión beneficios adicionales de privacidad, sino que contribuye a la resistencia de toda la red contra los ataques de identificación en beneficio de todos.
+
+**Ventajas:**
+
+- La información que se expone a otras partes es mínima o nula.
+- Los mensajes pueden transmitirse de forma descentralizada incluso si una de las partes está desconectada.
+
+**Desventajas:**
+
+- Lenta propagación de mensajes.
+- A menudo se limita a menos tipos de medios, sobre todo de texto, ya que la red es lenta.
+- Menos fiable si los nodos se seleccionan mediante enrutamiento aleatorio, algunos nodos pueden estar muy lejos del emisor y del receptor, añadiendo latencia o incluso dejando de transmitir mensajes si uno de los nodos se desconecta.
+- Más complejo para empezar, ya que se requiere la creación y el respaldo seguro de una clave privada criptográfica.
+- Al igual que en otras plataformas descentralizadas, añadir funciones es más complejo para los desarrolladores que en una plataforma centralizada. Por lo tanto, pueden faltar funciones o estar implementadas de forma incompleta, como la retransmisión de mensajes fuera de línea o la eliminación de mensajes.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/advanced/dns-overview.md b/i18n/es/advanced/dns-overview.md
new file mode 100644
index 00000000..35097c1f
--- /dev/null
+++ b/i18n/es/advanced/dns-overview.md
@@ -0,0 +1,307 @@ +--- +title: "Resumen DNS" +icon: material/dns +--- + +El [Sistema de Nombres de Dominio](https://es.wikipedia.org/wiki/Sistema_de_nombres_de_dominio) es el 'directorio telefónico del Internet'. El DNS traduce los nombres de dominio a direcciones IP para que los navegadores y otros servicios puedan cargar los recursos de Internet, a través de una red descentralizada de servidores. + +## ¿Qué es el DNS? + +Cuando visitas un sitio web, se devuelve una dirección numérica. Por ejemplo, cuando visitas `privacyguides.org`, la dirección `192.98.54.105` es devuelta. + +DNS ha existido desde los [primeros días](https://es.wikipedia.org/wiki/Sistema_de_nombres_de_dominio#Historia) de Internet. Las solicitudes DNS realizadas desde y hacia servidores DNS **no** son generalmente cifradas. En un entorno residencial, el cliente recibe servidores del ISP a través de [DHCP](https://es.wikipedia.org/wiki/Protocolo_de_configuraci%C3%B3n_din%C3%A1mica_de_host). + +Las solicitudes de DNS sin cifrar pueden ser fácilmente **vigiladas** y **modificadas** en tránsito. En algunas partes del mundo, a los ISP se les ordena que hagan un [filtrado de DNS](https://en.wikipedia.org/wiki/DNS_blocking) primitivo. Cuando se solicita la dirección IP de un dominio que está bloqueado, es posible que el servidor no responda o lo haga con una dirección IP diferente. Como el protocolo DNS no está encriptado, el ISP (o cualquier operador de red) puede utilizar [DPI](https://es.wikipedia.org/wiki/Inspecci%C3%B3n_profunda_de_paquete) para controlar las solicitudes. Los ISP también pueden bloquear las solicitudes en función de características comunes, independientemente del servidor DNS que se utilice. El DNS no cifrado siempre utiliza el [puerto](https://es.wikipedia.org/wiki/Puerto_de_red) 53 y siempre utiliza UDP. 
+ +A continuación, discutimos y proporcionamos un tutorial para probar lo que un observador externo puede ver usando DNS regulares sin encriptar y [DNS encriptado](#what-is-encrypted-dns). + +### DNS sin cifrado + +1. Usando [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (parte del proyecto [Wireshark](https://es.wikipedia.org/wiki/Wireshark)) podemos monitorear y registrar el flujo de paquetes de Internet. Este comando registra los paquetes que cumplen las reglas especificadas: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. Entonces podemos usar [`dig`](https://es.wikipedia.org/wiki/Dig_(comando)) (Linux, macOS, etc) o [`nslookup`](https://es.wikipedia.org/wiki/Nslookup) (Windows) para enviar la búsqueda DNS a ambos servidores. Software como los navegadores web hacen estas búsquedas automáticamente, a menos que estén configurados para usar DNS cifrado. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. A continuación, queremos [analizar](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) los resultados: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +Si ejecutas el comando Wireshark anterior, el panel superior muestra los "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", y el panel inferior muestra todos los datos sobre el frame seleccionado. Las soluciones empresariales de filtrado y monitorización (como las adquiridas por los gobiernos) pueden realizar el proceso de forma automática, sin interacción humana, y pueden agregar esas tramas para producir datos estadísticos útiles para el observador de la red. + +| No. 
| Tiempo | Fuente | Destino | Protocolo | Duración | Información | +| --- | -------- | --------- | --------- | ------------------------- | -------- | ----------------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | Almacenamiento en la Nube | 104 | Consulta estándar 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | Almacenamiento en la Nube | 108 | Respuesta de consulta estándar 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | Almacenamiento en la Nube | 104 | Consulta estándar 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | Almacenamiento en la Nube | 108 | Respuesta de consulta estándar 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +Un observador podría modificar cualquiera de estos paquetes. + +## ¿Qué es "DNS cifrado"? + +DNS cifrado puede referirse a uno de un número de protocolos, siendo los más comunes: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) fue uno de los primeros métodos de encriptación de consultas DNS. DNSCrypt opera en el puerto 443 y funciona con los protocolos de transporte TCP o UDP. DNSCrypt nunca ha sido enviado al [Grupo de Trabajo de Ingeniería en Internet (IETF)](https://es.wikipedia.org/wiki/Grupo_de_Trabajo_de_Ingenier%C3%ADa_de_Internet) ni ha pasado por el proceso de ["Request for Comments" (RFC)](https://es.wikipedia.org/wiki/Request_for_Comments) por lo que no ha sido utilizado ampliamente fuera de unas pocas [implementaciones](https://dnscrypt.info/implementations). Como resultado, ha sido sustituido en gran medida por el más popular [DNS sobre HTTPS](#dns-over-https-doh). + +### DNS sobre TLS (DoT) + +[**DNS sobre TLS**](https://es.wikipedia.org/wiki/DNS_mediante_TLS) es otro método para cifrar la comunicación DNS que se define en [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). 
La compatibilidad se implementó por primera vez en Android 9, iOS 14 y en Linux en [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) en la versión 237. La preferencia en la industria se ha estado alejando del DoT al DoH en los últimos años, ya que el DoT es un [protocolo complejo](https://dnscrypt.info/faq/) y tiene un cumplimiento variable del RFC en todas las implementaciones que existen. DoT también opera en un puerto dedicado 853 que puede ser bloqueado fácilmente por cortafuegos restrictivos. + +### DNS sobre HTTPS (DoH) + +[**DNS sobre HTTPS**](https://es.wikipedia.org/wiki/DNS_mediante_HTTPS) como se define en [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) empaqueta las consultas en el protocolo [HTTP/2](https://es.wikipedia.org/wiki/HTTP/2) y proporciona seguridad con HTTPS. La compatibilidad se añadió por primera vez en navegadores web como Firefox 60 y Chrome 83. + +La implementación nativa de DoH apareció en iOS 14, macOS 11, Microsoft Windows y Android 13 (sin embargo, no estará habilitada [por defecto](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). El soporte general de los escritorios de Linux está a la espera de la [implementación](https://github.com/systemd/systemd/issues/8639) de systemd por lo que [la instalación de software de terceros sigue siendo necesaria](../dns.md#linux). + +## ¿Qué puede ver un tercero? + +En este ejemplo registraremos lo que sucede cuando hacemos una solicitud de DoH: + +1. En primer lugar, inicia `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. En segundo lugar, hace una petición con `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. Después de hacer la solicitud, podemos detener la captura de paquetes con CTRL + C. + +4. 
Analiza los resultados en Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +Podemos ver el [establecimiento de la conexión](https://es.wikipedia.org/wiki/Protocolo_de_control_de_transmisi%C3%B3n#Establecimiento_de_la_conexi%C3%B3n_(negociaci%C3%B3n_en_tres_pasos)) y [enlace TLS](https://www.cloudflare.com/es-es/learning/ssl/what-happens-in-a-tls-handshake/) que ocurre con cualquier conexión encriptada. Al mirar los paquetes de "datos de aplicación" que siguen, ninguno de ellos contiene el dominio que solicitamos ni la dirección IP devuelta. + +## ¿Por qué **no debería** utilizar un DNS cifrado? + +En los lugares en los que existe el filtrado de Internet (o la censura), visitar recursos prohibidos puede tener sus propias consecuencias, que deberás tener en cuenta en tu [modelo de amenazas](../basics/threat-modeling.md). Nosotros **no** sugerimos el uso de DNS encriptados para este propósito. Usa [Tor](https://torproject.org) o una [VPN](../vpn.md) en su lugar. Si estás usando una VPN, deberías usar los servidores DNS de tu VPN. Al utilizar una VPN, ya les estás confiando toda tu actividad en la red. + +Cuando hacemos una búsqueda en el DNS, generalmente es porque queremos acceder a un recurso. A continuación, hablaremos de algunos de los métodos que pueden revelar tus actividades de navegación incluso cuando se utiliza un DNS cifrado: + +### Dirección IP + +La forma más sencilla de determinar la actividad de navegación podría ser mirar las direcciones IP a las que acceden sus dispositivos. Por ejemplo, si el observador sabe que `privacyguides.org` está en `198.98.54.105`, y tu dispositivo solicita datos de `198.98.54.105`, es muy probable que estés visitando Privacy Guides. + +Este método sólo es útil cuando la dirección IP pertenece a un servidor que sólo aloja unos pocos sitios web. Tampoco es muy útil si el sitio está alojado en una plataforma compartida (por ejemplo, Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). 
Tampoco es muy útil si el servidor está alojado detrás de un [proxy inverso](https://es.wikipedia.org/wiki/Proxy_inverso), lo cual es muy común en la Internet moderna. + +### Indicación del Nombre del Servidor (SNI) + +La Indicación del Nombre del Servidor se suele utilizar cuando una dirección IP aloja muchos sitios web. Esto podría ser un servicio como Cloudflare, o alguna otra protección de [ataque de denegación de servicio](https://es.wikipedia.org/wiki/Ataque_de_denegaci%C3%B3n_de_servicio). + +1. Comienza a capturar de nuevo con `tshark`. Hemos añadido un filtro con nuestra dirección IP para que no captures muchos paquetes: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Luego visitamos [https://privacyguides.org](https://privacyguides.org). + +3. Después de visitar el sitio web, queremos detener la captura de paquetes con CTRL + C. + +4. A continuación queremos analizar los resultados: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + Veremos el establecimiento de la conexión, seguido del enlace TLS para el sitio web de Privacy Guides. Alrededor del marco 5. verás un "Client Hello". + +5. Expande el triángulo ▸ junto a cada campo: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. Podemos ver el valor SNI que revela el sitio web que estamos visitando. El comando `tshark` puede darte el valor directamente para todos los paquetes que contienen un valor SNI: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +Esto significa que incluso si estamos utilizando servidores "DNS cifrados", es probable que el dominio se divulgue a través de SNI. 
El protocolo [TLS v1.3](https://es.wikipedia.org/wiki/Seguridad_de_la_capa_de_transporte#TLS_1.3) trae consigo [Client Hello Encriptado](https://blog.cloudflare.com/encrypted-client-hello/), que evita este tipo de fugas. + +Los gobiernos, en particular de [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) y [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), ya han [empezado a bloquearlo](https://es.wikipedia.org/wiki/Server_Name_Indication#Funcionamiento_de_ESNI) o han expresado su deseo de hacerlo. Recientemente, Rusia ha [comenzado a bloquear sitios web extranjeros](https://github.com/net4people/bbs/issues/108) que utilizan el estándar [HTTP/3](https://es.wikipedia.org/wiki/HTTP/3). Esto se debe a que el protocolo [QUIC](https://es.wikipedia.org/wiki/QUIC) que forma parte de HTTP/3 requiere que `ClientHello` también esté cifrado. + +### Protocolo de comprobación del Estado de un Certificado En línea (OCSP) + +Otra forma en que tu navegador puede revelar tus actividades de navegación es con el [Protocolo de comprobación del Estado de un Certificado En línea](https://es.wikipedia.org/wiki/Online_Certificate_Status_Protocol). Al visitar un sitio web HTTPS, el navegador puede comprobar si el [certificado](https://es.wikipedia.org/wiki/Certificado_de_clave_p%C3%BAblica) del sitio web ha sido revocado. Esto se hace generalmente a través del protocolo HTTP, lo que significa que **no** está cifrado. + +La solicitud OCSP contiene el "[número de serie](https://es.wikipedia.org/wiki/Certificado_de_clave_p%C3%BAblica#Campos_comunes)" del certificado, que es único. Se envía al "Respondedor OCSP" para comprobar su estado. + +Podemos simular lo que haría un navegador utilizando el comando [`openssl`](https://es.wikipedia.org/wiki/OpenSSL). + +1. 
Obtén el certificado del servidor y usa [`sed`](https://es.wikipedia.org/wiki/Sed_(inform%C3%A1tica)) para conservar sólo la parte importante y escribirla en un archivo: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Obtén el certificado intermedio. Las [Autoridades de Certificación (CA)](https://es.wikipedia.org/wiki/Autoridad_de_certificaci%C3%B3n) normalmente no firman un certificado directamente; utilizan lo que se conoce como un certificado "intermedio". + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. El primer certificado en `pg_and_intermediate.cert` es en realidad el certificado del servidor del paso 1. Podemos usar `sed` de nuevo para borrar hasta la primera instancia de END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Obtén el respondedor OCSP para el certificado del servidor: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Nuestro certificado muestra el respondedor del certificado Lets Encrypt. Si queremos ver todos los detalles del certificado podemos utilizar: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Inicia la captura de paquetes: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Realiza la solicitud OCSP: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Abre la captura: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + Habrá dos paquetes con el protocolo "OCSP": una "Solicitud" y una "Respuesta". 
Para la "Solicitud" podemos ver el "número de serie" expandiendo el triángulo ▸ al lado de cada campo: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + Para la "Respuesta" también podemos ver el "número de serie": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. O usa `tshark` para filtrar los paquetes por el número de serie: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +Si el observador de red tiene el certificado público, que está disponible públicamente, puede hacer coincidir el número de serie con ese certificado y, por lo tanto, determinar el sitio que estás visitando a partir de ese. El proceso puede automatizarse y asociar las direcciones IP con los números de serie. También es posible consultar los registros de [Certificate Transparency](https://es.wikipedia.org/wiki/Certificate_Transparency) para conocer el número de serie. + +## ¿Debería utilizar un DNS cifrado? + +Hemos elaborado este diagrama de flujo para describir cuándo *deberías* usar el DNS cifrado: + +``` mermaid +graph TB + Comienzo[Start] --> anonymous{¿Tratando de ser
anónimo?} + anonymous--> | Sí | tor(Usa Tor) + anonymous --> | No | censorship{¿Evitando la
censura?} + censorship --> | Sí | vpnOrTor(Usa una
VPN o Tor) + censorship --> | No | privacy{¿Quieres privacidad
del ISP?} + privacy --> | Sí | vpnOrTor + privacy --> | No | obnoxious{¿El ISP hace
odiosas
redirecciones?} + obnoxious --> | Sí | encryptedDNS(Usa
DNS cifrado
con terceros) + obnoxious --> | No | ispDNS{¿El ISP soporta
DNS cifrado?} + ispDNS --> | Sí | useISP(Usa
DNS cifrado
con ISP) + ispDNS --> | No | nothing(No hagas nada) +``` + +El DNS cifrado con un tercero solo debe usarse para evitar redirecciones y el [bloqueo básico de DNS](https://en.wikipedia.org/wiki/DNS_blocking) cuando puedas estar seguro de que no habrá consecuencias o estés interesado en un proveedor que realice un filtrado rudimentario. + +[Lista de servidores DNS recomendados](../dns.md ""){.md-button} + +## ¿Qué es DNSSEC? + +Las [extensiones de seguridad para el sistema de nombres de dominio](https://es.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) son una función del DNS que autentifica las respuestas a las búsquedas de nombres de dominio. No proporciona protecciones de privacidad para esas búsquedas, sino que evita que los atacantes manipulen o envenenen las respuestas a las solicitudes de DNS. + +En otras palabras, DNSSEC firma digitalmente los datos para ayudar a garantizar su validez. Para garantizar una búsqueda segura, la firma se produce en todos los niveles del proceso de búsqueda del DNS. Como resultado, todas las respuestas del DNS son de confianza. + +El proceso de firma de DNSSEC es similar al de alguien que firma un documento legal con un bolígrafo; esa persona firma con una firma única que nadie más puede crear, y un perito judicial puede mirar esa firma y verificar que el documento fue firmado por esa persona. Estas firmas digitales garantizan que los datos no han sido manipulados. + +DNSSEC implementa una política de firma digital jerárquica en todas las capas del DNS. Por ejemplo, en el caso de una búsqueda en `privacyguides.org`, un servidor DNS raíz firmaría una clave para el servidor de nombres `.org`, y el servidor de nombres `.org` firmaría entonces una clave para el servidor de nombres autoritativo `privacyguides.org`. 
+
+Adaptado de [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) por Google y [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) por Cloudflare, ambos licensiados bajo [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/).
+
+## ¿Qué es la minimización de QNAME?
+
+Un QNAME es un "nombre cualificado", por ejemplo `privacyguides.org`. La minimización de QNAME reduce la cantidad de información enviada desde el servidor DNS al [servidor de nombres autoritativo](https://es.wikipedia.org/wiki/Servidor_de_nombres).
+
+En lugar de enviar todo el dominio `privacyguides.org`, la minimización de QNAME significa que el servidor DNS pedirá todos los registros que terminen en `.org`. Una descripción técnica más detallada se encuentra en [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
+
+## ¿Qué es la Subred del Cliente EDNS (ECS)?
+
+La [Subred de Cliente EDNS](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) es un método para que un resolvedor DNS recursivo especifique una [subred](https://es.wikipedia.org/wiki/Subred) para el [host o cliente](https://es.wikipedia.org/wiki/Cliente_(inform%C3%A1tica)) que está realizando la consulta DNS.
+
+Su objetivo es "acelerar" la entrega de datos dando al cliente una respuesta que pertenece a un servidor que está cerca de él, como una [red de distribución de contenidos](https://es.wikipedia.org/wiki/Red_de_distribuci%C3%B3n_de_contenidos), que se utilizan a menudo en la transmisión de vídeo y el servicio de aplicaciones web de JavaScript.
+
+Esta característica tiene un coste de privacidad, ya que indica al servidor DNS cierta información sobre la ubicación del cliente.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/advanced/tor-overview.md b/i18n/es/advanced/tor-overview.md
new file mode 100644
index 00000000..f5469218
--- /dev/null
+++ b/i18n/es/advanced/tor-overview.md
@@ -0,0 +1,81 @@
+---
+title: "Resumen de Tor"
+icon: 'simple/torproject'
+---
+
+Tor es una red descentralizada y gratuita diseñada para utilizar Internet con la mayor privacidad posible. Si se utiliza correctamente, la red permite la navegación y las comunicaciones privadas y anónimas.
+
+## Construcción de ruta
+
+Tor funciona enrutando tu tráfico a través de una red compuesta por miles de servidores gestionados por voluntarios llamados nodos (o repetidores).
+
+Cada vez que te conectes a Tor, elegirá tres nodos para construir una ruta a Internet-esta ruta se llama "circuito." Cada uno de estos nodos tiene su propia función:
+
+### El nodo de entrada
+
+El nodo de entrada, a menudo llamado nodo de guardia, es el primer nodo al que se conecta tu cliente Tor. El nodo de entrada puede ver tu dirección IP, pero no puede ver a qué te estás conectando.
+
+A diferencia de los otros nodos, el cliente Tor seleccionará aleatoriamente un nodo de entrada y se quedará con él durante dos o tres meses para protegerte de ciertos ataques.[^1]
+
+### El nodo medio
+
+El nodo del medio es el segundo nodo al que se conecta tu cliente Tor. Puede ver de qué nodo procede el tráfico -el nodo de entrada- y a qué nodo se dirige a continuación. El nodo intermedio no puede, ver tu dirección IP o el dominio al que te estás conectando.
+
+Para cada nuevo circuito, el nodo central se selecciona aleatoriamente de entre todos los nodos Tor disponibles.
+
+### El nodo de salida
+
+El nodo de salida es el punto en el que tu tráfico web abandona la red Tor y es reenviado a su destino deseado. El nodo de salida no puede ver tu dirección IP, pero sí sabe a qué sitio te estás conectando.
+
+El nodo de salida será elegido al azar de entre todos los nodos Tor disponibles ejecutados con una bandera de retransmisión de salida.[^2]
+
+
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Ruta del circuito de tor
+
+
+## Cifrado
+
+Tor encripta cada paquete (un bloque de datos transmitidos) tres veces con las claves del nodo de salida, medio y de entrada, en ese orden.
+
+Una vez que Tor ha construido un circuito, la transmisión de datos se realiza de la siguiente manera:
+
+1. En primer lugar: cuando el paquete llega al nodo de entrada, se elimina la primera capa de cifrado. En este paquete encriptado, el nodo de entrada encontrará otro paquete encriptado con la dirección del nodo intermedio. El nodo de entrada reenviará entonces el paquete al nodo intermedio.
+
+2. Segundo: cuando el nodo intermedio recibe el paquete del nodo de entrada, también elimina una capa de encriptación con su clave, y esta vez encuentra un paquete encriptado con la dirección del nodo de salida. El nodo intermedio reenviará entonces el paquete al nodo de salida.
+
+3. Por último, cuando el nodo de salida reciba su paquete, eliminará la última capa de cifrado con su clave. El nodo de salida verá la dirección de destino y reenviará el paquete a esa dirección.
+
+A continuación se presenta un diagrama alternativo que muestra el proceso. Cada nodo elimina su propia capa de encriptación, y cuando el servidor de destino devuelve los datos, el mismo proceso ocurre completamente a la inversa. Por ejemplo, el nodo de salida no sabe quién eres, pero sí sabe de qué nodo procede, por lo que añade su propia capa de encriptación y lo envía de vuelta.
+
+
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Envío y recepción de datos a través de la red Tor
+
+
+Tor nos permite conectarnos a un servidor sin que nadie conozca la ruta completa. El nodo de entrada sabe quién eres, pero no a dónde vas; el nodo intermedio no sabe quién eres ni a dónde vas; y el nodo de salida sabe a dónde vas, pero no quién eres. Como el nodo de salida es el que realiza la conexión final, el servidor de destino nunca conocerá tu dirección IP.
+
+## Advertencias
+
+Aunque Tor proporciona fuertes garantías de privacidad, uno debe ser consciente de que Tor no es perfecto:
+
+- Los adversarios bien financiados con la capacidad de observar pasivamente la mayor parte del tráfico de la red en todo el mundo tienen la posibilidad de desanonimizar a los usuarios de Tor mediante el análisis avanzado del tráfico. Tor tampoco te protege de exponerte por error, como por ejemplo si compartes demasiada información sobre tu identidad real.
+- Los nodos de salida de Tor también pueden monitorear el tráfico que pasa a través de ellos. Esto significa que el tráfico que no está encriptado, como el tráfico HTTP simple, puede ser grabado y monitoreado. Si dicho tráfico contiene información personal identificable, entonces puede desanonimizarlo a ese nodo de salida. Por lo tanto, recomendamos utilizar HTTPS sobre Tor siempre que sea posible.
+
+Si deseas utilizar Tor para navegar por la web, sólo recomendamos el navegador Tor Browser **oficial**-está diseñado para evitar las huellas digitales.
+
+- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser)
+
+## Recursos Adicionales
+
+- [Manual del usuario del navegador Tor](https://tb-manual.torproject.org)
+- [¿Cómo funciona Tor? - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube)
+- [Servicios Onion de Tor - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube)
+
+--8<-- "includes/abbreviations.es.txt"
+
+[^1]: El primer repetidor en tu circuito se llama "guardia de entrada" o "guardia".
Es un repetidor rápido y estable que se mantiene como el primero en tu circuito durante 2-3 meses para protegerse de un ataque conocido de ruptura del anonimato. El resto de tu circuito cambia con cada nuevo sitio web que visitas, y todos juntos estos repetidores proporcionan las protecciones de privacidad completas de Tor. Para obtener más información sobre el funcionamiento de los repetidores de protección, consulta esta [entrada del blog](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) y el [documento](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) sobre los guardias de entrada. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+[^2]: Bandera de repetidor: una (des)calificación de los repetidores para las posiciones de los circuitos (por ejemplo, "Guardia", "Salida", "MalaSalida"), las propiedades de los circuitos (por ejemplo, "Rápido", "Estable"), o los roles (por ejemplo, "Autoridad", "HSDir"), tal y como los asignan las autoridades de los directorios y se definen con más detalle en la especificación del protocolo del directorio. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/es/android.md b/i18n/es/android.md
new file mode 100644
index 00000000..85d51ee5
--- /dev/null
+++ b/i18n/es/android.md
@@ -0,0 +1,353 @@ +--- +title: "Android" +icon: 'fontawesome/brands/android' +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +El **proyecto de código abierto de Android** es un sistema operativo móvil de código abierto liderado por Google, que está detrás de la mayor parte de los dispositivos móviles del mundo. La mayor parte de los teléfono vendidos con Android son modificados para incluir integraciones y aplicaciones invasivas como los servicios de Google Play, así que puedes mejorar la privacidad de tu dispositivo móvil de manera significativa al reemplazar la instalación predeterminada de tu teléfono con una versión de Android sin esas características invasivas. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +En particular, GrapheneOS admite [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play). Los Servicios de Google Play se pueden ejecutar completamente de manera aislada como una aplicación de usuario normal y se pueden incluir en un [perfil de trabajo o un perfil de usuario](#android-security-privacy) de su elección. + +- [General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md) +- [Por qué recomendamos GrapheneOS sobre CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) + +## Derivados de AOSP + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! 
note + + ![Logotipo de GrapheneOS](assets/img/android/grapheneos.svg#only-light){ align=right } + ![Logotipo de GrapheneOS ](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** es la mejor opción cuando se trata de privacidad y seguridad. GrapheneOS proporciona mejoras adicionales de [seguridad](https://es.wikipedia.org/wiki/Endurecimiento_(inform%C3%A1tica)) y de privacidad. + +### GrapheneOS + +!!! recomendación + + Los dispositivos de "soporte extendido" de GrapheneOS no tienen correcciones de seguridad completos (actualizaciones de firmware) debido a que el fabricante de equipos originales (OEM) suspende el soporte. + + Estos dispositivos no pueden considerarse completamente seguros. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +Para complacer a los usuarios que necesitan Google Play Services, CalyxOS incluye de manera opcional [MicroG](https://microg.org/). Con MicroG, CalyxOS también se incluye en los servicios de localización de [Mozilla](https://location.services.mozilla.com/) y [DejaVu](https://github.com/n76/DejaVu). + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### CalyxOS + +!!! 
recomendación + + ![CalyxOS logo](assets/img/android/calyxos.svg){ align=right } + + **CalyxOS** es una alternativa aceptable a GrapheneOS. + Tiene algunas funciones de privacidad además de AOSP, que incluyen [Datura firewall](https://calyxos.org/docs/tech/datura-details), [Signal](https://signal.org) integración en la aplicación de marcación y un botón de pánico incorporado. CalyxOS también viene con actualizaciones de firmware y compilaciones firmadas, así que [el arranque verificado](https://source.android.com/security/verifiedboot) es completamente compatible. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. recommendation DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. 
+ +DivestOS ha automatizado el [parchamiento vulnerabilidad del kernel](https://gitlab.com/divested-mobile/cve_checker) ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)), menos blobs propietarios, un archivo personalizado de [hosts](https://divested.dev/index.php?page=dnsbl), y [F-Droid](https://www.f-droid.org) como tienda de aplicaciones. Incluye [UnifiedNlp](https://github.com/microg/UnifiedNlp) para la localización de la red. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS también incluye parches de GrapheneOS para el kernel y habilita todas las características de seguridad del kernel disponibles a través de [endurecimiento defconfig](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). Todos los kernels más recientes que la versión 3.4 incluyen [saneamiento](https://lwn.net/Articles/334747/) página completa y todos los ~22 kernels compilados por Clang tienen [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) habilitado. However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! 
warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! 
+ +### DivestOS + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recomendación + + ![Logotipo de DivestOS](assets/img/android/divestos.svg){ align=right } + + **DivestOS** es un [soft-fork](https://es. wikipedia.org/wiki/Bifurcaci%C3%B3n_(desarrollo_de_software)) de [LineageOS](https://lineageos.org/). + + DivestOS hereda muchos [dispositivos soportados](https://divestos.org/index.php?page=devices&base=LineageOS) de LineageOS. + + Tiene builds firmados, lo que permite tener [arranque verificado](https://source.android.com/security/verifiedboot) en algunos dispositivos que no son Pixel. + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. 
+ +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Perfiles de usuario + +!!! recomendación + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! 
warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Perfil de trabajo + +!!! recomendación + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Arranque verificado + +!!! 
recomendación
+
+ ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right }
+ ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right }
+
+ **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices.
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+Main privacy features include:
+
+- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default)
+- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required
+- Microphone permission not required unless you want to record sound
+
+!!! note
+
+ Metadata is not currently deleted from video files but that is planned.
+
+ The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser).
+
+### Secure PDF Viewer
+
+!!! recomendación
+
+ ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right }
+ ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right }
+
+ **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files.
+
+ [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content.
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+## Obtaining Applications
+
+### Interruptores globales
+
+GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to.
+
+### Orbot
+
+The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store.
+
+!!! recomendación
+
+ ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right }
+
+ **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps.
+
+ [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases)
+
+Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device.
+
+### Shelter
+
+For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases.
+
+![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark)
+
+#### GitHub
+
+On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL:
+
+`https://github.com/GrapheneOS/Camera/releases.atom`
+
+#### GitLab
+
+On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL:
+
+`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom`
+
+#### Verifying APK Fingerprints
+
+If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools).
+
+1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/).
+
+2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools).
+
+3. Extract the downloaded archive:
+
+ ```bash
+ unzip commandlinetools-*.zip
+ cd cmdline-tools
+ ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3"
+ ```
+
+4. Run the signature verification command:
+
+ ```bash
+ ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk
+ ```
+
+5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website.
+
+ ```bash
+ Signer #1 certificate DN: CN=GrapheneOS
+ Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59
+ Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c
+ Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3
+ ```
+
+### Auditor
+
+![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px }
+
+==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages.
+
+Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust.
+
+Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.
+
+That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method.
+
+!!! note
+
+ In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Software
+
+- Must be open-source software.
+- Must support bootloader locking with custom AVB key support.
+- Must receive major Android updates within 0-1 months of release.
+- Must receive Android feature updates (minor version) within 0-14 days of release.
+- Must receive regular security patches within 0-5 days of release.
+- Must **not** be "rooted" out of the box.
+- Must **not** enable Google Play Services by default.
+- Must **not** require system modification to support Google Play Services.
+
+### Devices
+
+- Must support at least one of our recommended custom operating systems.
+- Must be currently sold new in stores.
+- Must receive a minimum of 5 years of security updates.
+- Must have dedicated secure element hardware.
+
+### Applications
+
+- Applications on this page must not be applicable to any other software category on the site.
+- General applications should extend or replace core system functionality.
+- Applications should receive regular updates and maintenance.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/assets/img/account-deletion/exposed_passwords.png b/i18n/es/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/es/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/es/assets/img/android/rss-apk-dark.png b/i18n/es/assets/img/android/rss-apk-dark.png
new file mode 100644
index 00000000..974869a4
Binary files /dev/null and b/i18n/es/assets/img/android/rss-apk-dark.png differ
diff --git a/i18n/es/assets/img/android/rss-apk-light.png b/i18n/es/assets/img/android/rss-apk-light.png
new file mode 100644
index 00000000..21d6ef03
Binary files /dev/null and b/i18n/es/assets/img/android/rss-apk-light.png differ
diff --git a/i18n/es/assets/img/android/rss-changes-dark.png b/i18n/es/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/es/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/es/assets/img/android/rss-changes-light.png b/i18n/es/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/es/assets/img/android/rss-changes-light.png differ diff --git a/i18n/es/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/es/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/es/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/es/assets/img/how-tor-works/tor-encryption.svg b/i18n/es/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/es/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/es/assets/img/how-tor-works/tor-path-dark.svg b/i18n/es/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/es/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/es/assets/img/how-tor-works/tor-path.svg b/i18n/es/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/es/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/es/assets/img/multi-factor-authentication/fido.png b/i18n/es/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..d4b678fd Binary files /dev/null and b/i18n/es/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/es/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/es/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..2dc08ae9 Binary files /dev/null and b/i18n/es/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/es/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/es/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/es/assets/img/qubes/qubes-trust-level-architecture.png differ 
diff --git a/i18n/es/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/es/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/es/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/es/basics/account-creation.md b/i18n/es/basics/account-creation.md new file mode 100644 index 00000000..aa3894b3 --- /dev/null +++ b/i18n/es/basics/account-creation.md 
@@ -0,0 +1,82 @@ +--- +title: "Creación De Cuenta" +icon: 'material/account-plus' +--- + +A menudo la gente se inscribe en servicios sin pensar. Tal vez sea un servicio de streaming para que puedas ver ese nuevo show del que todo el mundo habla, o una cuenta que te da un descuento para tu lugar de comida rápida favorito. Sea cual sea el caso, debes tener en cuenta las implicaciones que tednrá para tus datos ahora y más adelante. + +Hay riesgos asociados con cada nuevo servicio que utilices. Las filtraciones de datos, la revelación de información de clientes a terceros o el acceso a datos por parte de empleados deshonestos son posibilidades que deben tenerse en cuenta a la hora de facilitar tu información. Tienes que estar seguro de que puedes confiar en el servicio, por eso no recomendamos almacenar datos valiosos en nada, excepto en los productos más maduros y que han sido puestos profundamente a prueba. Por lo general, se trata de servicios que ofrecen E2EE y han sido sometidos a una auditoría criptográfica. Una auditoría aumenta las garantías de que el producto se diseñó sin problemas de seguridad notorios causados por un desarrollador inexperto. + +También puede ser difícil eliminar las cuentas en algunos servicios. En ocasiones, [sobrescribir los datos](account-deletion.md#overwriting-account-information) asociados a una cuenta puede ser posible, pero en otros casos el servicio guardará un historial completo de los cambios realizados en la cuenta. + +## Términos del servicio y Política de privacidad + +Los ToS (Términos del Servicio) son las normas que usted se compromete a respetar al utilizar el servicio. En los servicios más grandes, estas normas suelen aplicarse mediante sistemas automatizados. A veces, estos sistemas automatizados pueden cometer errores. Por ejemplo, pueden expulsarte o bloquearte la cuenta en algunos servicios por utilizar una VPN o un número VOIP. 
Recurrir estos bloqueos suele ser difícil, y además implica un proceso automatizado que no siempre funciona bien. Esta es una de las razones por las que no sugerimos utilizar Gmail para el correo electrónico, por ejemplo. El correo electrónico es crucial para acceder a otros servicios a los que estés inscrito. + +La Política de Privacidad es la forma en que el servicio dice que utilizará tus datos y vale la pena leerla para que entiendas cómo se utilizarán tus datos. Una empresa u organización puede no estar legalmente obligada a seguir todo lo que contiene la política (depende de la jurisdicción). Te recomendamos que tengas una idea de cuál es tu legislación local y qué le permite recopilar a un proveedor. + +Te recomendamos que busques términos concretos como "recopilación de datos", "análisis de datos", "cookies", "anuncios" o servicios de "terceros". A veces podrás optar por no participar en la recopilación de datos o no compartirlos, pero lo mejor es elegir un servicio que respete tu privacidad desde el principio. + +Ten en cuenta que también estás depositando tu confianza en la empresa u organización y en que cumplirán su propia política de privacidad. + +## Métodos de autenticación + +Usualmente hay varias maneras para registrarse, cada una tiene sus propias ventajas y desventajas. + +### Correo electrónico y contraseña + +La manera más común de crear una nueva cuenta es utilizando una dirección de correo electrónico y una contraseña. Cuando se utiliza este método, se debe utilizar un gestor de contraseñas y seguir las [mejores prácticas](passwords-overview.md) respecto a las contraseñas. + +!!! consejo + + ¡También se puede usar un gestor de contraseñas para organizar otros métodos de autenticación! Solo añade la nueva entrada y completa los espacios apropiados, puedes agregar notas para cosas como las preguntas de seguridad o una clave de respaldo. + +Usted es responsable de gestionar sus credenciales de ingreso. 
Para mayor seguridad, se puede configurar la [autenticación multifactor](multi-factor-authentication.md) en las cuentas. + +[Gestores de contraseñas recomendados](../passwords.md ""){.md-button} + +#### Alias de correo electrónico + +Si no se quiere utilizar una dirección real de correo electrónico en un servicio, se cuenta con la opción de utilizar un alias. Estos los describimos con mayores detalles en nuestra página con recomendaciones de servicios de correo electrónico. Básicamente, los servicios de alias permiten generar nuevas direcciones de correo que reenvían todos los correos a la dirección principal. Esto puede ayudar a prevenir el rastreo a través de múltiples servicios y ayudar a gestionar los correos de mercadeo que algunas veces vienen con el proceso de registro. Estos pueden ser filtrados automáticamente basándose en el alias al que son enviados. + +Si un servicio es hackeado, puede que usted comience a recibir correos engañosos o basura en la dirección que utilizó para registrarse. Al utilizar un único alias para cada servicio, se puede identificar cual servicio fue hackeado. + +[Servicios recomendados de alias de correo electrónico](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. 
+ +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. 
+ +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. + +--8<-- "includes/abbreviations.es.txt" diff --git a/i18n/es/basics/account-deletion.md b/i18n/es/basics/account-deletion.md new file mode 100644 index 00000000..d9d81118 --- /dev/null +++ b/i18n/es/basics/account-deletion.md 
@@ -0,0 +1,63 @@ +--- +title: "Eliminación de cuenta" +icon: 'material/account-remove' +--- + +Con el tiempo, puede ser fácil acumular varias cuentas en línea, muchas de las cuales puede que ya no utilices. Eliminar estas cuentas que no utilizas es un paso importante para recuperar tu privacidad, ya que las cuentas inactivas son vulnerables a las filtraciones de datos. Una filtración de datos se da cuando la seguridad de un servicio se ve comprometida y la información protegida es vista, transmitida o robada por actores no autorizados. Desafortunadamente, las filtraciones de datos son [demasiado comunes](https://haveibeenpwned.com/PwnedWebsites) en estos días, por lo que practicar una buena higiene digital es la mejor manera de minimizar el impacto que tienen en tu vida. El objetivo de esta guía es ayudarte a atravesar el fastidioso proceso de eliminación de cuentas para mejorar tu presencia en línea, lo que es a menudo dificultado por [un diseño engañoso](https://www.deceptive.design/). + +## Buscar cuentas antiguas + +### Administrador de contraseñas + +Si tienes un gestor de contraseñas que has utilizado durante toda tu vida digital, esta parte será muy fácil. A menudo, incluyen funcionalidad integrada para detectar si tus credenciales fueron expuestas en una filtración de datos, como el [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/) (Reporte de filtración de datos) de Bitwarden. + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Incluso si no has usado explícitamente un gestor de contraseñas antes, es probable que hayas usado el de tu navegador o el de tu teléfono sin darte cuenta. Por ejemplo: [Firefox Password Manager](https://support.mozilla.org/es-es/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) y [Edge Password Manager](https://support.microsoft.com/es-es/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Los sistemas operativos también suelen tener un gestor de contraseñas que puede ayudarte a recuperar las que has olvidado: + +- Windows [Administrador de credenciales](https://support.microsoft.com/es-es/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Contraseñas](https://support.apple.com/es-es/HT211145) +- iOS [Contraseñas](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, al que se puede acceder a través de [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) o [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager/es) + +### Proveedores de VPN + +Si no utilizaste un gestor de contraseñas en el pasado o crees que tienes cuentas que nunca se añadieron a tu gestor de contraseñas, otra opción es buscar en la(s) cuenta(s) de correo electrónico en las que crees que te has registrado. En tu cliente de correo electrónico, busca palabras clave como "verificar" o "bienvenida" Casi siempre que se crea una cuenta en línea, el servicio envía un enlace de verificación o un mensaje introductorio a tu correo electrónico. Esta puede ser una buena manera de encontrar cuentas antiguas y olvidadas. + +## Eliminar cuentas antiguas + +### Inicio de sesión + +Para eliminar tus antiguas cuentas, primero tendrás que asegurarte de que puedes acceder a ellas. De nuevo, si la cuenta estaba en tu gestor de contraseñas, este paso es fácil. Si no, puedes intentar adivinando tu contraseña. 
Si no es así, suele haber opciones para recuperar el acceso a tu cuenta, normalmente disponibles a través de un enlace "olvido de contraseña" en la página de inicio de sesión. También es posible que las cuentas que has abandonado ya hayan sido eliminadas: a veces los servicios eliminan todas las cuentas antiguas. + +Cuando intentes recuperar el acceso, si el sitio devuelve un mensaje de error diciendo que el correo electrónico no está asociado a una cuenta, o nunca recibe un enlace de restablecimiento después de múltiples intentos, entonces no tienes una cuenta con esa dirección de correo electrónico y debes probar con otra. Si no puedes averiguar qué dirección de correo electrónico utilizaste, o ya no tienes acceso a ese correo, puedes intentar ponerte en contacto con el servicio de atención al cliente del servicio. Desafortunadamente, no hay garantía de que puedas recuperar el acceso a tu cuenta. + +### GDPR (solamente para residentes del EEE) + +Los residentes del EEE tienen derechos adicionales en relación con la supresión de datos especificados en [el artículo 17](https://www.gdpr.org/regulation/article-17.html) del GDPR. Si es aplicable para ti, lee la política de privacidad del servicio para encontrar información sobre cómo ejercer tu derecho de eliminación. Leer la política de privacidad puede ser importante, ya que algunos servicios tienen una opción de "Borrar cuenta" que solamente desactiva tu cuenta y para la eliminación real tienes que realizar una acción adicional. A veces, la eliminación real puede implicar llenar formularios, enviar un correo electrónico al responsable de la protección de datos del servicio, o incluso demostrar tu residencia en el EEE. Si planeas seguir este camino, **no** sobrescribas la información de tu cuenta; es posible que se requiera tu identidad como residente del EEE. Ten en cuenta que la ubicación del servicio no importa; el GDPR se aplica a cualquiera que preste servicios a usuarios europeos. 
Si el servicio no respeta tu derecho de supresión de datos, puedes ponerte en contacto con tu [Autoridad de Protección de Datos](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_es) y puedes tener derecho a una compensación monetaria. + +### Sobrescribir la información de la cuenta + +En algunas situaciones en la que planeas abandonar una cuenta, puede tener sentido sobrescribir la información de la cuenta con datos falsos. Una vez que te hayas asegurado de que puedes iniciar sesión, cambia toda la información de tu cuenta por información falsa. El motivo es que muchos sitios conservan la información que tenías anteriormente incluso después de la eliminación de la cuenta. Lo que se desea es que sobrescriban la información anterior con los datos más recientes que hayas introducido. Sin embargo, no hay forma de saber de qué no haya copias de seguridad con la información anterior. + +Para el correo electrónico de la cuenta, crea una nueva cuenta de correo electrónico alternativa a través de tu proveedor de elección o crea un alias utilizando un [servicio de alias de correo electrónico](/email/#email-aliasing-services). Una vez que hayas terminado, podrás eliminar tu dirección de correo electrónico alternativa. No recomendamos utilizar proveedores de correo electrónico temporales, ya que a menudo es posible reactivar los correos electrónicos temporales. + +### Eliminar + +Puedes consultar en [JustDeleteMe](https://justdeleteme.xyz/es) las instrucciones para eliminar la cuenta de un servicio específico. Algunos sitios tendrán amablemente una opción de "Borrar cuenta", mientras que otros llegarán a obligarte a hablar con un agente de soporte. El proceso de eliminación puede variar de un sitio a otro, siendo imposible la eliminación de la cuenta en algunos. 
+ +Para los servicios que no permiten la eliminación de cuentas, lo mejor que puede hacer es falsificar toda su información como se mencionó anteriormente y fortalecer la seguridad de la cuenta. Para ello, habilita [MFA](basics/multi-factor-authentication) y cualquier característica de seguridad adicional ofrecida. Además, cambia la contraseña a una generada aleatoriamente que sea el tamaño máximo permitido (un [administrador de contraseñas](/passwords/#local-password-managers) puede ser útil para esto). + +Si tienes la certeza de que se ha eliminado toda la información que te importa, puedes olvidarte con seguridad de esta cuenta. Si no es así, puede ser una buena idea mantener las credenciales almacenadas con tus otras contraseñas y de vez en cuando volver a iniciar sesión para restablecer la contraseña. + +Aunque puedas eliminar una cuenta, no hay garantía de que toda tu información sea eliminada. De hecho, algunas empresas están obligadas por ley a conservar cierta información, sobre todo cuando está relacionada con transacciones financieras. La mayoría de las veces, lo que ocurre con tus datos está fuera de tu control cuando se trata de sitios web y servicios en la nube. + +## Evitar cuentas nuevas + +Como dice el refrán, "más vale prevenir que lamentar" Siempre que sientas la tentación de crear una nueva cuenta, pregúntate "¿realmente lo necesito? ¿Puedo lograr lo que necesito sin una cuenta?" A menudo puede ser mucho más difícil eliminar una cuenta que crearla. E incluso después de borrar o cambiar la información de tu cuenta, puede haber una versión en caché de un tercero, como en el [Internet Archive](https://archive.org/). Evita la tentación cuando puedas, ¡tu futuro yo te lo agradecerá! + +--8<-- "includes/abbreviations.es.txt" diff --git a/i18n/es/basics/common-misconceptions.md b/i18n/es/basics/common-misconceptions.md new file mode 100644 index 00000000..9ffa5cd6 --- /dev/null +++ b/i18n/es/basics/common-misconceptions.md 
@@ -0,0 +1,61 @@
+---
+title: "Conceptos erróneos comunes"
+icon: 'material/robot-confused'
+---
+
+## "El software de código abierto es siempre seguro" o "El software propietario es más seguro"
+
+Estos mitos provienen de varios prejuicios, pero el hecho de que el código fuente esté disponible y la forma en que se licencie el software no afecta intrínsecamente a su seguridad de ninguna manera. ==El software de código abierto tiene el *potencial* de ser más seguro que el software propietario, pero no hay ninguna garantía de que sea así.== Cuando evalúes el software, debes examinar la reputación y la seguridad de cada herramienta de forma individual.
+
+El software de código abierto *puede* ser auditado por terceros, y a menudo es más transparente sobre las vulnerabilidades potenciales que sus contrapartes propietarias. También te permite revisar el código y desactivar cualquier funcionalidad sospechosa que encuentres. Sin embargo, *a menos que lo hagas*, no hay garantía de que el código haya sido evaluado alguna vez, especialmente en los proyectos de software más pequeños. El proceso de desarrollo abierto también ha sido explotado en ocasiones para introducir nuevas vulnerabilidades incluso en proyectos aún más grandes.[^1]
+
+Por otro lado, el software propietario es menos transparente, pero eso no implica que no sea seguro. Los grandes proyectos de software propietario pueden ser auditados internamente y por agencias de terceros, y los investigadores de seguridad independientes pueden seguir encontrando vulnerabilidades con técnicas como la ingeniería inversa.
+
+Para evitar decisiones sesgadas, es *vital* que evalúes los estándares de privacidad y seguridad del software que utilizas.
+
+## "Transferir la confianza puede aumentar la privacidad"
+
+Hablamos mucho de "transferir la confianza" cuando hablamos de soluciones como las VPN (que transfieren la confianza que depositas en tu ISP al proveedor de VPN). Aunque esto protege tus datos de navegación de tu proveedor de internet *específicamente*, el proveedor de VPN que elijas sigue teniendo acceso a tus datos de navegación: Tus datos no están completamente protegidos de todas las partes. Esto significa que:
+
+1. Hay que ser prudente a la hora de elegir un proveedor al que confiar.
+2. Aun así, deberías utilizar otras técnicas, como E2EE, para proteger tus datos por completo. Simplemente desconfiar de un proveedor para confiar en otro no es proteger tus datos.
+
+## "Las soluciones centradas en la privacidad son inherentemente fiables"
+
+Centrarse exclusivamente en las políticas de privacidad y en el marketing de una herramienta o proveedor puede impedirte ver sus debilidades. Cuando estés buscando una solución más privada, deberías determinar cuál es el problema subyacente y encontrar soluciones técnicas a ese problema. Por ejemplo, es posible que quieras evitar Google Drive, ya que da acceso a Google a todos tus datos. El problema subyacente en este caso es la falta de E2EE, por lo que deberías asegurarte de que el proveedor al que te cambias realmente implementa E2EE, o utiliza una herramienta (como [Cryptomator](../encryption.md#cryptomator-cloud)) que proporciona E2EE a cualquier proveedor de servicios en la nube. Cambiar a un proveedor "centrado en la privacidad" (que no implementa E2EE) no resuelve tu problema: esto solo cambia la confianza de Google a ese proveedor.
+
+Las políticas de privacidad y las prácticas empresariales de los proveedores que elijas son muy importantes, pero deben considerarse secundarias frente a las garantías técnicas de tu privacidad: No deberías cambiar la confianza a otro proveedor cuando la confianza en un proveedor no es un requisito en absoluto.
+
+## "Lo complicado es mejor"
+
+A menudo vemos a gente que describe modelos de amenaza a la privacidad que son excesivamente complejos. A menudo, estas soluciones incluyen problemas como muchas cuentas de correo electrónico diferentes o configuraciones complicadas con muchas partes móviles y condiciones. Las respuestas suelen responder a "¿Cuál es la mejor manera de hacer *X*?"
+
+Encontrar la "mejor" solución para uno mismo no significa necesariamente que se busque una solución infalible con docenas de condiciones: suele ser difícil trabajar con estas soluciones de forma realista. Como hemos comentado anteriormente, la seguridad a menudo viene a expensas de la comodidad. A continuación, te ofrecemos algunos consejos:
+
+1. ==Las acciones tienen que servir a un propósito concreto:== piensa en cómo hacer lo que quieres con el menor número de acciones.
+2. ==Eliminar los puntos de fallo humanos:== Fallamos, nos cansamos y olvidamos cosas. Para mantener la seguridad, evita depender de condiciones y procesos manuales que tengas que recordar.
+3. ==Utiliza el nivel adecuado de protección para lo que pretendes.== A menudo vemos recomendaciones de las llamadas soluciones de aplicación de la ley o a prueba de citaciones. Estas a menudo requieren conocimientos especializados y generalmente no es lo que la gente quiere. No tiene sentido construir un intrincado modelo de amenaza para el anonimato si puede ser fácilmente desanonimizado por un simple descuido.
+
+Así que, ¿cómo podría verse esto?
+
+Uno de los modelos de amenaza más claros es aquel en el que la gente *sabe quién eres* y otro en el que no. Siempre habrá situaciones en las que debes declarar tu nombre legal y otras en las que no es necesario.
+
+1. **Identidad conocida** - Una identidad conocida se utiliza para cosas en las que debes declarar tu nombre. Hay muchos documentos legales y contratos en los que se requiere una identidad legal. Esto puede abarcar desde la apertura de una cuenta bancaria, la firma de un contrato de arrendamiento de una propiedad, la obtención de un pasaporte, las declaraciones de aduana al importar artículos o cualquier otro trámite con tu Gobierno. Por lo general, estas cosas conducirán a credenciales como tarjetas de crédito, controles de calificación crediticia, números de cuenta y, posiblemente, direcciones físicas.
+
+ No sugerimos usar una VPN o Tor para ninguna de estas cosas, ya que tu identidad ya es conocida por otros medios.
+
+ !!! tip
+
+ Al comprar en línea, el uso de un [casillero de paquetes](https://en.wikipedia.org/wiki/Parcel_locker) puede ayudar a mantener la privacidad de tu dirección física.
+
+2. **Identidad desconocida** - Una identidad desconocida podría ser un seudónimo estable que utilizas con regularidad. No es anónimo porque no cambia. Si formas parte de una comunidad en línea, es posible que desees mantener un personaje que los demás conozcan. Este seudónimo no es anónimo porque, si se vigila durante el tiempo suficiente, los detalles sobre el propietario pueden revelar más información, como su forma de escribir, sus conocimientos generales sobre temas de interés, etc.
+
+ Es posible que desees utilizar una VPN para esto, para enmascarar tu dirección IP. Las transacciones financieras son más difíciles de enmascarar: Podrías considerar el uso de criptomonedas anónimas, como [Monero](https://www.getmonero.org/). El cambio a una moneda alternativa también puede ayudar a disfrazar dónde se originó tu moneda. Por lo general, los intercambios requieren que el KYC (conoce a tu cliente) se complete antes de que te permitan cambiar moneda fiduciaria a cualquier tipo de criptomoneda. Las opciones de encuentros locales también pueden ser una solución; sin embargo, suelen ser más caras y, a veces, también requieren KYC.
+
+3. **Identidad anónima** - Incluso con experiencia, las identidades anónimas son difíciles de mantener durante largos periodos de tiempo. Deben ser identidades a corto plazo y de corta duración que roten regularmente.
+
+ Usar Tor puede ayudar con esto. También cabe destacar que es posible un mayor anonimato mediante la comunicación asíncrona: La comunicación en tiempo real es vulnerable al análisis de los patrones de escritura (es decir, más de un párrafo de texto, distribuido en un foro, por correo electrónico, etc.)
+
+--8<-- "includes/abbreviations.es.txt"
+
+[^1]: Un ejemplo notable de esto es [el incidente de 2021 en el que investigadores de la Universidad de Minnesota introdujeron tres vulnerabilidades en el proyecto de desarrollo del kernel de Linux](https://cse.umn.edu/cs/linux-incident).
diff --git a/i18n/es/basics/common-threats.md b/i18n/es/basics/common-threats.md
new file mode 100644
index 00000000..eef40a37
--- /dev/null
+++ b/i18n/es/basics/common-threats.md
@@ -0,0 +1,149 @@
+---
+title: "Amenazas comunes"
+icon: 'material/eye-outline'
+---
+
+En términos generales, clasificamos nuestras recomendaciones en las [amenazas](threat-modeling.md) u objetivos que se aplican a la mayoría de las personas. ==Puede que no te preocupe ninguna, una, varias o todas estas posibilidades==, y las herramientas y servicios que utilices dependerán de cuáles sean tus objetivos. Es posible que también tengas amenazas específicas fuera de estas categorías, ¡lo cual está perfectamente bien! Lo importante es desarrollar una comprensión de los beneficios y las deficiencias de las herramientas que elijas utilizar, porque prácticamente ninguna de ellas te protegerá de todas las amenazas.
+
+- :material-incognito: Anonimato - Proteger tu actividad en línea de tu identidad real, protegiendote de las personas que están tratando de descubrir *tu* identidad específicamente.
+- :material-target-account: Ataques dirigidos - Estar protegido de los hackers u otros actores maliciosos que están tratando de acceder a *tus* datos o dispositivos específicamente.
+- :material-bug-outline: Ataques pasivos - Estar protegido de cosas como el malware, las filtraciones de datos y otros ataques que se realizan contra muchas personas a la vez.
+- :material-server-network: Proveedores de servicios - Proteger tus datos de los proveedores de servicios (por ejemplo, con E2EE, que hace que tus datos sean ilegibles para el servidor).
+- :material-eye-outline: Vigilancia masiva - Protección contra las agencias gubernamentales, organizaciones, sitios web y servicios que trabajan juntos para rastrear tus actividades.
+- :material-account-cash: Capitalismo de la vigilancia - Protegerse de las grandes redes de publicidad, como Google y Facebook, así como de una miríada de otros recolectores de datos de terceros.
+- :material-account-search: Exposición pública - Limitar la información sobre ti que es accesible en línea, para los motores de búsqueda o el público en general.
+- :material-close-outline: Censura - Evitar el acceso censurado a la información o ser censurado uno mismo al hablar en línea.
+
+Algunas de estas amenazas pueden ser más importantes para ti que otras, dependiendo de tus preocupaciones específicas. Por ejemplo, un desarrollador de software con acceso a datos valiosos o críticos puede estar preocupado principalmente por :material-target-account: Ataques dirigidos, pero probablemente siga queriendo proteger sus datos personales de ser barridos por los programas de :material-eye-outline: Vigilancia masiva. Del mismo modo, muchas personas pueden estar preocupadas principalmente por la :material-account-search: Exposición pública de sus datos personales, pero aún así deben tener cuidado con los problemas centrados en la seguridad, como los :material-bug-outline: Ataques pasivos-como el malware que afecta a sus dispositivos.
+
+## Anonimato vs. Privacidad
+
+:material-incognito: Anonimato
+
+El anonimato se confunde a menudo con la privacidad, pero son conceptos distintos. Mientras que la privacidad es un conjunto de decisiones que tomas sobre cómo se utilizan y comparten tus datos, el anonimato es la completa disociación de tus actividades en línea de tu identidad real.
+
+Los denunciantes y los periodistas, por ejemplo, pueden tener un modelo de amenaza mucho más extremo que requiere el anonimato total. Eso no sólo es ocultar lo que hacen, los datos que tienen y no ser hackeados por actores maliciosos o gobiernos, sino también ocultar por completo quiénes son. A menudo sacrificarán cualquier tipo de comodidad si eso significa proteger su anonimato, privacidad o seguridad, porque sus vidas podrían depender de ello. La mayoría de la gente no necesita ir tan lejos.
+
+## Seguridad y privacidad
+
+:material-bug-outline: Ataques pasivos
+
+La seguridad y la privacidad también se confunden a menudo, porque se necesita seguridad para obtener cualquier apariencia de privacidad: El uso de herramientas -incluso si son privadas por diseño- es inútil si pueden ser fácilmente explotadas por atacantes que luego liberen tus datos. Sin embargo, lo contrario no es necesariamente cierto: el servicio más seguro del mundo *no es necesariamente* privado. El mejor ejemplo de esto es confiar los datos a Google, que, dada su escala, ha tenido pocos incidentes de seguridad al emplear a expertos en seguridad líderes en la industria para asegurar su infraestructura. Aunque Google proporciona servicios muy seguros, muy pocas personas considerarían que sus datos son privados en los productos gratuitos de consumo de Google (Gmail, YouTube, etc.)
+
+En lo que respecta a la seguridad de las aplicaciones, generalmente no sabemos (y a veces no podemos) si el software que utilizamos es malicioso, o podría llegar a serlo algún día. Incluso en el caso de los desarrolladores más fiables, generalmente no hay garantía de que su software no tenga una vulnerabilidad grave que pueda ser explotada posteriormente.
+
+Para minimizar el daño que una pieza maliciosa de software *podría hacer*, deberías emplear la seguridad por compartimentación. Por ejemplo, esto podría darse en la forma de usar diferentes ordenadores para diferentes trabajos, usar máquinas virtuales para separar diferentes grupos de aplicaciones relacionadas, o usar un sistema operativo seguro con un fuerte enfoque en el aislamiento de aplicaciones y el control de acceso obligatorio.
+
+!!! tip
+
+ Los sistemas operativos móviles suelen tener un mejor aislamiento de aplicaciones que los sistemas operativos de escritorio: Las aplicaciones no pueden obtener acceso a la raíz y requieren permiso para acceder a los recursos del sistema.
+
+ Los sistemas operativos de escritorio generalmente se retrasan en el aislamiento adecuado. ChromeOS tiene capacidades de aislamiento similares a las de Android, y macOS tiene un control total de los permisos del sistema (y los desarrolladores pueden optar por el aislamiento para las aplicaciones). Sin embargo, estos sistemas operativos transmiten información de identificación a sus respectivos OEM. Linux tiende a no enviar información a los proveedores de sistemas, pero tiene poca protección contra los exploits y las aplicaciones maliciosas. Esto puede mitigarse un poco con distribuciones especializadas que hacen un uso significativo de máquinas virtuales o contenedores, como Qubes OS.
+
+:material-target-account: Ataques dirigidos
+
+Los ataques dirigidos contra una persona concreta son más problemáticos de tratar. Los ataques más comunes son el envío de documentos maliciosos por correo electrónico, la explotación de vulnerabilidades (por ejemplo, en los navegadores y sistemas operativos) y los ataques físicos. Si esto te preocupa, deberías emplear estrategias de mitigación de amenazas más avanzadas.
+
+!!! tip
+
+ Por su diseño, los **navegadores web**, los **clientes de correo electrónico** y las **aplicaciones de oficina** suelen ejecutar código no fiable, enviado por terceros. Ejecutar múltiples máquinas virtuales -para separar aplicaciones como estas de su sistema anfitrión, así como entre sí- es una técnica que puedes utilizar para mitigar la posibilidad de que un exploit en estas aplicaciones comprometa el resto de tu sistema. Por ejemplo, tecnologías como Qubes OS o Microsoft Defender Application Guard en Windows proporcionan métodos convenientes para hacerlo.
+
+Si te preocupan los **ataques físicos** deberías utilizar un sistema operativo con una implementación de arranque seguro verificado, como Android, iOS, macOS o [Windows (con TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). También deberías asegurarte de que tu disco esté encriptado y de que el sistema operativo utiliza un TPM o Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) o [Element](https://developers.google.com/android/security/android-ready-se) para limitar los intentos de introducir la frase de contraseña de encriptación. Deberías evitar compartir tu ordenador con personas que no sean de tu confianza, ya que la mayoría de los sistemas operativos de escritorio no cifran los datos por separado para cada usuario.
+
+## Privacidad de los proveedores de servicios
+
+:material-server-network: Proveedores de servicios
+
+Vivimos en un mundo en el que casi todo está conectado a Internet. Nuestros mensajes "privados", correos electrónicos e interacciones sociales suelen almacenarse en un servidor, en algún lugar. Generalmente, cuando envías un mensaje a alguien, este se almacena en un servidor, y cuando tu amigo quiere leer el mensaje, el servidor se lo muestra.
+
+El problema obvio de esto es que el proveedor de servicios (o un hacker que haya comprometido el servidor) puede acceder a tus conversaciones cuando y como quiera, sin que tú lo sepas. Esto se aplica a muchos servicios comunes, como la mensajería SMS, Telegram y Discord.
+
+Afortunadamente, E2EE puede aliviar este problema encriptando las comunicaciones entre tú y los destinatarios deseados antes de que se envíen al servidor. La confidencialidad de tus mensajes está garantizada, suponiendo que el proveedor de servicios no tenga acceso a las claves privadas de ninguna de las partes.
+
+!!! nota "Nota sobre el cifrado basado en la web"
+
+ En la práctica, la eficacia de las diferentes implementaciones de E2EE varía. Las aplicaciones, como [Signal](../real-time-communication.md#signal), se ejecutan de forma nativa en tu dispositivo, y cada copia de la aplicación es la misma en diferentes instalaciones. Si el proveedor de servicios introdujera un [backdoor](https://es.wikipedia.org/wiki/Puerta_trasera) en su aplicación -en un intento de robar tus claves privadas- podría ser detectado posteriormente con [ingeniería inversa](https://es.wikipedia.org/wiki/Ingenier%C3%Ada_inversa).
+
+ Por otro lado, las implementaciones E2EE basadas en la web, como el webmail de Proton Mail o *Web Vault* de Bitwarden, dependen de que el servidor sirva dinámicamente código JavaScript al navegador para manejar la criptografía. Un servidor malicioso puede dirigirse a ti y enviarte un código JavaScript malicioso para robar tu clave de cifrado (y sería extremadamente difícil de notar). Dado que el servidor puede elegir servir diferentes clientes de la web a diferentes personas -incluso si te diste cuenta del ataque- sería increíblemente difícil probar la culpabilidad del proveedor.
+
+ Por lo tanto, siempre que sea posible, hay que utilizar aplicaciones nativas en lugar de clientes web.
+
+Incluso con E2EE, los proveedores de servicios aún pueden hacerte un perfil basado en **metadatos**, que generalmente no están protegidos. Aunque el proveedor de servicios no puede leer tus mensajes, sí puede observar cosas importantes, como con quién hablas, la frecuencia con la que les envías mensajes y cuándo sueles estar activo. La protección de los metadatos es bastante infrecuente, y -si está dentro de tu [modelo de amenazas](basics/threat-modeling.md)- deberías prestar mucha atención a la documentación técnica del software que estás utilizando para ver si hay alguna minimización o protección de los metadatos.
+
+## Programas de vigilancia masiva
+
+:material-eye-outline: Vigilancia masiva
+
+La vigilancia masiva es el intrincado esfuerzo por controlar el "comportamiento, muchas actividades o información" de toda una población (o de una fracción sustancial de ella).[^1] Suele referirse a programas gubernamentales, como los que [reveló Edward Snowden en 2013](https://es.wikipedia.org/wiki/Revelaciones_sobre_la_red_de_vigilancia_mundial_(2013-2015)). Sin embargo, también puede ser llevada a cabo por empresas, ya sea en nombre de organismos gubernamentales o por iniciativa propia.
+
+!!! Sin embargo, al vulnerar los derechos humanos, se utiliza con mayor frecuencia para atacar desproporcionadamente a grupos minoritarios y disidentes políticos, entre otros.
+
+ Si quiere saber más sobre los métodos de vigilancia y cómo se aplican en su ciudad, también puede echar un vistazo al [Atlas of Surveillance](https://atlasofsurveillance.org/) de la [Electronic Frontier Foundation](https://www.eff.org/).
+
+ In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net.
+
+Los gobiernos suelen justificar los programas de vigilancia masiva como medios necesarios para combatir el terrorismo y prevenir la delincuencia. cita "ACLU: [*La lección de privacidad del 11 de septiembre: La vigilancia masiva no es el camino a seguir*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
+
+!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
+
+ Aunque eludir la censura en sí puede ser fácil, ocultar el hecho de que lo estás haciendo puede ser muy problemático. Debrías considerar qué aspectos de la red puede observar tu adversario y si tiene una negación plausible de tus acciones.
+
+En línea, puedes ser rastreado a través de una variedad de métodos:
+
+\[Esta lista no es exhaustiva].
+
+- Tu dirección IP
+- Cookies del navegador
+- Los datos que envías a los sitios web
+- La huella digital de tu navegador o dispositivo
+- Correlación del método de pago
+
+Si te preocupan los programas de vigilancia masiva, puedes utilizar estrategias como compartimentar tus identidades en línea, mezclarte con otros usuarios o, siempre que sea posible, simplemente evitar dar información que te identifique.
+
+Si te preocupan los programas de vigilancia masiva, puedes utilizar estrategias como compartimentar tus identidades en línea, mezclarte con otros usuarios o, siempre que sea posible, simplemente evitar proporcionar información que te identifique.
+
+:material-account-cash: Capitalismo de Vigilancia
+
+> El capitalismo de vigilancia es un sistema económico centrado en la captura y mercantilización de datos personales con el propósito principal de obtener ganancias.[^3]
+
+Además, incluso empresas ajenas a la industria de *AdTech* o de seguimiento pueden compartir tu información con los [corredores de datos](https://es.wikipedia.org/wiki/Broker_de_informaci%C3%B3n) (como Cambridge Analytica, Experian o Datalogix) u otras partes. No puedes asumir automáticamente que tus datos están seguros sólo porque el servicio que utilizas no entra dentro del típico modelo de negocio de AdTech o de seguimiento. La mayor protección contra la recopilación de datos por parte de las empresas es encriptar u ofuscar tus datos siempre que sea posible, dificultando que los diferentes proveedores puedan correlacionar los datos entre sí y construir un perfil sobre ti.
+
+La mejor manera de mantener la privacidad de tus datos es simplemente no hacerlos públicos en primer lugar. Borrar la información no deseada que encuentres sobre ti en Internet es uno de los mejores primeros pasos que puedes dar para recuperar tu privacidad. La mayor protección contra la recopilación de datos por parte de las empresas es encriptar u ofuscar tus datos siempre que sea posible, dificultando que los diferentes proveedores puedan correlacionar los datos entre sí y construir un perfil sobre ti.
+
+## Limitación de la información pública
+
+:material-account-search: Exposición pública
+
+En los sitios en los que compartes información, es muy importante comprobar la configuración de privacidad de tu cuenta para limitar la difusión de esos datos. Por ejemplo, activa el "modo privado" en tus cuentas si tienes la opción: Esto garantiza que tu cuenta no sea indexada por los motores de búsqueda y que no pueda ser vista sin tu permiso.
+
+- [Mira nuestra guía sobre la eliminación de cuentas :material-arrow-right-drop-circle:](account-deletion.md)
+
+Si ya has enviado tu información real a sitios que no deberían tenerla, considera la posibilidad de utilizar tácticas de desinformación, como enviar información ficticia relacionada con esa identidad en línea. Esto hace que tu información real sea indistinguible de la falsa.
+
+La censura en línea puede ser llevada a cabo (en diversos grados) por actores que incluyen gobiernos totalitarios, administradores de redes y proveedores de servicios. Estos esfuerzos por controlar la comunicación y restringir el acceso a la información serán siempre incompatibles con el derecho humano a la Libertad de Expresión.[^5]
+
+## Evitar la censura
+
+:material-close-outline: Censura
+
+La censura en las plataformas corporativas es cada vez más común, ya que plataformas como Twitter y Facebook ceden a la demanda del público, a las presiones del mercado y a las de los organismos gubernamentales. Las presiones gubernamentales pueden ser peticiones encubiertas a las empresas, como la de la Casa Blanca [solicitando la retirada](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) de un vídeo provocativo de YouTube, o abiertamente, como la del gobierno chino exigiendo a las empresas que se adhieran a un estricto régimen de censura.
+
+La censura en las plataformas corporativas es cada vez más común, ya que plataformas como Twitter y Facebook ceden a la demanda del público, a las presiones del mercado y a las de los organismos gubernamentales. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.
+
+People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.
+
+!!! tip
+
+ While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic.
+
+ You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
+
+You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.
+
+--8<-- "includes/abbreviations.es.txt"
+
+[^1]: Wikipedia: [*Vigilancia masiva*](https://es.wikipedia.org/wiki/Vigilancia_masiva) y [*Vigilancia*](https://es.wikipedia.org/wiki/Vigilancia).
+[^2]: Junta de Supervisión de la Privacidad y las Libertades Civiles de los Estados Unidos: [*Informe sobre el Programa de Registros Telefónicos llevado a cabo bajo la Sección 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^3]: Wikipedia: [*Capitalismo de vigilancia*](https://es.wikipedia.org/wiki/Capitalismo_de_vigilancia)
+[^4]: "[Enumerar la maldad](https://www.ranum.com/security/computer_security/editorials/dumb/)" (o, "enumerar todas las cosas malas que conocemos"), como hacen muchos bloqueadores de anuncios y programas antivirus, no protege adecuadamente de las amenazas nuevas y desconocidas porque aún no se han añadido a la lista de filtros. También deberías emplear otras técnicas de mitigación.
+[^5]: Naciones Unidas: [*La Declaración Universal de Derechos Humanos*](https://www.un.org/es/about-us/universal-declaration-of-human-rights).
diff --git a/i18n/es/basics/email-security.md b/i18n/es/basics/email-security.md
new file mode 100644
index 00000000..6fbf613e
--- /dev/null
+++ b/i18n/es/basics/email-security.md
@@ -0,0 +1,42 @@
+---
+title: Seguridad del correo electrónico
+icon: material/email
+---
+
+El correo electrónico es una forma de comunicación insegura por defecto. Puedes mejorar la seguridad de tu correo electrónico con herramientas como OpenPGP, que añaden cifrado de extremo a extremo a tus mensajes, pero OpenPGP sigue teniendo una serie de inconvenientes en comparación con el cifrado de otras aplicaciones de mensajería, y algunos datos del correo electrónico nunca pueden cifrarse de forma inherente debido a cómo está diseñado el correo electrónico.
+
+En consecuencia, el correo electrónico se utiliza mejor para recibir correos electrónicos transaccionales (como notificaciones, correos de verificación, restablecimiento de contraseñas, etc.) de los servicios en los que te registras en línea, no para comunicarte con otras personas.
+
+## Descripción de la encriptación del correo electrónico
+
+La forma estándar de añadir E2EE a los correos electrónicos entre diferentes proveedores de correo electrónico es utilizando OpenPGP. Existen diferentes implementaciones del estándar OpenPGP, siendo las más comunes [GnuPG](https://es.wikipedia.org/wiki/GNU_Privacy_Guard) y [OpenPGP.js](https://openpgpjs.org).
+
+Hay otro estándar que es popular entre las empresas llamada [S/MIME](https://es.wikipedia.org/wiki/S/MIME), sin embargo, requiere un certificado emitido por una [Autoridad de certificación](https://es.wikipedia.org/wiki/Autoridad_de_certificaci%C3%B3n) (no todos emiten certificados S/MIME). Tiene soporte en [Google Workplace](https://support.google.com/a/topic/9061730?hl=es&%3Bref_topic=9061731) y [Outlook para Web o Exchange Server 2016, 2019](https://support.microsoft.com/es-es/office/cifrar-mensajes-mediante-s-mime-en-outlook-en-la-web-878c79fc-7088-4b39-966f-14512658f480?ui=en-us&rs=en-us&ad=us).
+
+Incluso si utilizas OpenPGP, no admite el [secreto perfecto hacia adelante](https://es.wikipedia.org/wiki/Perfect_forward_secrecy), lo que significa que si alguna vez se roba tu clave privada o la del destinatario, todos los mensajes anteriores cifrados con ella se expondrán. Es por eso que recomendamos [servicios de mensajería instantáneos](../real-time-communication.md) que implementan el secreto perfecto hacia adelante por sobre el correo electrónico para las comunicaciones de persona a persona siempre que sea posible.
+
+### ¿Qué clientes de correo electrónico admiten E2EE?
+
+Los proveedores de correo electrónico que permiten utilizar protocolos de acceso estándar como IMAP y SMTP pueden utilizarse con cualquiera de los clientes de correo electrónico [que recomendamos](../email-clients.md). Dependiendo del método de autenticación, esto puede conducir a la disminución de la seguridad si el proveedor o el cliente de correo electrónico no soporta OATH o una aplicación puente debido a que la [autenticación multifactor](multi-factor-authentication.md) no es posible con la autenticación de contraseña simple.
+
+### ¿Cómo puedo proteger mis claves privadas?
+
+Una tarjeta inteligente (como una [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) o una [Nitrokey](https://www.nitrokey.com)) funciona recibiendo un mensaje de correo electrónico cifrado desde un dispositivo (teléfono, tableta, ordenador, etc.) que ejecuta un cliente de correo electrónico/correo web. El mensaje es entonces descifrado por la tarjeta inteligente y el contenido descifrado es enviado de vuelta al dispositivo.
+
+Es ventajoso que el descifrado ocurra en la tarjeta inteligente para evitar la posible exposición de tu clave privada a un dispositivo comprometido.
+
+## Descripción general de los metadatos de correo electrónico
+
+Los metadatos del correo electrónico se almacenan en la [cabecera del mensaje](https://es.wikipedia.org/wiki/Correo_electr%C3%B3nico#Escritura_del_mensaje) del correo electrónico e incluye algunas cabeceras visibles que puedes haber visto como: `Para`, `De`, `Cc`, `Fecha`, `Asunto`. También hay una serie de encabezados ocultos incluidos por muchos clientes y proveedores de correo electrónico que pueden revelar información sobre tu cuenta.
+
+El software del cliente puede usar metadatos de correo electrónico para mostrar de quién es un mensaje y a qué hora se recibió. Los servidores pueden utilizarlo para determinar dónde debe enviarse un mensaje de correo electrónico, [entre otros fines](https://es.wikipedia.org/wiki/Correo_electr%C3%B3nico#Escritura_del_mensaje) que no siempre son transparentes.
+
+### ¿Quién puede ver los metadatos del correo electrónico?
+
+Los metadatos del correo electrónico están protegidos de observadores externos con [STARTTLS](https://es.wikipedia.org/wiki/STARTTLS) protegiéndolos de observadores externos, pero aún pueden ser vistos por tu software de cliente de correo electrónico (o webmail) y cualquier servidor que retransmita el mensaje de ti a cualquier destinatario, incluyendo tu proveedor de correo electrónico. A veces, los servidores de correo electrónico también utilizan servicios de terceros para protegerse del spam, que generalmente también tienen acceso a tus mensajes.
+
+### ¿Por qué los metadatos no pueden ser E2EE?
+
+Los metadatos del correo electrónico son cruciales para la funcionalidad más básica del correo electrónico (de dónde viene y a dónde tiene que ir). E2EE no estaba integrado originalmente en los protocolos de correo electrónico, sino que requería un software adicional como OpenPGP.
Dado que los mensajes OpenPGP todavía tienen que funcionar con los proveedores de correo electrónico tradicionales, no puede cifrar los metadatos del correo electrónico, sino sólo el cuerpo del mensaje. Esto significa que, incluso cuando se utiliza OpenPGP, los observadores externos pueden ver mucha información sobre tus mensajes, como a quién estás enviando correos electrónicos, las líneas de asunto, cuándo estás enviando correos, etc.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/basics/multi-factor-authentication.md b/i18n/es/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..2e3cf8e4
--- /dev/null
+++ b/i18n/es/basics/multi-factor-authentication.md
@@ -0,0 +1,166 @@
+---
+title: "Autenticación de múltiples factores"
+icon: 'material/two-factor-authentication'
+---
+
+**La autenticación multifactorial** (**MFA**) es un mecanismo de seguridad que requiere pasos adicionales a la introducción del nombre de usuario (o correo electrónico) y la contraseña. El método más común son los códigos de tiempo limitado que puedes recibir de un SMS o una aplicación.
+
+Normalmente, si un hacker (o adversario) es capaz de averiguar tu contraseña, entonces obtendrá acceso a la cuenta a la que pertenece esa contraseña. Una cuenta con MFA obliga al hacker a tener tanto la contraseña (algo que *conoces*) como un dispositivo de tu propiedad (algo que *tienes*), como tu teléfono.
+
+Los métodos MFA varían en seguridad, pero se basan en la premisa de que cuanto más difícil sea para un atacante acceder a tu método MFA, mejor. Algunos ejemplos de métodos MFA (de más débil a más fuerte) incluyen SMS, códigos de correo electrónico, notificaciones push de aplicaciones, TOTP, Yubico OTP y FIDO.
+
+## Comparación de métodos MFA
+
+### SMS o correo electrónico MFA
+
+Recibir códigos OTP por SMS o correo electrónico es una de las formas más débiles de asegurar tus cuentas con MFA. Obtener un código por correo electrónico o SMS se aleja de la idea de "algo que *tienes*", porque hay una gran variedad de formas en las que un hacker podría [tomar tu número de teléfono](https://es.wikipedia.org/wiki/SIM_swapping) o acceder a tu correo electrónico sin tener acceso físico a ninguno de tus dispositivos. Si una persona no autorizada obtuviera acceso a tu correo electrónico, podría utilizar ese acceso tanto para restablecer tu contraseña como para recibir el código de autenticación, lo que le daría pleno acceso a tu cuenta.
+
+### Notificaciones push
+
+La MFA por notificación push consiste en el envío de un mensaje a una aplicación de tu teléfono en el que se te pide que confirmes el inicio de sesión de una nueva cuenta.
Este método es mucho mejor que el de los SMS o el correo electrónico, ya que un atacante normalmente no podría obtener estas notificaciones push sin tener un dispositivo ya conectado, lo que significa que tendría que comprometer uno de tus otros dispositivos primero.
+
+Todos cometemos errores, y existe el riesgo de que aceptes el intento de inicio de sesión por accidente. Las autorizaciones de inicio de sesión mediante notificaciones push suelen enviarse a *todos* tus dispositivos a la vez, ampliando la disponibilidad del código MFA si tienes muchos dispositivos.
+
+La seguridad de las notificaciones push MFA depende tanto de la calidad de la aplicación como del componente del servidor y de la confianza del desarrollador que la produce. La instalación de una aplicación también puede requerir que aceptes privilegios invasivos que concedan acceso a otros datos de tu dispositivo. Una aplicación individual también requiere que tengas una aplicación específica para cada servicio que puede no requerir una contraseña para abrirse, a diferencia de una buena aplicación generadora de TOTP.
+
+### Contraseñas de un solo uso basado en tiempo (TOTP)
+
+El TOTP es una de las formas más comunes de MFA disponibles. Cuando se configura el TOTP, generalmente se requiere escanear un [código QR](https://es.wikipedia.org/wiki/C%C3%B3digo_QR) que establece un "[secreto compartido](https://es.wikipedia.org/wiki/Secreto_compartido)" con el servicio que se pretende utilizar. El secreto compartido está asegurado dentro de los datos de la aplicación de autenticación, y a veces está protegido por una contraseña.
+
+El código de tiempo limitado se deriva entonces del secreto compartido y de la hora actual. Como el código sólo es válido durante un corto periodo de tiempo, sin acceso al secreto compartido, un adversario no puede generar nuevos códigos.
+
+Si tienes una llave de seguridad de hardware con soporte para TOTP (como una YubiKey con [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), recomendamos que almacenes tus "secretos compartidos" en el equipo. El hardware como el YubiKey se desarrolló con la intención de que el "secreto compartido" fuera difícil de extraer y copiar. Una YubiKey tampoco está conectada a Internet, a diferencia de un teléfono con una aplicación TOTP.
+
+A diferencia de [WebAuthn](#fido-fast-identity-online), TOTP no ofrece protección contra [Phishing](https://es.wikipedia.org/wiki/Phishing) o ataques de reutilización. Si un adversario obtiene un código válido de ti, puede utilizarlo tantas veces como quiera hasta que caduque (generalmente 60 segundos).
+
+Un adversario podría crear un sitio web para imitar un servicio oficial en un intento de engañarte para que des tu nombre de usuario, contraseña y código TOTP actual. Si el adversario utiliza esas credenciales registradas puede ser capaz de entrar en el servicio real y secuestrar la cuenta.
+
+Aunque no es perfecto, TOTP es lo suficientemente seguro para la mayoría de la gente, y cuando las [llaves de seguridad de hardware](../multi-factor-authentication.md#hardware-security-keys) no son compatibles las [aplicaciones de autenticación](../multi-factor-authentication.md#authenticator-apps) siguen siendo una buena opción.
+
+### Llaves de seguridad de hardware
+
+La YubiKey almacena los datos en un chip de estado sólido resistente a las manipulaciones, al que es [imposible acceder](https://security.stackexchange.com/a/245772) de forma no destructiva sin un costoso proceso y un laboratorio forense.
+
+Estas claves suelen ser multifuncionales y ofrecen varios métodos de autenticación. A continuación se presentan los más comunes.
+
+#### Yubico OTP
+
+Yubico OTP es un protocolo de autenticación típicamente implementado en llaves de seguridad de hardware.
Cuando decidas utilizar Yubico OTP, la clave generará un ID público, un ID privado y una clave secreta que se cargará en el servidor Yubico OTP.
+
+Para entrar en un sitio web, basta con tocar físicamente la clave de seguridad. La llave de seguridad emulará un teclado e imprimirá una contraseña de un solo uso en el campo de la contraseña.
+
+El servicio enviará entonces la contraseña de un solo uso al servidor Yubico OTP para su validación. Se incrementa un contador tanto en la llave como en el servidor de validación de Yubico. La OTP sólo puede utilizarse una vez, y cuando se produce una autenticación con éxito, el contador se incrementa, lo que impide la reutilización de la OTP. Yubico proporciona un [documento detallado](https://developers.yubico.com/OTP/OTPs_Explained.html) sobre el proceso.
+
+
+ ![Yubico OTP](/assets/img/multi-factor-authentication/yubico-otp.png)
+
+
+El uso de Yubico OTP tiene algunas ventajas y desventajas en comparación con TOTP.
+
+El servidor de validación de Yubico es un servicio basado en la nube, y estás confiando en que Yubico almacena los datos de forma segura y no los perfila. El ID público asociado con Yubico OTP se reutiliza en todos los sitios web y podría ser otra vía para que terceros te perfilen. Al igual que TOTP, Yubico OTP no proporciona resistencia al phishing.
+
+Si tu modelo de amenaza requiere que tengas diferentes identidades en diferentes sitios web, **no** utilices Yubico OTP con la misma clave de seguridad de hardware entre esos sitios web ya que el ID público es único para cada clave de seguridad.
+
+#### FIDO (Fast IDentity Online)
+
+[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) incluye una serie de estándares, primero fue U2F y después [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) el cual incluye el estándar web [WebAuthn](https://es.wikipedia.org/wiki/WebAuthn).
+
+U2F y FIDO2 se refieren al [Protocolo Cliente-Autenticador](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), que es el protocolo entre la clave de seguridad y el ordenador, como un portátil o un teléfono. Complementa a WebAuthn, que es el componente utilizado para autenticarse con el sitio web (la "parte dependiente") en el que estás intentando de iniciar sesión.
+
+WebAuthn es la forma más segura y privada de autenticación de segundo factor. Si bien la experiencia de autenticación es similar a Yubico OTP, la clave no imprime una contraseña de una sola vez y se valida con un servidor de terceros. En su lugar, utiliza [criptografía de clave pública](https://es.wikipedia.org/wiki/Criptograf%C3%Ada_asim%C3%A9trica) para la autenticación.
+
+
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png)
+
+
+Cuando creas una cuenta, la clave pública se envía al servicio, luego cuando inicias sesión, el servicio requerirá que "firmes" algunos datos con tu clave privada. La ventaja de esto es que el servicio no almacena nunca los datos de la contraseña, por lo que no hay nada que un adversario pueda robar.
+
+Esta presentación habla de la historia de la autenticación de contraseñas, los tropiezos (como la reutilización de contraseñas) y el debate de los estándares FIDO2 y [WebAuthn](https://webauthn.guide).
+
+
+ +
+
+FIDO2 y WebAuthn tienen propiedades de seguridad y privacidad superiores en comparación con cualquier método MFA.
+
+Por lo general, para los servicios web se utiliza con WebAuthn, que es una parte de las [recomendaciones W3C](https://es.wikipedia.org/wiki/World_Wide_Web_Consortium#Recomendaci%C3%B3n_de_W3C_(REC)). Utiliza la autenticación de clave pública y es más segura que los secretos compartidos utilizados en los métodos OTP y TOTP de Yubico, ya que incluye el nombre de origen (normalmente, el nombre del dominio) durante la autenticación. La certificación se proporciona para protegerte del phishing, ya que te ayuda a determinar que estás utilizando el servicio auténtico y no una copia falsa.
+
+A diferencia de Yubico OTP, WebAuthn no utiliza ningún ID público, entonces la clave **no** es identificable a través de diferentes sitios web. Tampoco utiliza ningún servidor de nube de terceros para la autenticación. Toda la comunicación se completa entre la clave y el sitio web en el que estás iniciando sesión. FIDO también utiliza un contador que se incrementa cuando se utiliza para evitar la reutilización de la sesión y llaves clonadas.
+
+Si un sitio web o servicio es compatible con WebAuthn para la autenticación, es muy recomendable que lo utilices sobre cualquier otra forma de MFA.
+
+## Recomendaciones generales
+
+Tenemos estas recomendaciones generales:
+
+### ¿Qué método debería usar?
+
+Al configurar tu método MFA, ten en cuenta que es tan seguro como el método de autenticación más débil que utilices. Esto significa que es importante que sólo utilices el mejor método de MFA disponible. Por ejemplo, si ya estás utilizando TOTP, deberías desactivar la MFA por correo electrónico y SMS. Si ya estás usando FIDO2/WebAuthn, no deberías usar Yubico OTP o TOTP en tu cuenta.
+
+### Copias de seguridad
+
+Siempre debes tener copias de seguridad de tu método MFA.
Las llaves de seguridad de hardware pueden perderse, ser robadas o simplemente dejar de funcionar con el tiempo. Se recomienda tener un par de llaves de seguridad de hardware con el mismo acceso a tus cuentas en lugar de una sola.
+
+Cuando utilices TOTP con una aplicación de autenticación, asegúrate de hacer una copia de seguridad de tus claves de recuperación o de la propia aplicación, o de copiar los "secretos compartidos" a otra instancia de la aplicación en un teléfono diferente o a un contenedor cifrado (por ejemplo, [VeraCrypt](../encryption.md#veracrypt)).
+
+### Configuración inicial
+
+Cuando compres una llave de seguridad, es importante que cambies las credenciales por defecto, configures la protección por contraseña de la llave y actives la confirmación táctil si tu llave es compatible con ella. Los productos como el YubiKey tienen múltiples interfaces con credenciales separadas para cada uno de ellos, por lo que debes repasar cada interfaz y configurar la protección también.
+
+### Correo electrónico y SMS
+
+Si tienes que utilizar el correo electrónico para MFA, asegúrate de que la propia cuenta de correo electrónico está protegida con un método MFA adecuado.
+
+Si usas MFA de SMS, utiliza un operador que no cambie tu número de teléfono a una nueva tarjeta SIM sin acceso a la cuenta, o usa un número VoIP dedicado de un proveedor con seguridad similar para evitar un [ataque de duplicación de SIM](https://es.wikipedia.org/wiki/SIM_swapping).
+
+[Herramientas de MFA que recomendamos](../multi-factor-authentication.md ""){.md-button}
+
+## Más lugares para configurar MFA
+
+Además de proteger tus inicios de sesión del sitio web, la autenticación de múltiples factores también se puede utilizar para proteger tus inicios de sesión locales, claves SSH o incluso bases de datos de contraseñas.
+
+### Windows
+
+Yubico tiene un [Proveedor de credenciales](https://learn.microsoft.com/es-es/windows/win32/secauthn/credential-providers-in-windows) dedicado que añade la autenticación Challenge-Response para el flujo de inicio de sesión con nombre de usuario + contraseña para las cuentas locales de Windows. Si tienes una YubiKey con soporte de autenticación Challenge-Response, echa un ojo a la [Guía de configuración de Yubico Login para Windows](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), que te permitirá configurar MFA en tu computadora Windows.
+
+### macOS
+
+macOS tiene [soporte nativo](https://support.apple.com/es-es/guide/deployment/depd0b888248/web) para la autenticación con tarjetas inteligentes (PIV). Si tienes una tarjeta inteligente o una llave de seguridad de hardware compatible con la interfaz PIV como la YubiKey, te recomendamos que sigas la documentación de tu tarjeta inteligente/vendedor de seguridad de hardware y configures la autenticación de segundo factor para tu ordenador macOS.
+
+Yubico tiene una guía [Uso de su YubiKey como tarjeta inteligente en macOS](https://support.yubico.com/hc/en-us/articles/360016649059) que puede ayudarte a configurar tu YubiKey en macOS.
+
+Después de configurar tu tarjeta inteligente/clave de seguridad, te recomendamos que ejecutes este comando en el Terminal:
+
+```text
+sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
+```
+
+El comando evitará que un adversario se salte la MFA al arrancar el ordenador.
+
+### Linux
+
+!!! warning
+
+ Si el nombre de host de tu sistema cambia (por ejemplo, debido al DHCP), no podrás iniciar sesión. Es vital que configures un nombre de host adecuado para tu ordenador antes de seguir esta guía.
+
+El módulo `pam_u2f` en Linux puede proporcionar autenticación de dos factores para iniciar sesión en las distribuciones Linux más populares.
Si tienes una llave de seguridad de hardware compatible con U2F, puedes configurar la autenticación MFA para tu inicio de sesión. Yubico tiene una guía [Guía de inicio de sesión en Ubuntu Linux - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) que debería funcionar en cualquier distribución. Sin embargo, los comandos del gestor de paquetes—como `"apt-get"`—y los nombres de los paquetes pueden ser diferentes. Esta guía **no** se aplica a Qubes OS.
+
+### Qubes OS
+
+Qubes OS tiene soporte para la autenticación Challenge-Response con YubiKeys. Si tienes una YubiKey con soporte de autenticación Challenge-Response, echale un ojo a la [documentación de YubiKey](https://www.qubes-os.org/doc/yubikey/) de Qubes OS si quieres configurar MFA en Qubes OS.
+
+### SSH
+
+#### Llaves de Seguridad
+
+MFA de SSH podría configurarse utilizando varios métodos de autenticación diferentes que son populares con las claves de seguridad de hardware. Te recomendamos que consultea la [documentación](https://developers.yubico.com/SSH/) de Yubico sobre cómo configurarlo.
+
+#### Contraseñas de un solo uso basado en tiempo (TOTP)
+
+MFA de SSH también se puede configurar utilizando TOTP. DigitalOcean ha proporcionado un tutorial [Cómo configurar la autenticación multifactor para SSH en Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). La mayoría de las cosas deberían ser las mismas independientemente de la distribución, sin embargo los comandos del gestor de paquetes—como `"apt-get"`—y los nombres de los paquetes pueden diferir.
+
+### KeePass (y KeePassXC)
+
+Las bases de datos de KeePass y KeePassXC pueden ser aseguradas utilizando Challenge-Response o HOTP como segundo factor de autenticación.
Yubico ha proporcionado un documento para KeePass [Uso de su YubiKey con KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) y también hay uno en el sitio web de [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa).
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/basics/passwords-overview.md b/i18n/es/basics/passwords-overview.md
new file mode 100644
index 00000000..51ad8fdf
--- /dev/null
+++ b/i18n/es/basics/passwords-overview.md
@@ -0,0 +1,112 @@
+---
+title: "Introducción a las contraseñas"
+icon: 'material/form-textbox-password'
+---
+
+Las contraseñas son una parte esencial de nuestra vida digital cotidiana. Las utilizamos para proteger nuestras cuentas, nuestros dispositivos y nuestros secretos. A pesar de ser a menudo lo único que nos separa de un adversario que busca nuestra información privada, no se piensa mucho en ellas, lo que a menudo lleva a la gente a utilizar contraseñas que pueden ser fácilmente adivinadas o forzadas.
+
+## Buenas prácticas
+
+### Utilice contraseñas únicas para cada servicio
+
+Imagínate por un momento esta situación: te suscribes con el mismo correo y contraseña en múltiples servicios online. Si alguno de esos proveedores de servicios es malicioso, o su servicio tiene una filtración de datos que expone tu contraseña en un formato sin encriptar, todo lo que los malos actores deben hacer es probar esa combinación de correo electrónico y contraseña, a través de múltiples servicios populares hasta obtener un resultado. No importa lo fuerte que sea esa contraseña, porque ya la tienen.
+
+Esto es llamado [suplantación de identidad](https://en.wikipedia.org/wiki/Credential_stuffing), y es una de las formas comunes en que las cuentas son comprometidas por malos actores. Para evitar esto, asegúrate de que nunca reutilices tus contraseñas.
+
+### Utilizar contraseñas generadas aleatoriamente
+
+===**Nunca** debes confiar en ti mismo para inventar una buena contraseña.== Recomendamos utilizar [contraseñas generadas aleatoriamente](#passwords) o [frases de contraseña](#diceware-passphrases) con suficiente entropía para proteger tus cuentas y dispositivos.
+
+Todos nuestros [gestores recomendados de contraseñas](../passwords.md) incluyen un generador integrado de contraseñas que puedes usar.
+
+### Rotación de contraseñas
+
+Debes evitar cambiar frecuentemente las contraseñas que debes recordar (como la contraseña maestra de tu gestor de contraseñas), a menos que tengas alguna razón para creer que ha sido comprometida, porque cambiarla con mucha frecuencia te expone al riesgo de olvidarla.
+
+When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage.
+
+!!! tip "Checking for data breaches"
+
+ If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md).
+
+## Creating strong passwords
+
+### Passwords
+
+A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters.
+
+If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases).
+
+### Diceware Passphrases
+
+Diceware is a method for creating passphrases which are easy to remember, but hard to guess.
+
+Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password.
+
+An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`.
+
+To generate a diceware passphrase using real dice, follow these steps:
+
+!!! note
+
+ These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy.
+
+1. Roll a six-sided die five times, noting down the number after each roll.
+
+2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`.
+
+3. You will find the word `encrypt`. Write that word down.
+
+4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space.
+
+!!! warning "Important"
+
+ You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random.
+
+If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords.
+
+We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize.
There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English.
+
+??? note "Explanation of entropy and strength of diceware passphrases"
+
+ To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example.
+
+ One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$.
+
+ Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$).
+
+ The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$.
+
+ Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases.
+
+ On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true:
+
+ - Your adversary knows that you used the diceware method.
+ - Your adversary knows the specific wordlist that you used.
+ - Your adversary knows how many words your passphrase contains.
+
+To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong.
+
+## Storing Passwords
+
+### Password Managers
+
+The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them.
+
+There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words.
+
+[List of recommended password managers](../passwords.md ""){.md-button}
+
+!!! warning "Don't place your passwords and TOTP tokens inside the same password manager"
+
+ When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+
+ Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
+
+ Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device.
+
+### Copias de seguridad
+
+You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/basics/threat-modeling.md b/i18n/es/basics/threat-modeling.md
new file mode 100644
index 00000000..51dd7ef4
--- /dev/null
+++ b/i18n/es/basics/threat-modeling.md
@@ -0,0 +1,111 @@ +--- +title: "¿Qué son los modelos de amenaza?" +icon: 'material/target-account' +--- + +Equilibrar la seguridad, la privacidad y la facilidad de uso es una de las primeras y más difíciles tareas a las que se enfrentará en su camino hacia la privacidad. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +Si quisiera utilizar las herramientas **más** seguras disponibles, tendría que sacrificar *mucha facilidad de uso*. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. Por eso es que los modelos de amenaza son importantes. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. ¿Qué quiero proteger? +2. ¿De quién quiero protegerlo? +3. ¿Qué probabilidad hay de que tenga que protegerlo? +4. ¿Qué tan graves serían las consecuencias si fallo? +5. ¿Cuánto esfuerzo estoy dispuesto a dedicar para prevenir posibles consecuencias? + +### ¿Qué quiero proteger? + +Un "activo" es algo que usted valora y quiere proteger. 
In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Sus dispositivos también pueden ser activos. + +*Haz una lista de tus activos: datos que guardas, dónde se guardan, quién tiene acceso a ellos y qué impide que otros los accedan.* + +### ¿De quién quiero protegerlo? + +Para responder a esta pregunta, es importante identificar quién podría querer suponer una amenaza para usted o su información. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Su lista puede incluir individuos, una agencia gubernamental o empresas.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### ¿Qué probabilidad hay de que tenga que protegerlo? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. Aunque tu proveedor de telefonía móvil tiene la capacidad de acceder a todos tus datos, el riesgo de que publiquen tus datos privados en Internet para dañar tu reputación es bajo. + +Es importante distinguir entre lo que podría ocurrir y la probabilidad de que ocurra. Por ejemplo, existe la amenaza de que su edificio se derrumbe, pero el riesgo de que esto ocurra es mucho mayor en San Francisco (donde los terremotos son habituales) que en Estocolmo (donde no lo son). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. 
En otros casos, las personas ignoran algunos altos riesgos porque no ven la amenaza como un problema. + +*Anote qué amenazas va a tomar en serio y cuáles pueden ser demasiado raras o demasiado inofensivas (o demasiado difíciles de combatir) como para preocuparse por ellas.* + +### ¿Qué tan graves serían las consecuencias si fallo? + +Hay muchas maneras de que un adversario pueda acceder a sus datos. Por ejemplo, un adversario puede leer sus comunicaciones privadas mientras pasan por la red, o puede borrar o corromper sus datos. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. Por el contrario, un opositor político puede querer acceder a contenido secreto y publicarlo sin que usted lo sepa. + +La planificación de la seguridad implica comprender las consecuencias que podría tener el hecho de que un adversario consiga acceder a uno de sus activos. Para determinar esto, debe considerar la capacidad de su adversario. For example, your mobile phone provider has access to all of your phone records. Un hacker en una red Wi-Fi abierta puede acceder a sus comunicaciones no cifradas. Su gobierno podría tener capacidades más fuertes. + +*Escriba lo que su adversario podría querer hacer con sus datos privados.* + +### ¿Cuánto esfuerzo estoy dispuesto a dedicar para prevenir posibles consecuencias? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Su evaluación de riesgos le permitirá planificar la estrategia adecuada para usted, equilibrando la comodidad, el coste y la privacidad. 
+ +Por ejemplo, un abogado que representa a un cliente en un caso de seguridad nacional puede estar dispuesto a hacer mayores esfuerzos para proteger las comunicaciones sobre ese caso, como el uso de correo electrónico cifrado, que una madre que envía regularmente a su hija vídeos divertidos de gatos por correo electrónico. + +*Anote las opciones que tiene a su disposición para ayudar a mitigar sus amenazas únicas. Tenga en cuenta si tiene limitaciones financieras, técnicas o sociales.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**¿Qué quiere proteger? (O bien, *¿qué tiene que vale la pena proteger?*)** +: + +Sus activos pueden incluir joyas, aparatos electrónicos, documentos importantes o fotos. + +**¿De quién quiere protegerlo?** +: + +Sus adversarios pueden ser ladrones, compañeros de piso o invitados. + +**¿Qué probabilidad hay de que tenga que protegerlo?** +: + +¿Su vecindario un historial de robos? How trustworthy are your roommates or guests? ¿Cuáles son las capacidades de sus adversarios? ¿Cuáles son los riesgos que debe tener en cuenta? + +**¿Cómo de graves son las consecuencias si falla?** +: + +¿Tiene algo en tu casa que no pueda reemplazar? Do you have the time or money to replace those things? ¿Tiene un seguro que cubra los bienes robados en su casa? + +**¿Cuánto esfuerzo estaría dispuesto a dedicar para prevenir posibles consecuencias?** +: + +¿Está dispuesto a comprar una caja fuerte para documentos confidenciales? ¿Puede permitirse comprar una cerradura de alta calidad? ¿Tiene tiempo para abrir una caja de seguridad en su banco local y mantener sus objetos de valor allí? + +Sólo una vez que se haya planteado estas preguntas estará en condiciones de evaluar qué medidas tomar. 
Si sus posesiones son valiosas, pero la probabilidad de que se produzca un robo es baja, quizás no quiera invertir demasiado dinero en una cerradura. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Elaborar un plan de seguridad le ayudará a comprender las amenazas que le son propias y a evaluar sus activos, sus adversarios y las capacidades de éstos, junto con la probabilidad de los riesgos a los que se enfrenta. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Fuentes + +- [EFF Surveillance Self Defense: Su plan de seguridad](https://ssd.eff.org/en/module/your-security-plan) + +--8<-- "includes/abbreviations.es.txt" diff --git a/i18n/es/basics/vpn-overview.md b/i18n/es/basics/vpn-overview.md new file mode 100644 index 00000000..0cdbc15d --- /dev/null +++ b/i18n/es/basics/vpn-overview.md 
@@ -0,0 +1,78 @@ +--- +title: Vista general del VPN +icon: material/vpn +--- + +Las redes virtuales privadas (conocidas en inglés como Virtual Private Networks) son una manera de ampliar el extremo de tu red hacia algún lugar del mundo. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. 
This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. 
This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. 
Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) + +--8<-- "includes/abbreviations.es.txt" diff --git a/i18n/es/calendar.md b/i18n/es/calendar.md new file mode 100644 index 00000000..23fe133d --- /dev/null +++ b/i18n/es/calendar.md 
@@ -0,0 +1,85 @@ +--- +title: "Clientes de Correo Electrónico" +icon: material/calendar +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Solo software como servicio (ScuS) + +!!! recomendación + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. [Visita tutanota.com](https://tutanota.com/calendar){ .md-button .md-button--primary } [Política de privacidad](https://tutanota.com/privacy){ .md-button } + + **Descargas** + - [:fontawesome-brands-windows: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:fontawesome-brands-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:fontawesome-brands-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.tutao.tutanota) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:fontawesome-brands-github: Fuente](https://github.com/tutao/tutanota) + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Autoalojable + +!!! recomendación + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Todos los datos almacenados en él se cifran de extremo a extremo cuando se almacenan en los servidores de ProtonMail. [Visita calendar.protonmail.com](https://calendar.protonmail.com){ .md-button .md-button--primary } [Política de privacidad](https://protonmail.com/privacy-policy){ .md-button } + + **Descargas** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:fontawesome-brands-github: Source](https://github.com/ProtonMail/WebClients) Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. + +--8<-- "includes/abbreviations.es.txt" diff --git a/i18n/es/cloud.md b/i18n/es/cloud.md new file mode 100644 index 00000000..0b020a27 --- /dev/null +++ b/i18n/es/cloud.md 
@@ -0,0 +1,63 @@ +--- +title: "Correo Electrónico" +icon: material/file-cloud +--- + +Muchos proveedores de almacenamiento en la nube exigen que confíes plenamente en que no mirarán tus archivos. Las alternativas que se enumeran a continuación eliminan la necesidad de confianza, ya que le ponen en control de sus datos o implementan E2EE. + +Confíe en su proveedor utilizando una alternativa a continuación que es compatible con [cifrado de extremo a extremo (E2EE)](https://es.wikipedia.org/wiki/Cifrado_de_extremo_a_extremo). + +??? recommendation + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users. + +## Cryptee + +!!! recomendación + + ![Logotipo de Proton Drive](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** es un servicio general de almacenamiento de archivos cifrados de extremo a extremo (E2EE) hecho por el proveedor de correo electrónico cifrado [ProtonMail](https://protonmail.com). + + [Visita drive.protonmail.com](https://drive.protonmail.com){ .md-button .md-button--primary } [Política de privacidad](https://docs.tildes.net/policies/privacy-policy){ .md-button } + + **Descargas** + - [:fontawesome-brands-github: Fuente](hhttps://https://github.com/ProtonMail/WebClients) [:octicons-home-16: Inicio](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Política de privacidad" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Código fuente" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribuir } + + ??? + +Proton Drive's mobile clients were released in December 2022 and are not yet open-source. 
Proton has historically delayed their source code releases until after initial product releases, and [plans to](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) release the source code by the end of 2023. Proton Drive desktop clients are still in development. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. 
+- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +--8<-- "includes/abbreviations.es.txt" diff --git a/i18n/es/data-redaction.md b/i18n/es/data-redaction.md new file mode 100644 index 00000000..f3c305d9 --- /dev/null +++ b/i18n/es/data-redaction.md 
@@ -0,0 +1,146 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! recomendación + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Firmware del Router + +### ExifEraser (Android) + +!!! recomendación + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. 
+ + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recomendación + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. 
+ + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recomendación + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recomendación + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. 
+ + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. + +--8<-- "includes/abbreviations.es.txt" diff --git a/i18n/es/desktop-browsers.md b/i18n/es/desktop-browsers.md new file mode 100644 index 00000000..cc56f637 --- /dev/null +++ b/i18n/es/desktop-browsers.md 
@@ -0,0 +1,262 @@ +--- +title: "Navegadores de escritorio" +icon: material/laptop +--- + +Estas son nuestras recomendaciones de navegadores web para computadoras y las configuraciones para la navegación estándar/no anónima por Internet. Si necesitas navegar por Internet de forma anónima, deberías utilizar [Tor](tor.md) . En general, recomendamos mantener una cantidad mínima de extensiones; estas tienen un acceso privilegiado dentro de tu navegador, requieren que confíes en el desarrollador, pueden hacerte [destacar](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), y [debilitan](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) el aislamiento del sitio. + +## Firefox + +!!! recomendación + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** brinda una configuración fuerte de privacidad como la [Protección de Rastreo Mejorada](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), que puede ayudar con el bloqueo de varios [tipos de rastreadores](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! 
recommendation The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Firefox + +Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +Estas opciones se encuentran en la página de configuración *Privacidad & Seguridad* ( ≡ → Ajustes → Privacidad y Seguridad). + +##### Enhanced Tracking Protection + +- Seleccione: "Estricto" + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. 
Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- Seleccione: "Habilitar el modo solo HTTPS en todas las ventanas". +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Extensiones + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. 
If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +## Brave + +!!! recomendación + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. 
+ +### Firefox + +Tor Browser is the only way to truly browse the internet anonymously. Cuando uses Brave, te recomendamos cambiar la siguiente configuración para proteger tu privacidad de ciertas partes, pero todos los navegadores que no sean [el navegador Tor](tor.md#tor-browser) serán rastreables por *alguien* en algún sentido u otro. + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensiones + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### IPFS + +InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +- [x] Select **Disabled** on Method to resolve IPFS resources + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Recursos Adicionales + +We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recomendación + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). 
+ +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Incluye la funcionalidad de bloquear contenido. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +--8<-- "includes/abbreviations.es.txt" + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/es/desktop.md b/i18n/es/desktop.md new file mode 100644 index 00000000..a4e9b1ba --- /dev/null +++ b/i18n/es/desktop.md 
@@ -0,0 +1,184 @@ +--- +title: "Almacenamiento en la Nube" +icon: simple/linux +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Distribuciones tradicionales + +### Fedora Workstation + +!!! recomendación + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recomendación + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. 
+ + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recomendación + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). 
+ +## Distribuciones inmutables + +### Fedora Silverblue + +!!! recomendación + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. 
+ +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recomendación + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. 
You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Distribuciones enfocadas en el anonimato + +### Whonix + +!!! recomendación + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. 
+ +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recomendación + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. 
[Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Distribuciones centradas en la seguridad + +### Qubes OS + +!!! recomendación + + ![Logotipo de Qubes OS](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes** es un sistema operativo de código abierto diseñado para proporcionar una fuerte seguridad para el uso de escritorio. Qubes se basa en Xen, el Sistema de Ventanas X y Linux, y puede ejecutar la mayoría de las aplicaciones Linux y utilizar la mayoría de los controladores de Linux. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +El sistema operativo Qubes OS asegura el ordenador aislando subsistemas (por ejemplo, redes, USB, etc.) y aplicaciones en máquinas virtuales separadas. Si una parte del sistema se ve comprometida, es probable que el aislamiento adicional proteja al resto del sistema. 
Para obtener más detalles, consulte las [Preguntas frecuentes de Qubes](https://www.qubes-os.org/faq/). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Nuestros sistemas operativos recomendados: + +- Deben ser de código abierto. +- Deben recibir actualizaciones periódicas de software y del núcleo de Linux. +- Las distribuciones Linux deben ser compatibles con [Wayland](os/linux-overview.md#Wayland). +- Debe soportar el cifrado de disco completo durante la instalación. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Debe ser compatible con una amplia variedad de hardware. + +--8<-- "includes/abbreviations.es.txt" diff --git a/i18n/es/dns.md b/i18n/es/dns.md new file mode 100644 index 00000000..7d8c0aa0 --- /dev/null +++ b/i18n/es/dns.md 
@@ -0,0 +1,142 @@ +--- +title: "Introducción a DNS" +icon: material/dns +--- + +!!! ¿Debería utilizar un DNS cifrado? + + El DNS cifrado con un tercero solo debe usarse para evitar redirecciones y el bloqueo básico de DNS cuando puedas estar seguro de que no habrá consecuencias o estés interesado en un proveedor que realice un filtrado rudimentario. DNS encriptado no te ayudará a esconder tu actividad en línea. + + [Aprende más sobre DNS](technology/dns.md){ .md-button } + +## Proveedores recomendados + +| DNS | Política de Privacidad | Protocolo | Protocolos | Registros | ECS | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | --------- | -------------------------------------------------------------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Comercial | Texto simple
DoH
DoT
DNSCrypt | 2 | No Filter list being used can be found here. [**DNS mediante HTTPS**](https://es.wikipedia.org/wiki/DNS_mediante_HTTPS) como está definido en el [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) empaqueta las consultas en el protocolo [HTTP/2](https://es.wikipedia.org/wiki/HTTP/2) y proporciona seguridad con HTTPS. | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Comercial | Texto simple
DoH
DoT | 2 | No | +| [**ControlID**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Comercial | Texto simple
DoH
DoT | 2 | No | +| [**IVPN**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | Comercial | DoH
DoT | 2 | No Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Comercial | Texto simple
DoH
DoT
DNSCrypt | Opcional [^5] | No | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Comercial | Some[^6] | Opcional [^5] | Based on server choice, Malware blocking by default. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Debe soportar [DNSSEC](technology/dns.md#what-is-dnssec-and-when-is-it-used) +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## DNS sin cifrado + +### Android + +Las últimas versiones de iOS, iPadOS, tvOS y macOS, soportan tanto DoT como DoH. Ambos protocolos son soportados nativamente a través de [configuración de perfiles ](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) o a través de la [API de configuración DNS](https://developer.apple.com/documentation/networkextension/dns_settings). 
+ +### Dispositivos Apple + +Tras la instalación de un perfil de configuración o de una aplicación que utilice la API de configuración de DNS, se puede seleccionar la configuración de DNS. Si una VPN está activo, la resolución dentro del túnel VPN utilizará la configuración DNS de la VPN y no la configuración de todo el sistema. + +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. Información Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. 
Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### DNS + +!!! recomendación + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### DNSCrypt + +!!! recomendación + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." 
+ + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### RethinkDNS + +!!! recomendación + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### DNSCloak + +!!! 
recomendación + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +--8<-- "includes/abbreviations.es.txt" + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. 
[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/es/email-clients.md b/i18n/es/email-clients.md new file mode 100644 index 00000000..5962ed57 --- /dev/null +++ b/i18n/es/email-clients.md 
@@ -0,0 +1,239 @@ +--- +title: "Email Clients" +icon: material/email-open +--- + +Nuestra lista de recomendaciones contiene clientes de correo electrónico que soportan [OpenPGP](encryption.md#openpgp) y una autenticación fuerte como [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth te permite utilizar la [Autenticación Multifactor](basics/multi-factor-authentication.md) y previene el robo de cuentas. + +??? advertencia "El correo electrónico no proporciona el secreto de reenvío" + + Cuando se utiliza una tecnología de cifrado de extremo a extremo (E2EE, por sus siglas en inglés) como OpenPGP, el correo aún tendrá algunos [metadatos](email.md#email-metadata-overview) que no son encriptados en el encabezado del correo. + + OpenPGP tampoco soporta '[forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy)', lo que significa que si la clave privada del receptor es robada, todos los mensajes encriptados previamente con esta se encontrarán expuestos: [¿Cómo puedo proteger mis claves privadas?](basics/email-security.md) Considere utilizar un medio que brinde 'forward secrecy': + + [Comunicación en tiempo real](real-time-communication.md){ .md-button } + +## Multiplataforma + +### Thunderbird + +!!! recomendación + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** es un cliente gratuito, de código abierto y multiplataforma, de correo electrónico, grupos de noticias y chat (XMPP, IRC, Twitter), desarrollado por la comunidad Thunderbird, y previamente por la Fundación Mozilla. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Firefox + +We recommend changing some of these settings to make Thunderbird a little more private. + +Estas opciones se encuentran en la página de configuración *Privacidad & Seguridad* ( ≡ → Ajustes → Privacidad y Seguridad). + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recomendación + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! 
recomendación + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recomendación + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recomendación + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recomendación + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. 
+ + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recomendación + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! 
recomendación + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recomendación + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. + +--8<-- "includes/abbreviations.es.txt" diff --git a/i18n/es/email.md b/i18n/es/email.md new file mode 100644 index 00000000..3b4f339f --- /dev/null +++ b/i18n/es/email.md 
@@ -0,0 +1,485 @@
+---
+title: "Servicios de correo electrónico"
+icon: material/email
+---
+
+El correo electrónico es prácticamente necesario para utilizar cualquier servicio en línea. Sin embargo, no lo recomendamos para las conversaciones de persona a persona. En vez de utilizar el correo electrónico para comunicarse con otras personas, considere utilizar un servicio de mensajería instantánea que soporte el secreto de reenvío.
+
+[Servicios de mensajería instantánea recomendados](real-time-communication.md ""){.md-button}
+
+Para todo lo demás, recomendamos una variedad de proveedores de correo electrónico basados en modelos sostenibles, además de características de seguridad y privacidad integradas.
+
+## Servicios compatibles con OpenPGP
+
+Estos proveedores soportan de manera nativa el cifrado/descifrado de OpenPGP, permitiendo que los correos electrónicos E2EE sean independientes del proveedor. Por ejemplo, un usuario de Proton Mail no puede enviar un mensaje E2EE a un usuario de Mailbox.org, o usted puede recibir notificaciones cifradas con OpenPGP desde servicios de internet que lo soporten.
+
+!!! warning
+
+ Al utilizar una tecnología de cifrado de extremo a extremo (E2EE, por sus siglas en inglés) como OpenPGP, los correos aún tendrán algunos metadatos que no son encriptados en el encabezado del correo. Más información sobre los [metadatos de correo electrónico](basics/email-security.md#email-metadata-overview).
+
+ OpenPGP tampoco soporta el secreto de reenvío, lo que significa si la clave privada del receptos es robada, todos los mensajes cifrados previamente con ella, serán expuestos. [¿Cómo puedo proteger mis claves privadas?](basics/email-security.md#how-do-i-protect-my-private-keys)
+
+### Proton Mail
+
+!!! recomendación
+
+ ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right }
+
+ **Proton Mail** es un servicio de correo electrónico con un enfoque en la privacidad, el cifrado, la seguridad y la facilidad de uso.
Ellos operan desde **2013**. Proton AG tiene su sede en Ginebra, Suiza. Las cuentas inician con 500 MB de almacenamiento en el plan gratuito.
+
+ [:octicons-home-16: Página principal](https://proton.me/mail){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" }
+
+ ??? descargas
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905)
+ - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases)
+ - [:simple-windows11: Windows](https://proton.me/mail/bridge#download)
+ - [:simple-apple: macOS](https://proton.me/mail/bridge#download)
+ - [:simple-linux: Linux](https://proton.me/mail/bridge#download)
+ - [:octicons-browser-16: Web](https://mail.proton.me)
+
+Las cuentas gratuitas tienen algunas limitaciones, como no poder buscar texto en el contenido, y no tener acceso a [Proton Mail Bridge](https://proton.me/mail/bridge), que es requerido para utilizar un [cliente recomendado de correo electrónico para escritorio](email-clients.md) (como Thunderbird). Las cuentas de pago incluyen características como Proton Mail Bridge, almacenamiento adicional y soporte para dominios personalizados. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
+
+If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free.
+
+Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**.
+
+??? success "Custom Domains and Aliases"
+
+ Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain.
+
+??? success "Private Payment Methods"
+
+ Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments.
+
+??? success "Account Security"
+
+ Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code.
+
+??? success "Data Security"
+
+ Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you.
+
+ Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon.
+
+??? success "Email Encryption"
+
+ Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail.
Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP.
+
+ Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE.
+
+??? warning "Digital Legacy"
+
+ Proton Mail doesn't offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period.
+
+??? check "Aplicaciones móviles"
+
+ Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage.
+
+### Mailbox.org
+
+!!! recomendación
+
+ ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right }
+
+ **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed.
+
+ [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation}
+
+ ???
downloads
+
+ - [:octicons-browser-16: Web](https://login.mailbox.org)
+
+??? success "Custom Domains and Aliases"
+
+ Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain.
+
+??? info "Private Payment Methods"
+
+ Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung.
+
+??? success "Account Security"
+
+ Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported.
+
+??? info "Data Security"
+
+ Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key.
+
+ However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information.
+
+???
success "Email Encryption"
+
+ Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox.
+
+ Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE.
+
+??? success "Digital Legacy"
+
+ Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address.
+
+??? info "Account Termination"
+
+ Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract).
+
+??? check "Aplicaciones móviles"
+
+ You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors.
+
+ All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive).
Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3.
+
+### StartMail
+
+!!! recomendación
+
+ ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right }
+ ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right }
+
+ **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial.
+
+ [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:octicons-browser-16: Web](https://mail.startmail.com/login)
+
+??? success "Custom Domains and Aliases"
+
+ Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available.
+
+??? warning "Private Payment Methods"
+
+ StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year.
+
+???
success "Account Security"
+
+ StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication.
+
+??? info "Data Security"
+
+ StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key.
+
+ StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption.
+
+??? success "Email Encryption"
+
+ StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys.
+
+??? warning "Digital Legacy"
+
+ StartMail does not offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration).
+
+??? check "Aplicaciones móviles"
+
+ StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is.
+
+## More Providers
+
+These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers.
+
+### Solo software como servicio (ScuS)
+
+!!!
recomendación
+
+ ![Tutanota logo](assets/img/email/tutanota.svg){ align=right }
+
+ **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan.
+
+ [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609)
+ - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases)
+ - [:simple-windows11: Windows](https://tutanota.com/#download)
+ - [:simple-apple: macOS](https://tutanota.com/#download)
+ - [:simple-linux: Linux](https://tutanota.com/#download)
+ - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+
+Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders.
+
+???
success "Custom Domains and Aliases"
+
+ Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain.
+
+??? warning "Private Payment Methods"
+
+ Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore.
+
+??? success "Account Security"
+
+ Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F.
+
+??? success "Data Security"
+
+ Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you.
+
+??? warning "Email Encryption"
+
+ Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external).
+
+??? warning "Digital Legacy"
+
+ Tutanota doesn't offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay.
+
+??? check "Aplicaciones móviles"
+
+ Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount.
+ + Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. 
They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign.
+
+Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider.
+
+### AnonAddy
+
+!!! recomendación
+
+ ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right }
+ ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right }
+
+ **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous.
+
+ [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app)
+ - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe)
+
+The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.
+
+Notable free features:
+
+- [x] 20 Shared Aliases
+- [x] Unlimited Standard Aliases
+- [ ] No Outgoing Replies
+- [x] 2 Recipient Mailboxes
+- [x] Automatic PGP Encryption
+
+### SimpleLogin
+
+!!! recomendación
+
+ ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right }
+
+ **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains.
+
+ [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858)
+ - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff)
+ - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017)
+
+SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf).
+
+You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free.
+
+Notable free features:
+
+- [x] 10 Shared Aliases
+- [x] Unlimited Replies
+- [x] 1 Recipient Mailbox
+
+## Nuestro criterio
+
+Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable.
+
+### Combined software solutions
+
+!!!
recomendación
+
+ ![Mailcow logo](assets/img/email/mailcow.svg){ align=right }
+
+ **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support.
+
+ [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute }
+
+!!! recomendación
+
+ ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right }
+
+ **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server.
+
+ [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" }
+
+For a more manual approach we've picked out these two articles:
+
+- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019)
+- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017)
+
+## Criteria
+
+**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more.
We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you.
+
+### Tecnología
+
+We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require.
+
+**Mejor caso:**
+
+- Encrypts email account data at rest with zero-access encryption.
+- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard.
+- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy.
+- Operates on owned infrastructure, i.e. not built upon third-party email service providers.
+
+**Best Case:**
+
+- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption.
+- Integrated webmail E2EE/PGP encryption provided as a convenience.
+- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com`
+- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
+- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
+- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
+- Catch-all or alias functionality for those who own their own domains.
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
+
+### Privacidad
+
+We prefer our recommended providers to collect as little data as possible.
+
+**Mejor caso:**
+
+- Protect sender's IP address. Filter it from showing in the `Received` header field.
+- Don't require personally identifiable information (PII) besides a username and a password.
+- Privacy policy that meets the requirements defined by the GDPR
+- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/).
+
+**Best Case:**
+
+- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
+
+### Seguridad
+
+Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members.
+
+**Mejor caso:**
+
+- Protection of webmail with 2FA, such as TOTP.
+- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
+- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
+- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption.
+- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
+- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
+- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
+- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
+- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/).
+- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
+- Website security standards such as:
+ - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+ - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
+- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt.
+
+**Best Case:**
+
+- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name).
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support.
+- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
+- Programas de recompensa de errores y/o un proceso coordinado de divulgación de vulnerabilidades.
+- Website security standards such as:
+ - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
+ - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
+
+### Confianza
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Mejor caso:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Informes de transparencia frecuentes.
+
+### Marketing
+
+With the email providers we recommend we like to see responsible marketing.
+
+**Mejor caso:**
+
+- Debe tener análisis propios (no Google Analytics, etc.). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
+- Garantizar la protección del anonimato al 100%. Cuando alguien afirma que algo es 100% significa que no hay certeza de fracaso. Sabemos que la gente puede desanonimizarse fácilmente de varias maneras, por ejemplo:
+
+- Reusing personal information e.g.
(email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc)
+- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+
+**Best Case:**
+
+- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
+
+### Funcionalidades adicionales
+
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/encryption.md b/i18n/es/encryption.md
new file mode 100644
index 00000000..a781ee90
--- /dev/null
+++ b/i18n/es/encryption.md
@@ -0,0 +1,358 @@
+---
+title: "Software de encriptación"
+icon: material/file-lock
+---
+
+El cifrado de los datos es la única forma de controlar quién puede acceder a ellos. Si actualmente no está utilizando software de encriptación para su disco duro, correos electrónicos o archivos, debería elegir una opción aquí.
+
+## Multi plataforma
+
+Las opciones enumeradas aquí son multiplataforma y excelentes para crear copias de seguridad cifradas de sus datos.
+
+### VeraCrypt
+
+!!! recomendación
+
+ ![Logotipo de VeraCrypt](assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
+
+ **VeraCrypt** es una utilidad freeware fuente disponible que se utiliza para el cifrado transparente. Le permite crear bóvedas que se almacenan en una unidad virtual, cuyo contenido está encriptado y sincronizado con su proveedor de almacenamiento en la nube.
+
+ [:octicons-home-16: Inicio](https://cryptomator.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Política de privacidad" }
+ [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentación}
+ [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="código fuente" }
+ [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribuir }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:simple-android: Android](https://cryptomator.org/android)
+ - [:simple-windows11: Windows](https://cryptomator.org/downloads)
+ - [:simple-apple: macOS](https://cryptomator.org/downloads)
+ - [:simple-linux: Linux](https://cryptomator.org/downloads)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+
+Cryptomator utiliza el cifrado AES-256 para cifrar tanto los archivos como los nombres de archivo. Cryptomator no puede cifrar metadatos como las marcas de tiempo de acceso, modificación y creación, ni el número y tamaño de los archivos y carpetas.
+
+Algunas bibliotecas criptográficas de Cryptomator han sido [auditadas](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) por Cure53. El alcance de las bibliotecas auditadas incluye: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) y [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). La auditoría no se extendió a [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), que es una biblioteca utilizada por Cryptomator para iOS.
+
+La documentación de Cryptomator detalla su intención [objetivo de seguridad](https://docs.cryptomator.org/en/latest/security/security-target/), [arquitectura de seguridad](https://docs.cryptomator.org/en/latest/security/architecture/), y [mejores prácticas](https://docs.cryptomator.org/en/latest/security/best-practices/) para su uso con más detalle.
+
+### Picocrypt (Archivo)
+
+!!!
recomendación
+
+ ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right }
+
+ **Picocrypt** es una herramienta de cifrado pequeña y simple que proporciona un cifrado moderno. Picocrypt utiliza el cifrado seguro XChaCha20 y la función de derivación de clave Argon2id para proporcionar un alto nivel de seguridad. Utiliza los módulos x/crypto estándar de Go para sus funciones de cifrado.
+
+ [:octicons-repo-16: Repositorio](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Código fuente" }
+ [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribuir }
+
+ ??? descargas
+
+ - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases)
+
+### VeraCrypt (Disco)
+
+!!! recomendación
+
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
+
+ **VeraCrypt** es una utilidad de software gratuito con el código fuente disponible que se utiliza para el cifrado sobre la marcha. Puede crear un disco cifrado virtual dentro de un archivo, cifrar una partición o cifrar todo el dispositivo de almacenamiento con autenticación previa al arranque.
+
+ [:octicons-home-16: Página principal](https://veracrypt.fr){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentación}
+ [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Código fuente" }
+ [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribuir }
+
+ ???
descargas
+
+ - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
+
+VeraCrypt es una bifurcación del proyecto TrueCrypt ya descontinuado. Según sus desarrolladores, se implementaron mejoras de seguridad y se abordaron los problemas planteados por la auditoría inicial del código TrueCrypt.
+
+Al cifrar con VeraCrypt, tiene la opción de seleccionar entre diferentes [funciones hash](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). Le sugerimos **únicamente** seleccionar [SHA-512](https://en.wikipedia.org/wiki/SHA-512) y seleccionar el [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) como cifrado de bloque.
+
+Truecrypt ha sido [auditado un buen número de veces](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), y VeraCrypt también ha sido [auditado de manera separada](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
+
+## Cifrado de disco completo del sistema operativo
+
+Los sistemas operativos modernos [FDE](https://en.wikipedia.org/wiki/Disk_encryption) y tendrán un[criptoprocesador seguro](https://en.wikipedia.org/wiki/Secure_cryptoprocessor).
+
+### BitLocker
+
+!!! recomendación
+
+ ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right }
+
+ **BitLocker** es la solución de cifrado de volumen completo incluida con Microsoft Windows. La razón principal por la que lo recomendamos, es por su [uso de TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), una empresa forense, ha escrito sobre ello en [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).
+
+ [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentación}
+
+BitLocker es [únicamente compatible](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) en las versiones Pro, Enterprise y Education de Windows. Se puede habilitar en las ediciones Home siempre que cumplan con los requisitos previos.
+
+??? ejemplo "Habilitación de BitLocker en Windows Home"
+
+ Para habilitar BitLocker en las ediciones "Home" de Windows, debe tener particiones formateadas con una [tabla de partición GUID](https://en.wikipedia.org/wiki/GUID_Partition_Table) y tener un módulo TPM (v1.2, 2.0+) dedicado.
+
+ 1. Abra un símbolo del sistema y verifique el formato de la tabla de particiones de su unidad con el siguiente comando. Debería ver "**GPT**" listado bajo "Partition Style":
+
+ ```
+ powershell Get-Disk
+ ```
+
+ 2. Ejecute este comando (en un símbolo del sistema con derechos de administración) para verificar su versión de TPM. Debería ver `2.0` o `1.2` junto a `SpecVersion`:
+
+ ```
+ powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm
+ ```
+
+ 3. Acceda a [Opciones avanzadas de inicio](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). Debe reiniciar mientras pulsa la tecla F8 antes de que se inicie Windows y entrar en el símbolo del sistema ** en **Solucionar problemas** → **Opciones avanzadas** → **Símbolo del sistema**.
+
+ 4. Inicie sesión con su cuenta de administrador y escriba esto en el símbolo del sistema para iniciar el cifrado:
+
+ ```
+ manage-bde -on c: -used
+ ```
+
+ 5. Cierre el símbolo del sistema y continúe con el arranque normal de Windows.
+
+ 6.
Open an admin command prompt and run the following commands:
+
+ ```
+ manage-bde c: -protectors -add -rp -tpm
+ manage-bde -protectors -enable c:
+ manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
+ ```
+
+ !!! tip
+
+ Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. La pérdida de este código de recuperación puede resultar en la pérdida de datos.
+
+### FileVault
+
+!!! recomendación
+
+ ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right }
+
+ **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip.
+
+ [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation}
+
+We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery.
+
+### Linux Unified Key Setup
+
+!!! recomendación
+
+ ![LUKS logo](assets/img/encryption-software/luks.png){ align=right }
+
+ **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.
+
+ [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" }
+
+???
example "Creating and opening encrypted containers"
+
+ ```
+ dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
+ sudo cryptsetup luksFormat /path-to-file
+ ```
+
+
+ #### Opening encrypted containers
+ We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface.
+ ```
+ udisksctl loop-setup -f /path-to-file
+ udisksctl unlock -b /dev/loop0
+ ```
+
+!!! note "Remember to back up volume headers"
+
+ We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. Esto se puede hacer con:
+
+ ```
+ cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
+ ```
+
+## Browser-based
+
+Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device.
+
+### hat.sh
+
+!!! recomendación
+
+ ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right }
+ ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
+
+ **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies.
+
+ [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" }
+
+## Command-line
+
+Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script).
+
+### Kryptor
+
+!!! recomendación
+
+ ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right }
+
+ **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG.
+
+ [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.kryptor.co.uk)
+ - [:simple-apple: macOS](https://www.kryptor.co.uk)
+ - [:simple-linux: Linux](https://www.kryptor.co.uk)
+
+### Tomb
+
+!!! recomendación
+
+ ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right }
+
+ **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work).
+
+ [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute }
+
+## OpenPGP
+
+OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.
+
+When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
+
+!!! tip "Use future defaults when generating a key"
+
+ When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/):
+
+ ```bash
+ gpg --quick-gen-key alice@example.com future-default
+ ```
+
+### GNU Privacy Guard
+
+!!! recomendación
+
+ ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right }
+
+ **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP.
GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government.
+
+ [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+ - [:simple-apple: macOS](https://gpgtools.org)
+ - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary)
+
+### GPG4win
+
+!!! recomendación
+
+ ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right }
+
+ **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005.
+
+ [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+
+### GPG Suite
+
+!!! note
+
+ We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices.
+
+!!! recomendación
+
+ ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right }
+
+ **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS.
+
+ We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support.
+
+ [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-apple: macOS](https://gpgtools.org)
+
+### OpenKeychain
+
+!!! recomendación
+
+ ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right }
+
+ **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).
+
+ [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Cross-platform encryption apps must be open-source.
+- File encryption apps must support decryption on Linux, macOS, and Windows.
+- External disk encryption apps must support decryption on Linux, macOS, and Windows.
+- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category.
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave.
+- File encryption apps should have first- or third-party support for mobile platforms.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/file-sharing.md b/i18n/es/file-sharing.md
new file mode 100644
index 00000000..8ca0d147
--- /dev/null
+++ b/i18n/es/file-sharing.md
@@ -0,0 +1,148 @@
+---
+title: "Compartición y sincronización de archivos"
+icon: material/share-variant
+---
+
+Descubra cómo puede compartir de manera privada sus archivos entre sus dispositivos, con sus amigos y familia, o de manera anónima en línea.
+
+## Programas para compartir archivos
+
+### Enviar
+
+!!! recomendación
+
+ ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right }
+
+ **Send** es una bifurcación del programa Firefox Send (descontinuado por Mozilla), que permite enviar archivos a otras personas mediante un enlace. Los archivos son encriptados en su dispositivo, lo que no permite que sean leídos por el servidor y, opcionalmente, también pueden protegerse por una contraseña. El responsable de mantener Send ofrece una [instancia pública](https://send.vis.ee/). Puede usitlizar otras instancias públicas o puede hospedar Send usted mismo.
+
+ [:octicons-home-16: Página principal](https://send.vis.ee){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute }
+
+Send puede utilizarse a través de su interfaz web o mediante la herremienta de comandos [ffsend](https://github.com/timvisee/ffsend). Si usted es familiar con la línea de comandos y envía archivos frecuentemente, recomendamos utilizar el cliente CLI para evitar la encriptación basada en JavaScript. Usted puede especificar la bandera `--host` para utilizar un servidor en específico:
+
+```bash
+ffsend upload --host https://send.vis.ee/ FILE
+```
+
+### OnionShare
+
+!!! recomendación
+
+ ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right }
+
+ **OnionShare** es una herramienta de código abierto que permite compartir de manera segura y anónima un archivo de cualquier tamaño. Funciona iniciando un servidor web accesible como un servicio onion de Tor, con un enlace indescifrable que se puede compartir con los receptores para descargar o enviar archivos.
+
+ [:octicons-home-16: Página principal](https://onionshare.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" }
+
+ ??? descargas
+
+ - [:simple-windows11: Windows](https://onionshare.org/#download)
+ - [:simple-apple: macOS](https://onionshare.org/#download)
+ - [:simple-linux: Linux](https://onionshare.org/#download)
+
+### Criterios
+
+**Por favor, tome en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** En adición a [nuestros criterios estándares](about/criteria.md), hemos desarrollado un claro conjunto de requisitos para permitirnos brindar recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista antes de optar por utilizar un proyecto, y realizar su propia investigación para asegurarse que es la elección adecuada.
+
+!!! ejemplo "Esta sección es nueva"
+
+ Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna pregunta sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no consideramos algo al hacer nuestras recomendaciones, si no se encuentra listado aquí. Hay múltiples factores considerados y discutidos cuando recomendamos un proyecto, y documentar cada uno es un trabajo en progreso.
+
+- No debe almacenar información sin encriptar en un servidor remoto.
+- Debe ser un programa de código abierto.
+- Debe tener clientes para Linux, macOS y Winwos; o tener una interfaz web.
+
+## FreedomBox
+
+!!! recomendación
+
+ ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right }
+
+ **FreedomBox** es un sistema operativo diseñado para correr en una [computadora de placa única (SBC, por sus siglas en inglés)](https://en.wikipedia.org/wiki/Single-board_computer). El propósito es facilitar la configuración de aplicaciones que requieran un servidor y se puedan alojar por usted mismo.
+
+ [:octicons-home-16: Página principal](https://freedombox.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation}
+ [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute }
+
+## Sincronización de archivos
+
+### Nextcloud (Cliente-Servidor)
+
+!!! recomendación
+
+ ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right }
+
+ **Nextcloud** es un conjunto de programas gratuitos y de código abierto, para la creación de su propio servicio de almacenamiento de archivos en un servidor privado que usted controle.
+
+ [:octicons-home-16: Página principal](https://nextcloud.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute }
+
+ ??? descargas
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!! peligro
+
+ No recomendamos utilizar la [aplicación con cifrado de extremo a extremo](https://apps.nextcloud.com/apps/end_to_end_encryption) para Nextcloud, porque puede causar la pérdida de datos; esta es considerada como altamente experimental y no debe utilizarse en entornos de producción.
+
+### Syncthing (P2P)
+
+!!! recomendación
+
+ ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right }
+
+ **Syncthing** es una herramienta de sincronización continua de archivos peer-to-peer de código abierto. Es utilizada para sincronizar archivos entre dos o más dispositivos sobre la red local o el Internet. Syncthing no utiliza un servidor centralizado, este utiliza el [Protocolo de Intercambio de Bloques](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) para transferir los datos entre dispositivos. Todos los datos son encriptados utilizando TLS.
+
+ [:octicons-home-16: Página principal](https://syncthing.net){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute }
+
+ ??? descargas
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid)
+ - [:simple-windows11: Windows](https://syncthing.net/downloads/)
+ - [:simple-apple: macOS](https://syncthing.net/downloads/)
+ - [:simple-linux: Linux](https://syncthing.net/downloads/)
+ - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/)
+ - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/)
+ - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/)
+
+### Criterios
+
+**Por favor, tome en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** En adición a [nuestros criterios estándares](about/criteria.md), hemos desarrollado un claro conjunto de requisitos para permitirnos brindar recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista antes de optar por utilizar un proyecto, y realizar su propia investigación para asegurarse que es la elección adecuada.
+
+!!! ejemplo "Esta sección es nueva"
+
+ Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must not require a third-party remote/cloud server.
+- Must be open-source software.
+- Debe tener clientes para Linux, macOS y Winwos; o tener una interfaz web.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Has mobile clients for iOS and Android, which at least support document previews.
+- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/frontends.md b/i18n/es/frontends.md
new file mode 100644
index 00000000..2fe35509
--- /dev/null
+++ b/i18n/es/frontends.md
@@ -0,0 +1,268 @@
+---
+title: "Frontends"
+icon: material/flip-to-front
+---
+
+Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions.
+
+## Clientes
+
+### Librarian
+
+!!! recomendación
+
+ ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right }
+ ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right }
+
+ **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" }
+
+!!! warning
+
+ Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy.
+
+!!! tip
+
+ Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting.
+
+When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## Reddit
+
+### Nitter
+
+!!! recomendación
+
+ ![Nitter logo](assets/img/frontends/nitter.svg){ align=right }
+
+ **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute }
+
+!!! tip
+
+ Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter).
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting.
+
+When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## TikTok
+
+### ProxiTok
+
+!!! recomendación
+
+ ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right }
+
+ **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" }
+
+!!! tip
+
+ ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting.
+
+When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## Twitter
+
+### FreeTube
+
+!!! recomendación
+
+ ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right }
+
+ **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device.
+
+ By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments.
+
+ [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://freetubeapp.io/#download)
+ - [:simple-apple: macOS](https://freetubeapp.io/#download)
+ - [:simple-linux: Linux](https://freetubeapp.io/#download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube)
+
+!!! warning
+
+ When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Considere la posibilidad de utilizar un [VPN](vpn.md) o [Tor](https://www.torproject.org) si su [modelo de amenaza](basics/threat-modeling.md) requiere ocultar su dirección IP.
+
+### Yattee
+
+!!! recomendación
+
+ ![Yattee logo](assets/img/frontends/yattee.svg){ align=right }
+
+ **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device.
+
+ You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions.
+
+ [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629)
+ - [:simple-github: GitHub](https://github.com/yattee/yattee/releases)
+
+!!! warning
+
+ When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Considere la posibilidad de utilizar un [VPN](vpn.md) o [Tor](https://www.torproject.org) si su [modelo de amenaza](basics/threat-modeling.md) requiere ocultar su dirección IP.
+
+By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments.
+
+### LibreTube (Android)
+
+!!! recomendación
+
+ ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right }
+ ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right }
+
+ **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API.
+
+ LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well.
+
+ [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases)
+
+!!! warning
+
+ When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Considere la posibilidad de utilizar un [VPN](vpn.md) o [Tor](https://www.torproject.org) si su [modelo de amenaza](basics/threat-modeling.md) requiere ocultar su dirección IP.
+
+By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired.
+
+### NewPipe (Android)
+
+!!! recommendation
+
+ ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right }
+
+ **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1).
+
+ Your subscription list and playlists are saved locally on your Android device.
+
+ [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases)
+
+1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances**
+
+!!! Advertencia
+
+ When using NewPipe, your IP address will be visible to the video providers used. Considere la posibilidad de utilizar un [VPN](vpn.md) o [Tor](https://www.torproject.org) si su [modelo de amenaza](basics/threat-modeling.md) requiere ocultar su dirección IP.
+
+### Invidious
+
+!!! recomendación
+
+ ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right }
+ ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right }
+
+ **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute }
+
+!!! warning
+
+ Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL.
+
+!!! tip
+
+ Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting.
+
+When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+### Piped
+
+!!! recomendación
+
+ ![Piped logo](assets/img/frontends/piped.svg){ align=right }
+
+ **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable.
+
+ Piped requires JavaScript in order to function and there are a number of public instances.
+
+ [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute }
+
+!!! tip
+
+ Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting.
+
+When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Recommended frontends...
+
+- Must be open-source software.
+- Must be self-hostable.
+- Must provide all basic website functionality available to anonymous users.
+
+We only consider frontends for websites which are...
+
+- Not normally accessible without JavaScript.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/index.md b/i18n/es/index.md
new file mode 100644
index 00000000..ac41e0eb
--- /dev/null
+++ b/i18n/es/index.md
@@ -0,0 +1,44 @@
+---
+template: overrides/home.es.html
+hide:
+ - navigation
+ - toc
+ - feedback
+---
+
+
+## Why should I care?
+
+##### “I have nothing to hide. Why should I care about my privacy?”
+
+Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination).
+
+You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human.
+
+[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary}
+
+## What should I do?
+
+##### First, you need to make a plan
+
+Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them.
+
+==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
+
+[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary}
+
+---
+
+## We need you! Here's how to get involved:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" }
+[:material-information-outline:](about/index.md){ title="Learn more about us" }
+[:material-hand-coin-outline:](about/donate.md){ title="Support the project" }
+
+It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/kb-archive.md b/i18n/es/kb-archive.md
new file mode 100644
index 00000000..5667d7aa
--- /dev/null
+++ b/i18n/es/kb-archive.md
@@ -0,0 +1,18 @@
+---
+title: KB Archive
+icon: material/archive
+---
+
+# Pages Moved to Blog
+
+Some pages that used to be in our knowledge base can now be found on our blog:
+
+- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
+- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
+- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+- [Integrando Eliminación de Metadatos](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
+- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/meta/brand.md b/i18n/es/meta/brand.md
new file mode 100644
index 00000000..f2792cfd
--- /dev/null
+++ b/i18n/es/meta/brand.md
@@ -0,0 +1,24 @@
+---
+title: Lineamientos de marca
+---
+
+El nombre de la página es **Privacy Guides** y **no** debe ser cambiado a:
+
+
+- PrivacyGuides
+- Privacy guides
+- PG
+- PG.org
+
+
+El nombre del subreddit es **r/PrivacyGuides** o **el subreddit de Privacy Guides**.
+
+Lineamientos adicionales de marca pueden encontrarse en [github.com/privacyguides/brand](https://github.com/privacyguides/brand)
+
+## Marca registrada
+
+"Privacy Guides" y el logo del escudo son marcas registradas por Jonah Aragon, el uso ilimitado es otorgado al proyecto de Privacy Guides.
+
+Sin renuncias a ninguno de sus derechos, Privacy Guides no asesora a terceros sobre el alcance de sus derechos de propiedad intelectual. Privacy Guides no permite o autoriza el uso de ninguna de sus marcas de ninguna manera, donde es probable que se cause confusión al implicar la asociació o el patrocinio de Privacy Guides. Si tiene conocimiento de algún uso de este tipo, por favor contacte a Jonah Aragon en jonah@privacyguides.org. Consulte a su asesor jurídico si tiene preguntas.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/meta/git-recommendations.md b/i18n/es/meta/git-recommendations.md
new file mode 100644
index 00000000..b3fb0761
--- /dev/null
+++ b/i18n/es/meta/git-recommendations.md
@@ -0,0 +1,48 @@
+---
+title: Git Recommendations
+---
+
+If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations.
+
+## Enable SSH Key Commit Signing
+
+You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
+
+1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo):
+ ```
+ git config --global commit.gpgsign true
+ git config --global gpg.format ssh
+ git config --global tag.gpgSign true
+ ```
+2. Copy your SSH public key to your clipboard, for example:
+ ```
+ pbcopy < ~/.ssh/id_ed25519.pub
+ # Copies the contents of the id_ed25519.pub file to your clipboard
+ ```
+3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard:
+ ```
+ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'
+ ```
+
+Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key).
+
+## Rebase on Git pull
+
+Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo).
+
+You can set this to be the default behavior:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase from `main` before submitting a PR
+
+If you are working on your own branch, run these commands before submitting a PR:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/meta/uploading-images.md b/i18n/es/meta/uploading-images.md
new file mode 100644
index 00000000..85ba5477
--- /dev/null
+++ b/i18n/es/meta/uploading-images.md
@@ -0,0 +1,91 @@
+---
+title: Uploading Images
+---
+
+Here are a couple of general rules for contributing to Privacy Guides:
+
+## Images
+
+- We **prefer** SVG images, but if those do not exist we can use PNG images
+
+Company logos have canvas size of:
+
+- 128x128px
+- 384x128px
+
+## Optimization
+
+### PNG
+
+Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image:
+
+```bash
+optipng -o7 file.png
+```
+
+### SVG
+
+#### Inkscape
+
+[Scour](https://github.com/scour-project/scour) all SVG images.
+
+In Inkscape:
+
+1. File Save As..
+2. Set type to Optimized SVG (*.svg)
+
+In the **Options** tab:
+
+- **Number of significant digits for coordinates** > **5**
+- [x] Turn on **Shorten color values**
+- [x] Turn on **Convert CSS attributes to XML attributes**
+- [x] Turn on **Collapse groups**
+- [x] Turn on **Create groups for similar attributes**
+- [ ] Turn off **Keep editor data**
+- [ ] Turn off **Keep unreferenced definitions**
+- [x] Turn on **Work around renderer bugs**
+
+In the **SVG Output** tab under **Document options**:
+
+- [ ] Turn off **Remove the XML declaration**
+- [x] Turn on **Remove metadata**
+- [x] Turn on **Remove comments**
+- [x] Turn on **Embeded raster images**
+- [x] Turn on **Enable viewboxing**
+
+In the **SVG Output** under **Pretty-printing**:
+
+- [ ] Turn off **Format output with line-breaks and indentation**
+- **Indentation characters** > Select **Space**
+- **Depth of indentation** > **1**
+- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element**
+
+In the **IDs** tab:
+
+- [x] Turn on **Remove unused IDs**
+- [ ] Turn off **Shorten IDs**
+- **Prefix shortened IDs with** > `leave blank`
+- [x] Turn on **Preserve manually created IDs not ending with digits**
+- **Preserve the following IDs** > `leave blank`
+- **Preserve IDs starting with** > `leave blank`
+
+#### CLI
+
+The same can be achieved with the [Scour](https://github.com/scour-project/scour) command:
+
+```bash
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/meta/writing-style.md b/i18n/es/meta/writing-style.md
new file mode 100644
index 00000000..c0fe9160
--- /dev/null
+++ b/i18n/es/meta/writing-style.md
@@ -0,0 +1,89 @@
+---
+title: Writing Style
+---
+
+Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt.
+
+In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below.
+
+## Writing for our audience
+
+Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with.
+
+### Address only what people want to know
+
+People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details.
+
+> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.”
+
+### Address people directly
+
+We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly.
+
+> More than any other single technique, using “you” pulls users into the information and makes it relevant to them.
+>
+> When you use “you” to address users, they are more likely to understand what their responsibility is.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/)
+
+### Avoid "users"
+
+Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for.
+
+## Organizing content
+
+Organization is key.
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas.
+
+- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages.
+- Mark important ideas with **bold** or *italics*.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
+
+### Begin with a topic sentence
+
+> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details.
+>
+> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
+
+## Choose your words carefully
+
+> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand.
+
+We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly.
+
+> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences:
+>
+> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends.
+>
+> And the original, using stronger, simpler words:
+>
+> > More night jobs would keep youths off the streets.
+
+## Be concise
+
+> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
+
+## Keep text conversational
+
+> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting.
+>
+> Verbs tell your audience what to do. Make sure it’s clear who does what.
+
+### Use active voice
+
+> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.”
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
+
+### Use "must" for requirements
+
+> - “must” for an obligation
+> - “must not” for a prohibition
+> - “may” for a discretionary action
+> - “should” for a recommendation
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/mobile-browsers.md b/i18n/es/mobile-browsers.md
new file mode 100644
index 00000000..5e8d66a4
--- /dev/null
+++ b/i18n/es/mobile-browsers.md
@@ -0,0 +1,192 @@
+---
+title: "Navegadores Móviles"
+icon: material/cellphone-information
+---
+
+Estos son nuestros navegadores web para móviles y configuraciones recomendadas actualmente para la navegación estándar/no anónima por Internet. Si necesitas navegar por Internet de forma anónima, deberías utilizar [Tor](tor.md) . En general, recomendamos mantener las extensiones al mínimo; tienen acceso privilegiado dentro de su navegador, requieren que confíe en el desarrollador, pueden hacerte [destacar](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), y [debilitar el aislamiento del sitio](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ).
+
+## Android
+
+En Android, Firefox es incluso menos seguro que las alternativas basadas en Chromium: El motor de Mozilla, [GeckoView](https://mozilla.github.io/geckoview/), aún no soporta el aislamiento de sitios [](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) ni habilita [ProcesoAislado](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
+
+### Brave
+
+!!! recomendación
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ??? notas de descarga
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+
+#### Firefox
+
+Tor Browser is the only way to truly browse the internet anonymously. Cuando uses Brave, te recomendamos cambiar la siguiente configuración para proteger tu privacidad de ciertas partes, pero todos los navegadores que no sean [el navegador Tor](tor.md#tor-browser) serán rastreables por *alguien* en algún sentido u otro.
+
+Estas opciones se pueden encontrar en :material-menu: → **Configuración** → **Protecciones y privacidad de Brave**
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+##### Brave shields global defaults
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+
+- [x] Selecciona **Agresivo** en Bloquear rastreadores y anuncios
+
+??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] (Opcional) Selecciona **Bloquear Scripts** (1)
+- [x] Selecciona **Estricto, puede dañar los sitios** en Bloquear fingerprint
+
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### IPFS
+
+- [x] Selecciona **Borrar datos al salir**
+
+##### Bloqueo de redes sociales
+
+- [ ] Uncheck all social media components
+
+##### Otros ajustes de privacidad
+
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Allow sites to check if you have payment methods saved**
+- [ ] Uncheck **IPFS Gateway** (1)
+- [x] Select **Close tabs on exit**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+
+1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+
+
+#### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## iOS
+
+On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser.
+
+### Safari
+
+!!! recomendación
+
+ ![Safari logo](assets/img/browsers/safari.svg){ align=right }
+
+ **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
+
+ [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation}
+
+#### Firefox
+
+These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.
+
+##### Cross-Site Tracking Prevention
+
+- [x] Enable **Prevent Cross-Site Tracking**
+
+This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
+
+##### Privacy Report
+
+Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
+
+Privacy Report is accessible via the Page Settings menu.
+
+##### Privacy Preserving Ad Measurement
+
+- [ ] Disable **Privacy Preserving Ad Measurement**
+
+Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
+
+The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
+
+##### Always-on Private Browsing
+
+Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
+
+- [x] Select **Private**
+
+Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
+
+Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
+
+##### iCloud Sync
+
+Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303).
Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
+
+You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**.
+
+- [x] Turn On **Advanced Data Protection**
+
+If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
+
+### AdGuard
+
+!!! recomendación
+
+ ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right }
+
+ **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
+
+ AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge.
+
+ [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations.
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must support automatic updates.
+- Must receive engine updates in 0-1 days from upstream release.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Android browsers must use the Chromium engine.
+ - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android.
+ - iOS browsers are limited to WebKit.
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/multi-factor-authentication.md b/i18n/es/multi-factor-authentication.md
new file mode 100644
index 00000000..31173e9f
--- /dev/null
+++ b/i18n/es/multi-factor-authentication.md
@@ -0,0 +1,149 @@
+---
+title: "Autenticación de múltiples factores"
+icon: 'material/two-factor-authentication'
+---
+
+## Llaves de Seguridad
+
+### YubiKey
+
+!!! recomendación
+
+ ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
+
+ Las **YubiKeys** están entre las llaves de seguridad más populares. Algunos modelos de YubiKey tienen un gran rango de caracteristicas como: [2ndo Factor Universal (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 WebAuthn](https://es.wikipedia.org/wiki/WebAuthn), [Yubico OTP](https://developers.yubico.com/OTP/), [PIV](https://en.wikipedia.org/wiki/FIPS_201), [OpenPGP](https://developers.yubico.com/PGP/) y autenticación [TOTP and HOTP](https://developers.yubico.com/OATH/).
+
+ Una de las ventajas de la YubiKey es que una llave puede hacer casi todo (YubiKey 5), se podría esperar de una llave de seguridad. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.
+
+ [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation}
+
+La [tabla de comparación](https://www.yubico.com/store/compare/) muestra las características y cómo se comparan las YubiKeys. Le recomendamos que seleccione las llaves de las Series YubiKey 5.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+!!! !!! warning
+ The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+### Nitrokey / Librem Key
+
+!!! recomendación
+
+ ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
+
+ **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+ [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation}
+
+The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager.
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
+
+!!! warning
+
+ While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead.
+
+!!! warning
+
+ Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html).
+
+ The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes.
+
+Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
+
+!!! tip
+
+ The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app).
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!!
example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.
+
+## Aplicaciones de Autenticación
+
+Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
+
+We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
+
+### Aegis Authenticator (Android)
+
+!!! recomendación
+
+ ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right }
+
+ **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services.
+
+ [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
+ - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
+ - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases)
+
+### Raivo OTP (iOS)
+
+!!! recomendación
+
+ ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right }
+
+ **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app.
+
+ [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open-source software.
+- Must not require internet connectivity.
+- Must not sync to a third-party cloud sync/backup service.
+ - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/news-aggregators.md b/i18n/es/news-aggregators.md
new file mode 100644
index 00000000..99dd93c4
--- /dev/null
+++ b/i18n/es/news-aggregators.md
@@ -0,0 +1,178 @@
+---
+title: "News Aggregators"
+icon: octicons/rss-24
+---
+
+Un [agregador de noticias](https://es.wikipedia.org/wiki/Agregador) es una forma de mantenerse al día con sus blogs y sitios de noticias favoritos.
+
+## Clientes agregadores
+
+### Fluent Reader
+
+!!! recomendación
+
+ ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right }
+
+ **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. [Visita hyliu.me](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } [Política de Privacidad](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .md-button }
+
+ **Descargas**
+ - [:fontawesome-brands-windows: Windows](https://hyliu.me/fluent-reader)
+ - [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/app/id1520907427)
+ - [:fontawesome-brands-github: Código Fuente](https://github.com/yang991178/fluent-reader.git)
+
+ [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation}
+ [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator)
+
+### GNOME Feeds
+
+!!! recomendación
+
+ ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right }
+
+ **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds.
It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+
+ [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play)
+
+### Akregator
+
+!!! recomendación
+
+ ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right }
+
+ **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md).
+
+ [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://hyliu.me/fluent-reader)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427)
+
+### Handy News Reader
+
+!!!
recomendación
+
+ ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right }
+
+ **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast.
+
+ [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds)
+
+### NetNewsWire
+
+!!! recomendación
+
+ ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right }
+ ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right }
+
+ **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+
+ [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute }
+
+### Miniflux
+
+!!! recomendación
+
+ ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right }
+
+ **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds.
+
+ [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210)
+ - [:simple-apple: macOS](https://netnewswire.com)
+
+### Newsboat
+
+!!! recomendación
+
+ ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right }
+
+ **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell).
+
+ [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" }
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change.
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open-source software.
+- Must operate locally, i.e. must not be a cloud service.
+
+## Social Media RSS Support
+
+Some social media services also support RSS although it's not often advertised.
+
+### Youtube
+
+Reddit allows you to subscribe to subreddits via RSS.
+
+!!! example
+ Replace `subreddit_name` with the subreddit you wish to subscribe to.
+
+ ```text
+ https://www.reddit.com/r/{{ subreddit_name }}/new/.rss
+ ```
+
+### Reddit
+
+Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS.
+
+!!! example
+ 1. Pick an instance and set `nitter_instance`.
+ 2. Replace `twitter_account` with the account name.
+
+ ```text
+ https://{{ nitter_instance }}/{{ twitter_account }}/rss
+ ```
+
+### Twitter
+
+You can subscribe YouTube channels without logging in and associating usage information with your Google Account.
+
+!!! example
+
+ https://www.reddit.com/r/{{ subreddit_name }}/new/.rss
+ ```text
+ https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID]
+ ```
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/notebooks.md b/i18n/es/notebooks.md
new file mode 100644
index 00000000..e7ddd271
--- /dev/null
+++ b/i18n/es/notebooks.md
@@ -0,0 +1,119 @@
+---
+title: "Bloc de Notas"
+icon: material/notebook-edit-outline
+---
+
+Mantén el control de tus notas y diarios sin darlos a un tercero.
+
+Si actualmente utilizas una aplicación como Evernote, Google Keep o Microsoft OneNote, te sugerimos que elijas aquí una alternativa que soporte [Cifrado de extremo a extremo (E2EE)](https://es.wikipedia.org/wiki/Cifrado_de_extremo_a_extremo).
+
+## Basado en la nube
+
+### Joplin
+
+!!! recomendación
+
+ ![Logotipo de Joplin](/assets/img/notebooks/joplin.svg){ align=right }
+
+ **Joplin** es una aplicación gratuita, de código abierto y con todas las funciones para tomar notas y hacer tareas, que puede manejar un gran número de notas markdown organizadas en cuadernos y etiquetas. Ofrece encriptación de extremo a extremo y puede sincronizar a través de Nextcloud, Dropbox y más. También ofrece una fácil importación desde Evernote y notas en texto plano.
+
+ [Visita joplinapp.org](https://joplinapp.org/){ .md-button .md-button--primary }
+
+ **Descargas**
+ - [:fontawesome-brands-windows: Windows](https://joplinapp.org/#desktop-applications)
+ - [:fontawesome-brands-apple: macOS](https://joplinapp.org/#desktop-applications)
+ - [:fontawesome-brands-linux: Linux](https://joplinapp.org/#desktop-applications)
+ - [:fontawesome-brands-firefox-browser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/)
+ - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjfek)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/es/packages/net.cozic.joplin)
+ - [:fontawesome-brands-android: Android](https://joplinapp.org/#mobile-applications)
+ - [:fontawesome-brands-github: GitHub](https://github.com/laurent22/joplin) downloads
+
+ - [:simple-googleplay: Google
Play](https://play.google.com/store/apps/details?id=net.cozic.joplin)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797)
+ - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases)
+ - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications)
+ - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications)
+ - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek)
+
+Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key.
+
+### Standard Notes
+
+!!! recomendación
+
+ Nota: A partir de diciembre de 2018, Joplin no admite la protección con contraseña/pin para la propia aplicación o las notas/cuadernos individuales. Los datos se siguen encriptando en tránsito y en la ubicación de sincronización utilizando su clave maestra. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf).
+
+ [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450)
+ - [:simple-github: GitHub](https://github.com/standardnotes/app/releases)
+ - [:simple-windows11: Windows](https://standardnotes.com)
+ - [:simple-apple: macOS](https://standardnotes.com)
+ - [:simple-linux: Linux](https://standardnotes.com)
+ - [:octicons-globe-16: Web](https://app.standardnotes.com/)
+
+### Cryptee
+
+!!! recomendación
+
+ ![Logotipo de Standard Notes](/assets/img/notebooks/standard-notes.svg){ align=right }
+
+ Standard Notes es una aplicación de notas simple y privada que hace que tus notas sean fáciles y estén disponibles dondequiera que estés. Cuenta con cifrado de extremo a extremo en todas las plataformas y una potente experiencia de escritorio con temas y editores personalizados.
+
+ También ha sido [auditada de forma independiente (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). [Visita standardnotes.org](https://standardnotes.org/){ .md-button .md-button--primary }
+
+ **Descargas**
+ - [:fontawesome-brands-windows: Windows](https://standardnotes.org/#get-started)
+ - [:fontawesome-brands-apple: macOS](https://standardnotes.org/#get-started)
+ - [:fontawesome-brands-linux: Linux](https://standardnotes.org/#get-started)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes)
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1285392450)
+ - [:octicons-browser-16: Navegador](https://app.standardnotes.org/)
+ - [:fontawesome-brands-github: GitHub](https://github.com/standardnotes)
+
+Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information.
+
+## Dignos de mención
+
+### Org-mode
+
+!!!
recomendación
+
+ ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right }
+
+ **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools.
+
+ [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute }
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Clients must be open-source.
+- Any cloud sync functionality must be E2EE.
+- Must support exporting documents into a standard format.
+
+### Best Case
+
+- Local backup/sync functionality should support encryption.
+- Cloud-based platforms should support document sharing.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/os/android-overview.md b/i18n/es/os/android-overview.md
new file mode 100644
index 00000000..ef74b455
--- /dev/null
+++ b/i18n/es/os/android-overview.md
@@ -0,0 +1,135 @@
+---
+title: Visión general de Android
+icon: fontawesome/brands/android
+---
+
+Android es un sistema operativo seguro el cuál tiene [aislamiento de las aplicaciones](https://source.android.com/security/app-sandbox), [arranque verificado](https://source.android.com/security/verifiedboot) (AVB), y un robusto sistema de control de [permisos](https://developer.android.com/guide/topics/permissions/overview).
+
+## Elegir una distribución de Android
+
+Cuando compras un celular Android, el sistema operativo por defecto suele venir con una integración invasiva con aplicaciones y servicios que no son parte del [Android Open Source Project](https://source.android.com/). Un ejemplo de ello son los servicios de Google Play, el cual tiene permisos irrevocables a tus archivos, almacenamiento de contactos, registros de llamadas, mensajes SMS, ubicación, cámara, micrófono, identificadores de hardware, etc. Estas aplicaciones y servicios aumentan la superficie de ataque de tu dispositivo y son la fuente de varios problemas de privacidad en Android.
+
+Este problema puede ser solucionado al usar una distribución modificada de Android la cual no contenga tal integración invasiva. Desafortunadamente, varias distribuciones modificadas de Android suelen violar el modelo de seguridad de Android al no soportar características críticas de seguridad como el AVB, protección de reversión, actualizaciones del firmware, etc. Algunas distribuciones también incluyen compilaciones [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) las cuales exponen root vía [ADB](https://developer.android.com/studio/command-line/adb) y requieren políticas [más permisivas](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) de SELinux para acomodar las características de depuración, lo que resulta en una superficie de ataque aún más grande y un modelo de seguridad debilitado.
+
+Idealmente, cuando escojas una distribución de Android, deberías asegurarte de que mantenga el modelo de seguridad de Android. Al menos, la distribución debería tener compilaciones de producción, soporte para AVB, protección de reversión, actualizaciones oportunas del firmware y el sistema operativo, y tener a SELinux en [modo de cumplimiento](https://source.android.com/security/selinux/concepts#enforcement_levels). Todas nuestras distribuciones recomendadas para Android cumplen con estos criterios.
+
+[Nuestras recomendaciones del sistema Android :material-arrow-right:](../android.md ""){.md-button}
+
+## Evita el Rooting
+
+Hacer [Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) en celulares Android puede debilitar la seguridad significativamente debido que debilita el [modelo completo de seguridad de Android](https://es.wikipedia.org/wiki/Android#Seguridad,_privacidad_y_vigilancia). Esto puede debilitar la privacidad en caso de que haya un exploit que sea asistido por la seguridad debilitada. Los métodos de rooteo más comunes involucran la manipulación directa de la partición de arranque, haciendo que sea imposible realizar con éxito el arranque verificado. Las aplicaciones que requieren root también modificarán la partición del sistema, lo que significa que el arranque verificado tendría que permanecer deshabilitado. Tener el root expuesto directamente en la interfaz del usuario también incrementa la [superficie de ataque](https://en.wikipedia.org/wiki/Attack_surface) de tu dispositivo y puede asistir en la [escalada de privilegios](https://es.wikipedia.org/wiki/Escalada_de_privilegios) de vulnerabilidades y omisiones de la política de SELinux.
+
+Los bloqueadores de anuncios que modifican el [archivo hosts](https://es.wikipedia.org/wiki/Archivo_hosts) (AdAway) y los cortafuegos (AFWall+) que requieren acceso root persistente son peligrosos y no deberían ser usados. Tampoco son la forma correcta de resolver sus propósitos.
Para el bloqueo de anuncios sugerimos usar soluciones de bloqueo de servidor como un [DNS](../dns.md) encriptado o una [VPN](../vpn.md) en su lugar. RethinkDNS, TrackerControl y AdAway en modo no raíz ocuparán la ranura VPN (mediante el uso de una VPN de bucle local) que le impide utilizar servicios de mejora de la privacidad como Orbot o un servidor VPN real.
+
+AFWall+ funciona basado en el enfoque del [filtrado de paquetes](https://es.wikipedia.org/wiki/Cortafuegos_(inform%C3%A1tica)#Primera_generaci%C3%B3n_%E2%80%93_cortafuegos_de_red:_filtrado_de_paquetes) el cual puede ser omitido en algunas situaciones.
+
+No creemos que los sacrificios de seguridad realizados al rootear un teléfono merezcan la pena por los cuestionables beneficios de privacidad de esas aplicaciones.
+
+## Arranque verificado
+
+El [arranque verificado](https://source.android.com/security/verifiedboot) es una parte importante del modelo de seguridad de Android. Proviene de protección contra ataques [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack), persistencia del malware, y se asegura que las actualizaciones de seguridad no puedan ser desactualizadas gracias a la [protección de reversión](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
+
+Android 10 y superior se han alejado del cifrado de disco completo por un cifrado más flexible [basado en archivos](https://source.android.com/security/encryption/file-based). Tus datos se encriptan utilizando claves de encriptación únicas, y los archivos del sistema operativo se dejan sin encriptar.
+
+El arranque verificado garantiza la integridad de los archivos del sistema operativo, evitando así que un adversario con acceso físico pueda manipular o instalar malware en el dispositivo.
En el improbable caso de que el malware pueda explotar otras partes del sistema y obtener un acceso privilegiado más alto, el arranque verificado evitará y revertirá los cambios en la partición del sistema al reiniciar el dispositivo.
+
+Desgraciadamente, los fabricantes de equipos originales (OEM) solo están obligados a dar soporte al arranque verificado en su distribución de Android de serie. Solo unos pocos fabricantes de equipos originales, como Google, admiten la inscripción de claves AVB modificadas en sus dispositivos. Además, algunos derivados de AOSP como LineageOS o /e/ OS no admiten arranque verificado, incluso en hardware con soporte de arranque verificado para sistemas operativos de terceros. Nosotros recomendamos que compruebe la compatibilidad **antes** de comprar un nuevo dispositivo. Los derivados de AOSP que no soportan el arranque verificado **no son** recomendados.
+
+Muchos OEMs también han roto la implementación del Arranque Verificado que tienes que conocer más allá de su marketing. Por ejemplo, los Fairphone 3 y 4 no son seguros por defecto, ya que el [bootloader de serie confía en la clave de firma pública AVB](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). Esto rompe el arranque verificado en un dispositivo Fairphone de fábrica, ya que el sistema arrancará sistemas operativos Android alternativos como (como /e/) [sin ninguna advertencia](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) sobre el uso del sistema operativo personalizado.
+
+## Actualizaciones de firmware
+
+Las actualizaciones de firmware son fundamentales para mantener la seguridad y, sin ellas, tu dispositivo no puede ser seguro. Los fabricantes de equipos originales tienen acuerdos de asistencia con sus socios para proporcionar los componentes de código cerrado durante un periodo de asistencia limitado.
Estos se detallan en los [boletines de seguridad mensuales de Android](https://source.android.com/security/bulletin).
+
+Dado que los componentes del teléfono, como el procesador y las tecnologías de radio, dependen de componentes de código cerrado, las actualizaciones deben ser proporcionadas por los respectivos fabricantes. Por lo tanto, es importante que compres un dispositivo dentro de un ciclo de soporte activo. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) y [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) dan soporte a sus dispositivos por un período de 4 años, mientras que los productos más baratos suelen tener un ciclo de soporte más corto. Con la introducción del [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google ahora hace su propio SoC y van a ofrecer un mínimo de 5 años de soporte.
+
+Los dispositivos EOL que ya no son compatibles con el fabricante del SoC no pueden recibir actualizaciones de firmware de los proveedores OEM o de los distribuidores Android posteriores al mercado. Esto significa que los problemas de seguridad con esos dispositivos permanecerán sin solucionar.
+
+Fairphone, por ejemplo, comercializa sus dispositivos con 6 años de soporte. Sin embargo, el SoC (Qualcomm Snapdragon 750G en el Fairphone 4) tiene una fecha de caducidad considerablemente más corta. Esto significa que las actualizaciones de seguridad de firmware de Qualcomm para el Fairphone 4 terminarán en septiembre de 2023, independientemente de que Fairphone siga publicando actualizaciones de seguridad de software.
+
+## Versiones de Android
+
+Es importante no usar una versión de Android al [final de su vida útil](https://endoflife.date/android). Las versiones más recientes de Android no solo reciben actualizaciones de seguridad para el sistema operativo, sino también actualizaciones importantes para mejorar la privacidad.
Por ejemplo, [antes de Android 10](https://developer.android.com/about/versions/10/privacy/changes), cualquier aplicación con el permiso [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) podía acceder a números de serie únicos y sensibles como el [IMEI](https://es.wikipedia.org/wiki/IMEI), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), el [IMSI](https://es.wikipedia.org/wiki/IMSI) de tu tarjeta SIM, mientras que ahora deben ser aplicaciones del sistema para poder hacerlo. Las aplicaciones del sistema sólo las proporciona el OEM o la distribución de Android.
+
+## Permisos de Android
+
+Los [permisos en Android](https://developer.android.com/guide/topics/permissions/overview) te dan control sobre que pueden acceder las aplicaciones. Google regularmente hace [mejoras](https://developer.android.com/about/versions/11/privacy/permissions) en el sistema de permisos en cada versión sucesiva. Todas las aplicaciones que instales están estrictamente [aisladas](https://source.android.com/security/app-sandbox), por lo que no es necesario instalar ninguna aplicación de antivirus. Un smartphone con la última versión de Android siempre será más seguro que un smartphone antiguo con un antivirus que hayas pagado. Es mejor no pagar por un antivirus y ahorrar para comprar un nuevo smartphone como un Google Pixel.
+
+Si quieres ejecutar una aplicación sobre la que no estás seguro, considera usar un perfil de usuario o de trabajo.
+
+## Acceso a medios
+
+Unas cuantas aplicaciones te permiten "compartir" un archivo con ellos para la carga de medios. Si quieres, por ejemplo, tuitear una foto a Twitter, no le des acceso a tus "medios y fotos", porque entonces tendrá acceso a todas tus fotos. En su lugar, ve a tu gestor de archivos (documentsUI), mantén la imagen y compártela en Twitter.
+
+## Perfiles de usuario
+
+Los perfiles de usuario múltiples pueden ser encontrados en **Ajustes** → **Sistema** → **Usuarios múltiples** y son la manera más simple de aislar en Android.
+
+Con los perfiles de usuario, puedes imponer restricciones a un perfil específico, como: realizar llamadas, usar SMS o instalar aplicaciones en el dispositivo. Cada perfil se cifra con su propia clave de cifrado y no puede acceder a los datos de ningún otro perfil. Incluso el propietario del dispositivo no puede ver los datos de otros perfiles sin conocer su contraseña. Los perfiles de usuario múltiples son un método más seguro de aislamiento.
+
+## Perfil de trabajo
+
+Los [perfiles de trabajo](https://support.google.com/work/android/answer/6191949) son otra manera de aislar aplicaciones individuales y pueden ser más convenientes que usar perfiles de usuario separados.
+
+Se requiere una aplicación de **controlador de dispositivo** como [Shelter](#recommended-apps) para crear un perfil de trabajo sin una MDM empresarial, a menos que estés utilizando un sistema operativo Android personalizado que incluya uno.
+
+El perfil de trabajo depende de un controlador de dispositivo para funcionar. Características como el *transbordador de archivos* y el *bloqueo de búsqueda de contactos* o cualquier tipo de característica de aislamiento debe ser implementada por el controlador. También debes confiar plenamente en la aplicación del controlador del dispositivo, ya que tiene acceso completo a tus datos dentro del perfil de trabajo.
+
+Este método es generalmente menos seguro que un perfil de usuario secundario; sin embargo, le permite la comodidad de ejecutar aplicaciones tanto en el trabajo y perfiles personales simultáneamente.
+
+## "Killswitch" de un VPN
+
+Android 7 y superiores soportan un VPN killswitch y está disponible sin necesidad de instalar aplicaciones de terceros. Esta función puede evitar fugas si la VPN está desconectada.
Se puede encontrar en :gear: **Ajustes** → **Red e internet** → **VPN** → :gear: → **Bloquear conexiones sin VPN**.
+
+## Cambios globales
+
+Los dispositivos Android modernos tienen interruptores globales para desactivar los servicios de Bluetooth y de localización. Android 12 introdujo interruptores para la cámara y el micrófono. Cuando no estén en uso, recomendamos desactivar estas funciones. Las aplicaciones no pueden usar las funciones desactivadas (incluso si se les concede un permiso individual) hasta que se reactiven.
+
+## Google
+
+Si está utilizando un dispositivo con servicios de Google, ya sea su sistema operativo de stock o un sistema operativo que utiliza Google Play Services de forma segura como GrapheneOS, hay una serie de cambios adicionales que puede realizar para mejorar su privacidad. Seguimos recomendando evitar los servicios de Google por completo, o limitar los servicios de Google Play a un perfil específico de usuario/trabajo combinando un controlador de dispositivo como *Shelter* con Google Play aislado de GrapheneOS.
+
+### Programa de Protección Avanzada
+
+Si tienes una cuenta de Google sugerimos que te inscribas en el [Programa de protección avanzada](https://landing.google.com/advancedprotection/). Está disponible sin costo a cualquiera que tenga dos o más llaves de seguridad de hardware con soporte para [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online).
+
+El Programa de protección avanzada proporciona una supervisión de amenazas mejorada y permite:
+
+- Autenticación de dos factores más estricta; por ejemplo: que [FIDO](/security/multi-factor-authentication/#fido-fast-identity-online) **deba** ser usado y restringe el uso de [SMS OTPs](/security/multi-factor-authentication/#sms-or-email-mfa), [TOTP](/security/multi-factor-authentication.md#time-based-one-time-password-totp), y [OAuth](https://en.wikipedia.org/wiki/OAuth)
+- Solo las aplicaciones de Google y de terceros verificadas pueden acceder a los datos de la cuenta
+- Escaneo de correos electrónicos inminentes en las cuentas de Gmail contra los intentos de [phishing](https://es.wikipedia.org/wiki/Phishing#T%C3%A9cnicas_de_phishing)
+- Más estricto [escaneo seguro del navegador](https://www.google.com/chrome/privacy/whitepaper.html#malware) con Google Chrome
+- Proceso de recuperación más estricto para cuentas con credenciales perdidas
+
+ Si no usas los servicios de Google Play aislados (común en los sistemas operativos por defecto), el programa de protección avanzada también viene con [beneficios adicionales](https://support.google.com/accounts/answer/9764949?hl=en) como:
+
+- No permitir la instalación de aplicaciones fuera de la Google Play Store, la tienda de aplicaciones del proveedor del sistema operativo, o vía [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)
+- Escaneo automático obligatorio con [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
+- Advertencia sobre aplicaciones no verificadas
+
+### Actualizaciones del sistema de Google Play
+
+En el pasado, las actualizaciones de seguridad de Android tenían que ser enviadas por el proveedor del sistema operativo.
Android se ha vuelto más modular a partir de Android 10, y Google puede impulsar las actualizaciones de seguridad para **algunos** componentes del sistema vía los servicios de Google Play privilegiados. + +Si tienes un dispositivo EOL (end-of-life) incluido con Android 10 o superior y no puedes ejecutar ninguno de nuestros sistemas operativos recomendados en tu dispositivo, es probable que te resulte mejor seguir con tu instalación de Android OEM (a diferencia de un sistema operativo que no aparece aquí, como LineageOS o /e/ OS). Esto te permitirá recibir **algunos** arreglos de seguridad de Google, mientras que no viola el modelo de seguridad de Android al usar un derivado de Android inseguro y aumentando tu superficie de ataque. Aún así, te recomendamos que actualices a un dispositivo compatible lo antes posible. + +### ID de publicidad + +Todos los dispositivos con los servicios de Google Play instalados automáticamente generan un [ID de publicidad](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) usado para la publicidad dirigida. Deshabilite esta función para limitar los datos recopilados sobre usted. + +En las distribuciones de Android con los [servicios de Google Play aislados](https://grapheneos.org/usage#sandboxed-google-play), ve a :gear: **Ajustes** → **Aplicaciones** → **Google Play aislado** → **Ajustes de Google** → **Anuncios**, y selecciona *Eliminar el ID de publicidad*. + +En las distribuciones de Android con servicios privilegiados de Google Play (como los sistemas operativos de serie), la configuración puede estar en una de varias ubicaciones. Revisa + +- :gear: **Ajustes** → **Google** → **Anuncios** +- :gear: **Ajustes** → **Privacidad** → **Anuncios** + +Te van a dar la opción de eliminar tu ID de publicidad o *Optar por no recibir anuncios basados en intereses*, esto varía según la distribución OEM de Android. Si se presenta la opción de eliminar el ID de publicidad eso sería lo ideal. 
Si no es así, asegúrate de optar por no participar y restablecer tu ID de publicidad. + +### SafetyNet y Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) y el [Play Integrity APIs](https://developer.android.com/google/play/integrity) son generalmente usados para [aplicaciones bancarias](https://grapheneos.org/usage#banking-apps). Muchas aplicaciones bancarias funcionarán bien en GrapheneOS con los servicios de Google Play aislados, sin embargo, algunas aplicaciones no financieras tienen sus propios mecanismos anti-manipulación que pueden fallar. GrapheneOS pasa con éxito el chequeo `basicIntegrity`, pero no el check de certificación `ctsProfileMatch`. Los dispositivos con Android 8 o posterior tienen soporte de certificación de hardware que no se puede omitir sin claves filtradas o vulnerabilidades graves. + +En cuanto a Google Wallet, no lo recomendamos debido a su [política de privacidad](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), la cual dicta que debes optar por excluirte si no quieres que tu calificación crediticia y tu información personal sea compartido con los servicios de marketing afiliados. + +--8<-- "includes/abbreviations.es.txt" diff --git a/i18n/es/os/linux-overview.md b/i18n/es/os/linux-overview.md new file mode 100644 index 00000000..775c0de0 --- /dev/null +++ b/i18n/es/os/linux-overview.md 
@@ -0,0 +1,143 @@
+---
+title: Vista general de Linux
+icon: simple/linux
+---
+
+Es una creencia popular que los programas de [código abierto](https://en.wikipedia.org/wiki/Open-source_software) son seguros porque su código fuente está disponible. Siempre hay una expectativa de que la verificación comunitaria sucede regularmente; sin embargo, [este no siempre es el caso](https://seirdy.one/posts/2022/02/02/floss-security/). Esto depende de varios factores, como la actividad del proyecto, la experiencia del desarrollador, el nivel de rigor aplicado a las [revisiones de código](https://en.wikipedia.org/wiki/Code_review) y con qué frecuencia se le brinda atención a ciertas partes del [código base](https://en.wikipedia.org/wiki/Codebase), que pueden no ser modificados en años.
+
+De momento, Linux de escritorio tiene algunas áreas que pueden ser mejoradas al ser comparadas con sus contrapartes propietarias, por ejemplo:
+
+- Una cadena verificada de inicio, como el [Inicio Seguro](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) de Apple (con el [enclave seguro](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), el [Arranque Verificado](https://source.android.com/security/verifiedboot) de Android, el [Arranque Verificado](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot) de ChromeOS, o el [proceso de inicio](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) de Windows con [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). Estas características y tecnologías de hardware pueden ayudar a prevenir la manipulación persistente ocasionada por algún malware o [ataque de 'evil-maid'](https://en.wikipedia.org/wiki/Evil_Maid_attack).
+- Una fuerte solución de aislamiento como la que se encuentra en [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md) y [Android](https://source.android.com/security/app-sandbox). Las soluciones de aislamiento utilizadas comúnmente de Linux como [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) y [Firejail](https://firejail.wordpress.com/), aún tienen mucho por recorrer.
+- Fuertes [mitigaciones de vulnerabilidades](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations).
+
+A pesar de estos inconvenientes, las distribuciones Linux de escritorio son geniales si quieres:
+
+- Evitar la telemetría que, regularmente, viene con los sistemas operativos propietarios.
+- Mantener la ['libertad del software'](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms).
+- Tener sistemas enfocados en la privacidad como [Whonix](https://www.whonix.org) o [Tails](https://tails.boum.org/).
+
+Nuestra página generalmente utiliza el término "Linux" para describir las distribuciones Linux de escritorio. Otros sistemas operativos que también utilizan el kernel de Linux como ChromeOS, Android y Qubes OS no se discuten aquí.
+
+[Nuestras recomendaciones de Linux: :material-arrow-right-drop-circle:](../desktop.md ""){.md-button}
+
+## Elegir tu distribución
+
+No todas las distribuciones Linux son iguales. Mientras nuestra página con recomendaciones de Linux no fue creada para ser una fuente autorizada para decidir cuál distribución debes utilizar, hay algunos aspectos que debes considerar al elegir cuál distribución usar.
+
+### Ciclo de lanzamiento
+
+Recomendamos encarecidamente que elijas las distribuciones que permanecen cerca a los lanzamientos estables, comúnmente denominadas como distribuciones de lanzamiento continuo.
Esto se debe a que las distribuciones de lanzamiento de ciclo congelado, normalmente no actualizan las versiones de sus paquetes y se encuentran detrás en actualizaciones de seguridad.
+
+Para las distribuciones congeladas como [Debian](https://www.debian.org/security/faq#handling), se espera que los encargados de mantener los paquetes adapten los parches para corregir vulnerabilidades, en lugar de actualizar el software a la "siguiente versión" lanzada por el desarrollador original. Algunos arreglos de seguridad [no](https://arxiv.org/abs/2105.14565) reciben un [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (programas de menor popularidad) del todo y no llegan a la distribución con este modelo de parches. Por ello, a veces las correcciones de seguridad son pospuestas hasta la siguiente versión importante.
+
+No creemos que retener paquetes y aplicar los parches provisionales sea una buena idea, porque se aleja de la forma en que el desarrollador se pudo asegurar que el software funcione. [Richard Brown](https://rootco.de/aboutme/) tiene una presentación sobre esto:
+
+
+
+
+
+### Actualizaciones tradicionales vs. Atómicas
+
+Tradicionalmente, las distribuciones de Linux se actualizan secuencialmente, actualizando los paquetes deseados. Las actualizaciones tradicionales, como las utilizadas en las distribuciones basadas en Fedora, Arch Linux y Debian, son menos confiables, si un error se produce al actualizar.
+
+Las distribuciones de actualizaciones Atómicas, aplican las actualizaciones en su totalidad o no del todo. Normalmente, los sistemas de actualización transaccional también son atómicos.
+
+Un sistema de actualización transaccional crea una instantánea que se realiza antes y después de haber aplicado una actualización. Si una actualización falla en cualquier momento (debido a situaciones como fallas de electricidad), la actualización puede revertirse fácilmente al "último estado bueno conocido".
+
+El método de actualizaciones Atómicas es utilizado para distribuciones inmutables como Silverblue, Tumbleweed y NixOS, y puede obtener confiabilidad con este modelo. [Adam Šamalik](https://twitter.com/adsamalik) brinda una presentación sobre cómo `rpm-ostree` funciona con Silverblue:
+
+
+
+
+
+### Distribuciones "enfocadas en la seguridad"
+
+A menudo existe cierta confusión entre las distribuciones "enfocadas en la privacidad" y las distribuciones "pentesting". Una búsqueda rápida para "la distribución más segura de Linux" suele arrojar resultados como Kali Linux, Black Arch y Parrot OS. Estas distribuciones son distribuciones de pruebas de penetración ofensivas que incluyen herramientas para probar otros sistemas. Estas no incluyen ninguna "seguridad adicional" o mitigaciones defensivas destinadas a un uso regular.
+
+### Arch-based distributions
+
+Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.
+
+For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit).
+
+Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/).
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.
+
+If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically:
+
+- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories.
+- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks.
+
+### Kicksecure
+
+While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.
+
+### Linux-libre kernel and “Libre” distributions
+
+We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons.
+
+## Recomendaciones generales
+
+### Drive Encryption
+
+Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
+
+- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+
+### Swap
+
+Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM).
+
+### Wayland
+
+We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland.
+
+Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
+
+We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
+
+### Proprietary Firmware (Microcode Updates)
+
+Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html).
+
+We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default.
+
+### Updates
+
+Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found.
+
+Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates.
+
+Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd).
+
+## Privacy Tweaks
+
+### MAC Address Randomization
+
+Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings.
+
+It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous.
+
+We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/).
+
+If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=).
+
+There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware.
+
+### Other Identifiers
+
+There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md):
+
+- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings.
+- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
+- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id).
+
+### System Counting
+
+The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary.
+
+This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer.
+
+openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/os/qubes-overview.md b/i18n/es/os/qubes-overview.md
new file mode 100644
index 00000000..a580e999
--- /dev/null
+++ b/i18n/es/os/qubes-overview.md
@@ -0,0 +1,56 @@
+---
+title: "Qubes Overview"
+icon: pg/qubes-os
+---
+
+[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/).
+
+## How does Qubes OS work?
+
+Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines.
+
+![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png)
+
Qubes Architecture, Credit: What is Qubes OS Intro
+
+Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser.
+
+![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png)
+
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. 
+ +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Recursos Adicionales + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) + +--8<-- "includes/abbreviations.es.txt" diff --git a/i18n/es/passwords.md b/i18n/es/passwords.md new file mode 100644 index 00000000..34937ec0 --- /dev/null +++ b/i18n/es/passwords.md 
@@ -0,0 +1,241 @@
+---
+title: "Password Managers"
+icon: material/form-textbox-password
+---
+
+Manténgase seguro y protegido en línea con un gestor de contraseñas cifrado y de código abierto.
+
+[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md)
+
+!!! info
+
+ ![Logotipo de KeepassXC](assets/img/password-management/keepassxc.svg){ align=right }
+
+ **KeePassXC** es una bifurcación mantenida por la comunidad de KeePassX, un puerto nativo multiplataforma de KeePass Password Safe, con el objetivo de extenderlo y mejorarlo con nuevas características y correcciones de errores para proporcionar un gestor de contraseñas de código abierto con varias características, totalmente multiplataforma y moderno. [Visita keepassxc.org](https://keepassxc.org){ .md-button .md-button--primary } [Política de Privacidad](https://keepassxc.org/privacy){ .md-button }
+
+ **Descargas**
+ - [:fontawesome-brands-windows: Windows](https://keepassxc.org/download/#windows)
+ - [:fontawesome-brands-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:fontawesome-brands-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+ - [:fontawesome-brands-github: Código Fuente](https://github.com/keepassxreboot/keepassxc)
+
+ For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default.
+
+## Basado en la nube
+
+These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss.
+
+### KeepassXC
+
+!!! recomendación
+
+ ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right }
+
+ **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices.
+
+ [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744)
+ - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases)
+ - [:simple-windows11: Windows](https://bitwarden.com/download)
+ - [:simple-linux: Linux](https://bitwarden.com/download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh)
+
+Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end
encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan).
+
+You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing.
+
+Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server.
+
+**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code.
+
+[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation}
+[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute }
+
+### KeepassDX
+
+!!! recomendación
+
+ ![1Password logo](assets/img/password-management/1password.svg){ align=right }
+
+ **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support.
1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf).
+
+ [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8)
+ - [:simple-windows11: Windows](https://1password.com/downloads/windows/)
+ - [:simple-apple: macOS](https://1password.com/downloads/mac/)
+ - [:simple-linux: Linux](https://1password.com/downloads/linux/)
+
+Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality.
+
+Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data.
+
+One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate.
+
+### Bitwarden
+
+!!! recomendación
+
+ ![Logotipo de Joplin](/assets/img/password-management/bitwarden.svg){ align=right }
+
+ **Bitwarden** es un gestor de contraseñas gratuito y de código abierto. Su objetivo es resolver los problemas de gestión de contraseñas para individuos, equipos y organizaciones empresariales. Bitwarden es una de las soluciones más fáciles y seguras para almacenar todas sus contraseñas e inicios de sesión manteniéndolos convenientemente sincronizados entre todos sus dispositivos.
+
+ [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo)
+ - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client)
+
+Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features.
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations.
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must utilize strong, standards-based/modern E2EE.
+- Must have thoroughly documented encryption and security practices.
+- Must have a published audit from a reputable, independent third-party.
+- All non-essential telemetry must be optional.
+- Must not collect more PII than is necessary for billing purposes.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Telemetry should be opt-in (disabled by default) or not collected at all.
+- Should be open-source and reasonably self-hostable.
+
+## Gestores de Contraseñas Locales
+
+These options allow you to manage an encrypted password database locally.
+
+### Vaultwarden
+
+!!! recomendación
+
+ ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right }
+
+ **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager.
+
+ [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually.
+
+### KeePassDX (Android)
+
+!!! recomendación
+
+ ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right }
+
+ **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development.
+
+ [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free)
+ - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases)
+
+### Strongbox (iOS & macOS)
+
+!!! recomendación
+
+ ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right }
+
+ **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license.
+
+ [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731)
+
+Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface.
+
+### Command-line
+
+These products are minimal password managers that can be used within scripting applications.
+
+#### gopass
+
+!!! recomendación
+
+ ![gopass logo](assets/img/password-management/gopass.svg){ align=right }
+
+ **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows).
+
+ [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows)
+ - [:simple-apple: macOS](https://www.gopass.pw/#install-macos)
+ - [:simple-linux: Linux](https://www.gopass.pw/#install-linux)
+ - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change.
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be cross-platform.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/productivity.md b/i18n/es/productivity.md
new file mode 100644
index 00000000..4192af63
--- /dev/null
+++ b/i18n/es/productivity.md
@@ -0,0 +1,156 @@
+---
+title: "Productivity Tools"
+icon: material/file-sign
+---
+
+Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints.
+
+## Collaboration Platforms
+
+### Nextcloud
+
+!!! recomendación
+
+ ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right }
+
+ **Nextcloud** es un conjunto de programas gratuitos y de código abierto, para la creación de su propio servicio de almacenamiento de archivos en un servidor privado que usted controle.
+
+ [:octicons-home-16: Página principal](https://nextcloud.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute }
+
+ ??? descargas
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!! peligro
+
+ No recomendamos utilizar la [aplicación con cifrado de extremo a extremo](https://apps.nextcloud.com/apps/end_to_end_encryption) para Nextcloud, porque puede causar la pérdida de datos; esta es considerada como altamente experimental y no debe utilizarse en entornos de producción.
For this reason, we don't recommend third-party Nextcloud providers.
+
+### CryptPad
+
+!!! recomendación
+
+ ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right }
+
+ **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily.
+
+ [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute }
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive.
+
+- Open-source.
+- Makes files accessible via WebDAV unless it is impossible due to E2EE.
+- Has sync clients for Linux, macOS, and Windows.
+- Supports document and spreadsheet editing.
+- Supports real-time document collaboration.
+- Supports exporting documents to standard document formats (e.g. ODF).
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should store files in a conventional filesystem.
+- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins.
+
+## Office Suites
+
+### LibreOffice
+
+!!! recomendación
+
+ ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right }
+
+ **LibreOffice** is a free and open-source office suite with extensive functionality.
+
+ [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/)
+ - [:simple-apple: macOS](https://www.libreoffice.org/download/download/)
+ - [:simple-linux: Linux](https://www.libreoffice.org/download/download/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/)
+
+### OnlyOffice
+
+!!! recomendación
+
+ ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right }
+
+ **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud.
+
+ [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972)
+ - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs.
+
+- Must be cross-platform.
+- Must be open-source software.
+- Must function offline.
+- Must support editing documents, spreadsheets, and slideshows.
+- Must export files to standard document formats.
+
+## Paste services
+
+### PrivateBin
+
+!!!
recomendación
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/).
+
+ [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" }
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/real-time-communication.md b/i18n/es/real-time-communication.md
new file mode 100644
index 00000000..cc0eb879
--- /dev/null
+++ b/i18n/es/real-time-communication.md
@@ -0,0 +1,212 @@
+---
+title: "Comunicación en tiempo real"
+icon: material/chat-processing
+---
+
+Estas son nuestras recomendaciones para la comunicación cifrada en tiempo real.
+
+[Tipos de redes de comunicación :material-arrow-right-drop-circle:](./advanced/communication-network-types.md)
+
+## Mensajeros multiplataforma
+
+These messengers are great for securing your sensitive communications.
+
+### Signal
+
+!!! recomendación
+
+ ![Logotipo de Signal](assets/img/messengers/signal.svg){ align=right }
+
+ **Signal** es una aplicación móvil desarrollada por Signal Messenger LLC. La aplicación ofrece mensajería instantánea, así como llamadas de voz y vídeo.
+
+ Todas las comunicaciones son E2EE. Las listas de contactos se encriptan con tu PIN de Signal y el servidor no tiene acceso a ellas. Los perfiles personales también están encriptados y sólo se comparten con los contactos con los que chateas.
+
+ [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669)
+ - [:simple-android: Android](https://signal.org/android/apk/)
+ - [:simple-windows11: Windows](https://signal.org/download/windows)
+ - [:simple-apple: macOS](https://signal.org/download/macos)
+ - [:simple-linux: Linux](https://signal.org/download/linux)
+
+El protocolo fue [auditado](https://eprint.iacr.org/2016/1013.pdf) de forma independiente en 2016. 
La especificación del protocolo Signal puede encontrarse en su [documentación](https://signal.org/docs/). Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier.
+
+The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
+
+We have some additional tips on configuring and hardening your Signal installation:
+
+[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+
+### SimpleX Chat
+
+!!! recomendación
+
+ ![Logotipo de Element](assets/img/messengers/element.svg){ align=right }
+
+ **Element** es el cliente de referencia para el protocolo [Matrix](https://matrix.org/docs/guides/introduction), un [estándar abierto](https://matrix.org/docs/spec) para la comunicación segura descentralizada en tiempo real. Los mensajes y los archivos compartidos en las salas privadas (las que requieren una invitación) son por defecto E2EE, al igual que las llamadas de voz y vídeo uno a uno.
+
+ [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" }
+
+ ??? 
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067)
+ - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases)
+ - [:simple-windows11: Windows](https://element.io/get-started)
+ - [:simple-apple: macOS](https://element.io/get-started)
+ - [:simple-linux: Linux](https://element.io/get-started)
+ - [:octicons-globe-16: Web](https://app.element.io)
+
+SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022.
+
+Currently SimpleX Chat only provides a client for Android and iOS. La especificación del protocolo Matrix puede encontrarse en su [documentación](https://spec.matrix.org/latest/). El trinquete criptográfico [Olm](https://matrix.org/docs/projects/other/olm) utilizado por Matrix es una implementación del
+
+algoritmo de doble trinquete de Signal.

+
+Your data can be exported, and imported onto another device, as there are no central servers where this is backed up.
+
+
+
+### Briar
+
+!!! recomendación
+
+ ![Logotipo de Session](assets/img/messengers/session.svg){ align=right }
+
+ **Session** es un mensajero descentralizado con un foco en las comunicaciones privadas, seguras y anónimas. Session soporta los mensajes directos, chats de grupo y llamadas de voz. Session utiliza la red descentralizada [Oxen Service Node Network](https://oxen.io/) para almacenar y enrutar los mensajes.
+
+ Cada mensaje encriptado pasa por tres nodos de una red llamada "Red de Nodos de Servicio Oxen", lo que hace prácticamente imposible que los nodos recopilen información significativa sobre quienes utilizan la red. downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android)
+ - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/)
+ - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar)
+
+
+To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby.
+
+The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited.
+
+Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec).
+
+Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol.
+
+
+
+## Otros mensajeros
+
+!!! 
warning
+
+ These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Briar también puede conectarse a través de Wi-Fi o Bluetooth cuando está cerca.
+
+
+
+
+### Element
+
+!!! recomendación
+
+ ![Element logo](assets/img/messengers/element.svg){ align=right }
+
+ **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication.
+
+ Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls.
+
+ [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067)
+ - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases)
+ - [:simple-windows11: Windows](https://element.io/get-started)
+ - [:simple-apple: macOS](https://element.io/get-started)
+ - [:simple-linux: Linux](https://element.io/get-started)
+ - [:octicons-globe-16: Web](https://app.element.io)
+
+
+Briar tiene una [especificación publicada](https://code.briarproject.org/briar/briar-spec) completamente. 
+
+Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings.
+
+The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history.
+
+The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/).
+
+
+
+### Session
+
+!!! recomendación
+
+ ![Session logo](assets/img/messengers/session.svg){ align=right }
+
+ **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls.
+
+ Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. 
+
+ [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868)
+ - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases)
+ - [:simple-windows11: Windows](https://getsession.org/download)
+ - [:simple-apple: macOS](https://getsession.org/download)
+ - [:simple-linux: Linux](https://getsession.org/download)
+
+
+Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design.
+
+Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information.
+
+Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.”
+
+Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol.
+
+
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. 
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+
+- Must have open-source clients.
+- Must use E2EE for private messages by default.
+- Must support E2EE for all messages.
+- Must have been independently audited.
+
+
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should have Perfect Forward Secrecy.
+- Should have open-source servers.
+- Should be decentralized, i.e. federated or P2P.
+- Should use E2EE for all messages by default.
+- Should support Linux, macOS, Windows, Android, and iOS.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/router.md b/i18n/es/router.md
new file mode 100644
index 00000000..57288b8d
--- /dev/null
+++ b/i18n/es/router.md
@@ -0,0 +1,51 @@
+---
+title: "Firmware del Router"
+icon: material/router-wireless
+---
+
+A continuación se presentan algunos sistemas operativos alternativos, que pueden utilizarse en routers, puntos de acceso Wi-Fi, etc.
+
+## OpenWrt
+
+!!! recomendación
+
+ ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right }
+ ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right }
+
+ **OpenWrt** es un sistema operativo basado en Linux; se utiliza principalmente en dispositivos integrados para enrutar el tráfico de red. Incluye util-linux, uClibc, y BusyBox. Todos los componentes han sido optimizados para routers domésticos.
+
+ [:octicons-home-16: Inicio](https://openwrt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentación}
+ [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Código Fuente }
+ [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribuir }
+
+Puedes consultar [ la tabla de hardware](https://openwrt.org/toh/start) de OpenWrt para comprobar si tu dispositivo es compatible.
+
+## OPNsense
+
+!!! recomendación
+
+ ![pfSense logo](assets/img/router/opnsense.svg){ align=right }
+
+ **OPNsense** es una plataforma de enrutamiento y cortafuegos de código abierto basada en FreeBSD que incorpora muchas características avanzadas, como la conformación del tráfico, el equilibrio de carga y las capacidades de VPN, con muchas más características disponibles en forma de plugins. OPNsense se implementa habitualmente como cortafuegos perimetral, router, punto de acceso inalámbrico, servidor DHCP, servidor DNS y punto final VPN. 
+
+ [:octicons-home-16: Inicio](https://opnsense.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentación}
+ [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Código Fuente" }
+ [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribuir }
+
+OPNsense se desarrolló originalmente como una bifurcación de [pfSense](https://en.wikipedia.org/wiki/PfSense), y ambos proyectos destacan por ser distribuciones de cortafuegos libres y fiables que ofrecen características que a menudo sólo se encuentran en los costosos cortafuegos comerciales. Lanzado en 2015, los desarrolladores de OPNsense [citaron a](https://docs.opnsense.org/history/thefork.html) una serie de problemas de seguridad y de calidad del código de pfSense que consideraban que necesitaba una bifurcación del proyecto, así como preocupaciones por la adquisición mayoritaria de pfSense por parte de Netgate y la futura dirección del proyecto pfSense.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Debe ser de código abierto. 
+- Debe recibir actualizaciones de manera periódica.
+- Debe ser compatible con una amplia variedad de hardware.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/search-engines.md b/i18n/es/search-engines.md
new file mode 100644
index 00000000..2091e801
--- /dev/null
+++ b/i18n/es/search-engines.md
@@ -0,0 +1,105 @@
+---
+title: "Motores de Búsqueda"
+icon: material/search-web
+---
+
+Utilice un motor de búsqueda que no construya un perfil publicitario basado en sus búsquedas.
+
+Las recomendaciones aquí se basan en los méritos de la política de privacidad de cada servicio. No hay **garantías** de que estas políticas de privacidad se respetan.
+
+Considera usar un [VPN](/vpn) o [Tor](https://www.torproject.org/) si tu modelo de amenaza requiere ocultar tu dirección IP al proveedor de búsquedas.
+
+## Brave Search
+
+!!! recomendación
+
+ ![Logotipo de DuckDuckGo](/assets/img/search-engines/duckduckgo.svg){ align=right }
+
+ **DuckDuckGo** es un popular motor de búsqueda y es el predeterminado para el Navegador Tor. DuckDuckGo utiliza una API comercial de Bing y [otras fuentes](https://help.duckduckgo.com/results/sources) para proporcionar sus datos de búsqueda.
+
+ [Visita duckduckgo.com](https://duckduckgo.com){ .md-button .md-button--primary } [:pg-tor:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .md-button } [Política de privacidad](https://duckduckgo.com/privacy){ .md-button }
+
+ We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings.
+
+ [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation}
+
+Brave Search is based in the United States. note IP addresses are temporarily processed, but are not retained.
+
+## DuckDuckGo
+
+!!! recomendación
+
+ DuckDuckGo está basado en 🇺🇸 USA. 
Su [Política de Privacidad](https://duckduckgo.com/privacy) indica que sí registran tus consultas de búsqueda, pero no tu IP o cualquier otra identificable. The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results.
+
+ DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser.
+
+ [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation}
+
+DuckDuckGo is based in the United States. recommendation
+
+DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. note These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version.
+
+## SearXNG
+
+!!! recomendación
+
+ ![Logotipo de Startpage](/assets/img/search-engines/startpage.svg){ align=right }
+
+ **Startpage** es un motor de búsqueda que ofrece resultados de búsqueda de Google. Es una forma muy cómoda de obtener resultados de búsqueda en Google sin experimentar patrones oscuros como los difíciles captchas o que te denieguen el acceso porque has utilizado un [VPN](/vpn) o [Tor](https://www.torproject.org/download/). 
+
+ [Visita startpage.com](https://www.startpage.com){ .md-button .md-button--primary } [Política de privacidad](https://www.startpage.com/en/privacy-policy){ .md-button }
+
+SearXNG is a proxy between you and the search engines it aggregates from. recommendation
+
+When self-hosting, it is important that you have other people using your instance so that the queries would blend in. note
+
+When you are using a SearXNG instance, be sure to go read their privacy policy. recommendation Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII.
+
+## Startpage
+
+!!! recomendación
+
+ ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right }
+ ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right }
+
+ **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead.
+
+ [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation}
+
+!!! warning
+
+ Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. 
[DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider.
+
+Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information.
+
+Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must not collect personally identifiable information per their privacy policy. 
+- Must not allow users to create an account with them.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be based on open-source software.
+- Should not block Tor exit node IP addresses.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/tools.md b/i18n/es/tools.md
new file mode 100644
index 00000000..fee0caf5
--- /dev/null
+++ b/i18n/es/tools.md
@@ -0,0 +1,458 @@
+---
+title: "Herramientas de Privacidad"
+icon: material/tools
+hide:
+ - toc
+---
+
+Si está buscando una solución específica para algo, estas son las herramientas de hardware y software que recomendamos en una variedad de categorías. Nuestras herramientas de privacidad recomendadas se eligen principalmente en función de sus características de seguridad, con un énfasis adicional en las herramientas descentralizadas y de código abierto. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs.
+
+If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community!
+
+For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page.
+
+## Navegadores Web
+
+
+
+- ![Logotipo del Navegador Tor](assets/img/browsers/tor.svg){ .twemoji } [Navegador Tor](https://www.torproject.org/)
+- ![Logotipo de Firefox](assets/img/browsers/firefox.svg){ .twemoji } [Firefox (Escritorio)](https://firefox.com/)
+- ![Logotipo de Bromite](assets/img/browsers/bromite.svg){ .twemoji } [Bromite (Android)](https://www.bromite.org/)
+- ![Logotipo de Safari](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](https://www.apple.com/safari/)
+
+
+
+1. Snowflake no aumenta la privacidad, sin embargo, te permite contribuir fácilmente a la red Tor y ayudar a que la gente en redes censuradas consiga una mejor privacidad.
+
+[Aprender más :material-arrow-right:](tor.md)
+
+## Sistemas Operativos
+
+
+
+- ![Logotipo de uBlock Origin](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](https://github.com/gorhill/uBlock)
+- ![Logotipo de AdGuard](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard para Safari](https://adguard.com/es/adguard-safari/overview.html)
+- ![Logotipo de ToS;DR](assets/img/browsers/terms_of_service_didnt_read.svg){ .twemoji } [Terms of Service; Didn't Read](https://tosdr.org/) (1)
+
+
+
+[Aprender más :material-arrow-right:](desktop-browsers.md)
+
+### Recursos Adicionales
+
+
+
+- ![Logotipo de GrapheneOS](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](https://grapheneos.org/)
+- ![Logotipo de CalyxOS](assets/img/android/calyxos.svg){ .twemoji } [CalyxOS](https://calyxos.org/)
+- ![Logotipo de DivestOS](assets/img/android/divestos.svg){ .twemoji } [DivestOS](https://divestos.org/)
+
+
+
+[Aprender más :material-arrow-right:](desktop-browsers.md#additional-resources)
+
+## Proveedores de Servicios
+
+
+
+- ![Logotipo de Droid-ify](assets/img/android/droid-ify.png){ .twemoji } [Droid-ify (Cliente de F-Droid)](https://github.com/Iamlooker/Droid-ify)
+- ![Logotipo de Orbot](assets/img/android/orbot.svg){ .twemoji } [Orbot (Proxy de Tor)](https://orbot.app/)
+- ![Logotipo de Shelter](assets/img/android/shelter.svg){ .twemoji } [Shelter (Perfiles de Trabajo)](https://gitea.angry.im/PeterCxy/Shelter)
+- ![Logotipo de Auditor](assets/img/android/auditor.svg#only-light){ .twemoji }!¡[Logotipo de GrapheneOS](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Dispositivos Compatibles)](https://attestation.app/)
+- ![Logotipo de Secure Camera](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Logotipo de Secure Camera](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](https://github.com/GrapheneOS/Camera)
+- ![Logotipo de Secure PDF Viewer](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![Logotipo de GrapheneOS](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](https://github.com/GrapheneOS/PdfViewer)
+- ![Logotipo de PrivacyBlur](assets/img/android/privacyblur.svg){ .twemoji } [PrivacyBlur](https://privacyblur.app/)
+
+
+
+[Aprender más :material-arrow-right:](mobile-browsers.md)
+
+### Recursos Adicionales
+
+
+
+- ![Logotipo de Fedora](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](https://getfedora.org/)
+- ![Logotipo de openSUSE Tumbleweed](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](https://get.opensuse.org/tumbleweed/)
+- ![Logotipo de Arch](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](https://archlinux.org/)
+- ![Logotipo de Fedora Silverblue](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](https://silverblue.fedoraproject.org/)
+- ![Logotipo de nixOS](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](https://nixos.org/)
+- ![Logotipo de Whonix](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](https://www.whonix.org/)
+- ![Logotipo de Tails](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Arranque en vivo (Live boot))](https://tails.boum.org/)
+- ![Logotipo de Qubes OS](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](https://www.qubes-os.org/) (1)
+
+
+
+[Aprender más :material-arrow-right:](mobile-browsers.md#adguard)
+
+## Software
+
+### Firmware del Router
+
+
+
+- ![Logotipo de OpenWrt](assets/img/router/openwrt.svg#only-light){ .twemoji }![Logotipo de OpenWrt](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](https://openwrt.org/)
+- ![Logotipo de pfSense](assets/img/router/pfsense.svg#only-light){ .twemoji }![Logotipo de pfSense](assets/img/router/pfsense-dark.svg#only-dark){ .twemoji } [pfSense](https://www.pfsense.org/)
+
+
+ +[Aprender más :material-arrow-right:](android.md) + +#### Proveedores DNS + +
+ +- ![Logotipo de Nextcloud](assets/img/cloud/nextcloud.svg){ .twemoji } [Nextcloud (Autoalojable)](https://nextcloud.com/) +- ![Logotipo de Proton Drive](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](https://drive.protonmail.com/) +- ![Logotipo de Cryptee](assets/img/cloud/cryptee.svg#only-light){ .twemoji }![Logotipo de Cryptee](assets/img/cloud/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](https://crypt.ee/) +- ![Logotipo de Tahoe-LAFS](assets/img/cloud/tahoe-lafs.svg#only-light){ .twemoji }![Tahoe-LAFS logo](assets/img/cloud/tahoe-lafs-dark.svg#only-dark){ .twemoji } [Tahoe-LAFS (Avanzado)](https://www.tahoe-lafs.org/) + +
+ +[Aprender más :material-arrow-right:](android.md#general-apps) + +### Almacenamiento en la Nube + +
+ +- ![Logotipo de ProtonMail](assets/img/email/mini/protonmail.svg){ .twemoji } [ProtonMail](https://protonmail.com/) +- ![Logotipo de Mailbox.org](assets/img/email/mini/mailboxorg.svg){ .twemoji } [Mailbox.org](https://mailbox.org/) +- ![Logotipo de Disroot](assets/img/email/mini/disroot.svg#only-light){ .twemoji }![Logotipo de Disroot](assets/img/email/mini/disroot-dark.svg#only-dark){ .twemoji } [Disroot](https://disroot.org/) +- ![Logotipo de Tutanota](assets/img/email/mini/tutanota.svg){ .twemoji } [Tutanota](https://tutanota.com/) +- ![Logotipo de StartMail](assets/img/email/mini/startmail.svg#only-light){ .twemoji }![Logotipo de StartMail](assets/img/email/mini/startmail-dark.svg#only-dark){ .twemoji } [StartMail](https://startmail.com/) +- ![Logotipo de CTemplar](assets/img/email/mini/ctemplar.svg#only-light){ .twemoji }![Logotipo de CTemplar](assets/img/email/mini/ctemplar-dark.svg#only-dark){ .twemoji } [CTemplar](https://ctemplar.com/) + +
+ +[Aprender más :material-arrow-right:](desktop.md) + +### Firmware del Router + +
+ +- ![Logotipo de AnonAddy](assets/img/email/mini/anonaddy.svg#only-light){ .twemoji }![Logotipo de AnonAddy](assets/img/email/mini/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](https://anonaddy.com/) +- ![Logotipo de SimpleLogin](assets/img/email/mini/simplelogin.svg){ .twemoji } [SimpleLogin](https://simplelogin.io/) + +
+ +[Aprender más :material-arrow-right:](router.md) + +## Proveedores de Servicios + +### Correo Electrónico + +
+ +- ![Logotipo de Mail-in-a-Box](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](https://mailinabox.email/) +- ![Logotipo de mailcow](assets/img/email/mailcow.svg){ .twemoji } [mailcow](https://mailcow.email/) + +
+ +[Aprender más :material-arrow-right:](cloud.md) + +### Almacenamiento en la Nube + +#### DNS Providers + +[Recomendamos](dns.md#recommended-providers) una serie de servidores DNS cifrados, como [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) y [Quad9](https://quad9.net/) entre otros, según varios criterios. Recomendamos que leas nuestras páginas sobre DNS antes de elegir un proveedor. En muchos casos no se recomienda utilizar un proveedor de DNS alternativo. + +[Aprender más :material-arrow-right:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![Logotipo de DuckDuckGo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](https://duckduckgo.com/) +- ![Logotipo de Startpage](assets/img/search-engines/startpage.svg){ .twemoji } [Startpage](https://www.startpage.com/) +- ![Logotipo de Mojeek](assets/img/search-engines//mini/mojeek.svg){ .twemoji } [Mojeek](https://www.mojeek.com/) +- ![Logotipo de Searx](assets/img/search-engines/searx.svg){ .twemoji } [Searx](https://searx.me/) + +
+ +[Aprender más :material-arrow-right:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Aprender más :material-arrow-right:](dns.md#self-hosted-solutions) + +### Proveedores de VPN + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Aprender más :material-arrow-right:](email.md) + +#### Email Aliasing Services + +
+ +- ![Logotipo de Joplin](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](https://joplinapp.org/) +- ![Logotipo de Standard Notes](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](https://standardnotes.org/) + +
+ +[Aprender más :material-arrow-right:](email.md#email-aliasing-services) + +#### Nuestro criterio + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Aprender más :material-arrow-right:](email.md#self-hosting-email) + +### Motores de Búsqueda + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Aprender más :material-arrow-right:](search-engines.md) + +### VPN Providers + +??? danger "Las VPN no proporcionan anonimato" + + El uso de una VPN **no** mantendrá tus hábitos de navegación en el anonimato, ni añadirá seguridad adicional al tráfico no seguro (HTTP). + + Si estás buscando **anonimato**, deberías usar el navegador Tor **en lugar** de una VPN. + + Si buscas mayor **seguridad**, deberías asegurarte siempre de que te conectas a sitios web que utilicen HTTPS. Una VPN no sustituye las buenas prácticas de seguridad. + + [Aprende más :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) + +
+ +[Aprender más :material-arrow-right:](vpn.md) + +## Software + +### Clientes de Correo Electrónico + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Aprender más :material-arrow-right:](calendar.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Aprender más :material-arrow-right:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Aprender más :material-arrow-right:](email-clients.md) + +### Software de encriptación + +??? info "Operating System Disk Encryption" + + Para cifrar la unidad de tu sistema operativo, normalmente recomendamos utilizar cualquier herramienta de cifrado que proporcione tu sistema operativo, ya sea **BitLocker** en Windows, **FileVault** en macOS, o **LUKS** en Linux. Estas herramientas están incluidas en el sistema operativo y suelen utilizar elementos de cifrado por hardware, como un TPM, que otros programas de cifrado de disco completo, como VeraCrypt, no utilizan. VeraCrypt sigue siendo adecuado para los discos que no son del sistema operativo, como las unidades externas, especialmente las unidades a las que se puede acceder desde varios sistemas operativos. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Aprender más :material-arrow-right:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Aprender más :material-arrow-right:](encryption.md#openpgp) + +### Software de Cifrado + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Aprender más :material-arrow-right:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Aprender más :material-arrow-right:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Aprender más :material-arrow-right:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Aprender más :material-arrow-right:](news-aggregators.md) + +### Bloc de Notas + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Aprender más :material-arrow-right:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Aprender más :material-arrow-right:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Aprender más :material-arrow-right:](productivity.md) + +### Comunicación en tiempo real + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar (Android)](real-time-communication.md#briar-android) + +
+ +[Aprender más :material-arrow-right:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Aprender más :material-arrow-right:](video-streaming.md) + +--8<-- "includes/abbreviations.es.txt" diff --git a/i18n/es/tor.md b/i18n/es/tor.md new file mode 100644 index 00000000..bd1a4598 --- /dev/null +++ b/i18n/es/tor.md @@ -0,0 +1,126 @@ +--- +title: "Navegadores Web" +icon: simple/torproject +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +La red **Tor** es un grupo de servidores operados por voluntarios que te permite conectarte gratuitamente y mejorar tu privacidad y seguridad en Internet. Los individuos y las organizaciones también pueden compartir información a través de la red Tor con los "servicios ocultos.onion" sin comprometer su privacidad. Debido a que el tráfico de Tor es difícil de bloquear y rastrear, Tor es una herramienta eficaz para eludir la censura. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Inicio} +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Servicio Onion" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentación} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Código Fuente" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuir } + +Tor funciona enrutando tu tráfico de Internet a través de esos servidores operados por voluntarios, en lugar de hacer una conexión directa con el sitio que estás tratando de visitar. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Ruta del circuito Tor - Los nodos en la ruta solo pueden ver los servidores a los que están directamente conectados, por ejemplo el nodo "Entry" que se muestra puede ver tu dirección IP y la dirección del nodo "Middle", pero no tiene forma de ver qué sitio web estás visitando.
+
+
+- [Más información sobre cómo funciona Tor :material-arrow-right-drop-circle:](advanced/tor-overview.md)
+
+## Conectarse a Tor
+
+Hay varias maneras de conectarse a la red Tor desde tu dispositivo, el más utilizado es **Tor Browser**, un fork de Firefox diseñado para la navegación anónima para ordenadores de sobremesa y Android. Además de las aplicaciones enumeradas a continuación, también hay sistemas operativos diseñados específicamente para conectarse a la red Tor, como [Whonix](linux-desktop.md/#whonix) en [Qubes OS](qubes.md), que proporcionan incluso mayor seguridad y protección que el Navegador Tor estándar.
+
+### Tor Browser
+
+!!! recomendación
+
+ ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right }
+
+ **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*.
+
+ [:octicons-home-16: Inicio](https://www.torproject.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Servicio Onion" }
+ [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentación }
+ [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Código Fuente" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuir }
+
+ ???
descargas
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
+ - [:simple-android: Android](https://www.torproject.org/download/#android)
+ - [:simple-windows11: Windows](https://www.torproject.org/download/)
+ - [:simple-apple: macOS](https://www.torproject.org/download/)
+ - [:simple-linux: Linux](https://www.torproject.org/download/)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor)
+ - [:simple-openbsd: OpenBSD](https://openports.se/net/tor)
+ - [:simple-netbsd: NetBSD](https://pkgsrc.se/net/tor)
+
+!!! peligro
+
+ **Nunca** deberías instalar ninguna extensión adicional en el Navegador Tor, ni siquiera las que sugerimos para Firefox. Las extensiones del navegador y las configuraciones no estándar te hacen destacar de los demás en la red Tor, haciendo así que tu navegador sea más fácil de [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
+
+El navegador Tor está diseñado para evitar la toma de huellas dactilares o tu identificación debido a la configuración de tu navegador. Por lo tanto, es imperativo que **no** modifiques el navegador más allá de los [niveles de seguridad](https://tb-manual.torproject.org/security-settings/) predeterminados.
+
+### Perfiles de usuario
+
+!!! recomendación
+
+ ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right }
+
+ **Orbot** es una VPN de Tor gratuita para smartphones que enruta el tráfico desde cualquier aplicación en tu dispositivo a través de la red Tor.
+
+ [:octicons-home-16: Inicio](https://orbot.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Política de Privacidad" }
+ [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentación}
+ [:octicons-code-16:](https://orbot.app/code){ .card-link title="Código Fuente" }
+ [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribuir }
+
+ ???
descargas
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599)
+ - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases)
+
+For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to.
+
+!!! consejo "Consejos para Android"
+
+ Orbot puede hacer de proxy de aplicaciones individuales si soportan SOCKS o proxy HTTP. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+ Orbot suele estar desactualizado en el [repositorio F-Droid](https://guardianproject.info/fdroid) de Guardian Project y en [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), así que considera descargarlo directamente desde el [repositorio GitHub](https://github.com/guardianproject/orbot/releases).
+
+ Todas las versiones están firmadas con la misma firma, por lo que deberían ser compatibles entre sí.
+
+## Relays and Bridges
+
+### Snowflake
+
+!!! recomendación
+
+ ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right }
+ ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right }
+
+ **Snowflake** te permite donar ancho de banda al Proyecto Tor operando un "proxy Snowflake" dentro de tu navegador.
+
+ People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge.
+
+ [:octicons-home-16: Inicio](https://snowflake.torproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentación}
+ [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Código Fuente" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuir }
+
+ ??? descargas
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie)
+ - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy")
+
+??? tip "Embedded Snowflake"
+
+ You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface.
+
+
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html).
+
+Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours.
+
+Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/video-streaming.md b/i18n/es/video-streaming.md
new file mode 100644
index 00000000..598ef26c
--- /dev/null
+++ b/i18n/es/video-streaming.md
@@ -0,0 +1,56 @@
+---
+title: "Transmisiones en Vivo"
+icon: material/video-wireless
+---
+
+La principal amenaza al utilizar una plataforma de streaming es que sus hábitos de streaming y sus suscripciones podrían utilizarse para elaborar un perfil. Debería combinar estas herramientas con un [VPN](/vpn) o [Tor](https://www.torproject.org/) para hacer más difícil perfilar su perfil.
+
+## Clientes
+
+!!! recomendación
+
+ ![FreeTube logo](assets/img/video-streaming/freetube.svg){ align=right }
+
+ **FreeTube** es una aplicación gratuita y de código abierto para [YouTube](https://youtube.com). Al usar FreeTube, su lista de suscripción y listas de reproducción se guardan localmente en su dispositivo. Por defecto, FreeTube bloquea todos los anuncios de YouTube.
+
+ Además, FreeTube se integra opcionalmente con [SponsorBlock](https://sponsor.ajay.app) para ayudarle a saltar segmentos de vídeo patrocinados.
+
+ [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:fontawesome-brands-windows: Windows](https://freetubeapp.io/#download)
+ - [:fontawesome-brands-apple: macOS](https://freetubeapp.io/#download)
+ - [:fontawesome-brands-linux: Linux](https://freetubeapp.io/#download)
+ - [:pg-flathub: Flatpak](https://flathub.org/apps/details/io.freetubeapp.FreeTube)
+
+!!! note
+
+ Solo se recomienda el **cliente de escritorio LBRY**, ya que el sitio web [Odysee](https://odysee.com) y los clientes LBRY en F-Droid, Play Store y App Store tienen sincronización y telemetría obligatorias.
+
+!!!
warning
+
+ ![logo LBRY](assets/img/video-streaming/lbry.svg){ align=right }
+
+ **La red LBRY** es una red descentralizada para compartir vídeos. Considere la posibilidad de utilizar un [VPN](vpn.md) o [Tor](https://www.torproject.org) si su [modelo de amenaza](basics/threat-modeling.md) requiere ocultar su dirección IP.
+
+We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. Si sincroniza su wallet con LBRY Inc. tendrá que confiar que ellos no mirarán su lista de suscripciones, sus fondos [LBC](https://lbry.com/faq/earn-credits) o tomen el control de su canal.
+
+Puede desactivar la opción *Guardar datos de alojamiento para ayudar a la red LBRY* en :gear: **Ajustes** → **Ajustes avanzados**, para evitar exponer su dirección IP y los vídeos vistos cuando utilice LBRY durante un periodo de tiempo prolongado.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must not require a centralized account to view videos.
+ - Decentralized authentication, such as via a mobile wallet's private key is acceptable.
+
+--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/es/vpn.md b/i18n/es/vpn.md
new file mode 100644
index 00000000..884f1aa9
--- /dev/null
+++ b/i18n/es/vpn.md
@@ -0,0 +1,314 @@
+---
+title: "Servicios VPN"
+icon: material/vpn
+---
+
+Encuentre una VPN sin registro que no esté dispuesto a vender o leer su tráfico web.
+
+??? danger "Las VPN no proporcionan anonimato"
+
+ El uso de una VPN **no** mantendrá tus hábitos de navegación en el anonimato, ni añadirá seguridad adicional al tráfico no seguro (HTTP).
+
+ Si estás buscando **anonimato**, deberías usar el navegador Tor **en lugar** de una VPN.
+
+ Si buscas mayor **seguridad**, deberías asegurarte siempre de que te conectas a sitios web que utilicen HTTPS. Una VPN no sustituye las buenas prácticas de seguridad.
+
+ [Descargar Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Mitos de Tor & FAQ](https://medium.com/privacyguides/slicing-onions-part-1-myth-busting-tor-9ec188ae1904){ .md-button }
+
+??? question "¿Cuándo son útiles las VPN?"
+
+ Si buscas una mayor **privacidad** de tu ISP, de una red wifi pública o mientras hace o descargar archivos Torrent, una VPN puede ser la solución para usted, siempre y cuando entienda los riesgos que conlleva.
+
+ [Más información](basics/vpn-overview.md){ .md-button }
+
+## Proveedores recomendados
+
+!!! summary "Criterios"
+
+ Nuestros proveedores recomendados usan encriptación, aceptan Monero, soportan WireGuard & OpenVPN, y tienen una política de no registro. Lea nuestra [lista de criterios completa](#our-criteria) para mayor información.
+
+### Mullvad
+
+!!! recommendation
+
+ ![Mullvad logo](assets/img/vpn/mullvad.svg#only-light){ align=right }
+ ![Mullvad logo](assets/img/vpn/mullvad-dark.svg#only-dark){ align=right }
+
+ **Mullvad** es una VPN rápida y cómoda con un enfoque serio en la transparencia y la seguridad. Llevan en funcionamiento desde **2009**.
+
+ Mullvad tiene su sede en Suecia y no tiene prueba gratuita.
descargas
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085)
+ - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases)
+ - [:simple-windows11: Windows](https://protonvpn.com/download-windows)
+ - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/)
+
+??? check annotate "38 Países"
+
+ Mullvad tiene [servidores en 38 países](https://mullvad.net/servers/) (1). Elegir un proveedor de VPN con un servidor cercano a usted reducirá la latencia del tráfico de red que envíe. Esto se debe a que es una ruta más corta (menos saltos) hasta el destino.
+
+ También pensamos que es mejor para la seguridad de las claves privadas del proveedor de VPN si utilizan [servidores dedicados](https://en.wikipedia.org/wiki/Dedicated_hosting_service), en lugar de soluciones compartidas más baratas (con otros clientes) como los [servidores privados virtuales](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. En 2022/05/17
+
+??? check "Auditoria independiente"
+
+ Los clientes VPN de Mullvad han sido auditados por Cure53 y Assured AB en un reporte de pentest [publicado en cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). Los investigadores de seguridad concluyeron:
+
+ > Cure53 y Assured AB están satisfechos con los resultados de la auditoría y el software deja una impresión positiva en general. Con la dedicación a la seguridad del equipo interno de Mullvad VPN, los testers no tienen dudas de que el proyecto va por buen camino desde el punto de vista de la seguridad. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/).
In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +??? check "Clientes Open Source" + + Proton VPN proporciona el código fuente para su aplicación de escritorio and móvil en su [GitHub organization](https://github.com/ProtonVPN). + +??? check "Acepta dinero y Monero" + + Proton VPN, además de aceptar tarjetas de crédito/débito y Paypal, acepta Bitcoin, y **cash/local currency** como formas anónimas de pago. + +??? check "Soporte de WireGuard" + + Mullvad soporta el protocolo WireGuard®. [WireGuard](https://www.wireguard.com) es un protocolo más reciente que utiliza [criptografía](https://www.wireguard.com/protocol/) de última generación. Además, WireGuard pretende ser más simple y veloz. + + Mullvad [recomienda](https://mullvad.net/en/help/why-wireguard/) el uso de WireGuard con su servicio. Es el protocolo por defecto o único en las aplicaciones de Mullvad para Android, iOS, macOS y Linux, pero en Windows hay que [activar manualmente](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. + +??? check "Soporte de IPv6" + + Mullvad soporta el futuro de la red [IPv6](https://es.wikipedia.org/wiki/IPv6). Su red permite [acceder a servicios alojados en IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) a diferencia de otros proveedores que bloquean las conexiones IPv6. + +??? 
check "Redirección remota de puertos" + + Además de proporcionar los archivos de configuración estándar de OpenVPN, Proton VPN tiene clientes móviles para [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085) y [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US) que permiten conectarse fácilmente a sus servidores. + +??? check "Aplicaciones móviles" + + Mullvad ha publicado su cliente en la [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) y en [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn), ambos con una interfaz fácil de usar en lugar de requerir la configuración manual de la conexión de WireGuard. El cliente móvil en Android también está disponible en [F-Droid](https://f-droid.org/packages/net.mullvad.mullvadvpn), lo que garantiza que se compila con [builds reproducibles](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html). They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +!!! info "Funcionalidades adicionales" + + Mullvad es muy transparente en cuanto a los nodos que posee o alquila (https://mullvad.net/es/servers/). Utilizan [ShadowSocks](https://shadowsocks.org/en/index.html) en su configuración de ShadowSocks + OpenVPN, lo que les hace más resistentes contra los cortafuegos con [Inspección profunda de paquete](https://es.wikipedia.org/wiki/Deep_Packet_Inspection) que intentan bloquear las VPN. + +### Proton VPN + +!!! recomendación + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** es un fuerte contendiente en el espacio de las VPN, y ha estado en funcionamiento desde 2016. 
Proton AG tiene su sede en Suiza y ofrece un nivel gratuito limitado, así como una opción premium con más funciones. + + **Free** — **Plus Plan USD $71.88/anual** (1) + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } También pensamos que es mejor para la seguridad de las claves privadas del proveedor de VPN si utilizan [servidores dedicados](https://en.wikipedia.org/wiki/Dedicated_hosting_service), en lugar de soluciones compartidas más baratas (con otros clientes) como los [servidores privados virtuales](https://en.wikipedia.org/wiki/Virtual_private_server). + +??? check annotate "63 países" + + Proton VPN tiene [servidores en 63 países](https://protonvpn.com/vpn-servers) (1). Elegir un proveedor de VPN con un servidor cercano a usted reducirá la latencia del tráfico de red que envíe. Esto se debe a que es una ruta más corta (menos saltos) hasta el destino. + + También pensamos que es mejor para la seguridad de las claves privadas del proveedor de VPN si utilizan [servidores dedicados](https://en.wikipedia.org/wiki/Dedicated_hosting_service), en lugar de soluciones compartidas más baratas (con otros clientes) como los [servidores privados virtuales](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. En 2022/05/17 + +??? check "Auditoria independiente" + + IVPN se ha sometido a una [auditoría de no-logging de Cure53](https://cure53.de/audit-report_ivpn.pdf) que concluyó de acuerdo con la afirmación de no-logging de IVPN. IVPN también ha completado un [informe completo de pentest Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) en enero de 2020. 
IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +??? check "Clientes Open Source" + + A partir de febrero de 2020 [las aplicaciones de IVPN son ahora de código abierto](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +??? check "Acepta efectivo" + + Además de aceptar tarjetas de crédito/débito y PayPal, IVPN acepta Bitcoin, **Monero** y **efectivo/moneda local** (en planes anuales) como formas de pago anónimas. + +??? check "Soporte de WireGuard" + + Proton VPN soporta principalmente el protocolo WireGuard®. [WireGuard](https://www.wireguard.com) es un protocolo más reciente que utiliza [criptografía](https://www.wireguard.com/protocol/) de última generación. Además, WireGuard pretende ser más simple y veloz. + + IVPN [recomienda](https://www.ivpn.net/wireguard/) el uso de WireGuard con su servicio y, como tal, es el protocolo predeterminado en todas las aplicaciones de IVPN. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? warning "Redirección remota de puertos" + + El [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) es posible con un plan de pago (Pro). Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +??? 
check "Redirección remota de puertos" + + Además de proporcionar los archivos de configuración estándar de OpenVPN, Proton VPN tiene clientes móviles para [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683) y [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client) que permiten conectarse fácilmente a sus servidores. + +??? check "Aplicaciones móviles" + + Proton VPN tiene sus propios servidores y centros de datos en Suiza, Islandia y Suecia. Ofrecen bloqueo de anuncios y de dominios con malware conocido con su servicio de DNS. + +### IVPN + +!!! recomendación + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** es otro proveedor de VPN premium, y llevan en funcionamiento desde 2009. IVPN tiene su sede en Gibraltar. **Standard USD $60/año** — **Pro USD $100/año** + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + También pensamos que es mejor para la seguridad de las claves privadas del proveedor de VPN si utilizan [servidores dedicados](https://en.wikipedia.org/wiki/Dedicated_hosting_service), en lugar de soluciones compartidas más baratas (con otros clientes) como los [servidores privados virtuales](https://en.wikipedia.org/wiki/Virtual_private_server). 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +??? check annotate "32 Países" + + IVPN tiene [servidores en 32 países](https://www.ivpn.net/server-locations) (1). Elegir un proveedor de VPN con un servidor cercano a usted reducirá la latencia del tráfico de red que envíe. Esto se debe a que es una ruta más corta (menos saltos) hasta el destino. + + También pensamos que es mejor para la seguridad de las claves privadas del proveedor de VPN si utilizan [servidores dedicados](https://en.wikipedia.org/wiki/Dedicated_hosting_service), en lugar de soluciones compartidas más baratas (con otros clientes) como los [servidores privados virtuales](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. En 2022/05/17 + +??? check "Auditoria independiente" + + Los clientes VPN de Mullvad han sido auditados por Cure53 y Assured AB en un reporte de pentest [publicado en cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). Los investigadores de seguridad concluyeron: + + > Cure53 y Assured AB están satisfechos con los resultados de la auditoría y el software deja una impresión positiva en general. Con la dedicación a la seguridad del equipo interno de Mullvad VPN, los testers no tienen dudas de que el proyecto va por buen camino desde el punto de vista de la seguridad. 
+ + En 2020 se anunció una segunda auditoría (https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) y el [informe final de la auditoría] (https://cure53.de/pentest-report_mullvad_2020_v2.pdf) se publicó en el sitio web de Cure53: + + > Los resultados de este proyecto de mayo-junio de 2020 dirigido al complejo Mullvad, son bastante positivos. [...] El ecosistema general de aplicaciones utilizado por Mullvad deja una impresión sólida y estructurada. La estructura general de la aplicación facilita el despliegue de parches y correcciones de forma estructurada. Más que nada, los hallazgos detectados por Cure53 muestran la importancia de auditar y reevaluar constantemente los vectores de filtración actuales, para garantizar siempre la privacidad de los usuarios finales. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + + In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +??? check "Clientes Open Source" + + Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +??? check "Acepta efectivo" + + Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. 
[WireGuard](https://www.wireguard.com) es un protocolo más reciente que utiliza [criptografía](https://www.wireguard.com/protocol/) de última generación. + +??? check "Soporte de WireGuard" + + IVPN soporta el protocolo WireGuard®. [WireGuard](https://www.wireguard.com) es un protocolo más reciente que utiliza [criptografía](https://www.wireguard.com/protocol/) de última generación. Además, WireGuard pretende ser más simple y veloz. + + Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? check "Redirección remota de puertos" + + El [redirección de puertos] (https://es.wikipedia.org/wiki/Port_Forwarding) es posible con un plan Pro. La redirección de puertos [puede ser activada](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) a través del Client Area. + +??? warning "Redirección remota de puertos" + + Además de proporcionar archivos de configuración estándar de OpenVPN, IVPN tiene aplicaciones móviles para [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683) y [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client) que permiten conectarse fácilmente a sus servidores. La aplicación móvil en Android también está disponible en [F-Droid](https://f-droid.org/en/packages/net.ivpn.client), lo que garantiza que se compila con [builds reproducibles](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html). See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +??? 
check "Redirección remota de puertos" + + Los clientes IVPN soportan la autenticación de dos factores (los clientes Mullvad y Proton VPN no). IVPN también proporciona la funcionalidad "[AntiTracker](https://www.ivpn.net/antitracker)", que bloquea las redes publicitarias y los rastreadores de la red. + +??? check "Aplicaciones móviles" + + Es importante tener en cuenta que el uso de un proveedor de VPN no le hará anónimo, pero le dará mayor privacidad en ciertas situaciones. Una VPN no es una herramienta para actividades ilegales. No confíes en una política de "no registro". Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +## Criteria + +!!! peligro + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +Exigimos que todos nuestros proveedores de VPN recomendados, proporcionen archivos de configuración de OpenVPN para ser utilizados en cualquier cliente. **Si** una VPN proporciona su propio cliente personalizado, requerimos un killswitch para bloquear las fugas de datos de la red cuando se desconecta. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Tecnología + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Mejor caso:** + +- Soporte para protocolos fuertes como WireGuard & OpenVPN. +- Killswitch integrado en los clientes. +- Soporte de multisaltos. 
El multihopping es importante para mantener la privacidad de los datos en caso de que un solo nodo se vea comprometido. +- Si se proporciona clientes VPN, deben ser [de código abierto](https://en.wikipedia.org/wiki/Open_source), como el software VPN que generalmente llevan incorporado. Creemos que la disponibilidad de [código fuente](https://en.wikipedia.org/wiki/Source_code) proporciona una mayor transparencia sobre lo que su dispositivo está haciendo realmente. + +**Best Case:** + +- Soporte de WireGuard y OpenVPN. +- Killswitch con opciones altamente configurables (activar/desactivar en determinadas redes, en el arranque, etc.) +- Clientes VPN fáciles de usar +- Admite [IPv6](https://en.wikipedia.org/wiki/IPv6). Esperamos que los servidores permitan las conexiones entrantes a través de IPv6 y le permitan acceder a los servicios alojados en direcciones IPv6. +- La capacidad de [redirección de puertos](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) ayuda a crear conexiones cuando se utiliza software de intercambio de archivos P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)), Freenet, o se aloja un servidor (por ejemplo, Mumble). + +### Privacidad + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Mejor caso:** + +- Opción de pago en Monero o en efectivo. +- No se requiere información personal para registrarse: Sólo nombre de usuario, contraseña y correo electrónico como máximo. + +**Best Case:** + +- Acepta Monero, dinero en efectivo y otras formas de pago anónimo (tarjetas de regalo, etc.) +- No se aceptan datos personales (nombre de usuario autogenerado, no se requiere correo electrónico, etc.) + +### Seguridad + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. 
Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Mejor caso:** + +- Esquemas de cifrado fuertes: OpenVPN con autenticación SHA-256; RSA-2048 o mejor handshake; AES-256-CBC o cifrado de datos AES-256-GCM. +- Perfect Forward Secrecy (PFS). +- Auditorías de seguridad publicadas por una empresa externa de prestigio. + +**Best Case:** + +- Cifrado más fuerte: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Auditorías de seguridad exhaustivas publicadas por una empresa externa de prestigio. +- Programas de recompensa de errores y/o un proceso coordinado de divulgación de vulnerabilidades. + +### Confianza + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Mejor caso:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Informes de transparencia frecuentes. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Mejor caso:** + +- Debe tener análisis propios (no Google Analytics, etc.). El sitio del proveedor también debe cumplir con [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) para las personas que quieran excluirse. + +Must not have any marketing which is irresponsible: + +- Garantizar la protección del anonimato al 100%. Cuando alguien afirma que algo es 100% significa que no hay certeza de fracaso. 
Sabemos que la gente puede desanonimizarse fácilmente de varias maneras, por ejemplo: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Afirmar que una VPN de un solo circuito es "más anónima" que Tor, el cual es un circuito de 3 o más saltos que cambia regularmente. +- Utilice un lenguaje responsable, por ejemplo, está bien decir que una VPN está "desconectada" o "no conectada", pero afirmar que alguien está "expuesto", "vulnerable" o "comprometido" es un uso innecesario de un lenguaje alarmante que puede ser incorrecto. Por ejemplo, esa persona podría simplemente estar en el servicio de otro proveedor de VPN o usar Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- Una comparación precisa para cuando se debe utilizar Tor u otras [redes autónomas](self-contained-networks.md). +- Disponibilidad del sitio web del proveedor de VPN a través de un .onion [Hidden Service](https://es.wikipedia.org/wiki/.onion) + +### Funcionalidades adicionales + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. + +--8<-- "includes/abbreviations.es.txt"
diff --git a/i18n/fa/404.md b/i18n/fa/404.md
new file mode 100644
index 00000000..49886058
--- /dev/null
+++ b/i18n/fa/404.md
@@ -0,0 +1,17 @@
+--- +hide: + - feedback +--- + +# 404 - Not Found + +We couldn't find the page you were looking for! Maybe you were looking for one of these? + +- [Introduction to Threat Modeling](basics/threat-modeling.md) +- [Recommended DNS Providers](dns.md) +- [Best Desktop Web Browsers](desktop-browsers.md) +- [Best VPN Providers](vpn.md) +- [Privacy Guides Forum](https://discuss.privacyguides.net) +- [Our Blog](https://blog.privacyguides.org) + +--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/CODE_OF_CONDUCT.md b/i18n/fa/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..88a0e910
--- /dev/null
+++ b/i18n/fa/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. 
**Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. 
diff --git a/i18n/fa/about/criteria.md b/i18n/fa/about/criteria.md
new file mode 100644
index 00000000..562a5d4a
--- /dev/null
+++ b/i18n/fa/about/criteria.md
@@ -0,0 +1,42 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. 
+ +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. + +--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/about/donate.md b/i18n/fa/about/donate.md
new file mode 100644
index 00000000..5e700e2a
--- /dev/null
+++ b/i18n/fa/about/donate.md
@@ -0,0 +1,52 @@ +--- +title: Supporting Us +--- + + +It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers. + +[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +A special thanks to all those who support our mission! :heart: + +*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Privacy Guides is a **non-profit** organization. 
We use donations for a variety of purposes, including: + +**Domain Registrations** +: + +We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration. + +**Web Hosting** +: + +Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic. + +**Online Services** +: + +We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.). + +**Product Purchases** +: + +We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/about/index.md b/i18n/fa/about/index.md new file mode 100644 index 00000000..917b4910 --- /dev/null +++ b/i18n/fa/about/index.md 
@@ -0,0 +1,63 @@ +--- +title: "About Privacy Guides" +--- + +**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. + +[:material-hand-coin-outline: Support the project](donate.md ""){.md-button.md-button--primary} + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? 
person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub! + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax deductible in the United States. + +## Site License + +*The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):* + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. 
You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/about/notices.md b/i18n/fa/about/notices.md new file mode 100644 index 00000000..2ded68df --- /dev/null +++ b/i18n/fa/about/notices.md 
@@ -0,0 +1,45 @@ +--- +title: "اطلاعیه ها و سلب مسئولیت" +hide: + - toc +--- + +## سلب مسئولیت حقوقی + +Privacy Guides(راهنمای حفظ حریم خصوصی) یک شرکت حقوقی نیست. به این ترتیب، که وب سایت راهنمای حریم خصوصی و مشارکت کنندگان . مشاوره حقوقی ارائه نمی دهند. مطالب و توصیه‌های موجود در وب‌سایت و راهنماهای ما به منزله مشاوره حقوقی نیست و مشارکت در وب‌سایت یا برقراری ارتباط با راهنمای حریم خصوصی یا سایر مشارکت‌کنندگان در مورد وب‌سایت ما باعث ایجاد رابطه وکیل و مشتری نمی‌شود. + +راه اندازی این وب سایت، مانند هر تلاش انسانی، مستلزم عدم اطمینان و مبادله است. امیدواریم این وب سایت به شما کمک کند، اما ممکن است شامل اشتباهاتی باشد و نتواند به هر موقعیتی رسیدگی کند. اگر در مورد وضعیت خود سؤالی دارید، ما شما را تشویق می‌کنیم که تحقیقات خود را انجام دهید، کارشناسان دیگر را جستجو کنید و با انجمن راهنماهای حریم خصوصی وارد بحث شوید. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licenses + +Unless otherwise noted, all content on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). 
+ +This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). + +Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE). + +This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. 
*When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.* + +When you contribute to this repository you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Acceptable Use + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. + +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Excessive Automated Scans +* Denial of Service Attacks +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/about/privacy-policy.md b/i18n/fa/about/privacy-policy.md new file mode 100644 index 00000000..70ab9d9b --- /dev/null +++ b/i18n/fa/about/privacy-policy.md 
@@ -0,0 +1,63 @@ +--- +title: "Privacy Policy" +--- + +Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). + +## Data We Collect From Visitors + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- No personal information is collected +- No information such as cookies are stored in the browser +- No information is shared with, sent to or sold to third-parties +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- No information is monetized + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Data We Collect From Account Holders + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. 
+ +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. 
In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/about/privacytools.md b/i18n/fa/about/privacytools.md new file mode 100644 index 00000000..319fac36 --- /dev/null +++ b/i18n/fa/about/privacytools.md 
@@ -0,0 +1,120 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. 
The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. 
+ +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. 
This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. 
If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. 
+ +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. 
BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. 
+ +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. 
+ +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. 
+ +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/about/services.md b/i18n/fa/about/services.md new file mode 100644 index 00000000..45a5f176 --- /dev/null +++ b/i18n/fa/about/services.md 
@@ -0,0 +1,40 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) + +--8<-- "includes/abbreviations.fa.txt" 
diff --git a/i18n/fa/about/statistics.md b/i18n/fa/about/statistics.md new file mode 100644 index 00000000..6e2334d4 --- /dev/null +++ b/i18n/fa/about/statistics.md @@ -0,0 +1,63 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/advanced/communication-network-types.md b/i18n/fa/advanced/communication-network-types.md new file mode 100644 index 00000000..fcbc0465 --- /dev/null +++ b/i18n/fa/advanced/communication-network-types.md 
@@ -0,0 +1,104 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. 
+- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. 
They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. 
There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. 
Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/advanced/dns-overview.md b/i18n/fa/advanced/dns-overview.md new file mode 100644 index 00000000..1e872d2d --- /dev/null +++ b/i18n/fa/advanced/dns-overview.md 
@@ -0,0 +1,307 @@ +--- +title: "DNS Overview" +icon: material/dns +--- + +[سیستم نام دامنه (DNS)](https://en.wikipedia.org/wiki/Domain_Name_System) 'دفترچه تلفن اینترنت' است. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## دی ان اس DNS چیست؟ + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. 
This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. 
| Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. 
Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. 
When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. 
We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. 
Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. 
We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. 
It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? 
+ +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/advanced/tor-overview.md b/i18n/fa/advanced/tor-overview.md new file mode 100644 index 00000000..678ffe86 --- /dev/null +++ b/i18n/fa/advanced/tor-overview.md 
@@ -0,0 +1,81 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building + +Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +--8<-- "includes/abbreviations.fa.txt" + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. 
The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/fa/android.md b/i18n/fa/android.md new file mode 100644 index 00000000..082a7126 --- /dev/null +++ b/i18n/fa/android.md 
@@ -0,0 +1,353 @@ +--- +title: "Android" +icon: 'simple/android' +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +- [General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md) +- [Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! 
recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! 
recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). 
All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. 
For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. 
Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). 
If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! 
recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! 
recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). 
If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. 
+ +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. 
+ + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. 
While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Operating Systems
+
+- Must be open-source software.
+- Must support bootloader locking with custom AVB key support.
+- Must receive major Android updates within 0-1 months of release.
+- Must receive Android feature updates (minor version) within 0-14 days of release.
+- Must receive regular security patches within 0-5 days of release.
+- Must **not** be "rooted" out of the box.
+- Must **not** enable Google Play Services by default.
+- Must **not** require system modification to support Google Play Services.
+
+### Devices
+
+- Must support at least one of our recommended custom operating systems.
+- Must be currently sold new in stores.
+- Must receive a minimum of 5 years of security updates.
+- Must have dedicated secure element hardware.
+
+### Applications
+
+- Applications on this page must not be applicable to any other software category on the site.
+- General applications should extend or replace core system functionality.
+- Applications should receive regular updates and maintenance.
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/assets/img/account-deletion/exposed_passwords.png b/i18n/fa/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/fa/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/fa/assets/img/android/rss-apk-dark.png b/i18n/fa/assets/img/android/rss-apk-dark.png
new file mode 100644
index 00000000..974869a4
Binary files /dev/null and b/i18n/fa/assets/img/android/rss-apk-dark.png differ
diff --git a/i18n/fa/assets/img/android/rss-apk-light.png b/i18n/fa/assets/img/android/rss-apk-light.png
new file mode 100644
index 00000000..21d6ef03
Binary files /dev/null and b/i18n/fa/assets/img/android/rss-apk-light.png differ
diff --git a/i18n/fa/assets/img/android/rss-changes-dark.png b/i18n/fa/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/fa/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/fa/assets/img/android/rss-changes-light.png b/i18n/fa/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/fa/assets/img/android/rss-changes-light.png differ diff --git a/i18n/fa/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/fa/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/fa/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fa/assets/img/how-tor-works/tor-encryption.svg b/i18n/fa/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/fa/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/fa/assets/img/how-tor-works/tor-path-dark.svg b/i18n/fa/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/fa/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fa/assets/img/how-tor-works/tor-path.svg b/i18n/fa/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/fa/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fa/assets/img/multi-factor-authentication/fido.png b/i18n/fa/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/fa/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/fa/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/fa/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/fa/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/fa/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/fa/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/fa/assets/img/qubes/qubes-trust-level-architecture.png differ 
diff --git a/i18n/fa/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/fa/assets/img/qubes/r4.0-xfce-three-domains-at-work.png
new file mode 100644
index 00000000..d7138149
Binary files /dev/null and b/i18n/fa/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ
diff --git a/i18n/fa/basics/account-creation.md b/i18n/fa/basics/account-creation.md
new file mode 100644
index 00000000..e1371a80
--- /dev/null
+++ b/i18n/fa/basics/account-creation.md
@@ -0,0 +1,82 @@
+---
+title: "Account Creation"
+icon: 'material/account-plus'
+---
+
+Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line.
+
+There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer.
+
+It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.
+
+## Terms of Service & Privacy Policy
+
+The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for.
+
+The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect.
+
+We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start.
+
+Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy.
+
+## Authentication methods
+
+There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks.
+
+### Email and password
+
+The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords.
+
+!!! tip
+
+ You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key.
+
+You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts.
+
+[Recommended password managers](../passwords.md ""){.md-button}
+
+#### Email aliases
+
+If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address.
This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to.
+
+Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked.
+
+[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button}
+
+### Single sign-on
+
+!!! note
+
+ We are discussing Single sign-on for personal use, not enterprise users.
+
+Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO.
+
+When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account.
+
+The main advantages are:
+
+- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials.
+- **Ease of use**: multiple accounts are managed by a single login.
+
+But there are disadvantages:
+
+- **Privacy**: a SSO provider will know the services you use.
+- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected.
+
+SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others.
Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md).
+
+All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak.
+
+### Phone number
+
+We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted.
+
+You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts.
+
+In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number!
+
+### Username and password
+
+Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password.
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/basics/account-deletion.md b/i18n/fa/basics/account-deletion.md
new file mode 100644
index 00000000..5bc04f10
--- /dev/null
+++ b/i18n/fa/basics/account-deletion.md
@@ -0,0 +1,63 @@
+---
+title: "Account Deletion"
+icon: 'material/account-remove'
+---
+
+Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence.
+
+## Finding Old Accounts
+
+### Password Manager
+
+If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/).
+
+
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+
+Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336).
+
+Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about:
+
+- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
+- macOS [Passwords](https://support.apple.com/en-us/HT211145)
+- iOS [Passwords](https://support.apple.com/en-us/HT211146)
+- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
+
+### Email
+
+If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts.
+
+## Deleting Old Accounts
+
+### Log In
+
+In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page.
It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts.
+
+When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account.
+
+### GDPR (EEA residents only)
+
+Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
+
+### Overwriting Account information
+
+In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information.
+
+For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.
+
+### Delete
+
+You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
+
+For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this).
+
+If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
+
+Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services.
+
+## Avoid New Accounts
+
+As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/basics/common-misconceptions.md b/i18n/fa/basics/common-misconceptions.md
new file mode 100644
index 00000000..9db645e0
--- /dev/null
+++ b/i18n/fa/basics/common-misconceptions.md
@@ -0,0 +1,61 @@
+---
+title: "Common Misconceptions"
+icon: 'material/robot-confused'
+---
+
+## "Open-source software is always secure" or "Proprietary software is more secure"
+
+These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis.
+
+Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1]
+
+On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
+
+To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use.
+
+## "Shifting trust can increase privacy"
+
+We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that:
+
+1. 
You must exercise caution when choosing a provider to shift trust to.
+2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data.
+
+## "Privacy-focused solutions are inherently trustworthy"
+
+Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider.
+
+The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all.
+
+## "Complicated is better"
+
+We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?"
+
+Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips:
+
+1. 
==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions.
+2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember.
+3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight.
+
+So, how might this look?
+
+One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to.
+
+1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses.
+
+ We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means.
+
+ !!! tip
+
+ When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private.
+
+2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know.
This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc.
+
+ You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.
+
+3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly.
+
+ Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.)
+
+--8<-- "includes/abbreviations.fa.txt"
+
+[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident).
diff --git a/i18n/fa/basics/common-threats.md b/i18n/fa/basics/common-threats.md
new file mode 100644
index 00000000..4b111199
--- /dev/null
+++ b/i18n/fa/basics/common-threats.md
@@ -0,0 +1,149 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. 
+ +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. 
The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). 
+ +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. 
Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. 
+ +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! 
quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. 
Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. 
This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. 
Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +--8<-- "includes/abbreviations.fa.txt" + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/fa/basics/email-security.md b/i18n/fa/basics/email-security.md new file mode 100644 index 00000000..61694ede --- /dev/null +++ b/i18n/fa/basics/email-security.md 
@@ -0,0 +1,42 @@
+---
+title: Email Security
+icon: material/email
+---
+
+Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed.
+
+As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others.
+
+## Email Encryption Overview
+
+The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
+
+There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible.
+
+### What Email Clients Support E2EE?
+
+Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication.
+
+### How Do I Protect My Private Keys?
+
+A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
+
+It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.
+
+## Email Metadata Overview
+
+Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
+
+Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent.
+
+### Who Can View Email Metadata?
+
+Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages.
+
+### Why Can't Metadata be E2EE?
+
+Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc.
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/basics/multi-factor-authentication.md b/i18n/fa/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..f3f5b704
--- /dev/null
+++ b/i18n/fa/basics/multi-factor-authentication.md
@@ -0,0 +1,166 @@
+---
+title: "Multi-Factor Authentication"
+icon: 'material/two-factor-authentication'
+---
+
+**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app.
+
+Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone.
+
+MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO.
+
+## MFA Method Comparison
+
+### SMS or Email MFA
+
+Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account.
+
+### Push Notifications
+
+Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first.
+ +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. 
If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## توصیه‌های عمومی + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. 
+ +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. 
+ +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. 
+
+### SSH
+
+#### Hardware Security Keys
+
+SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up.
+
+#### Time-based One-time Password (TOTP)
+
+SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ.
+
+### KeePass (and KeePassXC)
+
+KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/basics/passwords-overview.md b/i18n/fa/basics/passwords-overview.md
new file mode 100644
index 00000000..2bb9b52a
--- /dev/null
+++ b/i18n/fa/basics/passwords-overview.md
@@ -0,0 +1,112 @@
+---
+title: "Introduction to Passwords"
+icon: 'material/form-textbox-password'
+---
+
+Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced.
+
+## Best Practices
+
+### Use unique passwords for every service
+
+Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it.
+
+This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords.
+
+### Use randomly generated passwords
+
+==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices.
+
+All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use.
+
+### Rotating Passwords
+
+You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it.
+ +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! 
note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. 
+ + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. 
+
+There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words.
+
+[List of recommended password managers](../passwords.md ""){.md-button}
+
+!!! warning "Don't place your passwords and TOTP tokens inside the same password manager"
+
+ When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+
+ Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
+
+ Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device.
+
+### Backups
+
+You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using.
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/basics/threat-modeling.md b/i18n/fa/basics/threat-modeling.md
new file mode 100644
index 00000000..ecb360e8
--- /dev/null
+++ b/i18n/fa/basics/threat-modeling.md
@@ -0,0 +1,111 @@
+---
+title: "Threat Modeling"
+icon: 'material/target-account'
+---
+
+Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using!
+
+If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important.
+
+**So, what are these threat models, anyway?**
+
+==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure.
+
+Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.
+
+## Creating Your Threat Model
+
+To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions:
+
+1. What do I want to protect?
+2. Who do I want to protect it from?
+3. How likely is it that I will need to protect it?
+4. How bad are the consequences if I fail?
+5. How much trouble am I willing to go through to try to prevent potential consequences?
+
+### What do I want to protect?
+
+An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets.
Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. 
+ +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. 
Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. 
+
+## Further Reading
+
+For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations.
+
+- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md)
+
+## Sources
+
+- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan)
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/basics/vpn-overview.md b/i18n/fa/basics/vpn-overview.md
new file mode 100644
index 00000000..906b31f0
--- /dev/null
+++ b/i18n/fa/basics/vpn-overview.md
@@ -0,0 +1,78 @@
+---
+title: VPN Overview
+icon: material/vpn
+---
+
+Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem).
+
+Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns).
+
+A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it.
+
+## Should I use a VPN?
+
+**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service.
+
+VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way.
+
+However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.
+
+## When shouldn't I use a VPN?
+
+Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful.
+
+Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website.
+
+## What about encryption?
+
+Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them.
However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. 
If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. 
Hiding your IP from third-party websites and services, preventing IP based tracking.
+
+For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
+
+## Sources and Further Reading
+
+1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
+1. [Tor Network Overview](../advanced/tor-overview.md)
+1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides)
+1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them.
+
+## Related VPN Information
+
+- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/)
+- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
+- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
+- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/calendar.md b/i18n/fa/calendar.md
new file mode 100644
index 00000000..ced20981
--- /dev/null
+++ b/i18n/fa/calendar.md
@@ -0,0 +1,71 @@ +--- +title: "Calendar Sync" +icon: material/calendar +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! 
recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/cloud.md b/i18n/fa/cloud.md new file mode 100644 index 00000000..3e05b2d6 --- /dev/null +++ b/i18n/fa/cloud.md 
@@ -0,0 +1,62 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by either putting you in control of your data or by implementing E2EE. + +If these alternatives do not fit your needs, we suggest you look into [Encryption Software](encryption.md). + +??? توصیه شده + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is an E2EE general file storage service by the popular encrypted email provider [Proton Mail](https://proton.me/mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +Proton Drive's mobile clients were released in December 2022 and are not yet open-source. Proton has historically delayed their source code releases until after initial product releases, and [plans to](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) release the source code by the end of 2023. Proton Drive desktop clients are still in development. 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. 
+- Should offer at least basic file preview and editing functionality on the web interface. + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/data-redaction.md b/i18n/fa/data-redaction.md new file mode 100644 index 00000000..b3879c41 --- /dev/null +++ b/i18n/fa/data-redaction.md 
@@ -0,0 +1,146 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. 
+ + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. 
+ + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. 
+ + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/desktop-browsers.md b/i18n/fa/desktop-browsers.md new file mode 100644 index 00000000..f903cef9 --- /dev/null +++ b/i18n/fa/desktop-browsers.md 
@@ -0,0 +1,263 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping your browser extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! 
warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### فایرفاکس Firefox + +Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. 
+ +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### افزونه‌ها + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. 
If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. 
+ +### فایرفاکس Firefox + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### افزونه‌ها + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### IPFS + +InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +- [x] Select **Disabled** on Method to resolve IPFS resources + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). 
+ +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +--8<-- "includes/abbreviations.fa.txt" + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/fa/desktop.md b/i18n/fa/desktop.md new file mode 100644 index 00000000..0d4f97cf --- /dev/null +++ b/i18n/fa/desktop.md 
@@ -0,0 +1,184 @@ +--- +title: "Desktop/PC" +icon: simple/linux +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. 
+ + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). 
+ +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. 
+ +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. 
You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. 
+ +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. 
[Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/dns.md b/i18n/fa/dns.md new file mode 100644 index 00000000..48581c70 --- /dev/null +++ b/i18n/fa/dns.md 
@@ -0,0 +1,142 @@ +--- +title: "DNS Resolvers" +icon: material/dns +--- + +!!! question "Should I use encrypted DNS?" + + Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + + [Learn more about DNS](advanced/dns-overview.md){ .md-button } + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### Android + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). 
+ +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! 
recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." 
+ + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! 
recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +--8<-- "includes/abbreviations.fa.txt" + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. 
[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/fa/email-clients.md b/i18n/fa/email-clients.md new file mode 100644 index 00000000..f14610d3 --- /dev/null +++ b/i18n/fa/email-clients.md 
@@ -0,0 +1,239 @@
+---
+title: "Email Clients"
+icon: material/email-open
+---
+
+Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft.
+
+??? warning "Email does not provide forward secrecy"
+
+ When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email.
+
+ OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy:
+
+ [Real-time Communication](real-time-communication.md){ .md-button }
+
+## Cross-Platform
+
+### Thunderbird
+
+!!! recommendation
+
+ ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right }
+
+ **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation.
+
+ [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation}
+ [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.thunderbird.net)
+ - [:simple-apple: macOS](https://www.thunderbird.net)
+ - [:simple-linux: Linux](https://www.thunderbird.net)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird)
+
+#### فایرفاکس Firefox
+
+We recommend changing some of these settings to make Thunderbird a little more private.
+
+These options can be found in :material-menu: → **Settings** → **Privacy & Security**.
+
+##### Web Content
+
+- [ ] Uncheck **Remember websites and links I've visited**
+- [ ] Uncheck **Accept cookies from sites**
+
+##### Telemetry
+
+- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla**
+
+#### Thunderbird-user.js (advanced)
+
+[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js).
+
+## Platform Specific
+
+### Apple Mail (macOS)
+
+!!! recommendation
+
+ ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right }
+
+ **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email.
+
+ [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation}
+
+### Canary Mail (iOS)
+
+!!! recommendation
+
+ ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right }
+
+ **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock.
+
+ [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954)
+ - [:simple-windows11: Windows](https://canarymail.io/downloads.html)
+
+!!! warning
+
+ Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts.
+
+Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE.
+
+### FairEmail (Android)
+
+!!! recommendation
+
+ ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right }
+
+ **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage.
+
+ [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email)
+ - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases)
+
+### GNOME Evolution (GNOME)
+
+!!! recommendation
+
+ ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right }
+
+ **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started.
+
+ [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution)
+
+### K-9 Mail (Android)
+
+!!! recommendation
+
+ ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right }
+
+ **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP.
+
+ In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android.
+
+ [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9)
+ - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases)
+
+!!! warning
+
+ When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738).
+
+### Kontact (KDE)
+
+!!! recommendation
+
+ ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right }
+
+ **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client.
+
+ [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-linux: Linux](https://kontact.kde.org/download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact)
+
+### Mailvelope (Browser)
+
+!!! recommendation
+
+ ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right }
+
+ **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard.
+
+ [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc)
+
+### NeoMutt (CLI)
+
+!!! recommendation
+
+ ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right }
+
+ **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features.
+
+ NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable.
+
+ [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-apple: macOS](https://neomutt.org/distro)
+ - [:simple-linux: Linux](https://neomutt.org/distro)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Apps developed for open-source operating systems must be open-source.
+- Must not collect telemetry, or have an easy way to disable all telemetry.
+- Must support OpenPGP message encryption.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be open-source.
+- Should be cross-platform.
+- Should not collect any telemetry by default.
+- Should support OpenPGP natively, i.e. without extensions.
+- Should support storing OpenPGP encrypted emails locally.
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/email.md b/i18n/fa/email.md
new file mode 100644
index 00000000..018713f5
--- /dev/null
+++ b/i18n/fa/email.md
@@ -0,0 +1,485 @@
+---
+title: "Email Services"
+icon: material/email
+---
+
+Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy.
+
+[Recommended Instant Messengers](real-time-communication.md ""){.md-button}
+
+For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features.
+
+## OpenPGP Compatible Services
+
+These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
+
+!!! warning
+
+ When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview).
+
+ OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
+
+### Proton Mail
+
+!!! recommendation
+
+ ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right }
+
+ **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan.
+
+ [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905)
+ - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases)
+ - [:simple-windows11: Windows](https://proton.me/mail/bridge#download)
+ - [:simple-apple: macOS](https://proton.me/mail/bridge#download)
+ - [:simple-linux: Linux](https://proton.me/mail/bridge#download)
+ - [:octicons-browser-16: Web](https://mail.proton.me)
+
+Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
+
+If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free.
+
+Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**.
+
+??? success "Custom Domains and Aliases"
+
+ Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain.
+
+??? success "Private Payment Methods"
+
+ Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments.
+
+??? success "Account Security"
+
+ Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code.
+
+??? success "Data Security"
+
+ Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you.
+
+ Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon.
+
+??? success "Email Encryption"
+
+ Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP.
+
+ Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE.
+
+??? warning "Digital Legacy"
+
+ Proton Mail doesn't offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period.
+
+??? info "Additional Functionality"
+
+ Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage.
+
+### Mailbox.org
+
+!!! recommendation
+
+ ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right }
+
+ **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed.
+
+ [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:octicons-browser-16: Web](https://login.mailbox.org)
+
+??? success "Custom Domains and Aliases"
+
+ Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain.
+
+??? info "Private Payment Methods"
+
+ Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung.
+
+??? success "Account Security"
+
+ Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported.
+
+??? info "Data Security"
+
+ Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key.
+
+ However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information.
+
+??? success "Email Encryption"
+
+ Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox.
+
+ Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE.
+
+??? success "Digital Legacy"
+
+ Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address.
+
+??? info "Account Termination"
+
+ Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract).
+
+??? info "Additional Functionality"
+
+ You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors.
+
+ All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3.
+
+### StartMail
+
+!!! recommendation
+
+ ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right }
+ ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right }
+
+ **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial.
+
+ [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:octicons-browser-16: Web](https://mail.startmail.com/login)
+
+??? success "Custom Domains and Aliases"
+
+ Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available.
+
+??? warning "Private Payment Methods"
+
+ StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year.
+
+??? success "Account Security"
+
+ StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication.
+
+??? info "Data Security"
+
+ StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key.
+
+ StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption.
+
+??? success "Email Encryption"
+
+ StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys.
+
+??? warning "Digital Legacy"
+
+ StartMail does not offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration).
+
+??? info "Additional Functionality"
+
+ StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is.
+
+## More Providers
+
+These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers.
+
+### Tutanota
+
+!!! recommendation
+
+ ![Tutanota logo](assets/img/email/tutanota.svg){ align=right }
+
+ **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan.
+
+ [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609)
+ - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases)
+ - [:simple-windows11: Windows](https://tutanota.com/#download)
+ - [:simple-apple: macOS](https://tutanota.com/#download)
+ - [:simple-linux: Linux](https://tutanota.com/#download)
+ - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+
+Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders.
+
+??? success "Custom Domains and Aliases"
+
+ Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain.
+
+??? warning "Private Payment Methods"
+
+ Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore.
+
+??? success "Account Security"
+
+ Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F.
+
+??? success "Data Security"
+
+ Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you.
+
+??? warning "Email Encryption"
+
+ Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external).
+
+??? warning "Digital Legacy"
+
+ Tutanota doesn't offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay.
+
+??? info "Additional Functionality"
+
+ Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount.
+
+ Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y.
+
+## Email Aliasing Services
+
+An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address.
+
+Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning.
+
+Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain:
+
+- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly.
+- Replies are sent from the alias address, shielding your real email address.
+
+They also have a number of benefits over "temporary email" services:
+
+- Aliases are permanent and can be turned on again if you need to receive something like a password reset.
+- Emails are sent to your trusted mailbox rather than stored by the alias provider.
+- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you.
+
+Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign.
+
+Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider.
+
+### AnonAddy
+
+!!! recommendation
+
+ ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right }
+ ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right }
+
+ **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous.
+
+ [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app)
+ - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe)
+
+The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.
+
+Notable free features:
+
+- [x] 20 Shared Aliases
+- [x] Unlimited Standard Aliases
+- [ ] No Outgoing Replies
+- [x] 2 Recipient Mailboxes
+- [x] Automatic PGP Encryption
+
+### SimpleLogin
+
+!!! recommendation
+
+ ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right }
+
+ **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains.
+
+ [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
+
+ ???
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! 
recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. 
We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. 
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). 
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). 
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. 
(email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/encryption.md b/i18n/fa/encryption.md new file mode 100644 index 00000000..d254167c --- /dev/null +++ b/i18n/fa/encryption.md 
@@ -0,0 +1,357 @@ +--- +title: "Encryption Software" +icon: material/file-lock +--- + +Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here. + +## Multi-platform + +The options listed here are multi-platform and great for creating encrypted backups of your data. + +### Cryptomator (Cloud) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. 
Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. 
+ +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. 
Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! 
recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! 
recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? 
downloads
+
+ - [:simple-windows11: Windows](https://www.kryptor.co.uk)
+ - [:simple-apple: macOS](https://www.kryptor.co.uk)
+ - [:simple-linux: Linux](https://www.kryptor.co.uk)
+
+### Tomb
+
+!!! recommendation
+
+ ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right }
+
+ **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work).
+
+ [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute }
+
+## OpenPGP
+
+OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.
+
+When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
+
+!!! tip "Use future defaults when generating a key"
+
+ When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/):
+
+ ```bash
+ gpg --quick-gen-key alice@example.com future-default
+ ```
+
+### GNU Privacy Guard
+
+!!! recommendation
+
+ ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right }
+
+ **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government.
+
+ [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+ - [:simple-apple: macOS](https://gpgtools.org)
+ - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary)
+
+### GPG4win
+
+!!! recommendation
+
+ ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right }
+
+ **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005.
+
+ [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+
+### GPG Suite
+
+!!! note
+
+ We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices.
+
+!!! recommendation
+
+ ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right }
+
+ **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS.
+
+ We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support.
+
+ [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-apple: macOS](https://gpgtools.org)
+
+### OpenKeychain
+
+!!! recommendation
+
+ ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right }
+
+ **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).
+
+ [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Cross-platform encryption apps must be open-source.
+- File encryption apps must support decryption on Linux, macOS, and Windows.
+- External disk encryption apps must support decryption on Linux, macOS, and Windows.
+- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave.
+- File encryption apps should have first- or third-party support for mobile platforms.
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/file-sharing.md b/i18n/fa/file-sharing.md
new file mode 100644
index 00000000..2d22ffc6
--- /dev/null
+++ b/i18n/fa/file-sharing.md
@@ -0,0 +1,148 @@
+---
+title: "File Sharing and Sync"
+icon: material/share-variant
+---
+
+Discover how to privately share your files between your devices, with your friends and family, or anonymously online.
+
+## File Sharing
+
+### Send
+
+!!! recommendation
+
+ ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right }
+
+ **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself.
+
+ [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute }
+
+Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server:
+
+```bash
+ffsend upload --host https://send.vis.ee/ FILE
+```
+
+### OnionShare
+
+!!! recommendation
+
+ ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right }
+
+ **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files.
+
+ [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://onionshare.org/#download)
+ - [:simple-apple: macOS](https://onionshare.org/#download)
+ - [:simple-linux: Linux](https://onionshare.org/#download)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must not store decrypted data on a remote server.
+- Must be open-source software.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+## FreedomBox
+
+!!! recommendation
+
+ ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right }
+
+ **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host.
+
+ [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation}
+ [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute }
+
+## File Sync
+
+### Nextcloud (Client-Server)
+
+!!! recommendation
+
+ ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right }
+
+ **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control.
+
+ [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!! danger
+
+ We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality.
+
+### Syncthing (P2P)
+
+!!! recommendation
+
+ ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right }
+
+ **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS.
+
+ [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid)
+ - [:simple-windows11: Windows](https://syncthing.net/downloads/)
+ - [:simple-apple: macOS](https://syncthing.net/downloads/)
+ - [:simple-linux: Linux](https://syncthing.net/downloads/)
+ - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/)
+ - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/)
+ - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must not require a third-party remote/cloud server.
+- Must be open-source software.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Has mobile clients for iOS and Android, which at least support document previews.
+- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android.
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/frontends.md b/i18n/fa/frontends.md
new file mode 100644
index 00000000..e2a458be
--- /dev/null
+++ b/i18n/fa/frontends.md
@@ -0,0 +1,268 @@
+---
+title: "Frontends"
+icon: material/flip-to-front
+---
+
+Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions.
+
+## LBRY
+
+### Librarian
+
+!!! recommendation
+
+ ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right }
+ ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right }
+
+ **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" }
+
+!!! warning
+
+ Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy.
+
+!!! tip
+
+ Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting.
+
+When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## Twitter
+
+### Nitter
+
+!!! recommendation
+
+ ![Nitter logo](assets/img/frontends/nitter.svg){ align=right }
+
+ **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute }
+
+!!! tip
+
+ Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter).
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting.
+
+When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## TikTok
+
+### ProxiTok
+
+!!! recommendation
+
+ ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right }
+
+ **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" }
+
+!!! tip
+
+ ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting.
+
+When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## YouTube
+
+### FreeTube
+
+!!! recommendation
+
+ ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right }
+
+ **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device.
+
+ By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments.
+
+ [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://freetubeapp.io/#download)
+ - [:simple-apple: macOS](https://freetubeapp.io/#download)
+ - [:simple-linux: Linux](https://freetubeapp.io/#download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube)
+
+!!! warning
+
+ When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+### Yattee
+
+!!! recommendation
+
+ ![Yattee logo](assets/img/frontends/yattee.svg){ align=right }
+
+ **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device.
+
+ You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions.
+
+ [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629)
+ - [:simple-github: GitHub](https://github.com/yattee/yattee/releases)
+
+!!! warning
+
+ When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments.
+
+### LibreTube (Android)
+
+!!! recommendation
+
+ ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right }
+ ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right }
+
+ **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API.
+
+ LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well.
+
+ [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases)
+
+!!! warning
+
+ When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired.
+
+### NewPipe (Android)
+
+!!! recommendation annotate
+
+ ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right }
+
+ **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1).
+
+ Your subscription list and playlists are saved locally on your Android device.
+
+ [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases)
+
+1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances**
+
+!!! Warning
+
+ When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+### Invidious
+
+!!! recommendation
+
+ ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right }
+ ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right }
+
+ **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute }
+
+!!! warning
+
+ Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL.
+
+!!! tip
+
+ Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting.
+
+When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+### Piped
+
+!!! recommendation
+
+ ![Piped logo](assets/img/frontends/piped.svg){ align=right }
+
+ **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable.
+
+ Piped requires JavaScript in order to function and there are a number of public instances.
+
+ [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute }
+
+!!! tip
+
+ Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting.
+
+When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Recommended frontends...
+
+- Must be open-source software.
+- Must be self-hostable.
+- Must provide all basic website functionality available to anonymous users.
+
+We only consider frontends for websites which are...
+
+- Not normally accessible without JavaScript.
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/index.md b/i18n/fa/index.md
new file mode 100644
index 00000000..07466b4a
--- /dev/null
+++ b/i18n/fa/index.md
@@ -0,0 +1,44 @@
+---
+template: overrides/home.fa.html
+hide:
+ - navigation
+ - toc
+ - feedback
+---
+
+
+## Why should I care?
+
+##### “I have nothing to hide. Why should I care about my privacy?”
+
+Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination).
+
+You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human.
+
+[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary}
+
+## What should I do?
+
+##### First, you need to make a plan
+
+Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them.
+
+==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
+
+[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary}
+
+---
+
+## We need you!
Here's how to get involved:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" }
+[:material-information-outline:](about/index.md){ title="Learn more about us" }
+[:material-hand-coin-outline:](about/donate.md){ title="Support the project" }
+
+It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know.
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/kb-archive.md b/i18n/fa/kb-archive.md
new file mode 100644
index 00000000..ef94741f
--- /dev/null
+++ b/i18n/fa/kb-archive.md
@@ -0,0 +1,18 @@
+---
+title: KB Archive
+icon: material/archive
+---
+
+# Pages Moved to Blog
+
+Some pages that used to be in our knowledge base can now be found on our blog:
+
+- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
+- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
+- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
+- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/meta/brand.md b/i18n/fa/meta/brand.md
new file mode 100644
index 00000000..07e4bb19
--- /dev/null
+++ b/i18n/fa/meta/brand.md
@@ -0,0 +1,24 @@
+---
+title: Branding Guidelines
+---
+
+The name of the website is **Privacy Guides** and should **not** be changed to:
+
+
+- PrivacyGuides
+- Privacy guides
+- PG
+- PG.org
+
+
+The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**.
+
+Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand)
+
+## Trademark
+
+"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project.
+
+Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions.
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/meta/git-recommendations.md b/i18n/fa/meta/git-recommendations.md
new file mode 100644
index 00000000..fa2e1142
--- /dev/null
+++ b/i18n/fa/meta/git-recommendations.md
@@ -0,0 +1,48 @@
+---
+title: Git Recommendations
+---
+
+If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations.
+
+## Enable SSH Key Commit Signing
+
+You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
+
+1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo):
+ ```
+ git config --global commit.gpgsign true
+ git config --global gpg.format ssh
+ git config --global tag.gpgSign true
+ ```
+2. Copy your SSH public key to your clipboard, for example:
+ ```
+ pbcopy < ~/.ssh/id_ed25519.pub
+ # Copies the contents of the id_ed25519.pub file to your clipboard
+ ```
+3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard:
+ ```
+ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'
+ ```
+
+Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key).
+
+## Rebase on Git pull
+
+Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo).
+
+You can set this to be the default behavior:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase from `main` before submitting a PR
+
+If you are working on your own branch, run these commands before submitting a PR:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/meta/uploading-images.md b/i18n/fa/meta/uploading-images.md
new file mode 100644
index 00000000..61949c17
--- /dev/null
+++ b/i18n/fa/meta/uploading-images.md
@@ -0,0 +1,91 @@
+---
+title: Uploading Images
+---
+
+Here are a couple of general rules for contributing to Privacy Guides:
+
+## Images
+
+- We **prefer** SVG images, but if those do not exist we can use PNG images
+
+Company logos have canvas size of:
+
+- 128x128px
+- 384x128px
+
+## Optimization
+
+### PNG
+
+Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image:
+
+```bash
+optipng -o7 file.png
+```
+
+### SVG
+
+#### Inkscape
+
+[Scour](https://github.com/scour-project/scour) all SVG images.
+
+In Inkscape:
+
+1. File Save As..
+2. Set type to Optimized SVG (*.svg)
+
+In the **Options** tab:
+
+- **Number of significant digits for coordinates** > **5**
+- [x] Turn on **Shorten color values**
+- [x] Turn on **Convert CSS attributes to XML attributes**
+- [x] Turn on **Collapse groups**
+- [x] Turn on **Create groups for similar attributes**
+- [ ] Turn off **Keep editor data**
+- [ ] Turn off **Keep unreferenced definitions**
+- [x] Turn on **Work around renderer bugs**
+
+In the **SVG Output** tab under **Document options**:
+
+- [ ] Turn off **Remove the XML declaration**
+- [x] Turn on **Remove metadata**
+- [x] Turn on **Remove comments**
+- [x] Turn on **Embeded raster images**
+- [x] Turn on **Enable viewboxing**
+
+In the **SVG Output** under **Pretty-printing**:
+
+- [ ] Turn off **Format output with line-breaks and indentation**
+- **Indentation characters** > Select **Space**
+- **Depth of indentation** > **1**
+- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element**
+
+In the **IDs** tab:
+
+- [x] Turn on **Remove unused IDs**
+- [ ] Turn off **Shorten IDs**
+- **Prefix shortened IDs with** > `leave blank`
+- [x] Turn on **Preserve manually created IDs not ending with digits**
+- **Preserve the following IDs** > `leave blank`
+- **Preserve IDs starting with** > `leave blank`
+
+#### CLI
+
+The same can be achieved with the [Scour](https://github.com/scour-project/scour) command:
+
+```bash
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/meta/writing-style.md b/i18n/fa/meta/writing-style.md
new file mode 100644
index 00000000..6915a7ff
--- /dev/null
+++ b/i18n/fa/meta/writing-style.md
@@ -0,0 +1,89 @@
+---
+title: Writing Style
+---
+
+Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt.
+
+In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below.
+
+## Writing for our audience
+
+Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with.
+
+### Address only what people want to know
+
+People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details.
+
+> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.”
+
+### Address people directly
+
+We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly.
+
+> More than any other single technique, using “you” pulls users into the information and makes it relevant to them.
+>
+> When you use “you” to address users, they are more likely to understand what their responsibility is.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/)
+
+### Avoid "users"
+
+Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for.
+
+## Organizing content
+
+Organization is key.
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas.
+
+- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages.
+- Mark important ideas with **bold** or *italics*.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
+
+### Begin with a topic sentence
+
+> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details.
+>
+> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
+
+## Choose your words carefully
+
+> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand.
+
+We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly.
+
+> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences:
+>
+> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends.
+>
+> And the original, using stronger, simpler words:
+>
+> > More night jobs would keep youths off the streets.
+
+## Be concise
+
+> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
+
+## Keep text conversational
+
+> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting.
+>
+> Verbs tell your audience what to do. Make sure it’s clear who does what.
+
+### Use active voice
+
+> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.”
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
+
+### Use "must" for requirements
+
+> - “must” for an obligation
+> - “must not” for a prohibition
+> - “may” for a discretionary action
+> - “should” for a recommendation
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/mobile-browsers.md b/i18n/fa/mobile-browsers.md
new file mode 100644
index 00000000..1d8dfb6b
--- /dev/null
+++ b/i18n/fa/mobile-browsers.md
@@ -0,0 +1,193 @@
+---
+title: "Mobile Browsers"
+icon: material/cellphone-information
+---
+
+These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Android
+
+On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
+
+### Brave
+
+!!! recommendation
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ???
downloads annotate
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+
+#### فایرفاکس Firefox
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy**
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+##### Brave shields global defaults
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+
+- [x] Select **Aggressive** under Block trackers & ads
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] Select **Upgrade connections to HTTPS**
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under **Block fingerprinting**
+
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Clear browsing data
+
+- [x] Select **Clear data on exit**
+
+##### Social Media Blocking
+
+- [ ] Uncheck all social media components
+
+##### Other privacy settings
+
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Allow sites to check if you have payment methods saved**
+- [ ] Uncheck **IPFS Gateway** (1)
+- [x] Select **Close tabs on exit**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+
+1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+
+
+#### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## iOS
+
+On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser.
+
+### Safari
+
+!!! recommendation
+
+ ![Safari logo](assets/img/browsers/safari.svg){ align=right }
+
+ **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
+
+ [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation}
+
+#### فایرفاکس Firefox
+
+These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.
+
+##### Cross-Site Tracking Prevention
+
+- [x] Enable **Prevent Cross-Site Tracking**
+
+This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
+
+##### Privacy Report
+
+Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
+
+Privacy Report is accessible via the Page Settings menu.
+
+##### Privacy Preserving Ad Measurement
+
+- [ ] Disable **Privacy Preserving Ad Measurement**
+
+Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
+
+The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
+
+##### Always-on Private Browsing
+
+Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
+
+- [x] Select **Private**
+
+Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
+
+Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
+
+##### iCloud Sync
+
+Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303).
Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
+
+You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**.
+
+- [x] Turn On **Advanced Data Protection**
+
+If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
+
+### AdGuard
+
+!!! recommendation
+
+ ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right }
+
+ **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
+
+ AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge.
+
+ [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations.
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must support automatic updates.
+- Must receive engine updates in 0-1 days from upstream release.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Android browsers must use the Chromium engine.
+ - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android.
+ - iOS browsers are limited to WebKit.
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/multi-factor-authentication.md b/i18n/fa/multi-factor-authentication.md
new file mode 100644
index 00000000..3bd4e5d3
--- /dev/null
+++ b/i18n/fa/multi-factor-authentication.md
@@ -0,0 +1,144 @@
+---
+title: "Multi-Factor Authenticators"
+icon: 'material/two-factor-authentication'
+---
+
+## Hardware Security Keys
+
+### YubiKey
+
+!!! recommendation
+
+ ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
+
+ The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+ One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.
+
+ [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation}
+
+The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+!!! warning
+ The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+### Nitrokey / Librem Key
+
+!!! recommendation
+
+ ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
+
+ **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+ [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation}
+
+The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager.
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + + The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +!!! tip + + The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.
+
+## Authenticator Apps
+
+Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
+
+We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
+
+### Aegis Authenticator (Android)
+
+!!! recommendation
+
+ ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right }
+
+ **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services.
+
+ [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
+ - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases)
+
+### Raivo OTP (iOS)
+
+!!! recommendation
+
+ ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right }
+
+ **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app.
+
+ [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open-source software.
+- Must not require internet connectivity.
+- Must not sync to a third-party cloud sync/backup service.
+ - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud.
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/news-aggregators.md b/i18n/fa/news-aggregators.md
new file mode 100644
index 00000000..c0de18bc
--- /dev/null
+++ b/i18n/fa/news-aggregators.md
@@ -0,0 +1,173 @@
+---
+title: "News Aggregators"
+icon: material/rss
+---
+
+A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favourite blogs and news sites.
+
+## Aggregator clients
+
+### Akregator
+
+!!! recommendation
+
+ ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right }
+
+ **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading.
+
+ [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation}
+ [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator)
+
+### Feeder
+
+!!! recommendation
+
+ ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right }
+
+ **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+
+ [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play)
+
+### Fluent Reader
+
+!!! recommendation
+
+ ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right }
+
+ **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md).
+
+ [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://hyliu.me/fluent-reader)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427)
+
+### GNOME Feeds
+
+!!! recommendation
+
+ ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right }
+
+ **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast.
+
+ [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds)
+
+### Miniflux
+
+!!! recommendation
+
+ ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right }
+ ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right }
+
+ **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+
+ [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute }
+
+### NetNewsWire
+
+!!! recommendation
+
+ ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right }
+
+ **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds.
+
+ [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210)
+ - [:simple-apple: macOS](https://netnewswire.com)
+
+### Newsboat
+
+!!!
recommendation
+
+ ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right }
+
+ **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell).
+
+ [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" }
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open-source software.
+- Must operate locally, i.e. must not be a cloud service.
+
+## Social Media RSS Support
+
+Some social media services also support RSS although it's not often advertised.
+
+### Reddit
+
+Reddit allows you to subscribe to subreddits via RSS.
+
+!!! example
+ Replace `subreddit_name` with the subreddit you wish to subscribe to.
+
+ ```text
+ https://www.reddit.com/r/{{ subreddit_name }}/new/.rss
+ ```
+
+### Twitter
+
+Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS.
+
+!!! example
+ 1. Pick an instance and set `nitter_instance`.
+ 2. Replace `twitter_account` with the account name.
+
+ ```text
+ https://{{ nitter_instance }}/{{ twitter_account }}/rss
+ ```
+
+### YouTube
+
+You can subscribe YouTube channels without logging in and associating usage information with your Google Account.
+
+!!! example
+
+ To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below:
+ ```text
+ https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID]
+ ```
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/notebooks.md b/i18n/fa/notebooks.md
new file mode 100644
index 00000000..8c47f01d
--- /dev/null
+++ b/i18n/fa/notebooks.md
@@ -0,0 +1,115 @@
+---
+title: "Notebooks"
+icon: material/notebook-edit-outline
+---
+
+Keep track of your notes and journalings without giving them to a third-party.
+
+If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE.
+
+## Cloud-based
+
+### Joplin
+
+!!! recommendation
+
+ ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right }
+
+ **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes.
+
+ [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797)
+ - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases)
+ - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications)
+ - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications)
+ - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek)
+
+Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key.
+
+### Standard Notes
+
+!!! recommendation
+
+ ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right }
+
+ **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf).
+
+ [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450)
+ - [:simple-github: GitHub](https://github.com/standardnotes/app/releases)
+ - [:simple-windows11: Windows](https://standardnotes.com)
+ - [:simple-apple: macOS](https://standardnotes.com)
+ - [:simple-linux: Linux](https://standardnotes.com)
+ - [:octicons-globe-16: Web](https://app.standardnotes.com/)
+
+### Cryptee
+
+!!! recommendation
+
+ ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right }
+ ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right }
+
+ **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform.
+
+ [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:octicons-globe-16: PWA](https://crypt.ee/download)
+
+Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information.
+
+## Local notebooks
+
+### Org-mode
+
+!!! recommendation
+
+ ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right }
+
+ **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools.
+
+ [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute }
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Clients must be open-source.
+- Any cloud sync functionality must be E2EE.
+- Must support exporting documents into a standard format.
+
+### Best Case
+
+- Local backup/sync functionality should support encryption.
+- Cloud-based platforms should support document sharing.
+
+--8<-- "includes/abbreviations.fa.txt"
diff --git a/i18n/fa/os/android-overview.md b/i18n/fa/os/android-overview.md
new file mode 100644
index 00000000..bb93e22f
--- /dev/null
+++ b/i18n/fa/os/android-overview.md
@@ -0,0 +1,135 @@ +--- +title: Android Overview +icon: simple/android +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. 
At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. 
+ +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. 
+ +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. 
+ +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. 
It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Should you want to run an app that you're unsure about, consider using a user or work profile. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. 
+ +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. 
that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). 
This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. 
Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/os/linux-overview.md b/i18n/fa/os/linux-overview.md new file mode 100644 index 00000000..731dfba8 --- /dev/null +++ b/i18n/fa/os/linux-overview.md 
@@ -0,0 +1,143 @@ +--- +title: Linux Overview +icon: simple/linux +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). 
These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. 
This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). 
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. 
+ +## توصیه‌های عمومی + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. 
+ +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. 
+ +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). 
+ +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. 
+ +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/os/qubes-overview.md b/i18n/fa/os/qubes-overview.md new file mode 100644 index 00000000..557c3256 --- /dev/null +++ b/i18n/fa/os/qubes-overview.md @@ -0,0 +1,56 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. 
+ +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/passwords.md b/i18n/fa/passwords.md new file mode 100644 index 00000000..dbe30a96 --- /dev/null +++ b/i18n/fa/passwords.md 
@@ -0,0 +1,230 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. 
If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. 
+ + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! 
recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). 
+ + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/productivity.md b/i18n/fa/productivity.md new file mode 100644 index 00000000..63832903 --- /dev/null +++ b/i18n/fa/productivity.md 
@@ -0,0 +1,156 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! 
recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. 
+- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! 
recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. 
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/real-time-communication.md b/i18n/fa/real-time-communication.md new file mode 100644 index 00000000..9a51acf4 --- /dev/null +++ b/i18n/fa/real-time-communication.md 
@@ -0,0 +1,195 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. 
Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. 
+ + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. 
The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. 
+ +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/router.md b/i18n/fa/router.md new file mode 100644 index 00000000..4677d1a6 --- /dev/null +++ b/i18n/fa/router.md 
@@ -0,0 +1,51 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +--- + +Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. 
+ + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute } + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. + +--8<-- "includes/abbreviations.fa.txt" 
diff --git a/i18n/fa/search-engines.md b/i18n/fa/search-engines.md new file mode 100644 index 00000000..1b19c469 --- /dev/null +++ b/i18n/fa/search-engines.md 
@@ -0,0 +1,109 @@ +--- +title: "Search Engines" +icon: material/search-web +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! 
recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! 
recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. 
The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/tools.md b/i18n/fa/tools.md new file mode 100644 index 00000000..1c4e0a77 --- /dev/null +++ b/i18n/fa/tools.md 
@@ -0,0 +1,443 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/tor.md b/i18n/fa/tor.md new file mode 100644 index 00000000..0c8cf09d --- /dev/null +++ b/i18n/fa/tor.md @@ -0,0 +1,124 @@ +--- +title: "Tor Network" +icon: simple/torproject +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+ +- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md) + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! 
danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to. + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. 
It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/video-streaming.md b/i18n/fa/video-streaming.md new file mode 100644 index 00000000..8cc0135f --- /dev/null +++ b/i18n/fa/video-streaming.md 
@@ -0,0 +1,52 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. 
+ +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fa/vpn.md b/i18n/fa/vpn.md new file mode 100644 index 00000000..2d06ffdd --- /dev/null +++ b/i18n/fa/vpn.md 
@@ -0,0 +1,323 @@ +--- +title: "VPN Services" +icon: material/vpn +--- + +Find a no-logging VPN operator who isn’t out to sell or read your web traffic. + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +??? question "When are VPNs useful?" + + If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. + + [More Info](basics/vpn-overview.md){ .md-button } + +## Recommended Providers + +!!! abstract "Criteria" + + Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#our-criteria) for more information. + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +??? success annotate "67 Countries" + + Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). 
A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +??? success "Open-Source Clients" + + Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +??? success "Accepts Cash" + + Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment. + +??? success "WireGuard Support" + + Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +??? warning "Remote Port Forwarding" + + Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +??? 
info "Additional Functionality" + + Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +!!! danger "Killswitch feature is broken on Intel-based Macs" + + System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +??? success annotate "35 Countries" + + IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1). 
Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +??? success "Open-Source Clients" + + As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +??? success "Accepts Cash and Monero" + + In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +??? success "WireGuard Support" + + IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. 
+ + IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +??? info "Additional Functionality" + + IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. 
+ + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +??? success annotate "41 Countries" + + Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2023-01-19 + +??? success "Independently Audited" + + Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). 
The security researchers concluded: + + > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + + In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + + > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + + In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +??? success "Open-Source Clients" + + Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +??? 
success "Accepts Cash and Monero" + + Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +??? success "WireGuard Support" + + Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "IPv6 Support" + + Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +??? 
success "Mobile Clients" + + Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +??? info "Additional Functionality" + + Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. 
+ +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- Monero or cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts Monero, cash, and other forms of anonymous payment options (gift cards, etc.) +- No personal information accepted (autogenerated username, no email required, etc.) 
+ +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. 
We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. + +--8<-- "includes/abbreviations.fa.txt" diff --git a/i18n/fr/404.md b/i18n/fr/404.md new file mode 100644 index 00000000..0907d1e3 --- /dev/null +++ b/i18n/fr/404.md 
@@ -0,0 +1,17 @@ +--- +hide: + - feedback +--- + +# 404 - Page introuvable + +Nous n'avons pas pu trouver la page que vous recherchiez ! Peut-être recherchiez-vous l'une d'entre elles ? + +- [Introduction à la modélisation des menaces](basics/threat-modeling.md) +- [Fournisseurs DNS recommandés](dns.md) +- [Les meilleurs navigateurs web pour ordinateurs de bureau](desktop-browsers.md) +- [Les meilleurs fournisseurs de VPN](vpn.md) +- [Le forum de Privacy Guides](https://discuss.privacyguides.net) +- [Notre blog](https://blog.privacyguides.org) + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/CODE_OF_CONDUCT.md b/i18n/fr/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/fr/CODE_OF_CONDUCT.md 
@@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. 
**Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. 
diff --git a/i18n/fr/about/criteria.md b/i18n/fr/about/criteria.md new file mode 100644 index 00000000..78c645dc --- /dev/null +++ b/i18n/fr/about/criteria.md 
@@ -0,0 +1,42 @@ +--- +title: Critères généraux +--- + +!!! example "Travail inachevé" + + La page suivante est inachevée et ne reflète pas l'ensemble des critères de nos recommandations à l'heure actuelle. Discussion antérieure sur ce sujet : [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Vous trouverez ci-dessous certains éléments qui doivent s'appliquer à toutes les soumissions à Privacy Guides. Chaque catégorie aura des exigences supplémentaires pour être incluse. + +## Divulgation financière + +Nous ne gagnons pas d'argent en recommandant certains produits, nous n'utilisons pas de liens affiliés et nous n'accordons pas de considération particulière aux donateurs du projet. + +## Directives générales + +Nous appliquons ces priorités lorsque nous envisageons de nouvelles recommandations : + +- **Sécurisé** : les outils doivent respecter les bonnes pratiques en matière de sécurité, le cas échéant. +- **Disponibilité des sources** : les projets à source ouverte sont généralement préférés aux solutions propriétaires équivalentes. +- **Multiplateforme** : nous préférons généralement que les recommandations soient multiplateformes, afin d'éviter d'être coincé chez un fournisseur. +- **Développement actif** : les outils que nous recommandons doivent être activement maintenus. Les projets non maintenus seront, dans la plupart des cas, supprimés. +- **Facilité d'utilisation** : les outils doivent être accessibles à la plupart des utilisateurs d'ordinateurs, sans qu'un bagage trop technique soit nécessaire. +- **Documenté** : ses outils doivent disposer d'une documentation claire et complète pour leur utilisation. + +## Soumissions par les développeurs + +Nous avons ces exigences à l'égard des développeurs qui souhaitent soumettre leur projet ou logiciel pour examen. + +- Vous devez indiquer votre affiliation, c'est-à-dire votre position au sein du projet soumis. 
+ +- Vous devez avoir un livre blanc sur la sécurité s'il s'agit d'un projet qui implique la manipulation d'informations sensibles comme une messagerie, un gestionnaire de mots de passe, un stockage cloud chiffré, etc. + - Statut d'audit par une tierce partie. Nous voulons savoir si vous en avez un, ou si vous en prévoyez un. Si possible, veuillez mentionner qui mènera l'audit. + +- Vous devez expliquer ce que le projet apporte en matière de respect de la vie privée. + - Cela résout-il un nouveau problème ? + - Pourquoi devrait-on l'utiliser plutôt que d'autres solutions ? + +- Vous devez indiquer quel est le modèle de menace exact avec votre projet. + - Il doit être clair pour les utilisateurs potentiels ce que le projet peut fournir et ce qu'il ne peut pas fournir. + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/about/donate.md b/i18n/fr/about/donate.md new file mode 100644 index 00000000..6fc4c7a8 --- /dev/null +++ b/i18n/fr/about/donate.md 
@@ -0,0 +1,52 @@
+---
+title: Nous soutenir
+---
+
+
+De nombreuses [personnes](https://github.com/privacyguides/privacyguides.org/graphs/contributors) ainsi qu'un [travail](https://github.com/privacyguides/privacyguides.org/pulse/monthly) conséquent sont nécessaires afin de maintenir Privacy Guides à jour et de transmettre nos connaissances concernant la vie privée et la surveillance de masse. Si vous aimez ce que nous faisons, envisagez de vous impliquer en [éditant le site](https://github.com/privacyguides/privacyguides.org) ou en [contribuant aux traductions](https://crowdin.com/project/privacyguides).
+
+Si vous souhaitez nous soutenir financièrement, la méthode la plus simple est de contribuer via le site web Open Collective, qui est géré par notre hébergeur fiscal. Open Collective accepte les paiements par carte de crédit/débit, PayPal et virements bancaires.
+
+[Faire un don sur OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary}
+
+Les dons qui nous sont faits via Open Collective sont généralement déductibles des impôts aux États-Unis, car notre hôte fiscal (la Fondation Open Collective) est une organisation enregistrée 501(c)3. Vous recevrez un reçu de la Fondation Open Collective après avoir fait votre don. Privacy Guides ne fournit pas de conseils financiers, et vous devez contacter votre conseiller fiscal pour savoir si cela s'applique à vous.
+
+Vous pouvez également nous soutenir via les sponsors GitHub.
+
+[Soutenez-nous sur GitHub](https://github.com/sponsors/privacyguides ""){.md-button}
+
+## Donateurs
+
+Un grand merci à tous ceux qui soutiennent notre mission ! :heart:
+
+*Remarque : Cette section charge un widget directement depuis Open Collective. Cette section ne reflète pas les dons effectués en dehors de l'Open Collective, et nous n'avons aucun contrôle sur l'ordre des donateurs présentés dans cette section.*
+
+
+## A Quoi Servent Vos Dons ?
+
+Privacy Guides est une **organisation à but non lucratif** . Nous utilisons les dons à des fins diverses, notamment :
+
+**Noms de Domaine**
+:
+
+Nous avons quelques noms de domaine comme `privacyguides.org` qui nous coûtent environ 10 $ par an pour maintenir leur enregistrement.
+
+**Hébergement Web**
+:
+
+Plusieurs centaines de gigaoctets de trafic sont générés sur ce site chaque mois. Nous faisons appel à différents fournisseurs de services pour gérer ce trafic.
+
+**Services En Ligne**
+:
+
+Nous hébergeons [des services internet](https://privacyguides.net) pour tester et présenter différents produits qui respectent votre vie privée, que nous apprécions et que nous [recommandons](../tools.md). Certains sont mis à la disposition du public pour l'usage de notre communauté (SearXNG, Tor, etc.), et d'autres sont fournis aux membres de notre équipe (courriel, etc.).
+
+**Achats de Produits**
+:
+
+Nous achetons occasionnellement des produits et des services dans le but de tester nos [outils recommandés](../tools.md).
+
+Nous travaillons toujours avec notre hôte fiscal (la Fondation Open Collective) pour recevoir des dons en crypto-monnaies. Pour l'instant, la comptabilité est irréalisable pour de nombreuses petites transactions, mais cela devrait changer à l'avenir. En attendant, si vous souhaitez faire un don important en crypto-monnaies (> 100 $), veuillez contacter [jonah@privacyguides.org](mailto:jonah@privacyguides.org).
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/about/index.md b/i18n/fr/about/index.md
new file mode 100644
index 00000000..f9ef3469
--- /dev/null
+++ b/i18n/fr/about/index.md
@@ -0,0 +1,63 @@
+---
+title: "À propos de Privacy Guides"
+---
+
+**Privacy Guides** est un site web à vocation sociale qui fournit des informations pour protéger la sécurité de vos données et votre vie privée. Nous sommes un collectif à but non lucratif entièrement géré par des [membres bénévoles de l'équipe](https://discuss.privacyguides.net/g/team) et des contributeurs.
+
+[:material-hand-coin-outline: Soutenir le projet](donate.md ""){.md-button.md-button--primary}
+
+## Notre équipe
+
+??? person "@jonah"
+
+    - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah)
+    - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon")
+    - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me}
+    - [:fontawesome-solid-house: Page d'accueil](https://www.jonaharagon.com)
+
+??? person "@niek-de-wilde"
+
+    - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde)
+    - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447")
+    - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me}
+
+??? person "@dngray"
+
+    - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray)
+    - [:simple-github: GitHub](https://github.com/dngray "@dngray")
+    - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me}
+    - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org)
+
+??? person "@freddy"
+
+    - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy)
+    - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m")
+    - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me}
+    - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org)
+    - [:fontawesome-solid-house: Page d'accueil](https://freddy.omg.lol)
+
+??? 
person "@mfwmyfacewhen"
+
+    - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen)
+    - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen")
+    - [:fontawesome-solid-house: Page d'accueil](https://mfw.omg.lol)
+
+??? person "@olivia"
+
+    - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia)
+    - [:simple-github: GitHub](https://github.com/hook9 "@hook9")
+    - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me}
+
+De plus, [de nombreuses personnes](https://github.com/privacyguides/privacyguides.org/graphs/contributors) ont apporté des contributions au projet. Vous pouvez aussi, nous sommes open source sur GitHub !
+
+Les membres de notre équipe examinent toutes les modifications apportées au site et s'occupent des tâches administratives telles que l'hébergement et les finances, mais ils ne profitent pas personnellement des contributions apportées à ce site. Nos finances sont hébergées de manière transparente par la Fondation Open Collective 501(c)(3) sur [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Les dons à Privacy Guides sont généralement déductibles des impôts aux États-Unis.
+
+## Licence de site
+
+*Ce qui suit est un résumé lisible par l'homme de la [licence](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE) (et ne se substitue pas à celle-ci) :*
+
+:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Sauf indication contraire, le contenu original de ce site web est mis à disposition sous la [licence publique internationale Creative Commons Attribution-NoDerivatives 4.0](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE).
Cela signifie que vous êtes libre de copier et de redistribuer le matériel sur n'importe quel support ou dans n'importe quel format, à n'importe quelle fin, même commerciale, pour autant que vous accordiez le crédit approprié à `Privacy Guides (www.privacyguides.org)` et que vous fournissiez un lien vers la licence. Vous **ne pouvez pas** utiliser la marque Privacy Guides dans votre propre projet sans l'approbation expresse de ce projet. Si vous remixez, transformez ou construisez sur le contenu de ce site web, vous n'êtes pas autorisé à distribuer le matériel modifié.
+
+Cette licence a été mise en place pour empêcher les gens de partager notre travail sans en donner le crédit approprié, et pour empêcher les gens de modifier notre travail d'une manière qui pourrait être utilisée pour induire les gens en erreur. Si vous trouvez les termes de cette licence trop restrictifs pour le projet sur lequel vous travaillez, veuillez nous contacter à l'adresse `jonah@privacyguides.org`. Nous serons heureux de fournir des options de licence alternatives pour les projets bien intentionnés dans le domaine de la vie privée !
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/about/notices.md b/i18n/fr/about/notices.md
new file mode 100644
index 00000000..0f33d67c
--- /dev/null
+++ b/i18n/fr/about/notices.md
@@ -0,0 +1,45 @@
+---
+title: "Avis de non-responsabilité"
+hide:
+  - toc
+---
+
+## Avertissement légal
+
+Privacy Guides n'est pas un cabinet d'avocats. À ce titre, le site web Privacy Guides et les contributeurs ne fournissent pas de conseils juridiques. Le contenu et les recommandations de notre site web et de nos guides ne constituent pas des conseils juridiques. Et le fait de contribuer au site web ou de communiquer avec Privacy Guides ou d'autres contributeurs au sujet de notre site web ne crée pas une relation avocat-client.
+
+La gestion de ce site web, comme toute entreprise humaine, comporte des incertitudes et des compromis. Nous espérons que ce site web vous aidera, mais il peut comporter des erreurs et ne peut pas répondre à toutes les situations. Si vous avez des questions sur votre situation, nous vous encourageons à faire vos propres recherches, à consulter d'autres experts et à participer à des discussions avec la communauté Privacy Guides. Si vous avez des questions d'ordre juridique, vous devez consulter votre propre conseiller juridique avant de poursuivre.
+
+Privacy Guides est un projet open-source dont la contribution est soumise à des licences comprenant des conditions qui, pour la protection du site web et de ses contributeurs, précisent que le projet et le site Privacy Guides sont proposés "en l'état", sans garantie, et déclinent toute responsabilité pour les dommages résultant de l'utilisation du site web ou des recommandations qu'il contient. Privacy Guides ne garantit en aucun cas et ne fait aucune déclaration concernant l'exactitude, les résultats probables ou la fiabilité de l'utilisation des éléments sur le site web ou autrement liés sur le site web ou sur tout autre site tiers lié à ce site.
+
+En outre, Privacy Guides ne garantit pas que ce site web sera constamment disponible, ou disponible tout court.
+
+## Licences
+
+Sauf indication contraire, tout le contenu de ce site web est mis à disposition gratuitement selon les termes de la [Creative Commons CC0 1.0 Universal](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE).
+
+Cela n'inclut pas le code tiers intégré dans ce dépôt, ou le code pour lequel une licence de remplacement est indiquée. Les exemples suivants sont notables, mais cette liste n'est pas exhaustive :
+
+* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/mathjax.js) est sous licence [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/LICENSE.mathjax.txt).
+
+Certaines parties de cet avis ont été reprises du projet [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) sur GitHub. Cette ressource et cette page elle-même sont publiées sous [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE).
+
+Cela signifie que vous pouvez utiliser le contenu lisible par l'homme de ce dépôt pour votre propre projet, conformément aux conditions décrites dans le texte universel CC0 1.0. Vous **ne pouvez pas** utiliser la marque Privacy Guides dans votre propre projet sans l'approbation expresse de ce projet. Les marques de commerce de Privacy Guides comprennent le mot-clé et le logo "Privacy Guides". Les marques déposées de Privacy Guides comprennent l'appellation « Privacy Guides » ainsi que le logo Shield.
+
+Nous estimons que les logos et autres images des `actifs` obtenus auprès de fournisseurs tiers sont soit du domaine public, soit **d'un usage raisonnable**. En résumé, la [doctrine d'usage raisonnable](https://fr.wikipedia.org/wiki/Fair_use) permet l'utilisation d'images protégées par le droit d'auteur afin d'identifier le sujet à des fins de commentaire public. Toutefois, ces logos et autres images peuvent encore être soumis aux lois sur les marques commerciales dans une ou plusieurs juridictions.
Avant d'utiliser ce contenu, veuillez vous assurer qu'il permet d'identifier l'entité ou l'organisation propriétaire de la marque et que vous avez le droit de l'utiliser en vertu des lois applicables dans les circonstances de votre utilisation prévue. *Lorsque vous copiez le contenu de ce site web, vous êtes seul responsable de vous assurer que vous ne violez pas la marque ou le droit d'auteur de quelqu'un d'autre.*
+
+Lorsque vous contribuez à ce dépôt, vous le faites sous les licences mentionnées ci-dessus.
+
+## Utilisation acceptable
+
+Il est interdit d'utiliser ce site web d'une manière qui cause ou pourrait causer des dommages au site web ou compromettre la disponibilité ou l'accessibilité des guides de confidentialité, ou d'une manière qui serait illégale, frauduleuse ou nuisible, ou en relation avec un objectif ou une activité illégale, frauduleuse ou nuisible.
+
+Vous ne devez pas mener d'activités de collecte de données systématiques ou automatisées sur ou en relation avec ce site web sans le consentement écrit exprès d'Aragon Ventures LLC, y compris :
+
+* Analyses automatisées excessives
+* Attaques par déni de service
+* [Web scrapping](https://fr.wikipedia.org/wiki/Web_scraping)
+* Extraction de données
+* 'Framing' (IFrames)
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/about/privacy-policy.md b/i18n/fr/about/privacy-policy.md
new file mode 100644
index 00000000..38de9feb
--- /dev/null
+++ b/i18n/fr/about/privacy-policy.md
@@ -0,0 +1,63 @@
+---
+title: "Politique de confidentialité"
+---
+
+Privacy Guides est un projet communautaire géré par un certain nombre de bénévoles actifs. La liste actuelle des membres de notre équipe se trouve [ici sur GitHub](https://github.com/orgs/privacyguides/people).
+
+## Collecte et utilisation des données
+
+Le respect de la vie privée étant importante pour nous, nous ne traquons pas les personnes individuellement. En tant que visisteur sur notre site web :
+
+- Aucune information personnelle n'est collectée
+- Aucune information telle que les cookies n'est stockée dans le navigateur
+- Aucune information n'est partagée, envoyée ou vendue à des tiers
+- Aucune information n'est partagée avec des sociétés de publicité
+- Aucune information n'est exploitée et récoltée pour établir des tendances personnelles et comportementales
+- Aucune information n'est monétisée
+
+Vous pouvez consulter les données que nous collectons sur notre page [statistiques](statistics.md).
+
+Nous avons mis en place une installation auto-hébergée de [Plausible Analytics](https://plausible.io) pour collecter certaines données d'utilisation anonymes à des fins statistiques. L'objectif est de suivre les tendances générales du trafic de notre site web, et non de suivre les visiteurs individuellement. Toutes les données sont regroupées uniquement. Aucune information personnelle n'est collectée.
+
+Les données collectées comprennent les sources de référence, les pages les plus consultées, la durée de la visite, les informations sur les appareils (type d'appareil, système d'exploitation, pays et navigateur) utilisés pendant la visite, etc. Vous pouvez en savoir plus sur la manière dont Plausible fonctionne et collecte les informations dans le respect de la vie privée [ici](https://plausible.io/data-policy).
+
+## Données que nous recueillons auprès des détenteurs d'un compte
+
+Sur certains sites web et services que nous fournissons, de nombreuses fonctionnalités peuvent nécessiter un compte. Par exemple, un compte peut être nécessaire pour publier et répondre à des sujets sur une plateforme de forum.
+
+Pour s'inscrire à la plupart des comptes, nous recueillons un nom, un nom d'utilisateur, une adresse électronique et un mot de passe. Si un site web requiert plus d'informations que ces seules données, cela sera clairement indiqué et noté dans une politique de confidentialité distincte pour chaque site.
+
+Nous utilisons les données de votre compte pour vous identifier sur le site web et pour créer des pages qui vous sont spécifiques, telles que votre page de profil. Nous utiliserons également les données de votre compte pour publier un profil public vous concernant sur nos services.
+
+Nous utilisons votre e-mail pour :
+
+- Vous informer de la publication de messages et d'autres activités sur les sites web ou les services.
+- Réinitialisez votre mot de passe et contribuez à la sécurité de votre compte.
+- Vous contacter dans des circonstances particulières liées à votre compte.
+- Vous contacter au sujet de demandes légales, telles que les demandes de retrait DMCA.
+
+Sur certains sites web et services, vous pouvez fournir des informations supplémentaires pour votre compte, telles qu'une courte biographie, un avatar, votre localisation ou votre date d'anniversaire. Nous mettons ces informations à la disposition de tous ceux qui peuvent accéder au site web ou au service en question. Ces informations ne sont pas nécessaires pour utiliser l'un de nos services et peuvent être effacées à tout moment.
+
+Nous conserverons les données de votre compte tant que celui-ci restera ouvert. Après la fermeture d'un compte, nous pouvons conserver une partie ou la totalité des données de votre compte sous forme de sauvegardes ou d'archives pendant 90 jours au maximum.
+
+## Nous contacter
+
+L'équipe de Privacy Guides n'a généralement pas accès aux données personnelles en dehors d'un accès limité accordé via certains panneaux de modération. Pour toute question concernant vos données personnelles, vous pouvez nous contacter à cette adresse :
+
+```text
+Jonah Aragon
+Administrateur de services
+jonah@privacyguides.org
+```
+
+Pour toute autre demande, vous pouvez contacter n'importe quel autre membre de notre équipe.
+
+De manière plus générale, pour les plaintes en vertu du RGPD. Vous pouvez les déposer auprès de vos autorités locales de surveillance de la protection des données. En France, c'est la Commission Nationale de l'Informatique et des Libertés qui s'occupent notamment de gérer ces plaintes. Ils fournissent un [modèle de lettre de plainte](https://www.cnil.fr/en/plaintes) à utiliser.
+
+## À propos de cette politique de confidentialité
+
+Nous publierons toute nouvelle version de cette déclaration [ici](privacy-policy.md). Il se peut que nous modifiions la manière dont nous annonçons les changements dans les futures versions de ce document. Nous pouvons également mettre à jour nos coordonnées à tout moment sans annoncer de changement. Veuillez vous référer à la [politique de confidentialité](privacy-policy.md) pour obtenir les dernières informations de contact à tout moment.
+
+Un [historique](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) de révision complet de cette page peut être trouvé sur GitHub.
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/about/privacytools.md b/i18n/fr/about/privacytools.md
new file mode 100644
index 00000000..fda4fd59
--- /dev/null
+++ b/i18n/fr/about/privacytools.md
@@ -0,0 +1,120 @@
+---
+title: "FAQ PrivacyTools"
+---
+
+# Pourquoi nous avons abandonné PrivacyTools
+
+En septembre 2021, tous les contributeurs actifs ont accepté à l'unanimité de quitter PrivacyTools pour travailler sur ce site : Privacy Guides. Cette décision a été prise parce que le fondateur et contrôleur du nom de domaine de PrivacyTools avait disparu pendant une longue période et n'a pas pu être contacté.
+
+Ayant construit un site et un ensemble de services réputés sur PrivacyTools.io, cela a suscité de graves inquiétudes pour l'avenir de PrivacyTools, car toute perturbation future pourrait anéantir l'ensemble de l'organisation sans méthode de récupération. Cette transition a été communiquée à la communauté PrivacyTools de nombreux mois à l'avance par le biais de divers canaux, notamment son blog, Twitter, Reddit et Mastodon, afin de garantir que l'ensemble du processus se déroule aussi bien que possible. Nous avons fait cela pour nous assurer que personne n'était tenu dans l'ignorance, ce qui a été notre modus operandi depuis la création de notre équipe, et pour nous assurer que Privacy Guides était reconnu comme la même organisation fiable que PrivacyTools était avant la transition.
+
+Une fois le déménagement terminé, le fondateur de PrivacyTools est revenu et a commencé à diffuser des informations erronées sur le projet Privacy Guides. Ils continuent à diffuser des informations erronées en plus d'exploiter un parc de liens payants sur le domaine PrivacyTools. Nous avons créé cette page pour dissiper tout malentendu.
+
+## Qu'est-ce que PrivacyTools ?
+
+PrivacyTools a été créé en 2015 par "BurungHantu", qui voulait faire une ressource d'information sur la vie privée - des outils utiles suite aux révélations de Snowden.
Le site est devenu un projet open-source florissant avec [de nombreux contributeurs](https://github.com/privacytools/privacytools.io/graphs/contributors), dont certains se sont vus confier diverses responsabilités organisationnelles, telles que l'exploitation de services en ligne comme Matrix et Mastodon, la gestion et l'examen des modifications apportées au site sur GitHub, la recherche de sponsors pour le projet, la rédaction d'articles de blog et l'exploitation de plateformes de sensibilisation aux médias sociaux comme Twitter, etc.
+
+À partir de 2019, BurungHantu s'est éloigné de plus en plus du développement actif du site web et des communautés, et a commencé à retarder les paiements dont il était responsable liés aux serveurs que nous exploitions. Pour éviter que notre administrateur système ne paie les coûts du serveur de sa propre poche, nous avons changé les méthodes de don indiquées sur le site, passant des comptes PayPal et crypto personnels de BurungHantu à une nouvelle page OpenCollective sur [31 octobre 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). Cela avait pour avantage de rendre nos finances totalement transparentes, une valeur à laquelle nous croyons fermement, et déductibles des impôts aux États-Unis, car elles étaient détenues par l'Open Collective Foundation 501(c)3. Ce changement a été accepté à l'unanimité par l'équipe et n'a pas été contesté.
+
+## Pourquoi nous sommes passés à autre chose
+
+En 2020, l'absence de BurungHantu s'est considérablement accentuée. À un moment, nous avons demandé que les serveurs de noms du domaine soient remplacés par des serveurs de noms contrôlés par notre administrateur système afin d'éviter toute perturbation future, et ce changement n'a été effectué que plus d'un mois après la demande initiale.
Il disparaissait du chat public et des salles de chat privées de l'équipe sur Matrix pendant des mois, faisant occasionnellement une apparition pour donner un petit feedback ou promettre d'être plus actif avant de disparaître à nouveau.
+
+En octobre 2020, l'administrateur système de PrivacyTools (Jonah) [a quitté](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) le projet en raison de ces difficultés, cédant le contrôle à un autre contributeur de longue date. Jonah a opéré presque tous les services de PrivacyTools et a agi comme le chef de projet *de facto* pour le développement du site web en l'absence de BurungHantu, donc son départ a été un changement significatif pour l'organisation. À l'époque, en raison de ces changements organisationnels importants, BurungHantu a promis à l'équipe restante qu'il reviendrait prendre le contrôle du projet à l'avenir. ==L'équipe PrivacyTools l'a contacté via plusieurs méthodes de communication au cours des mois suivants, mais n'a reçu aucune réponse.==
+
+## Dépendance des noms de domaine
+
+Au début de l'année 2021, l'équipe de PrivacyTools s'est inquiétée de l'avenir du projet, car le nom de domaine devait expirer le 1er mars 2021. Le domaine a finalement été renouvelé par BurungHantu sans commentaire.
+
+Les préoccupations de l'équipe n'ont pas été prises en compte, et nous avons réalisé que ce problème se poserait chaque année : si le domaine avait expiré, il aurait pu être volé par des squatteurs ou des spammeurs, ce qui aurait ruiné la réputation de l'organisation. Nous aurions également eu du mal à joindre la communauté pour l'informer de ce qui s'est passé.
+
+Sans contact avec BurungHantu, nous avons décidé que le meilleur plan d'action serait de passer à un nouveau nom de domaine pendant que nous avions encore le contrôle garanti de l'ancien nom de domaine, quelque temps avant mars 2022.
De cette façon, nous serions en mesure de rediriger proprement toutes les ressources PrivacyTools vers le nouveau site sans interruption de service. Cette décision a été prise plusieurs mois à l'avance et communiquée à l'ensemble de l'équipe dans l'espoir que BurungHantu prenne contact et assure son soutien continu au projet, car avec un nom de marque reconnaissable et de grandes communautés en ligne, s'éloigner de "PrivacyTools" était le résultat le moins souhaitable possible.
+
+À la mi-2021, l'équipe de PrivacyTools a contacté Jonah, qui a accepté de rejoindre l'équipe pour aider à la transition.
+
+## Appel à l'action de la communauté
+
+Fin juillet 2021, nous avons informé [ la communauté](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) PrivacyTools de notre intention de choisir un nouveau nom et de poursuivre le projet sur un nouveau domaine, qui sera [choisi](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) le 2 août 2022. En fin de compte, "Privacy Guides" a été choisi, avec le domaine `privacyguides.org` déjà détenu par Jonah pour un projet secondaire de 2020 qui n'a pas été développé.
+
+## Contrôle de r/privacytoolsIO
+
+En même temps que les problèmes du site privacytools.io, l'équipe de modération de r/privacytoolsIO était confrontée à des difficultés pour gérer le subreddit. Le subreddit a toujours été géré de manière indépendante du développement du site Web, mais BurungHantu en était également le principal modérateur, et il était le seul modérateur à bénéficier des privilèges de "contrôle total".
u/trai_dep était le seul modérateur actif à l'époque, et [a posté](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) une demande aux administrateurs de Reddit le 28 juin 2021, demandant qu'on lui accorde le poste de modérateur principal et tous les privilèges de contrôle, afin d'apporter les changements nécessaires au Subreddit.
+
+Reddit exige que les subreddits aient des modérateurs actifs. Si le modérateur principal est inactif pendant une longue période (par exemple un an), le poste de modérateur principal peut être réattribué au modérateur suivant. Pour que cette demande ait été accordée, BurungHantu devait avoir été complètement absent de toute activité Reddit pendant une longue période, ce qui était cohérent avec ses comportements sur d'autres plateformes.
+
+> Si vous avez été retiré en tant que modérateur d'un sous-rédit via la demande Reddit, c'est parce que votre manque de réponse et votre manque d'activité ont qualifié le sous-rédit pour un transfert de r/redditrequest.
+>
+> r/redditrequest est le moyen utilisé par Reddit pour s'assurer que les communautés ont des modérateurs actifs et fait partie du [code de conduite des modérateurs](https://www.redditinc.com/policies/moderator-code-of-conduct).
+
+## Début de la transition
+
+Le 14 septembre 2021, nous [avons annoncé](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) le début de notre migration vers ce nouveau domaine :
+
+> [...] nous avons jugé nécessaire d'effectuer ce changement plus tôt que prévu afin que les gens soient informés de cette transition le plus tôt possible. Cela nous laisse suffisamment de temps pour effectuer la transition du nom de domaine, qui est actuellement redirigé vers www.privacyguides.org, et nous espérons que tout le monde aura le temps de remarquer le changement, de mettre à jour les signets et les sites web, etc.
+
+Ce changement [a entraîné :](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/)
+
+- Redirection de www.privacytools.io vers [www.privacyguides.org](https://www.privacyguides.org).
+- Archiver le code source sur GitHub pour préserver notre travail passé et le suivi de tickets, que nous avons continué à utiliser pendant des mois de développement futur de ce site.
+- Publier des annonces dans notre sous-reddit et dans diverses autres communautés pour informer les gens du changement officiel.
+- Fermer formellement les services privacytools.io, comme Matrix et Mastodon, et encourager les utilisateurs existants à migrer dès que possible.
+
+Les choses semblaient se dérouler sans problème, et la plupart de notre communauté active a fait le passage à notre nouveau projet exactement comme nous l'espérions.
+
+## Événements suivants
+
+Environ une semaine après la transition, BurungHantu est revenu en ligne pour la première fois depuis près d'un an, mais personne dans notre équipe n'était prêt à revenir à PrivacyTools en raison de son manque de fiabilité historique. Au lieu de s'excuser de son absence prolongée, il est immédiatement passé à l'offensive et a présenté le passage à Privacy Guides comme une attaque contre lui et son projet. Il a ensuite [supprimé](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) nombre de ces messages lorsque la communauté lui a fait remarquer qu'il avait été absent et avait abandonné le projet.
+
+À ce stade, BurungHantu a déclaré qu'il voulait continuer à travailler sur privacytools.io par lui-même et a demandé que nous supprimions la redirection de www.privacytools.io vers [www.privacyguides.org](https://www.privacyguides.org).
Nous avons accepté et lui avons demandé de garder les sous-domaines de Matrix, Mastodon et PeerTube actifs pour que nous les gérions comme un service public pour notre communauté pendant au moins quelques mois, afin de permettre aux utilisateurs de ces plateformes de migrer facilement vers d'autres comptes. En raison de la nature fédérée des services que nous fournissions, ils étaient liés à des noms de domaine spécifiques, ce qui rendait la migration très difficile (et dans certains cas impossible).
+
+Malheureusement, parce que le contrôle du sous-breddit r/privacytoolsIO n'a pas été retourné à BurungHantu à sa demande (plus d'informations ci-dessous), ces sous-domaines ont été [coupés](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) au début d'octobre, mettant fin à toute possibilité de migration vers les utilisateurs utilisant toujours ces services.
+
+Suite à cela, BurungHantu a lancé de fausses accusations selon lesquelles Jonah aurait volé les dons du projet. BurungHantu avait plus d'un an depuis l'incident présumé pour informer la communauté, et pourtant, il n'en a informé personne avant la migration vers Privacy Guides. L'équipe [et la communauté](https://twitter.com/TommyTran732/status/1526153536962281474)ont demandé à plusieurs reprises à BurungHantu de fournir des preuves et de s'expliquer sur la raison de son silence, mais il ne l'a pas fait.
+
+BurungHantu a également publié [un message sur Twitter](https://twitter.com/privacytoolsIO/status/1510560676967710728) prétendant qu'un "avocat" l'avait contacté sur Twitter et lui donnait des conseils, dans une autre tentative de nous intimider pour que nous lui donnions le contrôle de notre subreddit, et dans le cadre de sa campagne de diffamation visant à brouiller les pistes concernant le lancement de Privacy Guides tout en prétendant être une victime.
+ +## PrivacyTools.io maintenant + +Depuis le 25 septembre 2022, nous voyons les plans de BurungHantu se dessiner sur privacytools.io, et c'est la raison pour laquelle nous avons décidé de créer cette page explicative aujourd'hui. Le site qu'il exploite semble être une version fortement optimisée pour le référencement du site qui recommande des outils en échange d'une compensation financière. Très récemment, IVPN et Mullvad, deux fournisseurs de VPN presque universellement [recommandés](../vpn.md) par la communauté de la protection de la vie privée et remarquables pour leur position contre les programmes d'affiliation ont été retirés de PrivacyTools. A leur place ? NordVPN, Surfshark, ExpressVPN, et hide.me; Des géantes sociétés de VPN avec des plateformes et des pratiques commerciales peu fiables, connues pour leur marketing agressif et leurs programmes d'affiliation. + +==**PrivacyTools est devenu exactement le type de site contre lequel nous [avons mis en garde](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) sur le blog PrivacyTools en 2019.**== Nous avons essayé de garder notre distance avec PrivacyTools depuis la transition, mais leur harcèlement continu à l'égard de notre projet et maintenant leur abus absurde de la crédibilité que leur marque a gagné depuis plus de 6 ans de contributions open source est extrêmement troublant à nos yeux. Ceux d'entre nous qui luttent vraiment pour la protection de la vie privée ne se battent pas les uns contre les autres et ne reçoivent pas leurs conseils des plus offrant. 
+ +## r/privacytoolsIO maintenant + +Après le lancement de [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), il n'était pas pratique pour u/trai_dep de continuer à modérer les deux subreddits, et avec l'adhésion de la communauté à la transition, r/privacytoolsIO a été [transformé en](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) en un subreddit restreint dans un post du 1er novembre 2021 : + +> [...] La croissance de ce sous-reddit a été le résultat de grands efforts, sur plusieurs années, par l'équipe PrivacyGuides.org. Et par chacun d'entre vous. +> +> Un sous-reddit représente beaucoup de travail à administrer et à modérer. Comme un jardin, il nécessite un entretien patient et des soins quotidiens. Ce n'est pas une tâche pour les dilettantes ou les personnes qui ont du mal à s'engager. Il ne peut pas prospérer sous la houlette d'un jardinier qui l'abandonne pendant plusieurs années, puis se présente en exigeant la récolte de cette année en guise de tribut. C'est injuste pour l'équipe formée il y a des années. C'est injuste pour vous. [...] + +Les sous-reddits n'appartiennent à personne, et ils n'appartiennent surtout pas aux détenteurs de marques. Ils appartiennent à leurs communautés, et la communauté et ses modérateurs ont pris la décision de soutenir le déplacement vers r/PrivacyGuides. + +Dans les mois qui ont suivi, BurungHantu a menacé et supplié de rendre le contrôle du subreddit à son compte, en violation des [règles](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) de Reddit : + +> Les représailles d'un modérateur à l'égard des demandes de suppression sont interdites. 
+ +Pour une communauté qui compte encore plusieurs milliers d'abonnés, nous estimons qu'il serait incroyablement irrespectueux de rendre le contrôle de cette énorme plateforme à la personne qui l'a abandonnée pendant plus d'un an et qui gère désormais un site web qui, selon nous, fournit des informations de très mauvaise qualité. Préserver les années de discussions passées dans cette communauté est plus important pour nous, et donc u/trai_dep et le reste de l'équipe de modération du subreddit a pris la décision de garder r/privacytoolsIO tel quel. + +## OpenCollective maintenant + +Notre plateforme de collecte de fonds, OpenCollective, est une autre source de discorde. Notre position est qu'OpenCollective a été mis en place par notre équipe et géré par notre équipe pour financer les services que nous exploitons actuellement et que PrivacyTools ne fait plus. Nous avons [contacté](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) tous nos donateurs au sujet de notre passage à Privacy Guides, et nous avons reçu le soutien unanime de nos sponsors et de notre communauté. + +Ainsi, les fonds dans OpenCollective appartiennent à Privacy Guides, ils ont été donnés à notre projet, et non au propriétaire d'un nom de domaine bien connu. Dans l'annonce faite aux donateurs le 17 septembre 2021, nous avons proposé un remboursement à tout donateur qui ne serait pas d'accord avec la position que nous avons adoptée, mais personne n'a accepté cette offre : + +> Si des sponsors ou des bailleurs de fonds sont en désaccord ou se sentent induits en erreur par ces événements récents et souhaitent demander un remboursement compte tenu de ces circonstances très inhabituelles, veuillez contacter notre administrateur de projet en envoyant un e-mail à jonah@triplebit.net. 
+ +## Pour en savoir plus + +Ce sujet a fait l'objet de nombreuses discussions au sein de nos communautés à divers endroits, et il est probable que la plupart des personnes qui lisent cette page connaissent déjà les événements qui ont conduit au passage aux guides de confidentialité. Certains de nos précédents billets sur le sujet peuvent contenir des détails supplémentaires que nous avons omis ici par souci de brièveté. Ils ont été mis en lien ci-dessous dans un souci d'exhaustivité. + +- [28 juin 2021 demande de contrôle de r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [27 juillet 2021 : annonce de nos intentions de déménager sur le blog PrivacyTools, écrite par l'équipe](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [13 septembre 2021 : annonce du début de notre transition vers Privacy Guides sur r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Annonce du 17 septembre 2021 sur OpenCollective par Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [30 septembre 2021 Fil Twitter détaillant la plupart des événements décrits sur cette page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [1er octobre 2021, publication de u/dng99 constatant un échec du sous-domaine](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [2 avr 2022 réponse de u/dng99 à l'article de blog accusatoire de PrivacyTools](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [16 mai 2022 réponse de @TommyTran732 sur Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post sur le forum de Techlore par @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) + +--8<-- "includes/abbreviations.fr.txt" 
diff --git a/i18n/fr/about/services.md b/i18n/fr/about/services.md
new file mode 100644
index 00000000..6f1fc168
--- /dev/null
+++ b/i18n/fr/about/services.md
@@ -0,0 +1,40 @@
+# Services de Privacy Guides
+
+Nous utilisons un certain nombre de services web pour tester des fonctionnalités et promouvoir des projets décentralisés, fédérés et/ou open-source. Bon nombre de ces services sont accessibles au public et sont détaillés ci-dessous.
+
+[:material-comment-alert: Signaler un problème](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary}
+
+## Discourse
+
+- Domaine : [discuss.privacyguides.net](https://discuss.privacyguides.net)
+- Disponibilité : public
+- Source : [github.com/discourse/discourse](https://github.com/discourse/discourse)
+
+## Gitea
+
+- Domaine : [code.privacyguides.dev](https://code.privacyguides.dev)
+- Disponibilité : sur invitation seulement
+ L'accès peut être accordé sur demande à toute équipe travaillant sur un développement ou du contenu lié à *Privacy Guides*.
+- Source : [snapcraft.io/gitea](https://snapcraft.io/gitea)
+
+## Matrix
+
+- Domaine : [matrix.privacyguides.org](https://matrix.privacyguides.org)
+- Disponibilité : sur invitation uniquement
+ L'accès peut être accordé sur demande aux membres de l'équipe de Privacy Guides, aux modérateurs de Matrix, aux administrateurs tiers de la communauté Matrix, aux opérateurs de robots Matrix et à d'autres personnes ayant besoin d'une présence fiable dans Matrix.
+- Source : [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy)
+
+## SearXNG
+
+- Domaine : [search.privacyguides.net](https://search.privacyguides.net)
+- Disponibilité : public
+- Source : [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker)
+
+## Invidious
+
+- Domaine : [invidious.privacyguides.net](https://invidious.privacyguides.net)
+- Disponibilité : semi-public
+ Nous hébergeons Invidious principalement pour servir les vidéos YouTube intégrées à notre site web. Cette instance n'est pas destinée à un usage général et peut être limitée à tout moment.
+- Source : [github.com/iv-org/invidious](https://github.com/iv-org/invidious)
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/about/statistics.md b/i18n/fr/about/statistics.md
new file mode 100644
index 00000000..ddedefe5
--- /dev/null
+++ b/i18n/fr/about/statistics.md
@@ -0,0 +1,63 @@
+---
+title: Statistiques de trafic
+---
+
+## Statistiques du site web
+
+
+
Statistiques alimentées par Plausible Analytics
+
+
+
+
+## Statistiques du blog
+
+
+
Statistiques alimentées par Plausible Analytics
+
+
+
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/advanced/communication-network-types.md b/i18n/fr/advanced/communication-network-types.md
new file mode 100644
index 00000000..01cd10ba
--- /dev/null
+++ b/i18n/fr/advanced/communication-network-types.md
@@ -0,0 +1,104 @@
+---
+title: "Types de réseaux de communication"
+icon: 'material/transit-connection-variant'
+---
+
+Il existe plusieurs architectures réseau couramment utilisées pour relayer des messages entre des personnes. Ces réseaux peuvent offrir des garanties différentes en matière de protection de la vie privée. C'est pourquoi il est utile de tenir compte de votre [modèle de menace](../basics/threat-modeling.md) lorsque vous décidez quelle application à utiliser.
+
+[Messageries instantanées recommandées](../real-time-communication.md ""){.md-button}
+
+## Réseaux Centralisés
+
+![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left }
+
+Les messageries centralisées sont celles où tous les participants se trouvent sur le même serveur ou réseau de serveurs, contrôlés par la même organisation.
+
+Certaines messageries auto-hébergées vous permettent de configurer votre propre serveur. L'auto-hébergement peut offrir des garanties de confidentialité supplémentaires, tel que l'absence de journaux d'utilisation ou un accès limité aux métadonnées (les données sur qui parle à qui). Les messageries centralisées auto-hébergées sont isolées et tout le monde doit être sur le même serveur pour communiquer.
+
+**Avantages :**
+
+- Les nouvelles fonctionnalités et les changements peuvent être mis en place plus rapidement.
+- Il est plus facile de démarrer et de trouver des contacts.
+- L'écosystème de fonctionnalités est plus mature et plus stable, car plus facile à programmer dans un logiciel centralisé.
+- Les problèmes de confidentialité peuvent être réduits lorsque vous faites confiance à un serveur que vous hébergez vous-même.
+
+**Inconvénients :**
+
+- Peut inclure des [restrictions de contrôle ou d'accès](https://drewdevault.com/2018/08/08/Signal.html). 
Cela peut inclure des choses telles que :
+- Être [interdit de connecter des clients tiers](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) au réseau centralisé, ce qui pourrait permettre une plus grande personnalisation ou une meilleure expérience. Ces modalités sont souvent définies dans les conditions d'utilisation.
+- Documentation insuffisante ou inexistante pour les développeurs tiers.
+- La [propriété](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), la politique de confidentialité et les opérations du service peuvent changer facilement lorsqu'une seule entité le contrôle, ce qui peut compromettre le service par la suite.
+- L'auto-hébergement demande des efforts et des connaissances sur la manière de mettre en place un service.
+
+## Réseaux Fédérés
+
+![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left }
+
+Les messageries fédérées utilisent plusieurs serveurs indépendants et décentralisés capables de communiquer entre eux (le courrier électronique est un exemple de service fédéré). La fédération permet aux administrateurs système de contrôler leur propre serveur tout en faisant partie d'un réseau de communication plus vaste.
+
+Lorsqu'ils sont auto-hébergés, les membres d'un serveur fédéré peuvent découvrir et communiquer avec les membres d'autres serveurs, bien que certains serveurs puissent choisir de rester privés en étant non fédérés (par exemple, un serveur d'équipe de travail).
+
+**Avantages :**
+
+- Permet un meilleur contrôle de vos propres données lorsque vous utilisez votre propre serveur.
+- Vous permet de choisir à qui confier vos données en choisissant entre plusieurs serveurs "publics".
+- Permet souvent l'utilisation de clients tiers qui peuvent fournir une expérience plus naturelle, personnalisée ou accessible. 
+- Il est possible de vérifier que le logiciel du serveur correspond au code source public, en supposant que vous avez accès au serveur ou que vous faites confiance à la personne qui y a accès (par exemple, un membre de la famille).
+
+**Inconvénients :**
+
+- L'ajout de nouvelles fonctionnalités est plus complexe, car ces dernières doivent être normalisées et testées pour s'assurer qu'elles fonctionnent avec tous les serveurs du réseau.
+- En raison du point précédent, les fonctionnalités peuvent manquer, être incomplètes ou fonctionner de manière inattendue par rapport aux plateformes centralisées, comme le relais des messages hors ligne ou la suppression des messages.
+- Certaines métadonnées peuvent être disponibles (par exemple, des informations comme "qui parle à qui", mais pas le contenu réel du message si le chiffrement de bout en bout est utilisé).
+- Les serveurs fédérés nécessitent généralement de faire confiance à l'administrateur de votre serveur. Il peut s'agir d'un amateur ou d'une personne qui n'est pas un "professionnel de la sécurité", et il se peut qu'il ne fournisse pas de documents aux normes comme une politique de confidentialité ou des conditions de service détaillant l'utilisation de vos données.
+- Les administrateurs de serveurs choisissent parfois de bloquer d'autres serveurs, qui sont une source d'abus non modérés ou qui enfreignent les règles générales de comportement accepté. Cela entravera votre capacité à communiquer avec les membres de ces serveurs.
+
+## Réseaux Pair-à-Pair
+
+![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left }
+
+Les messageries P2P se connectent à un [réseau distribué](https://fr.wikipedia.org/wiki/Réseau_distribué) de nœuds pour relayer un message au destinataire sans serveur tiers.
+
+Les clients (les pairs) se trouvent généralement les uns les autres grâce à l'utilisation d'un réseau de [calcul distribué](https://fr.wikipedia.org/wiki/Calcul_distribué). 
Citons par exemple les [Tables de Hachages Distribuées](https://fr.wikipedia.org/wiki/Table_de_hachage_distribuée) (THD), utilisées par les [Torrents](https://fr.wikipedia.org/wiki/BitTorrent) et [l'IPFS](https://fr.wikipedia.org/wiki/InterPlanetary_File_System). Une autre approche est celle des réseaux basés sur la proximité, où une connexion est établie par Wi-Fi ou Bluetooth (par exemple Briar ou le protocole de réseau social [Scuttlebutt](https://www.scuttlebutt.nz)).
+
+Lorsqu'un pair a trouvé une route vers son contact par l'une de ces méthodes, une connexion directe est établie entre eux. Bien que les messages soient généralement cryptés, un observateur peut toujours déduire l'emplacement et l'identité de l'expéditeur et du destinataire.
+
+Les réseaux P2P n'utilisent pas de serveurs, car les pairs communiquent directement entre eux, et ne peuvent donc pas être auto-hébergés. Cependant, certains services supplémentaires peuvent dépendre de serveurs centralisés, comme la découverte d'autres utilisateurs ou le relais des messages hors ligne, qui peuvent bénéficier de l'auto-hébergement.
+
+**Avantages :**
+
+- Minimum d'informations exposées à des tiers.
+- Les plateformes P2P modernes implémentent l'E2EE par défaut. Il n'y a pas de serveurs qui pourraient potentiellement intercepter et déchiffrer vos transmissions, contrairement aux modèles centralisés et fédérés.
+
+**Inconvénients :**
+
+- Ensemble de fonctionnalités réduit :
+- Les messages ne peuvent être envoyés que lorsque les deux pairs sont en ligne. Toutefois, votre client peut stocker les messages localement pour attendre le retour en ligne du contact.
+- Augmente généralement l'utilisation de la batterie sur les appareils mobiles, car le client doit rester connecté au réseau distribué pour savoir qui est en ligne.
+- Certaines fonctionnalités courantes de messageries peuvent ne pas être mises en œuvre ou de manière incomplète, comme la suppression des messages. 
+- Votre adresse IP et celle des contacts avec lesquels vous communiquez peuvent être exposées si vous n'utilisez pas le logiciel avec un VPN [](../vpn.md) ou [Tor](../tor.md). De nombreux pays disposent d'une forme de surveillance de masse et/ou de conservation des métadonnées.
+
+## Routage Anonyme
+
+![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left }
+
+Une messagerie utilisant le [routage anonyme](https://doi.org/10.1007/978-1-4419-5906-5_628) cache soit l'identité de l'expéditeur, celle du destinataire, ou la preuve qu'ils aient communiqué. Idéalement, une messagerie devrait cacher les trois.
+
+Il existe de [nombreuses](https://doi.org/10.1145/3182658) façons différentes de mettre en œuvre le routage anonyme. L'une des plus célèbres est le [routage en oignon](https://en.wikipedia.org/wiki/Onion_routing) comme [Tor](https://fr.wikipedia.org/wiki/Tor_(réseau)), qui communique des messages chiffrés par le biais d'un [réseau superposé](https://fr.wikipedia.org/wiki/Réseau_superposé) qui masque l'emplacement de chaque nœud ainsi que le destinataire et l'expéditeur de chaque message. L'expéditeur et le destinataire n'interagissent jamais directement et ne se rencontrent que par l'intermédiaire d'un nœud de rendez-vous secret, de sorte qu'il n'y ait aucune fuite d'adresses IP ni de localisation physique. Les nœuds ne peuvent pas déchiffrer les messages ni la destination finale, seul le destinataire le peut. Chaque nœud intermédiaire ne peut déchiffrer qu'une partie qui indique où envoyer ensuite le message encore chiffré, jusqu'à ce qu'il arrive au destinataire qui peut le déchiffrer entièrement, d'où les "couches d'oignon."
+
+L'auto-hébergement d'un nœud dans un réseau de routage anonyme ne procure pas à l'hébergeur des avantages supplémentaires en matière de confidentialité, mais contribue plutôt à la résilience de l'ensemble du réseau contre les attaques d'identification pour le bénéfice de tous. 
+
+**Avantages :**
+
+- Minimum d'informations exposées à des tiers.
+- Les messages peuvent être relayés de manière décentralisée même si l'une des parties est hors ligne.
+
+**Inconvénients :**
+
+- Propagation des messages lente.
+- Souvent limité à un nombre restreint de types de médias, principalement du texte, car le réseau est lent.
+- Moins fiable si les nœuds sont sélectionnés par un routage aléatoire, certains nœuds peuvent être très éloignés de l'expéditeur et du récepteur, ce qui ajoute une latence ou même l'impossibilité de transmettre les messages si l'un des nœuds se déconnecte.
+- Plus complexe à mettre en œuvre car la création et la sauvegarde sécurisée d'une clé cryptographique privé sont nécessaires.
+- Comme pour les autres plateformes décentralisées, l'ajout de fonctionnalités est plus complexe pour les développeurs que sur une plateforme centralisée. Par conséquent, des fonctionnalités peuvent manquer ou être incomplètement mises en œuvre, comme le relais des messages hors ligne ou la suppression des messages.
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/advanced/dns-overview.md b/i18n/fr/advanced/dns-overview.md
new file mode 100644
index 00000000..53064da2
--- /dev/null
+++ b/i18n/fr/advanced/dns-overview.md
@@ -0,0 +1,307 @@ +--- +title: "Présentation de DNS" +icon: material/dns +--- + +Le [système de nom de domaine](https://fr.wikipedia.org/wiki/Domain_Name_System) est "l'annuaire de l'internet". Le DNS traduit les noms de domaine en adresses IP afin que les navigateurs et autres services puissent charger les ressources de l'internet, grâce à un réseau décentralisé de serveurs. + +## Qu'est-ce que le DNS ? + +Lorsque vous visitez un site web, une adresse numérique est renvoyée. Par exemple, lorsque vous visitez `privacyguides.org`, l'adresse `192.98.54.105` est renvoyée. + +Le DNS existe depuis [les premiers jours](https://fr.wikipedia.org/wiki/Domain_Name_System#Histoire) de l'Internet. Les demandes DNS faites à destination et en provenance des serveurs DNS sont généralement **non** chiffrées. Dans un environnement résidentiel, un client se voit attribuer des serveurs par le FAI via [DHCP](https://fr.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Les demandes DNS non chiffrées peuvent être facilement **surveillées** et **modifiées** en transit. Dans certaines régions du monde, les fournisseurs d'accès à Internet reçoivent l'ordre de procéder à un [ filtrage DNS primitif](https://en.wikipedia.org/wiki/DNS_blocking). Lorsque vous demandez l'adresse IP d'un domaine bloqué, le serveur peut ne pas répondre ou répondre avec une adresse IP différente. Le protocole DNS n'étant pas crypté, le FAI (ou tout opérateur de réseau) peut utiliser [DPI](https://fr.wikipedia.org/wiki/Deep_packet_inspection) pour surveiller les demandes. Les FAI peuvent également bloquer des requêtes sur la base de caractéristiques communes, quel que soit le serveur DNS utilisé. Un DNS non crypté utilise toujours le [port](https://fr.wikipedia.org/wiki/Port_(logiciel)) 53 et utilise toujours UDP. + +Ci-dessous, nous discutons et fournissons un tutoriel pour prouver ce qu'un observateur extérieur peut voir en utilisant le DNS normal non crypté et le [DNS crypté](#what-is-encrypted-dns). 
+ +### DNS non chiffré + +1. En utilisant [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (qui fait partie du projet [Wireshark](https://fr. wikipedia. org/wiki/Wireshark)), nous pouvons surveiller et enregistrer le flux de paquets Internet. Cette commande enregistre les paquets qui répondent aux règles spécifiées : + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. Nous pouvons ensuite utiliser [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) ou [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) pour envoyer la recherche DNS aux deux serveurs. Les logiciels tels que les navigateurs web effectuent ces recherches automatiquement, à moins qu'ils ne soient configurés pour utiliser un DNS crypté. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Ensuite, nous voulons [ analyser](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) les résultats : + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +Si vous exécutez la commande Wireshark ci-dessus, le volet supérieur affiche les "[trames](https://en.wikipedia.org/wiki/Ethernet_frame)", et le volet inférieur affiche toutes les données relatives à la trame sélectionnée. Les solutions de filtrage et de surveillance d'entreprise (telles que celles achetées par les gouvernements) peuvent effectuer ce processus automatiquement, sans interaction humaine, et peuvent agréger ces trames pour produire des données statistiques utiles à l'observateur du réseau. + +| No. 
| Heure | Source | Destination | Protocole | Longueur | Info | +| --- | -------- | --------- | ----------- | --------- | -------- | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +Un observateur pourrait modifier n'importe lequel de ces paquets. + +## Qu'est-ce que le "DNS crypté" ? + +Le DNS crypté peut faire référence à un certain nombre de protocoles, les plus courants étant : + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) était l'une des premières méthodes de cryptage des requêtes DNS. DNSCrypt opère sur le port 443 et fonctionne avec les protocoles de transport TCP ou UDP. DNSCrypt n'a jamais été soumis à l'IETF (Internet Engineering Task Force) [](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) et n'est pas passé par le processus de demande de commentaires (RFC) [](https://en.wikipedia.org/wiki/Request_for_Comments) . Il n'a donc pas été largement utilisé en dehors de quelques implémentations [](https://dnscrypt.info/implementations). En conséquence, il a été largement remplacé par le plus populaire [DNS over HTTPS](#dns-over-https-doh). + +### DNS sur TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) est une autre méthode de cryptage des communications DNS qui est définie dans [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). 
La prise en charge a été implémentée pour la première fois dans Android 9, iOS 14, et sur Linux dans [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) dans la version 237. Ces dernières années, la préférence du secteur s'est déplacée de DoT vers DoH, car DoT est un protocole complexe [](https://dnscrypt.info/faq/) et sa conformité au RFC varie selon les implémentations existantes. Le DoT fonctionne également sur un port dédié 853 qui peut être facilement bloqué par des pare-feu restrictifs. + +### DNS sur HTTPS (DoH) + +[**DNS sur HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) tel que défini dans [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) regroupe les requêtes dans le protocole [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) et assure la sécurité avec HTTPS. La prise en charge a d'abord été ajoutée dans les navigateurs web tels que Firefox 60 et Chrome 83. + +L'implémentation native de DoH est apparue dans iOS 14, macOS 11, Microsoft Windows et Android 13 (cependant, elle ne sera pas activée [par défaut](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). Sous Linux le support sera assuré par [ l'implémentation dans systemd](https://github.com/systemd/systemd/issues/8639) donc [l'installation de logiciels tiers est encore nécessaire](../dns.md#linux). + +## Que peut voir un tiers ? + +Dans cet exemple, nous allons enregistrer ce qui se passe lorsque nous faisons une requête DoH : + +1. Tout d'abord, lancez `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1 + ``` + +2. Deuxièmement, faites une requête avec `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. Après avoir fait la demande, nous pouvons arrêter la capture de paquets avec CTRL + C. + +4. 
Analysez les résultats dans Wireshark : + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +Nous pouvons voir [l'établissement de la connexion](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) et [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) qui se produit avec toute connexion chiffrée. Lorsque l'on regarde les paquets de "données d'application" qui suivent, aucun d'entre eux ne contient le domaine que nous avons demandé ou l'adresse IP renvoyée. + +## Pourquoi **ne devrais-je pas** utiliser un DNS chiffré ? + +Dans les endroits où il existe un filtrage (ou une censure) de l'Internet, la visite de ressources interdites peut avoir ses propres conséquences que vous devez prendre en compte dans votre [modèle de menace](../basics/threat-modeling.md). Nous ne suggérons **pas** l'utilisation de DNS chiffrés à cette fin. Utilisez plutôt [Tor](https://torproject.org) ou un [VPN](../vpn.md). Si vous utilisez un VPN, vous devez utiliser les serveurs DNS de votre VPN. En utilisant un VPN, vous lui confiez déjà toute votre activité réseau. + +Lorsque nous effectuons une recherche DNS, c'est généralement parce que nous voulons accéder à une ressource. Nous examinerons ci-dessous certaines des méthodes susceptibles de divulguer vos activités de navigation, même lorsque vous utilisez un DNS chiffré : + +### Adresse IP + +Le moyen le plus simple de déterminer l'activité de navigation est de regarder les adresses IP auxquelles vos appareils accèdent. Par exemple, si l'observateur sait que `privacyguides.org` est à `198.98.54.105`, et que votre appareil demande des données à `198.98.54.105`, il y a de fortes chances que vous visitiez Privacy Guides. + +Cette méthode n'est utile que lorsque l'adresse IP appartient à un serveur qui n'héberge que quelques sites web. 
Elle n'est pas non plus très utile si le site est hébergé sur une plateforme partagée (par exemple, Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). Il n'est pas non plus très utile si le serveur est hébergé derrière un [proxy inverse](https://fr.wikipedia.org/wiki/Proxy_inverse), ce qui est très courant actuellement sur Internet. + +### Server Name Indication (SNI) + +La Server Name Indication (indication du nom du serveur) est généralement utilisée lorsqu'une adresse IP héberge de nombreux sites web. Il peut s'agir d'un service comme Cloudflare, ou d'une autre protection contre les [attaques par déni de service](https://fr.wikipedia.org/wiki/Attaque_par_déni_de_service). + +1. Recommencez à capturer avec `tshark`. Nous avons ajouté un filtre avec notre adresse IP pour que vous ne capturiez pas beaucoup de paquets : + + ```bash + tshark -w /tmp/pg.pcap port 443 et hôte 198.98.54.105 + ``` + +2. Ensuite, nous visitons [https://privacyguides.org](https://privacyguides.org). + +3. Après avoir visité le site web, nous voulons arrêter la capture de paquets avec CTRL + C. + +4. Ensuite, nous voulons analyser les résultats : + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + Nous verrons l'établissement de la connexion, suivi du TLS handshake pour le site web Privacy Guides. Au niveau de l'image 5, vous verrez un "Client Hello". + +5. Développez le triangle ▸ à côté de chaque champ : + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer : Handshake Protocol : Client Hello + ▸ Handshake Protocol : Client Hello + ▸ Extension : server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. Nous pouvons voir la valeur SNI qui révèle le site web que nous visitons. 
La commande `tshark` peut vous donner directement la valeur pour tous les paquets contenant une valeur SNI : + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +Cela signifie que même si nous utilisons des serveurs "DNS Chiffré", le domaine sera probablement divulgué par le SNI. Le protocole [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) apporte avec lui [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), qui empêche ce type de fuite. + +Des gouvernements, en particulier [la Chine](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) et [la Russie](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), ont déjà commencé à [bloquer](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) le protocole ou ont exprimé le souhait de le faire. Récemment, la Russie [a commencé à bloquer les sites web étrangers](https://github.com/net4people/bbs/issues/108) qui utilisent le standard [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3). En effet, le protocole [QUIC](https://fr.wikipedia.org/wiki/QUIC) qui fait partie de HTTP/3 exige que `ClientHello` soit également chiffré. + +### Online Certificate Status Protocol (OCSP) + +Une autre façon dont votre navigateur peut divulguer vos activités de navigation est avec [l'Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) (protocole de vérification de certificat en ligne). Lors de la visite d'un site Web HTTPS, le navigateur peut vérifier si le [certificat](https://fr.wikipedia.org/wiki/Certificat_%C3%A9lectronique) du site Web a été révoqué. Cela se fait généralement via le protocole HTTP, ce qui signifie qu'il **n'est pas** chiffré. 
+
+La requête OCSP contient le certificat "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", qui est unique. Il est envoyé au "OCSP responder" afin de vérifier son statut.
+
+Nous pouvons simuler ce que ferait un navigateur en utilisant la commande [`openssl`](https://fr.wikipedia.org/wiki/OpenSSL).
+
+1. Obtenez le certificat du serveur et utilisez [`sed`](https://fr.wikipedia.org/wiki/Stream_Editor) pour ne garder que la partie importante et l'écrire dans un fichier :
+
+ ```bash
+ openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 |
+ sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert
+ ```
+
+2. Obtenez le certificat intermédiaire. Les [Autorités de certification](https://fr.wikipedia.org/wiki/Autorité_de_certification) (CA) ne signent normalement pas directement un certificat ; elles utilisent ce que l'on appelle un certificat "intermédiaire".
+
+ ```bash
+ openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 |
+ sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert
+ ```
+
+3. Le premier certificat dans `pg_and_intermediate.cert` est en fait le certificat du serveur de l'étape 1. Nous pouvons utiliser à nouveau `sed` pour tout supprimer jusqu'à la première instance de END :
+
+ ```bash
+ sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \
+ /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert
+ ```
+
+4. Obtenir le répondeur OCSP pour le certificat du serveur :
+
+ ```bash
+ openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert
+ ```
+
+ Notre certificat montre le répondeur du certificat Lets Encrypt. Si nous voulons voir tous les détails du certificat, nous pouvons utiliser :
+
+ ```bash
+ openssl x509 -text -noout -in /tmp/pg_server.cert
+ ```
+
+5. Démarrer la capture de paquets :
+
+ ```bash
+ tshark -w /tmp/pg_ocsp.pcap -f "tcp port http"
+ ```
+
+6. 
Faites la demande OCSP :
+
+ ```bash
+ openssl ocsp -issuer /tmp/intermediate_chain.cert \
+ -cert /tmp/pg_server.cert \
+ -text \
+ -url http://r3.o.lencr.org
+ ```
+
+7. Ouvrez la capture :
+
+ ```bash
+ wireshark -r /tmp/pg_ocsp.pcap
+ ```
+
+ Il y aura deux paquets avec le protocole "OCSP" : un "Demande" et un "Réponse". Pour la "Demande", nous pouvons voir le "numéro de série" en développant le triangle ▸ à côté de chaque champ :
+
+ ```bash
+ ▸ Online Certificate Status Protocol
+ ▸ tbsRequest
+ ▸ requestList: 1 item
+ ▸ Request
+ ▸ reqCert
+ serialNumber
+ ```
+
+ Pour la "Réponse", nous pouvons également voir le "numéro de série" :
+
+ ```bash
+ ▸ Online Certificate Status Protocol
+ ▸ responseBytes
+ ▸ BasicOCSPResponse
+ ▸ tbsResponseData
+ ▸ responses: 1 item
+ ▸ SingleResponse
+ ▸ certID
+ serialNumber
+ ```
+
+8. Ou utilisez `tshark` pour filtrer les paquets du numéro de série :
+
+ ```bash
+ tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber
+ ```
+
+Si l'observateur du réseau dispose du certificat public, qui est accessible au public, il peut faire correspondre le numéro de série à ce certificat et donc déterminer le site que vous visitez à partir de celui-ci. Le processus peut être automatisé et permet d'associer des adresses IP à des numéros de série. Il est également possible de vérifier les journaux de [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) (en anlais) pour le numéro de série.
+
+## Devrais-je utiliser un DNS chiffré ?
+
+Nous avons créé cet organigramme pour décrire quand vous *devriez* utiliser des DNS cryptés:
+
+``` mermaid
+graph TB
+ Démarrage[Start] --> anonyme{Essayez-vous d'être
anonyme ?} + anonyme --> | Oui | tor(Utilisez Tor) + anonyme --> | Non | censure{Eviter la
censure ?} + censure --> | Oui | vpnOuTor(Utilisez
VPN ou Tor) + censure --> | Non | viePrivée{Protéger votre vie privée
du FAI ?} + p(vie privée) --> | Oui | vpnOuTor + p(vie privée) --> | Non | nuisible{FAI fait des
redirections
nuisibles ?} + nuisible --> | Oui | DNScryptés(Utilisez
DNS cryptés
avec application tierce) + nuisible --> | Non | DNSfai{FAI supporte les
DNS cryptés ?} + DNSfai --> | Oui | utilisezFAI(Utilisez
DNS cryptés
avec FAI) + DNSfai --> | Non | rien(Ne rien faire) +``` + +Le DNS chiffré avec des serveurs tiers ne doit être utilisé que pour contourner le [blocage DNS](https://en.wikipedia.org/wiki/DNS_blocking) de base lorsque vous êtes certain qu'il n'y aura pas de conséquences ou que vous êtes intéressés par un fournisseur qui effectue un filtrage rudimentaire. + +[Liste des serveurs DNS recommandés](../dns.md ""){.md-button} + +## Qu'est-ce que le DNSSEC ? + +[Domain Name System Security Extensions](https://fr.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (extension de SECurité du Système de Nom de Domaine) est une fonctionnalité du DNS qui authentifie les réponses aux recherches de noms de domaine. Il ne fournit pas de protection de la vie privée pour ces recherches, mais empêche les attaquants de manipuler ou d'empoisonner les réponses aux requêtes DNS. + +En d'autres termes, le DNSSEC signe numériquement les données afin de garantir leur validité. Afin de garantir une recherche sécurisée, la signature a lieu à chaque niveau du processus de consultation du DNS. Par conséquent, toutes les réponses du DNS sont fiables. + +Le processus de signature DNSSEC est similaire à celui d'une personne qui signe un document juridique avec un stylo ; cette personne signe avec une signature unique que personne d'autre ne peut créer, et un expert judiciaire peut examiner cette signature et vérifier que le document a été signé par cette personne. Ces signatures numériques garantissent que les données n'ont pas été altérées. + +DNSSEC met en œuvre une politique de signature numérique hiérarchique à travers toutes les couches du DNS. Par exemple, dans le cas d'une consultation de `privacyguides.org`, un serveur DNS racine signe une clé pour le serveur de noms `.org`, et le serveur de noms `.org` signe ensuite une clé pour le serveur de noms faisant autorité `privacyguides.org`. 
+
+Adapté de [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) par Google et [DNSSEC : An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) par Cloudflare, tous deux sous licence [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/).
+
+## Qu'est-ce que la minimization QNAME ?
+
+Un QNAME est un "nom qualifié", par exemple `privacyguides.org`. La QNAME minimization réduit la quantité d'informations envoyées par le serveur DNS au [serveur de noms](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server) faisant autorité.
+
+Au lieu d'envoyer le domaine entier `privacyguides.org`, la QNAME minimization signifie que le serveur DNS demandera tous les enregistrements qui se terminent par `.org`. Une description technique plus détaillée est définie dans [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
+
+## Qu'est-ce que le sous-réseau client EDNS (ECS) ?
+
+Le [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) est une méthode permettant à un résolveur DNS récursif de spécifier un [sous-réseau](https://fr.wikipedia.org/wiki/Sous-réseau) pour l'hôte ou le [client](https://fr.wikipedia.org/wiki/Client_(informatique)) qui effectue la requête DNS.
+
+Il est destiné à "accélérer" la transmission des données en donnant au client une réponse qui appartient à un serveur proche de lui, comme un [réseau de diffusion de contenu](https://fr.wikipedia.org/wiki/Réseau_de_diffusion_de_contenu), souvent utilisé pour la diffusion de vidéos en continu et pour servir des applications Web JavaScript.
+
+Cette fonction a un coût en termes de confidentialité, car elle fournit au serveur DNS des informations sur la localisation du client.
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/advanced/tor-overview.md b/i18n/fr/advanced/tor-overview.md
new file mode 100644
index 00000000..bdca1681
--- /dev/null
+++ b/i18n/fr/advanced/tor-overview.md 
@@ -0,0 +1,81 @@
+---
+title: "Présentation de Tor"
+icon: 'simple/torproject'
+---
+
+Tor est un réseau décentralisé, gratuit, conçu pour utiliser Internet avec le plus de confidentialité possible. S'il est utilisé correctement, le réseau permet une navigation et des communications privées et anonymes.
+
+## Construction d'un chemin
+
+Tor fonctionne en acheminant votre trafic à travers un réseau composé de milliers de serveurs gérés par des volontaires, appelés nœuds (ou relais).
+
+Chaque fois que vous vous connectez à Tor, il choisira trois nœuds pour construire un chemin vers Internet - ce chemin est appelé un "circuit". Chacun de ces nœuds a sa propre fonction:
+
+### Le nœud d'entrée
+
+Le noeud d'entrée, souvent appelé le noeud de garde, est le premier noeud auquel votre client Tor se connecte. Le nœud d'entrée est capable de voir votre adresse IP, mais il est incapable de voir à quoi vous vous connectez.
+
+Contrairement aux autres nœuds, le client Tor choisira aléatoirement un nœud d'entrée et restera avec lui pendant deux à trois mois pour vous protéger de certaines attaques.[^1]
+
+### Le nœud central
+
+Le noeud central est le second noeud auquel votre client Tor se connecte. Il peut voir de quel nœud provient le trafic - le nœud d'entrée - et vers quel nœud il se dirige ensuite. Le nœud central ne peut pas voir votre adresse IP ou le domaine auquel vous vous connectez.
+
+Pour chaque nouveau circuit, le nœud central est choisi au hasard parmi tous les nœuds Tor disponibles.
+
+### Le nœud de sortie
+
+Le nœud de sortie est le point où votre trafic web quitte le réseau Tor et est transféré vers la destination souhaitée. Le nœud de sortie ne peut pas voir votre adresse IP, mais il sait à quel site il se connecte.
+
+Le noeud de sortie sera choisi au hasard parmi tous les noeuds Tor disponibles et exécutés avec une balise "relais de sortie".[^2]
+
+
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Chemin du circuit Tor
+
+ +## Chiffrement + +Tor chiffre chaque paquet (un bloc de données transmises) trois fois avec les clés du nœud de sortie, du nœud central, et du nœud d'entrée, dans cet ordre. + +Une fois que Tor a construit un circuit, la transmission des données se fait comme suit: + +1. Premièrement: lorsque le paquet arrive au nœud d'entrée, la première couche de chiffrement est supprimée. Dans ce paquet chiffré, le nœud d'entrée trouvera un autre paquet chiffré avec l'adresse du nœud central. Le nœud d'entrée transmet ensuite le paquet au nœud central. + +2. Deuxièmement : lorsque le nœud central reçoit le paquet du nœud d'entrée, il supprime lui aussi une couche de chiffrement avec sa clé, et trouve cette fois un paquet chiffré avec l'adresse du nœud de sortie. Le nœud central transmet ensuite le paquet au nœud de sortie. + +3. Enfin, lorsque le nœud de sortie reçoit son paquet, il supprime la dernière couche de chiffrement avec sa clé. Le nœud de sortie verra l'adresse de destination et transmettra le paquet à cette adresse. + +Vous trouverez ci-dessous un autre schéma illustrant le processus. Chaque nœud supprime sa propre couche de chiffrement, et lorsque le serveur de destination renvoie les données, le même processus se déroule entièrement en sens inverse. Par exemple, le nœud de sortie ne sait pas qui vous êtes, mais il sait de quel nœud il provient. Il ajoute donc sa propre couche de chiffrement et renvoie le message. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Envoyer et recevoir des données à travers le réseau Tor
+
+
+Tor nous permet de nous connecter à un serveur sans que personne ne connaisse le chemin entier. Le nœud d'entrée sait qui vous êtes, mais pas où vous allez; le nœud central ne sait pas qui vous êtes ni où vous allez; et le nœud de sortie sait où vous allez, mais pas qui vous êtes. Comme le nœud de sortie est celui qui établit la connexion finale, le serveur de destination ne connaîtra jamais votre adresse IP.
+
+## Mises en garde 
+
+Bien que Tor offre de solides garanties de confidentialité, il faut être conscient que Tor n'est pas parfait:
+
+- Des adversaires bien financés ayant la capacité d'observer passivement la plupart du trafic réseau mondial ont une chance de désanonymiser les utilisateurs de Tor au moyen d'une analyse avancée du trafic. Tor ne vous protège pas non plus contre le risque de vous exposer par erreur, par exemple si vous partagez trop d'informations sur votre véritable identité.
+- Les nœuds de sortie de Tor peuvent également surveiller le trafic qui passe par eux. Cela signifie que le trafic qui n'est pas chiffré, comme le trafic HTTP ordinaire, peut être enregistré et surveillé. Si ce trafic contient des informations permettant de vous identifier, il peut vous désanonymiser aux yeux de ce nœud de sortie. Par conséquent, nous recommandons d'utiliser HTTPS via Tor dans la mesure du possible.
+
+Si vous souhaitez utiliser Tor pour naviguer sur le web, nous ne recommandons que le navigateur Tor **officiel** - il est conçu pour empêcher la prise d'empreintes numériques. 
+
+- [Navigateur Tor :material-arrow-right-drop-circle:](../tor.md#tor-browser)
+
+## Ressources Supplémentaires
+
+- [Manuel d'utilisation du navigateur Tor](https://tb-manual.torproject.org)
+- [Comment Tor fonctionne - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube)
+- [Services onion Tor - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube)
+
+--8<-- "includes/abbreviations.fr.txt"
+
+[^1]: Le premier relais de votre circuit est appelé "garde d'entrée" ou "garde". Il s'agit d'un relais rapide et stable qui reste le premier de votre circuit pendant 2 à 3 mois afin de vous protéger contre une attaque connue de rupture d'anonymat. Le reste de votre circuit change avec chaque nouveau site web que vous visitez, et tous ensemble ces relais fournissent les protections complètes de Tor en matière de vie privée. Pour en savoir plus sur le fonctionnement des relais de garde, consultez cet [article de blog](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) et ce [document](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) sur les gardes d'entrée. ([https://support.torproject.org/fr/tbb/tbb-2/](https://support.torproject.org/fr/tbb/tbb-2/))
+
+[^2]: Balise de relai: une (dis-)qualification spéciale des relais pour les positions de circuit (par exemple, "Guard", "Exit", "BadExit"), les propriétés de circuit (par exemple, "Fast", "Stable") ou les rôles (par exemple, "Authority", "HSDir"), tels qu'attribués par les autorités de l'annuaire et définis plus précisément dans la spécification du protocole de l'annuaire. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/fr/android.md b/i18n/fr/android.md
new file mode 100644
index 00000000..0fc683a6
--- /dev/null
+++ b/i18n/fr/android.md 
@@ -0,0 +1,353 @@
+---
+title: "Android"
+icon: 'simple/android'
+---
+
+![Logo d'Android](assets/img/android/android.svg){ align=right }
+
+**Android Open Source Project** est un système d'exploitation mobile à code source ouvert dirigé par Google qui équipe la majorité des appareils mobiles dans le monde. La plupart des téléphones vendus avec Android sont modifiés pour inclure des intégrations et des applications invasives telles que Google Play Services. Vous pouvez donc améliorer considérablement votre vie privée sur votre appareil mobile en remplaçant l'installation par défaut de votre téléphone par une version d'Android dépourvue de ces fonctionnalités invasives.
+
+[:octicons-home-16:](https://source.android.com/){ .card-link title=Page d'accueil }
+[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation}
+[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Code Source" }
+
+Voici les systèmes d'exploitation, les appareils et les applications Android que nous recommandons pour optimiser la sécurité et la confidentialité de votre appareil mobile. Pour en savoir plus sur Android :
+
+- [Présentation générale d'Android :material-arrow-right-drop-circle:](os/android-overview.md)
+- [Pourquoi nous recommandons GrapheneOS plutôt que CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+
+## Dérivés de AOSP
+
+Nous vous recommandons d'installer l'un de ces systèmes d'exploitation Android personnalisés sur votre appareil, classés par ordre de préférence, en fonction de la compatibilité de votre appareil avec ces systèmes d'exploitation.
+
+!!! note "À noter"
+
+ Les appareils en fin de vie (tels que les appareils à "support étendu" de GrapheneOS ou de CalyxOS) ne disposent pas de correctifs de sécurité complets (mises à jour de micrologiciel) en raison de l'arrêt du support par le constructeur. 
Ces appareils ne peuvent pas être considérés comme totalement sûrs, quel que soit le logiciel installé.
+
+### GrapheneOS
+
+!!! recommendation
+
+ ![Logo GrapheneOS](assets/img/android/grapheneos.svg#only-light){ align=right }
+ ![Logo GrapheneOS](assets/img/android/grapheneos-dark.svg#only-dark){ align=right }
+
+ **GrapheneOS** est le meilleur choix en matière de confidentialité et de sécurité.
+
+ GrapheneOS apporte des améliorations supplémentaires en matière de [renforcement de la sécurité](https://fr.wikipedia.org/wiki/Durcissement_%28informatique%29) et de confidentialité. Il dispose d'un [allocateur de mémoire renforcé](https://github.com/GrapheneOS/hardened_malloc), d'autorisations pour le réseau et les capteurs, et de diverses autres [fonctions de sécurité](https://grapheneos.org/features). GrapheneOS est également livré avec des mises à jour complètes du micrologiciel et des versions signées, de sorte que le démarrage vérifié est entièrement pris en charge.
+
+ [:octicons-home-16: Page d'accueil ](https://grapheneos.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribuer }
+
+GrapheneOS prend en charge [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), qui exécute les [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) entièrement sandboxed comme toute autre application normale. 
Cela signifie que vous pouvez profiter de la plupart des services Google Play, tels que [les notifications push](https://firebase.google.com/docs/cloud-messaging/), tout en vous donnant un contrôle total sur leurs autorisations et leur accès, et tout en les contenant à un [profil de travail](os/android-overview.md#work-profile) ou un [profil d'utilisateur](os/android-overview.md#user-profiles) spécifique de votre choix.
+
+Les téléphones Google Pixel sont les seuls appareils qui répondent actuellement aux [exigences de sécurité matérielle](https://grapheneos.org/faq#device-support) de GrapheneOS.
+
+### DivestOS
+
+!!! recommendation
+
+ ![Logo DivestOS](assets/img/android/divestos.svg){ align=right }
+
+ **DivestOS** est un léger dérivé de [LineageOS](https://lineageos.org/).
+ DivestOS hérite de nombreux [appareils pris en charge](https://divestos.org/index.php?page=devices&base=LineageOS) de LineageOS. Il a des versions signées, ce qui permet d'avoir un [démarrage vérifié](https://source.android.com/security/verifiedboot) sur certains appareils non-Pixel. 
+
+ [:octicons-home-16: Page d'accueil](https://divestos.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Service oignon" }
+ [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribuer }
+
+DivestOS dispose d'un système de [correction](https://gitlab.com/divested-mobile/cve_checker) automatique des vulnérabilités du noyau ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)), de moins de morceaux propriétaires et d'un fichier [hosts](https://divested.dev/index.php?page=dnsbl) personnalisé. Son WebView renforcé, [Mulch](https://gitlab.com/divested-mobile/mulch), permet [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) pour toutes les architectures et [un partitionnement de l'état du réseau](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), et reçoit des mises à jour hors bande. DivestOS inclut également les correctifs de noyau de GrapheneOS et active toutes les fonctions de sécurité de noyau disponibles via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). Tous les noyaux plus récents que la version 3.4 incluent une [désinfection](https://lwn.net/Articles/334747/) complète de la page et tous les ~22 noyaux compilés par Clang ont [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) activé.
+
+DivestOS met en œuvre certains correctifs de renforcement du système développés à l'origine pour GrapheneOS. 
DivestOS 16.0 et plus implémente les autorisations [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) et SENSORS de GrapheneOS, l'[allocateur de mémoire renforcé](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), la [constification](https://en.wikipedia.org/wiki/Java_Native_Interface) [JNI](https://en.wikipedia.org/wiki/Const_(computer_programming)), et des patchs de renforcement [bioniques](https://en.wikipedia.org/wiki/Bionic_(software)) partiels. Les versions 17.1 et supérieures offrent l'option de GrapheneOS pour [rendre aléatoire les adresses MAC](https://en.wikipedia.org/wiki/MAC_address#Randomization) entre réseaux, le contrôle [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) et les options de redémarrage/coupure Wi-Fi/coupure Bluetooth automatique [sur délai](https://grapheneos.org/features).
+
+DivestOS utilise F-Droid comme magasin d'applications par défaut. Normalement, nous recommandons d'éviter F-Droid en raison de ses nombreux [problèmes de sécurité](#f-droid). Cependant, le faire sur DivestOS n'est pas viable ; les développeurs mettent à jour leurs applications via leurs propres dépôts F-Droid ([Official DivestOS](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) et [WebView DivestOS](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). Nous recommandons de désactiver l'application officielle F-Droid et d'utiliser [Neo Store](https://github.com/NeoApplications/Neo-Store/) avec les dépôts DivestOS activés pour maintenir ces composants à jour. Pour les autres applications, nos méthodes recommandées pour les obtenir restent applicables.
+
+!!! 
warning "Avertissement"
+
+ L'[état](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) des mises à jour du micrologiciel DivestOS et le contrôle de la qualité varient selon les appareils qu'il prend en charge. Nous recommandons toujours GrapheneOS en fonction de la compatibilité de votre appareil. Pour les autres appareils, DivestOS est une bonne alternative.
+
+ Tous les appareils pris en charge ne disposent pas d'un démarrage vérifié, et certains le font mieux que d'autres.
+
+## Appareils Android
+
+Lorsque vous achetez un appareil, nous vous recommandons d'en prendre un aussi neuf que possible. Les logiciels et les micrologiciels des appareils mobiles ne sont pris en charge que pour une durée limitée. L'achat de nouveaux appareils permet donc de prolonger cette durée de vie autant que possible.
+
+Évitez d'acheter des téléphones auprès des opérateurs de réseaux mobiles. Ces derniers ont souvent un **chargeur d'amorçage verrouillé** et ne supportent pas le [déverrouillage constructeur](https://source.android.com/devices/bootloader/locking_unlocking). Ces variantes de téléphone vous empêcheront d'installer tout type de distribution Android alternative.
+
+Soyez très **prudent** lorsque vous achetez des téléphones d'occasion sur des marchés en ligne. Vérifiez toujours la réputation du vendeur. Si l'appareil est volé, il est possible que l'[IMEI soit mis sur liste noire](https://www.gsma.com/security/resources/imei-blacklisting/). Il y a également un risque d'être associé à l'activité de l'ancien propriétaire.
+
+Quelques conseils supplémentaires concernant les appareils Android et la compatibilité du système d'exploitation :
+
+- N'achetez pas d'appareils qui ont atteint ou sont sur le point d'atteindre leur fin de vie, des mises à jour supplémentaires du micrologiciel doivent être fournies par le fabricant. 
+- N'achetez pas de téléphones LineageOS ou /e/ OS préchargés ou tout autre téléphone Android sans prise en charge adéquate de [Démarrage Vérifié](https://source.android.com/security/verifiedboot) et sans mises à jour du micrologiciel. En outre, ces appareils ne vous permettent pas de vérifier s'ils ont été manipulés.
+- En bref, si un appareil ou une distribution Android ne figure pas dans cette liste, il y a probablement une bonne raison. Consultez notre [forum](https://discuss.privacyguides.net/) pour en savoir plus !
+
+### Google Pixel
+
+Les téléphones Google Pixel sont les **seuls** appareils dont nous recommandons l'achat. Les téléphones Pixel ont une sécurité matérielle plus forte que tous les autres appareils Android actuellement sur le marché, grâce à une prise en charge AVB adéquate pour les systèmes d'exploitation tiers et aux puces de sécurité personnalisées [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) de Google faisant office d'Elément Sécurisé.
+
+!!! recommendation
+
+ ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right }
+
+ Les appareils **Google Pixel** sont connus pour avoir une bonne sécurité et prendre correctement en charge le [Démarrage Vérifié](https://source.android.com/security/verifiedboot), même lors de l'installation de systèmes d'exploitation personnalisés.
+
+ À partir des **Pixel 6** et **6 Pro**, les appareils Pixel bénéficient d'un minimum de 5 ans de mises à jour de sécurité garanties, ce qui leur assure une durée de vie bien plus longue que les 2 à 4 ans généralement proposés par les constructeurs concurrents. 
+
+ [:material-shopping: Boutique](https://store.google.com/category/phones){ .md-button .md-button--primary }
+
+Les Eléments Sécurisés comme le Titan M2 sont plus limités que le Trusted Execution Environment du processeur utilisé par la plupart des autres téléphones, car ils ne sont utilisés que pour le stockage des secrets, l'attestation matérielle et la limitation du débit, et non pour exécuter des programmes "de confiance". Les téléphones dépourvus d'un Elément Sécurisé doivent utiliser le TEE pour *toutes* ces fonctions, ce qui élargit la surface d'attaque.
+
+Les téléphones Google Pixel utilisent un OS TEE appelé Trusty qui est [open-source](https://source.android.com/security/trusty#whyTrusty), contrairement à de nombreux autres téléphones.
+
+L'installation de GrapheneOS sur un téléphone Pixel est facile avec leur [installateur web](https://grapheneos.org/install/web). Si vous ne vous sentez pas à l'aise pour le faire vous-même et que vous êtes prêt à dépenser un peu plus d'argent, consultez le site [NitroPhone](https://shop.nitrokey.com/shop) car ils sont préchargés avec GrapheneOS et viennent de la société réputée [Nitrokey](https://www.nitrokey.com/about).
+
+Quelques conseils supplémentaires pour l'achat d'un Google Pixel :
+
+- Si vous cherchez une bonne affaire pour un appareil Pixel, nous vous suggérons d'acheter un modèle "**a**", juste après la sortie du prochain produit phare de la marque. Les remises sont généralement disponibles parce que Google essaie d'écouler son stock.
+- Tenez compte des offres spéciales et réductions proposées par les magasins physiques.
+- Consultez les sites communautaires de bonnes affaires en ligne dans votre pays. Ils peuvent vous signaler les bonnes ventes.
+- Google fournit une liste indiquant le [cycle de support](https://support.google.com/nexus/answer/4457705) pour chacun de ses appareils. 
Le prix par jour d'un appareil peut être calculé comme suit :\text{Coût} - \text {Date fin de vie}-\text{Date du jour}$, ce qui signifie que plus l'utilisation de l'appareil est longue, plus le coût par jour est faible.
+
+## Applications générales
+
+Nous recommandons une grande variété d'applications Android sur ce site. Les applications répertoriées ici sont exclusives à Android et améliorent ou remplacent les principales fonctionnalités du système.
+
+### Shelter
+
+!!! recommendation
+
+ ![Logo Shelter](assets/img/android/shelter.svg){ align=right }
+
+ **Shelter** est une application qui vous aide à tirer parti de la fonctionnalité Profil de Travail d'Android pour isoler ou dupliquer des applications sur votre appareil.
+
+ Shelter prend en charge le blocage de la recherche de contacts entre profils et le partage de fichiers entre profils via le gestionnaire de fichiers par défaut ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)).
+
+ [:octicons-repo-16: Dépôt](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribuer }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter)
+
+!!! warning "Avertissement"
+
+ Shelter est recommandé par rapport à [Insular](https://secure-system.gitlab.io/Insular/) et [Island](https://github.com/oasisfeng/island) car il prend en charge le [blocage de la recherche de contact](https://secure-system.gitlab.io/Insular/faq.html). 
+
+ En utilisant Shelter, vous accordez une confiance totale à son développeur, car Shelter agit en tant qu'[Administrateur de l'appareil](https://developer.android.com/guide/topics/admin/device-admin) pour créer le Profil de Travail, et il a un accès étendu aux données stockées dans ce dernier.
+
+### Auditor
+
+!!! recommendation
+
+ ![Logo d'Auditor](assets/img/android/auditor.svg#only-light){ align=right }
+ ![Logo d'Auditor](assets/img/android/auditor-dark.svg#only-dark){ align=right }
+
+ **Auditor** est une application qui exploite les fonctions de sécurité matérielle pour assurer le contrôle de l'intégrité des [appareils pris en charge](https://attestation.app/about#device-support). Actuellement, il ne fonctionne qu'avec GrapheneOS et le système d'exploitation d'origine de l'appareil.
+
+ [:octicons-home-16: Page d'accueil](https://attestation.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation}
+ [:octicons-code-16:](https://attestation.app/source){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribuer }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases)
+ - [:material-cube-outline: Magasin d'application de GrapheneOS](https://github.com/GrapheneOS/Apps/releases)
+
+Auditor effectue l'attestation et la détection d'intrusion :
+
+- A l'aide d'un modèle de [Confiance lors de la première utilisation (TOFU - Trust On First Use)](https://en.wikipedia.org/wiki/Trust_on_first_use) entre un *auditeur* et un *audité*, la paire établit une clé privée dans le trousseau [matériel](https://source.android.com/security/keystore/) d'*Auditor*. 
+- L'*auditeur* peut être une autre instance de l'application Auditor ou le [Service d'Attestation à Distance](https://attestation.app). +- L'*auditeur* enregistre l'état et la configuration actuels de l'*audité*. +- En cas d'altération du système d'exploitation de l'*audité* après l'appairage, l'auditeur sera informé de la modification de l'état et des configurations de l'appareil. +- Vous serez alerté de ce changement. + +Aucune information personnelle identifiable n'est soumise au service d'attestation. Nous vous recommandons de vous inscrire avec un compte anonyme et d'activer l'attestation à distance pour un contrôle continu. + +Si votre [modèle de menace](basics/threat-modeling.md) nécessite une certaine confidentialité, vous pouvez envisager d'utiliser [Orbot](tor.md#orbot) ou un VPN pour cacher votre adresse IP au service d'attestation. Pour s'assurer de l'authenticité de votre matériel et de votre système d'exploitation, [effectuez une attestation locale](https://grapheneos.org/install/web#verifying-installation) immédiatement après l'installation de l'appareil et avant toute connexion à Internet. + +### Secure Camera + +!!! recommendation + + ![Logo de Secure Camera](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Logo de Secure Camera](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** est une application de caméra axée sur la confidentialité et la sécurité qui peut capturer des images, des vidéos et des QR codes. Les extensions du vendeur CameraX (Portrait, HDR, Night Sight, Face Retouch et Auto) sont également prises en charge sur les appareils disponibles. 
+ + [:octicons-repo-16: Dépôt](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Code source" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: Magasin d'application de GrapheneOS](https://github.com/GrapheneOS/Apps/releases) + +Les principales caractéristiques de confidentialité comprennent : + +- Suppression automatique des métadonnées [Exif](https://en.wikipedia.org/wiki/Exif) (activée par défaut) +- Utilisation de la nouvelle API [Media](https://developer.android.com/training/data-storage/shared/media), donc les [autorisations de stockage](https://developer.android.com/training/data-storage) ne sont pas nécessaires +- L'autorisation microphone n'est pas nécessaire, sauf si vous souhaitez enregistrer des sons + +!!! note "À noter" + + Les métadonnées ne sont pour le moment pas supprimées des fichiers vidéo, mais cela est prévu. + + Les métadonnées d'orientation de l'image ne sont pas supprimées. Si vous activez la fonction de localisation (dans Secure Camera), elle ne **sera pas** non plus supprimée. Si vous voulez la supprimer ultérieurement, vous devrez utiliser une application externe telle que [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! 
recommendation + + ![Logo de Secure PDF Viewer](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Logo de Secure PDF Viewer](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** est un visualiseur de PDF basé sur [pdf.js](https://en.wikipedia.org/wiki/PDF.js) qui ne nécessite aucune autorisation. Le PDF est introduit dans une [webview](https://developer.android.com/guide/webapps/webview) [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)). Cela signifie qu'il n'a pas besoin d'autorisation directe pour accéder au contenu ou aux fichiers. + + [Content-Security-Policy](https://fr.wikipedia.org/wiki/Content_Security_Policy) est utilisé pour faire en sorte que les propriétés JavaScript et de style dans la WebView soient entièrement statiques. + + [:octicons-repo-16: Dépôt](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Code source" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: Magasin d'application de GrapheneOS](https://github.com/GrapheneOS/Apps/releases) + +## Obtenir des applications + +### Magasin d'applications GrapheneOS + +Le magasin d'applications de GrapheneOS est disponible sur [GitHub](https://github.com/GrapheneOS/Apps/releases). Il prend en charge Android 12 et plus et est capable de se mettre à jour. Le magasin d'applications contient des applications autonomes construites par le projet GrapheneOS, telles que [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), et [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). 
Si vous recherchez ces applications, nous vous recommandons vivement de les obtenir à partir du magasin d'applications de GrapheneOS plutôt que du Play Store, car les applications de leur magasin sont signées par la signature du projet GrapheneOS à laquelle Google n'a pas accès. + +### Aurora Store + +Le Google Play Store nécessite un compte Google pour se connecter, ce qui n'est pas idéal pour la confidentialité. Vous pouvez contourner ce problème en utilisant un client alternatif, tel que Aurora Store. + +!!! recommendation + + ![Logo Aurora Store](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** est un client Google Play Store qui ne nécessite pas de compte Google, de services Google Play ou microG pour télécharger des applications. + + [:octicons-home-16: Page d'accueil](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store ne vous permet pas de télécharger des applications payantes grâce à sa fonction de compte anonyme. Vous pouvez éventuellement vous connecter avec votre compte Google sur Aurora Store pour télécharger les applications que vous avez achetées, ce qui donne accès à la liste des applications que vous avez installées à Google, mais vous bénéficiez toujours de l'avantage de ne pas avoir besoin du client Google Play complet et des services Google Play ou microG sur votre appareil. + +### Manuellement avec les notifications RSS + +Pour les applications publiées sur des plateformes telles que GitHub et GitLab, vous pouvez ajouter un flux RSS à votre [agrégateur d'actualités](/news-aggregators) qui vous aidera à suivre les nouvelles versions. 
+ +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![Notes de version APK](./assets/img/android/rss-changes-light.png#only-light) ![Notes de version APK](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +Sur GitHub, en prenant l'exemple de [Secure Camera](#secure-camera), vous naviguez vers sa [page de publications](https://github.com/GrapheneOS/Camera/releases) et ajoutez `.atom` à l'URL : + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +Sur GitLab, en prenant l'exemple de [Aurora Store](#aurora-store) , vous naviguez vers son [dépôt de projet](https://gitlab.com/AuroraOSS/AuroraStore) et ajoutez `/-/tags?format=atom` à l'URL : + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Vérifier les empreintes numériques des APK + +Si vous téléchargez des fichiers APK à installer manuellement, vous pouvez vérifier leur signature à l'aide de l'outil [`apksigner`](https://developer.android.com/studio/command-line/apksigner), qui fait partie des [build-tools](https://developer.android.com/studio/releases/build-tools) d'Android. + +1. Installez [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Téléchargez les [outils de ligne de commande d'Android Studio](https://developer.android.com/studio#command-tools). + +3. Extrayez l'archive téléchargée : + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Exécutez la commande de vérification de la signature : + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. Les hachés obtenus peuvent ensuite être comparés avec une autre source. Certains développeurs, comme Signal, [montrent les empreintes numériques](https://signal.org/android/apk/) sur leur site web. 
+ + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![Logo F-Droid](assets/img/android/f-droid.svg){ align=right width=120px } + +==Nous ne recommandons **pas** actuellement F-Droid comme moyen d'obtenir des applications.== F-Droid est souvent recommandé comme une alternative à Google Play, en particulier dans la communauté de la vie privée. La possibilité d'ajouter des dépôts tiers et de ne pas être confiné au jardin clos de Google a conduit à sa popularité. F-Droid dispose en outre de [versions reproductibles](https://f-droid.org/en/docs/Reproducible_Builds/) pour certaines applications et est dédié aux logiciels libres et open-source. Cependant, il y a des [problèmes notables](https://privsec.dev/posts/android/f-droid-security-issues/) avec le client officiel F-Droid, leur contrôle de qualité, et la façon dont ils construisent, signent, et livrent les paquets. + +En raison de leur processus de construction d'applications, les applications du dépôt officiel de F-Droid sont souvent en retard sur les mises à jour. Les mainteneurs de F-Droid réutilisent également les identifiants des paquets tout en signant les applications avec leurs propres clés, ce qui n'est pas idéal car cela donne à l'équipe F-Droid une confiance ultime. + +D'autres dépôts tiers populaires tels que [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) atténuent certains de ces problèmes. Le dépôt IzzyOnDroid récupère les versions directement depuis GitHub et constitue la meilleure alternative aux dépôts des développeurs. 
Cependant, ce n'est pas quelque chose que nous pouvons recommander, car les applications sont généralement [retirées](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) de ce dépôt lorsqu'elles arrivent dans le dépôt principal de F-Droid. Bien que cela soit logique (puisque le but de ce dépôt particulier est d'héberger des applications avant qu'elles ne soient acceptées dans le dépôt principal de F-Droid), cela peut vous laisser avec des applications installées qui ne reçoivent plus de mises à jour. + +Cela dit, les dépôts [F-Droid](https://f-droid.org/en/packages/) et [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) abritent d'innombrables applications. Ils peuvent donc être un outil utile pour rechercher et découvrir des applications open-source que vous pouvez ensuite télécharger via le Play Store, Aurora Store ou en obtenant l'APK directement auprès du développeur. Il est important de garder à l'esprit que certaines applications de ces dépôts n'ont pas été mises à jour depuis des années et peuvent s'appuyer sur des bibliothèques non prises en charge, entre autres, ce qui constitue un risque potentiel pour la sécurité. Vous devez faire preuve de discernement lorsque vous recherchez de nouvelles applications par cette méthode. + +!!! note "À noter" + + Dans certains cas rares, le développeur d'une application ne la distribue que par le biais de F-Droid ([Gadgetbridge](https://gadgetbridge.org/) en est un exemple). Si vous avez vraiment besoin d'une telle application, nous vous recommandons d'utiliser [Neo Store](https://github.com/NeoApplications/Neo-Store/) au lieu de l'application officielle F-Droid pour l'obtenir. + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. 
Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +### Systèmes d'exploitation + +- Doit être un logiciel open source. +- Doit prendre en charge le verrouillage du chargeur d'amorçage avec prise en charge d'une clé AVB personnalisée. +- Doit recevoir les mises à jour majeures d'Android dans le mois suivant leur publication. +- Doit recevoir les mises à jour des fonctionnalités d'Android (version mineure) dans les 14 jours suivant leur publication. +- Doit recevoir les correctifs de sécurité réguliers dans les 5 jours suivant leur publication. +- Ne doit **pas** être fourni "rooté". +- Ne doit **pas** activer Google Play Services par défaut. +- Ne doit **pas** nécessiter une modification du système pour prendre en charge les Google Play Services. + +### Appareils + +- Doit prendre en charge au moins l'un des systèmes d'exploitation personnalisés que nous recommandons. +- Doit être actuellement vendu neuf en magasin. +- Doit recevoir un minimum de 5 ans de mises à jour de sécurité. +- Doit disposer d'un matériel dédié aux éléments sécurisés. + +### Applications + +- Les applications de cette page ne doivent pas être applicables à une autre catégorie de logiciels sur le site. 
+- Les applications générales doivent étendre ou remplacer les fonctionnalités de base du système. +- Les applications doivent être régulièrement mises à jour et entretenues. + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/assets/img/account-deletion/exposed_passwords.png b/i18n/fr/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/fr/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/fr/assets/img/android/rss-apk-dark.png b/i18n/fr/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/fr/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/fr/assets/img/android/rss-apk-light.png b/i18n/fr/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/fr/assets/img/android/rss-apk-light.png differ diff --git a/i18n/fr/assets/img/android/rss-changes-dark.png b/i18n/fr/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/fr/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/fr/assets/img/android/rss-changes-light.png b/i18n/fr/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/fr/assets/img/android/rss-changes-light.png differ diff --git a/i18n/fr/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/fr/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..dfc36b34 --- /dev/null +++ b/i18n/fr/assets/img/how-tor-works/tor-encryption-dark.svg 
@@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Votre + + Appareil + + + + Envoi de données à un site Web + + + + + Réception de données d'un site Web + + + + + Votre + + Appareil + + + + Entrée + + + + + Milieu + + + + + Sortie + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entrée + + + + + Milieu + + + + + Sortie + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fr/assets/img/how-tor-works/tor-encryption.svg b/i18n/fr/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..ab96c4bb --- /dev/null +++ b/i18n/fr/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Votre + + Appareil + + + + Envoi de données à un site Web + + + + + Réception de données d'un site Web + + + + + Votre + + Appareil + + + + Entrée + + + + + Milieu + + + + + Sortie + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entrée + + + + + Milieu + + + + + Sortie + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fr/assets/img/how-tor-works/tor-path-dark.svg b/i18n/fr/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..858b0b36 --- /dev/null +++ b/i18n/fr/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Votre + Appareil + + + + Entrée + + + + + Milieu + + + + + Sortie + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fr/assets/img/how-tor-works/tor-path.svg b/i18n/fr/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..56128803 --- /dev/null +++ b/i18n/fr/assets/img/how-tor-works/tor-path.svg 
@@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Votre + Appareil + + + + Entrée + + + + + Milieu + + + + + Sortie + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fr/assets/img/multi-factor-authentication/fido.png b/i18n/fr/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..3b4057bc Binary files /dev/null and b/i18n/fr/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/fr/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/fr/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..37487048 Binary files /dev/null and b/i18n/fr/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/fr/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/fr/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/fr/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/fr/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/fr/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/fr/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/fr/basics/account-creation.md b/i18n/fr/basics/account-creation.md new file mode 100644 index 00000000..cef533bc --- /dev/null +++ b/i18n/fr/basics/account-creation.md 
@@ -0,0 +1,82 @@ +--- +title: "Création de Compte" +icon: 'material/account-plus' +--- + +Souvent, les gens s'inscrivent à des services sans réfléchir. Il s'agit peut-être d'un service de streaming qui vous permet de regarder la nouvelle émission dont tout le monde parle, ou d'un compte qui vous permet de bénéficier d'une réduction dans votre fast-food préféré. Quoi qu'il en soit, vous devez tenir compte des implications pour vos données, maintenant et plus tard. + +Chaque nouveau service que vous utilisez comporte des risques. Les fuites de données, la divulgation d'informations sur les clients à des tiers, l'accès à des données par des employés véreux sont autant de possibilités qui doivent être envisagées avant de founir vos informations. Vous devez être sûr que vous pouvez faire confiance au service, c'est pourquoi nous ne recommandons pas de stocker des données précieuses sur autre chose que les produits les plus matures et les plus éprouvés. Il s'agit généralement de services qui fournissent E2EE et qui ont fait l'objet d'un audit cryptographique. Un audit renforce l'assurance que le produit a été conçu sans problèmes de sécurité flagrants causés par un développeur inexpérimenté. + +Il peut également être difficile de supprimer les comptes sur certains services. Il est parfois possible [d'écraser les données](account-deletion.md#overwriting-account-information) associées à un compte, mais dans d'autres cas, le service conservera un historique complet des modifications apportées au compte. + +## Conditions Générales d'Utilisation & Politique de Confidentialité + +Les CGU sont les règles que vous acceptez de suivre lorsque vous utilisez le service. Dans les grands services, ces règles sont souvent appliquées par des systèmes automatisés. Parfois, ces systèmes automatisés peuvent faire des erreurs. Par exemple, vous pouvez être banni ou bloqué de votre compte sur certains services pour avoir utilisé un VPN ou numéro VOIP. 
Il est souvent difficile de faire appel de ces interdictions, et cela implique également une procédure automatisée, qui n'aboutit pas toujours. C'est l'une des raisons pour lesquelles nous ne suggérons pas d'utiliser Gmail pour la messagerie électronique, par exemple. L'e-mail est essentiel pour accéder à d'autres services auxquels vous avez peut-être souscrit. + +La Politique de Confidentialité est la manière dont le service indique qu'il utilisera vos données. Elle mérite d'être lue pour que vous compreniez comment vos données seront utilisées. Une entreprise ou une organisation peut ne pas être légalement obligée de suivre tout ce qui est contenu dans la politique (cela dépend de la juridiction). Nous vous recommandons d'avoir une idée de la législation locale et de ce qu'elle autorise un prestataire à collecter. + +Nous vous recommandons de rechercher des termes particuliers tels que "collecte de données", "analyse de données", "cookies", "annonces", "publicité" ou services "tiers". Parfois, vous aurez la possibilité de refuser la collecte ou le partage de vos données, mais il est préférable de choisir un service qui respecte votre vie privée dès le départ. + +Vous faites également confiance à l'entreprise ou à l'organisation pour se conformer à sa propre politique de confidentialité. + +## Méthodes d'authentification + +Il existe généralement plusieurs façons de créer un compte, chacune ayant ses propres avantages et inconvénients. + +### E-mail et mot de passe + +Le moyen le plus courant de créer un nouveau compte est d'utiliser une adresse e-mail et un mot de passe. Lorsque vous utilisez cette méthode, vous devriez utiliser un gestionnaire de mots de passe et suivre les [bonnes pratiques](passwords-overview.md) concernant les mots de passe. + +!!! tip "Conseil" + + Vous pouvez également utiliser votre gestionnaire de mots de passe pour gérer d'autres méthodes d'authentification ! Il suffit d'ajouter la nouvelle entrée et de remplir les champs appropriés. 
Vous pouvez ajouter des notes pour des choses comme des questions de sécurité ou une clé de secours. + +Vous serez responsable de la gestion de vos identifiants de connexion. Pour plus de sécurité, vous pouvez configurer [MFA](multi-factor-authentication.md) sur vos comptes. + +[Gestionnaires de mots de passe recommandés](../passwords.md ""){.md-button} + +#### Alias d'e-mail + +Si vous ne voulez pas donner votre véritable adresse e-mail à un service, vous avez la possibilité d'utiliser un alias. Nous les avons décrits plus en détail sur notre page de recommandation des services d'e-mail. Essentiellement, les services d'alias vous permettent de créer de nouvelles adresses e-mail qui transmettent tous les courriers à votre adresse principale. Cela peut permettre d'éviter le pistage entre les services et vous aider à gérer les e-mail de marketing qui accompagnent parfois le processus d'inscription. Ceux-ci peuvent être filtrés automatiquement en fonction de l'alias auquel ils sont envoyés. + +Si un service est piraté, vous pouvez commencer à recevoir des e-mails d'hameçonnage ou de spam à l'adresse que vous avez utilisée pour vous inscrire. L'utilisation d'alias uniques pour chaque service peut aider à identifier exactement quel service a été piraté. + +[Services d'alias d'e-mail recommandés](../email.md#email-aliasing-services ""){.md-button} + +### Authentification unique + +!!! note "À noter" + + Nous parlons de l'authentification unique pour l'usage personnel, pas pour les entreprises. + +L'authentification unique (SSO) est une méthode d'authentification qui vous permet de vous inscrire à un service sans partager beaucoup d'informations, voire aucune. Chaque fois que vous voyez quelque chose du type "Continuer avec *nom du fournisseur*" sur un formulaire d'inscription, il s'agit de SSO. 
+ +Lorsque vous choisissez l'authentification unique sur un site web, la page de connexion de votre fournisseur d'authentification unique s'affiche et votre compte est ensuite connecté. Votre mot de passe ne sera pas communiqué, mais certaines informations de base le seront (vous pouvez les consulter lors de la demande de connexion). Ce processus est nécessaire chaque fois que vous voulez vous connecter au même compte. + +Les principaux avantages sont les suivants : + +- **Sécurité**: aucun risque d'être impliqué dans une [fuite de données](https://fr.wikipedia.org/wiki/Violation_de_donn%C3%A9es) car le site ne stocke pas vos informations d'identification. +- **Facilité d'utilisation**: plusieurs comptes sont gérés par un seul login. + +Mais il y a des inconvénients : + +- **Vie privée**: un fournisseur de SSO connaîtra les services que vous utilisez. +- **Centralisation**: si votre compte SSO est compromis ou si vous n'êtes pas en mesure de vous y connecter, tous les autres comptes qui y sont connectés sont affectés. + +Le SSO peut être particulièrement utile dans les situations où vous pouvez bénéficier d'une intégration plus poussée entre les services. Par exemple, l'un de ces services peut offrir le SSO pour les autres. Notre recommandation est de limiter le SSO aux seuls endroits où vous en avez besoin et de protéger le compte principal avec [MFA](multi-factor-authentication.md). + +Tous les services qui utilisent le SSO seront aussi sécurisé que votre compte SSO. Par exemple, si vous souhaitez sécuriser un compte à l'aide d'une clé matérielle mais que ce service ne prend pas en charge les clés matérielles, vous pouvez sécuriser votre compte SSO à l'aide d'une clé matérielle et disposer ainsi d'un MFA matériel sur tous vos comptes. Il convient toutefois de noter qu'une authentification faible sur votre compte SSO signifie que tout compte lié à cette connexion sera également faiblement sécurisé. 
+ +### Numéro de téléphone + +Nous vous recommandons d'éviter les services qui exigent un numéro de téléphone pour l'inscription. Un numéro de téléphone peut vous identifier auprès de plusieurs services et, en fonction des accords de partage des données, cela rendra votre navigation plus facile à suivre, en particulier si l'un de ces services a une fuite, car le numéro de téléphone est souvent **non** chiffré. + +Vous devriez éviter de donner votre vrai numéro de téléphone si vous le pouvez. Certains services autorisent l'utilisation de numéros VOIP, mais ceux-ci déclenchent souvent des systèmes de détection des fraudes, entraînant le blocage du compte, ce que nous ne recommandons pas pour les comptes importants. + +Dans de nombreux cas, vous devrez fournir un numéro à partir duquel vous pourrez recevoir des SMS ou des appels, en particulier lorsque vous effectuez des achats à l'étranger, au cas où votre commande rencontrerait un problème lors du contrôle aux frontières. Il est courant que les services utilisent votre numéro comme méthode de vérification ; ne vous faites pas bloquer un compte important parce que vous avez voulu être malin et donner un faux numéro ! + +### Nom d'utilisateur et mot de passe + +Certains services vous permettent de vous inscrire sans utiliser d'adresse électronique et vous demandent seulement de définir un nom d'utilisateur et un mot de passe. Ces services peuvent offrir un anonymat accru lorsqu'ils sont associés à un VPN ou à Tor. Gardez à l'esprit que pour ces comptes, il n'y aura très probablement **aucun moyen de récupérer votre compte** au cas où vous oublieriez votre nom d'utilisateur ou votre mot de passe. + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/basics/account-deletion.md b/i18n/fr/basics/account-deletion.md new file mode 100644 index 00000000..e248e616 --- /dev/null +++ b/i18n/fr/basics/account-deletion.md 
@@ -0,0 +1,63 @@ +--- +title: "Suppression de compte" +icon: 'material/account-remove' +--- + +Au fil du temps, il est facile d'accumuler un certain nombre de comptes en ligne, dont beaucoup ne sont peut-être plus utilisés. La suppression de ces comptes inutilisés est une étape importante dans la récupération de votre vie privée, car les comptes inactifs sont vulnérables aux fuites de données. Il y a une fuite des données lorsque la sécurité d'un service est compromise et que des informations protégées sont consultées, transmises ou volées par des acteurs non autorisés. Les fuites de données sont malheureusement [très fréquentes](https://haveibeenpwned.com/PwnedWebsites) de nos jours, et donc le meilleur moyen de minimiser l'impact qu'elles ont sur votre vie et de pratiquer une bonne hygiène numérique. L'objectif de ce guide est donc de vous aider à traverser le processus fastidieux de la suppression d'un compte, souvent rendu difficile à cause du [dark pattern](https://www.deceptive.design/), une pratique que certains services utilisent afin que vous abandonniez l'idée de supprimer votre compte. + +## Recherche d'anciens comptes + +### Gestionnaire de mots de passe + +Si vous disposez d'un gestionnaire de mots de passe que vous avez utilisé pendant toute votre vie numérique, cette partie sera très facile. Souvent, ils incluent une fonctionnalité intégrée pour détecter si vos informations d'identification ont été exposées dans une fuite de données - comme le [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/) de Bitwarden. + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Même si vous n'avez pas explicitement utilisé un gestionnaire de mots de passe auparavant, il y a de fortes chances que vous ayez utilisé celui de votre navigateur ou de votre téléphone sans même vous en rendre compte. Par exemple : [Firefox Password Manager](https://support.mozilla.org/fr/kb/gestionnaire-mots-passe), [Google Password Manager](https://passwords.google.com/intro) et [Edge Password Manager](https://support.microsoft.com/fr-fr/microsoft-edge/enregistrer-ou-oublier-des-mots-de-passe-dans-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Les systèmes d'exploitation aussi, disposent souvent d'un gestionnaire de mots de passe qui peut vous aider à récupérer les mots de passe que vous avez oubliés : + +- Windows [Credential Manager](https://support.microsoft.com/fr-fr/windows/acc%C3%A8s-au-gestionnaire-d-informations-d-identification-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/fr-fr/HT211145) +- iOS [Passwords](https://support.apple.com/fr-fr/HT211146) +- Linux, Gnome Keyring, accessible par [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.fr) ou [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager). + +### Email + +Si vous n'avez pas utilisé de gestionnaire de mots de passe dans le passé ou si vous pensez avoir des comptes qui n'ont jamais été ajoutés à votre gestionnaire de mots de passe, une autre option consiste à rechercher le ou les comptes de messagerie sur lesquels vous pensez vous être inscrit. Sur votre client de messagerie, recherchez des mots-clés tels que "vérifier" ou "bienvenue". Presque à chaque fois que vous créez un compte en ligne, le service envoie un lien de vérification ou un message d'introduction à votre adresse électronique. Cela peut être un bon moyen de retrouver d'anciens comptes oubliés. 
+ +## Suppression des anciens comptes + +### Se connecter + +Pour supprimer vos anciens comptes, vous devez d'abord vous assurer que vous pouvez vous y connecter. Une fois encore, si le compte est enregistré dans votre gestionnaire de mots de passe, cette étape est facile. Si ce n'est pas le cas, vous pouvez essayer de deviner votre mot de passe. Dans le cas contraire, il existe généralement des options permettant de récupérer l'accès à votre compte, souvent disponibles par le biais d'un lien "mot de passe oublié" sur la page de connexion. Il est également possible que les comptes que vous avez abandonnés aient déjà été supprimés - il arrive que certains services suppriment tous les anciens comptes. + +Lorsque vous tentez de vous reconnecter, si le site renvoie un message d'erreur indiquant que cette adresse électronique n'est pas associée à un compte, ou si vous ne recevez pas de lien de réinitialisation après plusieurs tentatives, c'est que vous n'avez probablement pas de compte sous cette adresse électronique et devez en essayer une autre. Si vous n'arrivez pas à trouver l'adresse électronique que vous avez utilisée ou si vous n'avez plus accès à cette adresse, vous pouvez essayer de contacter l'assistance clientèle du service. Malheureusement, il n'y a aucune garantie que vous puissiez récupérer l'accès à votre compte. + +### RGPD (résidents de l'Espace Économique Européen uniquement) + +Les résidents de l'EEE disposent de droits supplémentaires concernant l'effacement des données spécifiés dans l'article [Article 17](https://www.gdpr.org/regulation/article-17.html) du RGPD. Si vous êtes concerné, lisez la politique de confidentialité de chaque service pour trouver des informations sur la manière d'exercer votre droit à l'effacement. 
La lecture de la politique de confidentialité peut s'avérer importante, car certains services proposent une option "Supprimer le compte" qui ne fait que le désactiver, vous devez dans ce cas prendre des mesures supplémentaires pour réellement supprimer votre compte. Parfois, la suppression effective peut impliquer de remplir des questionnaires, d'envoyer un courriel au responsable de la protection des données du service ou même de prouver que vous résidez dans l'EEE. Si vous envisagez de procéder de cette manière, n'écrasez **pas** les informations du compte - votre identité en tant que résident de l'EEE peut être requise. Notez que l'emplacement du service n'a pas d'importance ; le RGPD s'applique à toute personne desservant des utilisateurs européens. Si le service ne respecte pas votre droit à l'effacement, vous pouvez contacter votre [autorité nationale de protection des données](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) et vous pouvez avoir droit à une compensation monétaire. L'autorité nationale de protection des données en France est la [Commission Nationale de l'Informatique et des Libertés (CNIL)](https://www.cnil.fr/). Des modèles de courrier pour des clôtures de compte ou de suppression de données sont accessibles sur leur [site](https://www.cnil.fr/fr/modeles/courrier). Pour en savoir plus sur votre droit à l'effacement, voici un [article](https://www.cnil.fr/fr/le-droit-leffacement-supprimer-vos-donnees-en-ligne) de la CNIL. + +### Remplacer les informations de compte + +Dans certaines situations où vous prévoyez d'abandonner un compte, il peut être judicieux de modifier les informations du compte avec de fausses données. Une fois que vous vous êtes assuré que vous pouvez vous connecter, remplacez toutes les informations de votre compte par des informations falsifiées. 
La raison en est que de nombreux sites conservent les informations que vous aviez auparavant, même après la suppression du compte. L'idée est qu'ils écrasent les informations précédentes avec les données les plus récentes que vous avez saisies. Cependant, il n'y a aucune garantie qu'il n'y aura pas de sauvegardes avec les informations précédentes. + +Pour l'email du compte, créez un nouveau compte email alternatif via le fournisseur de votre choix ou créez un alias en utilisant un [service d'alias d'emails](/email/#email-aliasing-services). Vous pouvez ensuite supprimer cette adresse électronique une fois que vous avez terminé. Nous vous déconseillons d'utiliser des fournisseurs d'emails temporaires, car il est souvent possible de réactiver des emails temporaires. + +### Suppression + +Vous pouvez consulter [JustDeleteMe](https://justdeleteme.xyz/fr) pour obtenir des instructions sur la suppression du compte d'un service en particulier. Certains sites proposent gracieusement une option "Supprimer le compte", tandis que d'autres vont jusqu'à vous obliger à parler au service assistant. Le processus de suppression peut varier d'un site à l'autre, la suppression du compte peut être impossible sur certains. + +Pour les services qui ne permettent pas la suppression du compte, la meilleure chose à faire est de falsifier toutes vos informations comme indiqué précédemment et de renforcer la sécurité du compte. Pour ce faire, activez le [MFA](multi-factor-authentication.md) et toutes les fonctions de sécurité supplémentaires proposées par le site web. De même, changez le mot de passe avec un mot de passe généré de manière aléatoire qui correspond à la taille maximale autorisée par le site web (un [gestionnaire de mots de passe](/passwords/#local-password-managers) peut être utile pour cela). + +Si vous êtes convaincu que toutes les informations auxquelles vous tenez ont été supprimées, vous pouvez oublier ce compte en toute sécurité. 
Si ce n'est pas le cas, il peut être judicieux de conserver les informations d'identification avec vos autres mots de passe et de vous reconnecter occasionnellement pour réinitialiser le mot de passe. + +Même lorsque vous êtes en mesure de supprimer un compte, il n'y a aucune garantie que toutes vos informations seront supprimées. Certaines entreprises sont tenues par la loi de conserver certaines informations, notamment lorsqu'elles sont liées à des transactions financières. Vous n'avez pratiquement aucun contrôle sur ce qui arrive à vos données lorsqu'il s'agit des sites web et des services cloud. + +## Éviter la création de nouveaux comptes + +Comme le dit le vieil adage, "Mieux vaut prévenir que guérir". Chaque fois que vous êtes tenté de vous inscrire à un nouveau service ou site web, demandez-vous : "En ai-je vraiment besoin ? Puis-je accomplir ce dont j'ai besoin sans compte ?" Il est souvent beaucoup plus difficile de supprimer un compte que d'en créer un. Et même après avoir supprimé ou modifié les informations sur votre compte, il se peut qu'il existe une version en cache provenant d'un tiers, comme [Internet Archive](https://archive.org/). Évitez la tentation quand vous le pouvez - votre futur vous en remerciera ! + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/basics/common-misconceptions.md b/i18n/fr/basics/common-misconceptions.md new file mode 100644 index 00000000..f14eb538 --- /dev/null +++ b/i18n/fr/basics/common-misconceptions.md 
@@ -0,0 +1,61 @@ +--- +title: "Idées Reçues" +icon: 'material/robot-confused' +--- + +## "Les logiciels libres et open-source sont toujours sécurisés" ou "Les logiciels propriétaires sont plus sécurisé" + +Ces mythes découlent d'un certain nombre de préjugés, mais le fait que le code source soit disponible ou non et la manière dont les logiciels sont concédés sous licence n'affectent en rien leur sécurité. ==Les logiciels open-source ont le *potentiel* d'être plus sécurisé que les logiciels propriétaires, mais il n'y a absolument aucune garantie que ce soit le cas.== Lorsque vous évaluez un logiciel, vous devez examiner la réputation et la sécurité de chaque outil individuellement. + +Les logiciels libres *peuvent* être audités par des tiers et sont souvent plus transparents sur les vulnérabilités potentielles que leurs homologues propriétaires. Ils vous permettent également d'examiner le code et de désactiver vous-même toute fonctionnalité suspecte. Cependant, *à moins que vous ne le fassiez*, il n'y a aucune garantie que le code ait jamais été évalué, en particulier pour les petits projets. Le processus de développement ouvert a aussi parfois été exploité pour introduire de nouvelles vulnérabilités même dans des projets importants.[^1] + +Par ailleurs, les logiciels propriétaires sont moins transparents, mais cela ne signifie pas qu'ils ne sont pas sécurisés. Des projets logiciels propriétaires majeurs peuvent être audités en interne et par des agences tierces, et des chercheurs indépendants en sécurité peuvent toujours trouver des vulnérabilités avec des techniques telles que la rétro-ingénierie. + +Pour éviter les décisions biaisées, il est *essentiel* que vous évaluiez les normes de confidentialité et de sécurité des logiciels que vous utilisez. 
+ +## "Déplacer la confiance peut améliorer la vie privée" + +Nous parlons souvent de "déplacement de confiance" lorsque nous abordons des solutions telles que les VPN (qui déplacent la confiance que vous accordez à votre Fournisseur d'Accès Internet vers le fournisseur de VPN). Bien que cela protège vos données de navigation de votre FAI *spécifiquement*, le fournisseur de VPN que vous choisissez a toujours accès à vos données de navigation : Vos données ne sont pas complètement protégées de toutes les parties. Cela signifie que : + +1. Vous devez faire preuve de prudence lorsque vous choisissez un fournisseur auquel accorder votre confiance. +2. Vous devez toujours utiliser d'autres techniques, comme E2EE, pour protéger complètement vos données. Le simple fait de se méfier d'un fournisseur pour faire confiance à un autre ne sécurise pas vos données. + +## "Les solutions axées sur la protection de la vie privée sont intrinsèquement dignes de confiance" + +Se concentrer uniquement sur les politiques de confidentialité et le marketing d'un outil ou d'un fournisseur peut vous aveugler face à ses faiblesses. Lorsque vous recherchez une solution plus privée, vous devez déterminer quel est le problème sous-jacent et trouver des solutions techniques à ce problème. Par exemple, vous voudrez peut-être éviter Google Drive, qui donne à Google l'accès à toutes vos données. Le problème sous-jacent dans ce cas est l'absence d'E2EE, vous devez donc vous assurer que le fournisseur vers lequel vous passez met effectivement en œuvre E2EE, ou utiliser un outil (comme [Cryptomator](../encryption.md#cryptomator-cloud)) qui fournit E2EE sur n'importe quel fournisseur de cloud. Le passage à un fournisseur "soucieux de la protection de la vie privée" (qui ne met pas en œuvre E2EE) ne résout pas votre problème : il ne fait que déplacer la confiance de Google vers ce fournisseur. 
+ +Les politiques de confidentialité et les pratiques commerciales des fournisseurs que vous choisissez sont très importantes, mais doivent être considérées comme secondaires par rapport aux garanties techniques de votre vie privée : Vous ne devriez pas faire confiance à un autre fournisseur lorsque la confiance en un fournisseur n'est pas du tout requise. + +## "Plus c'est complexe mieux c'est" + +Nous voyons souvent des personnes décrire des modèles de menace pour protéger leurs vies privées qui sont trop complexes. Souvent, ces solutions incluent des problèmes tels que de nombreux comptes de messagerie différents ou des configurations compliquées avec de nombreuses pièces mobiles et conditions. Les réponses sont généralement des réponses à la question "Quelle est la meilleure façon de faire *X*?" + +Trouver la "meilleure" solution pour soi ne signifie pas nécessairement que l'on recherche une solution infaillible avec des dizaines de conditions - ces solutions sont souvent difficiles à utiliser de manière réaliste. Comme nous l'avons vu précédemment, la sécurité se fait souvent au détriment de la commodité. Nous vous donnons ci-dessous quelques conseils : + +1. ==Les actions doivent servir un objectif particulier:== réfléchissez à la manière de faire ce que vous voulez avec le moins d'actions possible. +2. ==Supprimer les points d'échec humains:== nous échouons, nous nous fatiguons et nous oublions des choses. Pour maintenir la sécurité, évitez de vous appuyer sur des conditions et des processus manuels dont vous devez vous souvenir. +3. ==Utilisez le bon niveau de protection pour ce que vous voulez faire.== Nous voyons souvent des recommandations de solutions soi-disant à l'épreuve des forces de l'ordre et des assignations/mandats. Celles-ci nécessitent souvent des connaissances spécialisées et ne sont généralement pas ce que les gens recherchent. 
Il ne sert à rien de construire un modèle de menace complexe pour l'anonymat si vous pouvez être facilement désanonymisé par un simple oubli. + +Alors, à quoi ça pourrait ressembler ? + +Les modèles de menace les plus clairs sont ceux où les gens *savent qui vous êtes* et ceux où ils ne le savent pas. Il y aura toujours des situations où vous devrez déclarer votre nom légal et d'autres où vous n'aurez pas à le faire. + +1. **Identité connue** - Une identité connue est utilisée pour les endroits où vous devez déclarer votre nom. Il existe de nombreux documents juridiques et contrats de ce type pour lesquels une identité légale est requise. Il peut s'agir de l'ouverture d'un compte bancaire, de la signature d'un bail immobilier, de l'obtention d'un passeport, de déclarations douanières lors de l'importation d'articles ou de toute autre démarche auprès de votre gouvernement. Ces éléments conduisent généralement à des informations d'identification telles que des cartes de crédit, des vérifications de la solvabilité, des numéros de compte et éventuellement des adresses physiques. + + Nous ne suggérons pas l'utilisation d'un VPN ou de Tor pour toutes ces choses, car votre identité est déjà connue par d'autres moyens. + + !!! tip "Conseil" + + Lorsque vous effectuez des achats en ligne, l'utilisation d'une [consigne à colis](https://en.wikipedia.org/wiki/Parcel_locker) peut contribuer à préserver la confidentialité de votre adresse physique. + +2. **Identité inconnue** - Une identité inconnue pourrait être un pseudonyme stable que vous utilisez régulièrement. Il n'est pas anonyme car il ne change pas. Si vous faites partie d'une communauté en ligne, vous souhaiterez peut-être conserver un personnage que les autres connaissent. Ce pseudonyme n'est pas anonyme car, s'il est surveillé suffisamment longtemps, les détails concernant le propriétaire peuvent révéler d'autres informations, telles que sa façon d'écrire, ses connaissances générales sur des sujets d'intérêt, etc. 
+ + Vous pouvez utiliser un VPN pour masquer votre adresse IP. Les transactions financières sont plus difficiles à masquer : Vous pouvez envisager d'utiliser des crypto-monnaies anonymes, comme [Monero](https://www.getmonero.org/). L'utilisation de monnaies alternatives peut également contribuer à masquer l'origine de votre monnaie. En règle générale, les centres d'échange exigent que le processus [KYC](https://fr.wikipedia.org/wiki/Know_your_customer) (connaissance du client) soit complété avant de vous autoriser à échanger de la monnaie fiduciaire contre tout type de cryptomonnaie. Les options de rencontres locales peuvent également être une solution, mais elles sont souvent plus coûteuses et nécessitent parfois un processus KYC. + +3. **Identité anonyme** - Même avec de l'expérience, les identités anonymes sont difficiles à maintenir sur de longues périodes. Il doit s'agir d'identités à court terme et de courte durée qui font l'objet d'une rotation régulière. + + L'utilisation de Tor peut y contribuer. Il convient également de noter qu'un plus grand anonymat est possible grâce à la communication asynchrone : La communication en temps réel est vulnérable à l'analyse des habitudes de frappe (c'est-à-dire plus d'un paragraphe de texte, diffusé sur un forum, par e-mail, etc.) + +--8<-- "includes/abbreviations.fr.txt" + +[^1]: Un exemple notable est l'[incident de 2021 dans lequel des chercheurs de l'Université du Minnesota ont introduit trois vulnérabilités dans le projet de développement du noyau Linux](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/fr/basics/common-threats.md b/i18n/fr/basics/common-threats.md new file mode 100644 index 00000000..a6e3a11c --- /dev/null +++ b/i18n/fr/basics/common-threats.md 
@@ -0,0 +1,149 @@ +--- +title: "Menaces courantes" +icon: 'material/eye-outline' +--- + +Pour faire simple, nous classons nos recommandations dans ces catégories générales de [menaces](threat-modeling.md) ou d'objectifs qui s'appliquent à la plupart des gens. ==Vous pouvez vous sentir concerné par une, plusieurs, toutes, ou bien aucune de ces possibilités==. Les outils et les services que vous utilisez dépendent également de vos objectifs. Il est possible que vous ayez des menaces spécifiques ne rentrant dans aucune de ces catégories, ce qui est tout à fait normal ! L'important est de bien comprendre les avantages et les inconvénients des outils que vous choisissez d'utiliser, car pratiquement aucun d'entre eux ne vous protégera contre toutes les menaces possibles. + +- :material-incognito: Anonymat - Séparer votre activité en ligne de votre identité réelle, vous vous protégez des personnes qui tentent de découvrir explicitement *votre* identité +- :material-target-account: Attaques Ciblées - Se protéger contre les pirates informatiques dévoués ou d'autres agents malintentionnés essayant d'accéder spécifiquement à *vos* données ou appareils +- :material-bug-outline: Attaques Passives - Se protéger des logiciels malveillants, des fuites de données, et autres attaques qui sont faites contre des groupes de personnes +- :material-server-network: Fournisseurs de Services - Protéger vos données des fournisseurs de services, en utilisant par exemple un chiffrement de bout en bout rendant vos données illisibles par le serveur +- :material-eye-outline: Surveillance de Masse - Protection contre les agences gouvernementales, organisations, sites web et services qui collaborent pour suivre vos activités en ligne +- :material-account-cash: Capitalisme de Surveillance - Se protéger des grands réseaux publicitaires comme Google et Facebook, ainsi que d'une myriade d'autres collecteurs de données tiers +- :material-account-search: Exposition Publique - Limiter les informations en 
ligne vous concernant, accessibles par les moteurs de recherche ou par le grand public +- :material-close-outline: Censure - Éviter les accès censurés à l'information et d'être soi-même censuré lorsqu'on discute en ligne + +Certaines de ces menaces peuvent peser plus que d'autres en fonction de vos préoccupations. Par exemple, un développeur de logiciels ayant accès à des données précieuses ou critiques peut être principalement concerné par les :material-target-account: Attaques Ciblées. Mais de plus, il veut probablement empêcher ses données personnelles d'être récupérées par des programmes de :material-eye-outline: Surveillance de Masse. De même, une « personne lambda » peut être principalement concernée par l':material-account-search: Exposition Publique de ses données personnelles, mais devrait tout de même se méfier des problèmes de sécurité tels que les :material-bug-outline: Attaques Passives comme les logiciels malveillants affectant ses appareils. + +## Anonymat et vie privée + +:material-incognito: Anonymat + +L'anonymat et le concept de vie privée sont deux concepts radicalement différents. Avoir une vie privée en ligne est un ensemble de choix que vous faites sur la façon dont vos données sont utilisées et partagées, alors que l'anonymat est la dissociation complète de vos activités en ligne de votre identité réelle. + +Les lanceurs d'alerte et les journalistes, par exemple, peuvent avoir un modèle de menace beaucoup plus extrême nécessitant un anonymat total. Il ne s'agit pas seulement de cacher ce qu'ils font, les données dont ils disposent ou de ne pas se faire pirater par des hackers ou des gouvernements, mais aussi de cacher entièrement qui ils sont. Ils sont prêts à sacrifier tout type de commodité s'il s'agit de protéger leur anonymat, leur vie privée ou leur sécurité, car leur vie pourrait en dépendre. La plupart des gens n'ont pas besoin d'aller si loin. 
+ +## Sécurité et vie privée + +:material-bug-outline: Attaques passives + +La sécurité et la vie privée sont souvent confondues, car vous avez besoin de sécurité pour obtenir tout semblant de vie privée. Utiliser des outils qui semblent respecter votre vie privée est futile s'ils peuvent facilement être exploités par des attaquants pour publier vos données plus tard. Cependant, l'inverse n'est pas nécessairement vrai ; le service le plus sécurisé au monde *ne respecte pas nécessairement* votre vie privée. Le meilleur exemple est de confier des données à Google qui, compte tenu de leur envergure, ont connu un minimum d'incidents de sécurité grâce à l'emploi d'experts en sécurité de premier plan pour sécuriser leur infrastructure. Même si Google fournit un service très sécurisé, rares sont ceux qui considèrent que leurs données restent privées en utilisant leurs outils gratuits (Gmail, YouTube, etc). + +En matière de sécurité des applications, nous ne savons généralement pas (et parfois ne pouvons pas) savoir si le logiciel que nous utilisons est malveillant, ou pourrait un jour le devenir. Même avec les développeurs les plus dignes de confiance, il n'y a généralement aucune garantie que leur logiciel ne présente pas une vulnérabilité grave qui pourrait être exploitée ultérieurement. + +Pour minimiser les dommages potentiels qu'un logiciel malveillant peut causer, vous devez employer la sécurité par compartimentation. Il peut s'agir d'utiliser des ordinateurs différents pour des tâches différentes, d'utiliser des machines virtuelles pour séparer différents groupes d'applications connexes ou d'utiliser un système d'exploitation sécurisé mettant l'accent sur le principe de [sandboxing](https://fr.wikipedia.org/wiki/Sandbox_(s%C3%A9curit%C3%A9_informatique)) (ou « bac à sable » en français) des applications et du [mandatory access control](https://fr.wikipedia.org/wiki/Contr%C3%B4le_d'acc%C3%A8s_obligatoire) (ou « Contrôle d'accès obligatoire » en français). + +!!! 
tip "Conseil" + + Les systèmes d'exploitation mobiles sont généralement plus sûrs que les systèmes d'exploitation de bureau en ce qui concerne le sandboxing des applications. + + Les systèmes d'exploitation de bureau sont généralement à la traîne en ce qui concerne le sandboxing. ChromeOS possède des capacités de sandboxing similaires à celles d'Android, et macOS dispose d'un contrôle complet des autorisations système (et les développeurs peuvent opter pour le sandboxing pour les applications). Cependant, ces systèmes d'exploitation transmettent des informations d'identification à leurs constructeurs respectifs. Linux a tendance à ne pas soumettre d'informations aux fournisseurs de systèmes, mais il a une mauvaise protection contre les exploits et les applications malveillantes. Ce problème peut être quelque peu atténué avec des distributions spécialisées qui font un usage intensif des machines virtuelles ou des conteneurs, comme Qubes OS. + +:material-target-account: Attaques ciblées + +Les attaques ciblées contre une personne spécifique sont plus difficiles à gérer. Les voies d'attaque les plus courantes sont l'envoi de documents malveillants par courrier électronique, l'exploitation de vulnérabilités dans le navigateur et les systèmes d'exploitation, et les attaques physiques. Si cela vous préoccupe, il vous sera nécessaire de recourir à des stratégies plus avancées d'atténuation des menaces. + +!!! tip "Conseil" + + **Les navigateurs web**, **les clients de messagerie électronique** et **les applications de bureautique** exécutent généralement volontairement, et par conception, du code non fiable qui vous est envoyé par des tiers. L'exécution de plusieurs machines virtuelles pour séparer les applications de ce type de votre système hôte ainsi que les unes des autres est une technique que vous pouvez utiliser pour éviter qu'un code d'exploitation dans ces applications ne compromette le reste de votre système. 
Les technologies comme Qubes OS ou Microsoft Defender Application Guard sur Windows fournissent des méthodes pratiques pour le faire de manière transparente, par exemple. + +Si vous êtes préoccupé par les **attaques physiques** vous devriez utiliser un système d'exploitation avec une implémentation de démarrage vérifié sécurisé, à la manière d'Android, d'iOS, de macOS ou de [Windows (avec TPM)](https://docs.microsoft.com/fr-fr/windows/security/information-protection/secure-the-windows-10-boot-process). Vous devriez également vous assurer que votre disque est chiffré et que le système d'exploitation utilise un TPM, une [Enclave sécurisée](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) ou un [Element sécurisé](https://developers.google.com/android/security/android-ready-se) pour limiter le taux de tentatives de saisie de la phrase de passe. Vous devriez éviter de partager votre ordinateur avec des personnes en qui vous n'avez pas confiance, car la plupart des systèmes d'exploitation de bureau ne chiffrent pas les données séparément par utilisateur. + +## Protection de ses données des fournisseurs de services + +:material-server-network: Fournisseurs de service + +Nous vivons dans un monde où presque tout est connecté à Internet. Nos messages « privés », e-mails et nos interactions sociales sont généralement stockés sur un serveur quelque part. Généralement, lorsque vous envoyez un message à quelqu'un, ce message est alors stocké en clair sur un serveur, et lorsque votre ami souhaite lire le message, le serveur le lui montre. + +Le problème évident avec cela est que le fournisseur de services (ou un pirate informatique qui a compromis le serveur) peut consulter vos conversations "privées" quand et comme il le souhaite, sans jamais que vous ne le sachiez. Cela s'applique à de nombreux services courants tels que la messagerie SMS, Telegram, Discord, etc. 
+ +Heureusement, le chiffrement de bout en bout peut atténuer ce problème en rendant illisibles les communications entre vous et vos destinataires avant même qu'elles ne soient envoyées au serveur. La confidentialité de vos messages est garantie, tant que le prestataire de services n'a pas accès aux clés privées d'une des deux personnes. + +!!! note "Note sur le chiffrement basé sur le web" + + Dans la pratique, l'efficacité des différentes mises en œuvre du chiffrement de bout en bout varie. Des applications telles que [Signal](../real-time-communication.md#signal) s'exécutent nativement sur votre appareil, et chaque copie de l'application est la même sur différentes installations. Si le fournisseur de services venait à ouvrir une porte dérobée dans son application pour tenter de voler vos clés privées, cela pourrait être détecté ultérieurement par rétro-ingénierie. + + D'autre part, les implémentations de chiffrement de bout en bout basées sur le web, telles que l'application web de Proton Mail ou le coffre-fort web de Bitwarden, reposent sur le serveur qui sert dynamiquement du code JavaScript au navigateur pour gérer les opérations cryptographiques. Un serveur malveillant pourrait cibler une personne spécifique et lui envoyer un code JavaScript malveillant pour voler sa clé de chiffrement, et il serait extrêmement difficile pour l'utilisateur de s'en rendre compte. Même si cette personne s'aperçoit de la tentative de vol de sa clé, il serait incroyablement difficile de prouver que c'est le fournisseur qui tente de le faire, car le serveur peut choisir de servir différents clients web à différentes personnes. + + Par conséquent, lorsque vous comptez sur le chiffrement de bout en bout, vous devriez choisir d'utiliser des applications natives plutôt que des clients web, dans la mesure du possible. 
+ +Même avec le chiffrement de bout en bout, les fournisseurs de services peuvent toujours vous profiler sur la base des **métadonnées**, qui ne sont généralement pas protégées. Si le fournisseur de services ne peut pas lire vos messages pour savoir ce que vous dites, il peut néanmoins observer des choses comme les personnes avec lesquelles vous parlez, la fréquence de vos messages et les heures où vous êtes généralement actif. La protection des métadonnées est assez rare, et vous devriez prêter une attention particulière à la documentation technique du logiciel que vous utilisez pour voir s'il y a une minimisation ou une protection des métadonnées, si cela vous préoccupe. + +## Programmes de surveillance de masse + +:material-eye-outline: Surveillance de masse + +La surveillance de masse est un effort visant à surveiller le "comportement, de nombreuses activités ou les informations" d'une population entière (ou d'une fraction substantielle d'une population).[^1] Elle fait souvent référence à des programmes gouvernementaux, tels que ceux [divulgués par Edward Snowden en 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). Cependant, elle peut également être réalisée par des entreprises, soit pour le compte d'agences gouvernementales, soit de leur propre initiative. + +!!! abstract "Atlas de la surveillance" + + Si vous souhaitez en savoir plus sur les méthodes de surveillance et la manière dont elles sont mises en œuvre dans les villes aux États-Unis, vous pouvez également consulter l'[Atlas de la Surveillance](https://atlasofsurveillance.org/) de l'[Electronic Frontier Foundation](https://www.eff.org/). + + En France, vous pouvez consulter le site [Technolopolice](https://technopolice.fr/villes/) géré par l'association à but non lucratif La Quadrature du Net. + +Les gouvernements justifient souvent les programmes de surveillance de masse comme des moyens nécessaires pour combattre le terrorisme et prévenir la criminalité. 
Cependant, en violation des droits de l'homme, ces programmes de surveillance sont, entre autres, le plus souvent utilisés pour cibler de manière disproportionnée les minorités et les dissidents politiques.
+
+!!! quote "ACLU : [*La leçon du 11 septembre en matière de vie privée : La surveillance de masse n'est pas la voie à suivre*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
+
+ Face aux [révélations d'Edward Snowden sur des programmes gouvernementaux tels que [PRISM](https://fr.wikipedia.org/wiki/PRISM_%28programme_de_surveillance%29) et [Upstream](https://fr.wikipedia.org/wiki/Upstream_collection)], les responsables des services de renseignement ont également admis que la NSA collectait secrètement depuis des années des enregistrements sur pratiquement tous les appels téléphoniques des Américains - qui appelle qui, quand ces appels sont passés et la durée de ces appels. Ce type d'informations, lorsqu'il est amassé par la NSA quotidiennement, peut révéler des détails terriblement sensibles sur la vie des gens en associant ces données : s'ils ont appelé un pasteur, une clinique d'avortement, un centre d'addiction ou une ligne d'assistance contre le suicide par exemple.
+
+Malgré la surveillance de masse croissante aux États-Unis, le gouvernement a constaté que les programmes de surveillance de masse comme la section 215 ont eu "peu de valeur unique" en ce qui concerne l'arrêt de crimes réels ou de complots terroristes, les efforts faisant largement double emploi avec les programmes de surveillance ciblée du FBI.[^2]
+
+Vous pouvez être pisté de plusieurs manières en ligne :
+
+- Votre adresse IP
+- Les cookies de votre navigateur
+- Les données que vous soumettez aux sites web
+- L'empreinte numérique de votre navigateur ou de votre appareil
+- La corrélation des modes de paiement
+
+\[Cette liste n'est pas exhaustive].
+
+Si vous êtes préoccupé par les programmes de surveillance de masse, vous pouvez utiliser des stratégies comme cloisonner vos identités virtuelles, vous fondre dans la masse des utilisateurs, ou, dans la mesure du possible, simplement éviter de renseigner des informations qui pourraient permettre de vous identifier.
+
+:material-account-cash: Capitalisme de surveillance
+
+> Le capitalisme de surveillance est un système économique centré sur la collecte et la marchandisation des données personnelles dont le principal but est de faire du profit.[^3]
+
+Pour de nombreuses personnes, le pistage et la surveillance par des sociétés privées constituent une préoccupation croissante. Les réseaux publicitaires omniprésents, tels que ceux exploités par Google et Facebook, s'étendent sur internet bien au-delà des sites qu'ils contrôlent et suivent vos actions tout le long de votre navigation. L'utilisation d'outils tels que des bloqueurs de contenu pour limiter les requêtes du réseau vers leurs serveurs, et la lecture des politiques de confidentialité des services que vous utilisez peuvent vous aider à éviter de nombreux adversaires de base (bien que cela ne puisse pas empêcher complètement le pistage).[^4]
+
+En outre, même les entreprises n'appartenant pas au secteur de l'*Industrie Publicitaire (AdTech)* ou du pistage peuvent partager vos informations avec des [data brokers](https://en.wikipedia.org/wiki/Information_broker) (ou « courtiers en données » en français) (tels que Cambridge Analytica, Experian ou Datalogix) ou d'autres parties. Vous ne pouvez pas automatiquement supposer que vos données sont en sécurité simplement parce que le service que vous utilisez n'a pas un modèle économique typique de l'AdTech ou du pistage.
La meilleure protection contre la collecte de données par les entreprises est de chiffrer ou d'obscurcir vos données dans la mesure du possible, afin qu'il soit plus difficile pour les différents fournisseurs de corréler les données entre elles et d'établir un profil sur vous.
+
+## Limiter l'information publique
+
+:material-account-search: Exposition publique
+
+La meilleure façon de préserver la confidentialité de vos données est tout simplement de ne pas les mettre en ligne. La suppression des informations indésirables que vous trouvez sur vous en ligne est l'une des meilleures premières mesures que vous pouvez prendre pour retrouver votre vie privée.
+
+- [Consultez notre guide sur la suppression de compte :material-arrow-right-drop-circle:](account-deletion.md)
+
+Il est très important de vérifier les paramètres de confidentialité de votre compte pour limiter la diffusion de ces données sur les sites dans lesquels vous partagez des informations. Par exemple, activez le "mode privé" sur vos comptes si vous en avez la possibilité : cela garantit que votre compte n'est pas indexé par les moteurs de recherche et qu'il ne peut pas être consulté sans votre permission.
+
+Si vous avez déjà soumis vos véritables informations à des sites qui ne devraient pas les avoir, envisagez d'utiliser des tactiques de désinformation, comme la soumission d'informations fictives liées à cette identité en ligne. Vos vraies informations seront alors indiscernables des fausses informations.
+
+## Éviter la censure
+
+:material-close-outline: Censure
+
+La censure en ligne peut être exercée (à des degrés divers) par des acteurs tels que des gouvernements totalitaires, des administrateurs de réseaux et des fournisseurs de services.
Ces efforts pour contrôler la communication et restreindre l'accès à l'information seront toujours incompatibles avec le droit humain à la liberté d'expression.[^5]
+
+La censure sur les plateformes privées est de plus en plus courante, car des plateformes comme Twitter et Facebook cèdent à la demande du public, aux pressions du marché et à celles des agences gouvernementales. Les pressions gouvernementales peuvent prendre la forme de demandes secrètes adressées aux entreprises, comme la Maison Blanche [demandant le retrait](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) d'une vidéo provocante sur YouTube, ou de demandes manifestes, comme le gouvernement chinois exigeant des entreprises qu'elles adhèrent à un régime de censure strict.
+
+Les personnes concernées par la menace de la censure peuvent utiliser des technologies comme [Tor](../advanced/tor-overview.md) pour la contourner, et soutenir des plateformes de communication résistantes à la censure comme [Matrix](../real-time-communication.md#element), qui ne dispose pas d'une autorité centralisée pouvant fermer des comptes de manière arbitraire.
+
+!!! tip "Conseil"
+
+ S'il peut être facile d'échapper à la censure en soi, cacher le fait que vous le faites peut être très problématique.
+
+ Vous devez prendre en compte quels aspects du réseau votre adversaire peut observer, et si vous avez une possibilité de déni plausible pour vos actions. Par exemple, l'utilisation de [DNS chiffrés](../advanced/dns-overview.md#what-is-encrypted-dns) peut vous aider à contourner les systèmes de censure rudimentaires basés sur les DNS, mais elle ne peut pas vraiment cacher ce que vous visitez à votre FAI. Un VPN ou Tor peut aider à cacher ce que vous visitez aux administrateurs du réseaux, mais ne peut pas cacher que vous utilisez ces réseaux.
Les transports enfichables (tels que Obfs4proxy, Meek ou Shadowsocks) peuvent vous aider à contourner les pare-feu qui bloquent les protocoles VPN courants ou Tor, mais vos tentatives de contournement peuvent toujours être détectées par des méthodes telles que le sondage ou [l'inspection approfondie des paquets](https://fr.wikipedia.org/wiki/Deep_packet_inspection).
+
+Vous devez toujours tenir compte des risques encourus en essayant de contourner la censure, des conséquences potentielles et du degré de sophistication de votre adversaire. Soyez très prudent dans le choix de vos logiciels et prévoyez un plan de secours au cas où vous seriez pris.
+
+--8<-- "includes/abbreviations.fr.txt"
+
+[^1]: Commission de surveillance de la vie privée et des libertés civiles des États-Unis : [Rapport sur le programme d'enregistrements téléphoniques mené en vertu de la section 215](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^2]: Conseil de surveillance de la vie privée et des libertés civiles des États-Unis : [*Rapport sur le programme d'enregistrements téléphoniques mené en vertu de la section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^3]: Wikipédia : [*Capitalisme de surveillance*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^4]: "[Énumérer la méchanceté](https://www.ranum.com/security/computer_security/editorials/dumb/)" (ou "énumérer toutes les mauvaises choses que nous connaissons") comme le font de nombreux bloqueurs de publicités et programmes antivirus, ne permet pas de vous protéger correctement contre les menaces nouvelles et inconnues, car elles n'ont pas encore été ajoutées à la liste des filtres. Vous devriez également utiliser d'autres techniques d'atténuation.
+[^5]: Nations Unies : [*Déclaration universelle des droits de l'homme*](https://www.un.org/fr/about-us/universal-declaration-of-human-rights).
diff --git a/i18n/fr/basics/email-security.md b/i18n/fr/basics/email-security.md
new file mode 100644
index 00000000..512ee5b0
--- /dev/null
+++ b/i18n/fr/basics/email-security.md
@@ -0,0 +1,42 @@
+---
+title: Sécurité des Emails
+icon: material/email
+---
+
+Le courrier électronique est une forme de communication non sécurisée par défaut. Vous pouvez améliorer la sécurité de votre courrier électronique avec des outils tels que OpenPGP, qui ajoute un chiffrement de bout en bout à vos messages, mais OpenPGP présente toujours un certain nombre d'inconvénients par rapport au chiffrement dans d'autres applications de messagerie, et certaines données de courrier électronique ne peuvent jamais être chiffrées de manière inhérente en raison de la manière dont le courrier électronique est conçu.
+
+Par conséquent, il est préférable d'utiliser le courrier électronique pour recevoir des courriels transactionnels (notifications, courriels de vérification, réinitialisation de mot de passe, etc.) provenant des services auxquels vous vous inscrivez en ligne, et non pour communiquer avec d'autres personnes.
+
+## Aperçu du chiffrement des e-mails
+
+La méthode standard pour ajouter du E2EE aux emails entre différents fournisseurs mails est d'utiliser OpenPGP. Il existe différentes implémentations de la norme OpenPGP, les plus courantes étant [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) et [OpenPGP.js](https://openpgpjs.org).
+
+Il existe une autre norme populaire auprès des entreprises, appelée [S/MIME](https://en.wikipedia.org/wiki/S/MIME), mais elle nécessite un certificat émis par une [Autorité de Certification](https://en.wikipedia.org/wiki/Certificate_authority) (toutes ne délivrent pas de certificats S/MIME). Elle est prise en charge par [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) et [Outlook sur le Web ou Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+
+Même si vous utilisez OpenPGP, il ne prend pas en charge la [confidentialité persistante](https://en.wikipedia.org/wiki/Forward_secrecy), ce qui signifie que si votre clé privée ou celle du destinataire est volée, tous les messages précédents chiffrés avec cette clé seront exposés. C'est pourquoi nous recommandons, dans la mesure du possible, les [messageries instantanées](../real-time-communication.md) qui mettent en œuvre la confidentialité persistante par rapport aux emails pour les communications de personne à personne.
+
+### Quels clients mails supportent le E2EE ?
+
+Les fournisseurs d'emails qui vous permettent d'utiliser les protocoles d'accès standard comme IMAP et SMTP peuvent être utilisés avec n'importe lequel des [clients mail que nous recommandons](../email-clients.md). En fonction de la méthode d'authentification, cela peut entraîner une diminution de la sécurité si le fournisseur ou le client mail ne prend pas en charge OATH ou une application passerelle, car [l'authentification multi-facteurs](/basics/multi-factor-authentication/) n'est pas possible avec l'authentification par mot de passe simple.
+
+### Comment Puis-Je Protéger Mes Clés Privées?
+
+Une carte à puce (telle qu'une [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) ou [Nitrokey](https://www.nitrokey.com)) fonctionne en recevant un email chiffré d'un appareil (téléphone, tablette, ordinateur, etc.) exécutant un client mail/webmail. Le message est ensuite déchiffré par la carte à puce et le contenu déchiffré est renvoyé à l'appareil.
+
+Il est avantageux que le déchiffrement se fasse sur la carte à puce afin d'éviter d'exposer votre clé privée à un dispositif compromis.
+
+## Aperçu des Métadonnées des Emails
+
+Les métadonnées des emails sont stockées dans [l'en-tête de message](https://en.wikipedia.org/wiki/Email#Message_header) de l'email et comprennent certains en-têtes visibles que vous avez peut-être vus, tels que : `À`, `De`, `Cc`, `Date`, `Sujet`. Il existe également un certain nombre d'en-têtes cachés inclus par de nombreux clients et fournisseurs de messagerie qui peuvent révéler des informations sur votre compte.
+
+Le logiciel client peut utiliser les métadonnées de l'email pour montrer de qui provient un message et à quelle heure il a été reçu. Les serveurs peuvent l'utiliser pour déterminer où un email doit être envoyé, parmi [d'autres objectifs](https://en.wikipedia.org/wiki/Email#Message_header) qui ne sont pas toujours transparents.
+
+### Qui Peut Voir Les Métadonnées Des Emails?
+
+Les métadonnées des emails sont protégées des observateurs extérieurs par le protocole [TLS Opportuniste](https://en.wikipedia.org/wiki/Opportunistic_TLS). Elles peuvent néanmoins être vues par votre logiciel client mail (ou webmail) et par tout serveur relayant le message de votre part à ses destinataires, y compris votre fournisseur mails. Parfois, les serveurs mails font également appel à des services tiers pour se protéger des spams, qui ont généralement aussi accès à vos messages.
+
+### Pourquoi les métadonnées ne peuvent-elles pas être E2EE?
+
+Les métadonnées des emails sont essentielles à la fonctionnalité la plus élémentaire d'un email (d'où il vient et où il doit aller). À l'origine, l'E2EE n'était pas intégré dans les protocoles d'emails, mais nécessitait un logiciel complémentaire comme OpenPGP. Comme les messages OpenPGP doivent toujours fonctionner avec les fournisseurs d'emails traditionnels, il ne peut pas chiffrer les métadonnées du mail, mais seulement le corps du message lui-même.
Cela signifie que, même en utilisant OpenPGP, des observateurs extérieurs peuvent voir de nombreuses informations sur vos messages, comme l'identité de l'expéditeur, l'objet du message, le moment de l'envoi, etc.
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/basics/multi-factor-authentication.md b/i18n/fr/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..75df6d71
--- /dev/null
+++ b/i18n/fr/basics/multi-factor-authentication.md
@@ -0,0 +1,166 @@
+---
+title: "Authentification multi-facteurs"
+icon: 'material/two-factor-authentication'
+---
+
+L'**Authentification Multi-Facteurs** (**MFA**) est un mécanisme de sécurité qui exige des étapes supplémentaires au-delà de la saisie du nom d'utilisateur (ou de l'email) et du mot de passe. La méthode la plus courante est celle des codes à durée limitée que vous pouvez recevoir par SMS ou par une application.
+
+Normalement, si un pirate informatique (ou un adversaire) est capable de trouver votre mot de passe, il aura alors accès au compte auquel ce mot de passe appartient. Un compte avec MFA oblige le pirate informatique à avoir à la fois le mot de passe (quelque chose que vous *connaissez*) et un appareil que vous possédez (quelque chose que vous *avez*), comme votre téléphone.
+
+Les méthodes MFA varient en termes de sécurité, mais elles reposent sur le principe suivant : plus il est difficile pour un hacker d'accéder à votre méthode MFA, mieux c'est. Parmi les méthodes MFA (de la plus faible à la plus forte), citons les SMS, les codes par e-mail, les notifications push des applications, TOTP, Yubico OTP et FIDO.
+
+## Comparaison des méthodes de MFA
+
+### MFA SMS ou Email
+
+La réception de codes OTP par SMS ou e-mail est l'un des moyens les plus faibles pour sécuriser vos comptes avec MFA. L'obtention d'un code par e-mail ou SMS retire de l'idée "quelque chose que vous *avez*", parce qu'il existe une variété de façons dont un pirate informatique pourrait [prendre le contrôle de votre numéro de téléphone](https://en.wikipedia.org/wiki/SIM_swap_scam) ou accéder à votre e-mail sans avoir physiquement accès à aucun de vos appareils. Si une personne non autorisée a accès à votre e-mail, ils seraient en mesure d'utiliser cet accès à la fois pour réinitialiser votre mot de passe et pour recevoir le code d'authentification, en leur donnant un accès complet à votre compte.
+
+### Notifications push
+
+La MFA par notification push prend la forme d'un message envoyé à une application sur votre téléphone vous demandant de confirmer les nouvelles connexions de compte. Cette méthode est bien meilleure que le SMS ou l'e-mail, car un attaquant ne pourrait généralement pas obtenir ces notifications push sans avoir un appareil déjà connecté, ce qui signifie qu'il devrait d'abord compromettre l'un de vos autres appareils.
+
+Nous faisons tous des erreurs, et il y a le risque que vous acceptiez la tentative de connexion par accident. Les autorisations de connexion par notification push sont généralement envoyées à *tous* vos appareils en même temps, ce qui élargit la disponibilité du code MFA si vous avez de nombreux appareils.
+
+La sécurité de la MFA par notification push dépend à la fois de la qualité de l'application, du composant serveur et de la confiance du développeur qui la produit. L'installation d'une application peut également vous obliger à accepter des privilèges envahissants qui donnent accès à d'autres données sur votre appareil. Une application individuelle nécessite également que vous ayez une application spécifique pour chaque service qui peut ne pas nécessiter l'ouverture d'un mot de passe. contrairement à une bonne application de générateur TOTP.
+
+### Mot de passe unique basé sur le temps (TOTP)
+
+TOTP est l'une des formes les plus courantes de MFA. Lorsque vous configurez un TOTP, vous devez généralement scanner un code QR [](https://fr.wikipedia.org/wiki/Code_QR) qui établit un "[secret partagé](https://fr.wikipedia.org/wiki/Secret_partag%C3%A9)" avec le service que vous avez l'intention d'utiliser. Le secret partagé est sécurisé à l'intérieur des données de l'application d'authentification, et est parfois protégé par un mot de passe.
+
+Le code limité dans le temps est alors dérivé du secret partagé et de l'heure courante.
Comme le code n'est valable que pour une courte période, sans accès au secret partagé, un adversaire ne peut pas générer de nouveaux codes.
+
+Si vous disposez d'une clé de sécurité matérielle avec support TOTP (comme une YubiKey avec [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), nous vous recommandons de stocker vos "secrets partagés" sur le matériel. Un matériel tel que la YubiKey a été développé dans l'intention de rendre le "secret partagé" difficile à extraire et à copier. Une clé YubiKey n'est pas non plus connectée à Internet, contrairement à un téléphone équipé d'une application TOTP.
+
+Contrairement à [WebAuthn](#fido-fast-identity-online), TOTP n'offre aucune protection contre les attaques d'[hammeçonnage](https://en.wikipedia.org/wiki/Phishing) ou de réutilisation. Si un adversaire obtient de vous un code valide, il peut l'utiliser autant de fois qu'il le souhaite jusqu'à son expiration (généralement 60 secondes).
+
+Un adversaire pourrait créer un site web imitant un service officiel afin de vous inciter à donner votre nom d'utilisateur, votre mot de passe et votre code TOTP actuel. Si l'adversaire utilise ensuite ces informations d'identification enregistrées, il peut être en mesure de se connecter au service réel et de détourner le compte.
+
+Bien qu'imparfait, TOTP est suffisamment sûr pour la plupart des gens, et lorsque [les clés de sécurité matérielles](../multi-factor-authentication.md#hardware-security-keys) ne sont pas prises en charge [les applications d'authentification](../multi-factor-authentication.md#authenticator-apps) restent une bonne option.
+
+### Clés de Sécurité Matérielles
+
+La clé YubiKey stocke les données sur une puce à semi-conducteurs inviolable à laquelle il est [impossible d'accéder](https://security.stackexchange.com/a/245772) de manière non destructive sans un processus coûteux et un laboratoire d'expertise.
+
+Ces clés sont généralement multifonctionnelles et fournissent un certain nombre de méthodes d'authentification. Vous trouverez ci-dessous les plus courantes.
+
+#### Yubico OTP
+
+Le protocole OTP de Yubico est un protocole d'authentification généralement mis en œuvre dans les clés de sécurité matérielles. Lorsque vous décidez d'utiliser l'OTP de Yubico, la clé génère un identifiant public, un identifiant privé et une clé secrète qui sont ensuite téléchargés sur le serveur OTP de Yubico.
+
+Lorsque vous vous connectez à un site web, il vous suffit de toucher physiquement la clé de sécurité. La clé de sécurité émule un clavier et imprime un mot de passe unique dans le champ mot de passe.
+
+Le service transmettra ensuite le mot de passe unique au serveur Yubico OTP pour validation. Un compteur est incrémenté à la fois sur la clé et sur le serveur de validation de Yubico. L'OTP ne peut être utilisé qu'une seule fois, et lorsqu'une authentification réussie se produit, le compteur est augmenté, ce qui empêche la réutilisation de l'OTP. Yubico fournit un [document détaillé](https://developers.yubico.com/OTP/OTPs_Explained.html) sur le processus.
+
+
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png)
+
+
+L'utilisation de l'OTP de Yubico présente certains avantages et inconvénients par rapport à TOTP.
+
+Le serveur de validation Yubico est un service basé sur le cloud, et vous placez la confiance dans Yubico pour stocker les données en toute sécurité et ne pas vous profiler. L'identifiant public associé à l'OTP de Yubico est réutilisé sur tous les sites web et pourrait constituer un autre moyen pour des tiers de vous profiler. Comme TOTP, Yubico OTP ne fournit pas de résistance au phishing.
+
+Si votre modèle de menace exige que vous ayez des identités différentes sur différents sites Web, **ne pas** utiliser Yubico OTP avec la même clé de sécurité matérielle entre ces sites Web car l'identifiant public est unique à chaque clé de sécurité.
+
+#### FIDO (Fast IDentity Online)
+
+[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) comprend un certain nombre de normes, d'abord l'U2F puis, plus tard, la [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) qui comprend la norme Web [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn).
+
+U2F et FIDO2 font référence au [Protocole client à authentificateur](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), qui est le protocole entre la clé de sécurité et l'ordinateur, comme un ordinateur portable ou un téléphone. Il complète WebAuthn qui est le composant utilisé pour s'authentifier avec le site Web (la « partie utilisatrice ») sur lequel vous essayez de vous connecter.
+
+WebAuthn est la forme la plus sûre et la plus privée d'authentification par second facteur. Bien que l'expérience d'authentification soit similaire à celle de Yubico OTP, la clé n'imprime pas un mot de passe à usage unique et ne le valide pas auprès d'un serveur tiers. Il utilise plutôt la [cryptographie asymétrique](https://en.wikipedia.org/wiki/Public-key_cryptography) pour l'authentification.
+
+
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png)
+
+
+Lorsque vous créez un compte, la clé publique est envoyée au service, puis lorsque vous vous connectez, le service vous demande de "signer" certaines données avec votre clé privée. L'avantage de cette méthode est qu'aucune donnée de mot de passe n'est jamais stockée par le service, et qu'il n'y a donc rien qu'un adversaire puisse voler.
+
+Cette présentation aborde l'histoire de l'authentification par mot de passe, les pièges (tels que la réutilisation du mot de passe), et discute des normes FIDO2 et [WebAuthn](https://webauthn.guide) .
+
+
+
+
+
+FIDO2 et WebAuthn présentent des propriétés de sécurité et de confidentialité supérieures à celles de toute autre méthode MFA.
+
+Généralement pour les services web, il est utilisé avec WebAuthn qui fait partie des [recommandations W3C](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). Il utilise l'authentification asymétrique et est plus sécurisé que les secrets partagés utilisés dans les méthodes OTP de Yubico et TOTP, car il inclut le nom d'origine (habituellement le nom de domaine) lors de l'authentification. L'attestation est fournie pour vous protéger des attaques de phishing, car elle vous aide à déterminer que vous utilisez le service authentique et non une fausse copie.
+
+Contrairement à Yubico OTP, WebAuthn n'utilise pas d'identifiant public, de sorte que la clé est **non** identifiable sur différents sites web. Il n'utilise pas non plus de serveur cloud tiers pour l'authentification. Toute la communication se fait entre la clé et le site web auquel vous vous connectez. FIDO utilise également un compteur qui est incrémenté lors de l'utilisation afin d'empêcher la réutilisation de session et les clés clonées.
+
+Si un site Web ou un service prend en charge WebAuthn pour l'authentification, il est fortement recommandé de l'utiliser plutôt que toute autre forme de MFA.
+
+## Recommandations générales
+
+Nous avons les recommandations générales suivantes :
+
+### Quelle méthode choisir ?
+
+Lors de la configuration de votre méthode MFA, gardez à l'esprit qu'elle est aussi sécurisée que votre méthode d'authentification la plus faible que vous utilisez. Cela signifie qu'il est important que vous n'utilisiez que la meilleure méthode d'MFA disponible. Par exemple, si vous utilisez déjà TOTP, vous devez désactiver les MFA par e-mail et les SMS. Si vous utilisez déjà FIDO2/WebAuthn, vous ne devez pas utiliser Yubico OTP ou TOTP sur votre compte.
+
+### Sauvegardes
+
+Vous devriez toujours avoir des sauvegardes pour votre méthode MFA. Les clés de sécurité matérielle peuvent être perdues, volées ou simplement cesser de fonctionner au fil du temps. Il est recommandé d'avoir une paire de clés de sécurité matérielle avec le même accès à vos comptes au lieu d'une seule.
+
+Lorsque vous utilisez TOTP avec une application d'authentification, assurez-vous de sauvegarder vos clés de récupération ou l'application elle-même, ou copiez les « secrets partagés » vers une autre instance de l'application sur un autre téléphone ou vers un conteneur chiffré (par exemple [VeraCrypt](../encryption.md#veracrypt)).
+
+### Configuration Initiale
+
+Lors de l'achat d'une clé de sécurité, il est important de modifier les informations d'identification par défaut, de configurer la protection par mot de passe de la clé et d'activer la confirmation tactile si votre clé la prend en charge. Les produits tels que la clé YubiKey ont plusieurs interfaces avec des informations d'identification distinctes pour chacune d'entre elles, vous devez donc passer en revue chaque interface et mettre en place une protection.
+
+### E-mail et SMS
+
+Si vous devez utiliser le courrier électronique pour MFA, assurez-vous que le compte de courrier électronique est lui-même sécurisé avec une méthode MFA appropriée.
+
+Si vous utilisez la MFA par SMS, utilisez un opérateur qui ne changera pas votre numéro de téléphone pour une nouvelle carte SIM sans accès au compte, ou utilisez un numéro VoIP dédié d'un fournisseur offrant une sécurité similaire pour éviter une attaque par [échange de carte SIM](https://en.wikipedia.org/wiki/SIM_swap_scam).
+
+[Outils de MFA que nous recommandons](../multi-factor-authentication.md ""){.md-button}
+
+## Plus d'endroits pour configurer MFA
+
+Au-delà de la simple sécurisation des connexions à votre site web, l'authentification multifactorielle peut être utilisée pour sécuriser vos connexions locales, vos clés SSH ou même vos bases de données de mots de passe.
+
+### Windows
+
+Yubico dispose d'un [fournisseur d'identifiants](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) dédié qui ajoute l'authentification à épreuve-réponse pour le flux de connexion nom d'utilisateur + mot de passe pour les comptes Windows locaux. Si vous avez une YubiKey avec le support d'authentification de Challenge-Response, jetez un œil au [Guide de configuration de Yubico pour Windows](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), qui vous permettra de configurer la MFA sur votre ordinateur Windows.
+
+### macOS
+
+macOS dispose d'un [support natif](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) pour l'authentification par carte à puce (PIV). Si vous avez une carte à puce ou une clé de sécurité matérielle qui prend en charge l'interface PIV telle que la YubiKey, nous vous recommandons de suivre la documentation de votre fournisseur de sécurité de carte à puce/matérielle et de configurer l'authentification à second facteur pour votre ordinateur macOS.
+
+Yubico a un guide [Utiliser votre YubiKey comme une Smart Card dans macOS](https://support.yubico.com/hc/en-us/articles/360016649059) qui peut vous aider à configurer votre YubiKey sur macOS.
+
+Une fois votre carte à puce/clé de sécurité configurée, nous vous recommandons d'exécuter cette commande dans le terminal :
+
+```text
+sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
+```
+
+Cette commande empêchera un adversaire de contourner le MFA au démarrage de l'ordinateur.
+
+### Linux
+
+!!! warning "Avertissement"
+
+ Si le nom d'hôte de votre système change (par exemple à cause du DHCP), vous ne pourrez pas vous connecter. Il est essentiel que vous configuriez un nom d'hôte approprié pour votre ordinateur avant de suivre ce guide.
+
+Le module `pam_u2f` sous Linux peut fournir une authentification à deux facteurs pour se connecter sur la plupart des distributions Linux populaires. Si vous avez une clé de sécurité matérielle qui prend en charge U2F, vous pouvez configurer l'authentification MFA pour votre connexion. Yubico a un guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) qui devrait fonctionner sur n'importe quelle distribution. Les commandes du gestionnaire de paquets - telles que `apt-get`- et les noms de paquets peuvent toutefois différer. Ce guide ne s'applique **pas** à Qubes OS.
+
+### Qubes OS
+
+Qubes OS prend en charge l'authentification Challenge-Response avec YubiKeys. Si vous avez une YubiKey avec un support d'authentification Challenge-Response, jetez un coup d'oeil à la documentation de Qubes OS [YubiKey](https://www.qubes-os.org/doc/yubikey/) si vous voulez configurer la MFA sur Qubes OS.
+
+### SSH
+
+#### Clés de sécurité matérielles
+
+La MFA par SSH peut être configuré en utilisant plusieurs méthodes d'authentification différentes qui sont populaires avec les clés de sécurité matérielle. Nous vous recommandons de consulter la [documentation](https://developers.yubico.com/SSH/) de Yubico sur la manière de la configurer.
+
+#### Mot de passe unique basé sur le temps (TOTP)
+
+La MFA par SSH peut également être configurée en utilisant TOTP. DigitalOcean fourni un tutoriel [Comment configurer l'authentification multifacteurs pour SSH sur Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). La plupart des éléments devraient être les mêmes quelle que soit la distribution, mais les commandes du gestionnaire de paquets - telles que `apt-get`- et les noms des paquets peuvent différer.
+
+### KeePass (et KeePassXC)
+
+Les bases de données KeePass et KeePassXC peuvent être sécurisées en utilisant Challenge-Response ou HOTP comme second facteur d'authentification. Yubico a fourni un tutoriel pour KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) et il y en a également un autre sur le site [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) .
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/basics/passwords-overview.md b/i18n/fr/basics/passwords-overview.md
new file mode 100644
index 00000000..4f6fc80f
--- /dev/null
+++ b/i18n/fr/basics/passwords-overview.md
@@ -0,0 +1,112 @@ +--- +title: "Introduction aux mots de passe" +icon: 'material/form-textbox-password' +--- + +Les mots de passe sont un élément essentiel de notre vie numérique quotidienne. Nous les utilisons pour protéger nos comptes, nos appareils et nos secrets. Bien qu'ils soient souvent la seule chose qui nous sépare d'un adversaire qui en veut à nos informations privées, ils ne font pas l'objet d'une réflexion approfondie, ce qui conduit souvent les gens à utiliser des mots de passe faciles à deviner ou à forcer. + +## Bonnes pratiques + +### Utiliser des mots de passe uniques pour chaque service + +Imaginez ceci : vous vous inscrivez à un compte avec le même e-mail et le même mot de passe sur plusieurs services en ligne. Si l'un de ces fournisseurs de services est malveillant ou si son service subit une fuite de données qui expose votre mot de passe dans un format non chiffré, il suffit à un acteur malveillant d'essayer cette combinaison d'e-mail et de mot de passe sur plusieurs services populaires jusqu'à ce qu'il obtienne un résultat. La force de ce mot de passe n'a pas d'importance, car ils l'ont déjà. + +C'est ce qu'on appelle le [bourrage d'identifiants](https://en.wikipedia.org/wiki/Credential_stuffing), et c'est l'une des façons les plus courantes dont vos comptes peuvent être compromis par des cybercriminels. Pour éviter cela, assurez-vous de ne jamais réutiliser vos mots de passe. + +### Utilisez des mots de passe générés de manière aléatoire + +==Vous ne devez **jamais** compter sur vous-même pour trouver un bon mot de passe.== Nous vous recommandons d'utiliser [des mots de passe générés de manière aléatoire](#passwords) ou [des phrases secrètes de type "diceware"](#diceware-passphrases) avec une entropie suffisante pour protéger vos comptes et vos appareils. + +Tous nos [gestionnaires de mots de passe recommandés](../passwords.md) comprennent un générateur de mots de passe intégré que vous pouvez utiliser. 
+ +### Rotation des mots de passe + +Vous devez éviter de changer trop souvent les mots de passe que vous devez retenir (comme le mot de passe principal de votre gestionnaire de mots de passe), sauf si vous avez des raisons de penser qu'ils ont été compromis, car le fait de les changer trop souvent vous expose au risque de les oublier. + +En ce qui concerne les mots de passe que vous n'avez pas à retenir (comme les mots de passe stockés dans votre gestionnaire de mots de passe), si votre [modèle de menace](threat-modeling.md) le demande, nous vous recommandons de passer en revue les comptes importants (en particulier les comptes qui n'utilisent pas l'authentification multi-facteurs) et de changer leur mot de passe tous les deux mois, au cas où ils auraient été compromis dans le cadre d'une fuite de données qui n'a pas encore été rendue publique. La plupart des gestionnaires de mots de passe vous permettent de fixer une date d'expiration pour votre mot de passe afin d'en faciliter la gestion. + +!!! tip "Vérifier les fuites de données" + + Si votre gestionnaire de mots de passe vous permet de vérifier les mots de passe compromis, assurez-vous de le faire et changez rapidement tout mot de passe qui pourrait avoir été exposé dans une fuite de données. Vous pouvez également suivre le flux [Dernières Brèches de Have I Been Pwned](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) à l'aide d'un [agrégateur d'actualités](../news-aggregators.md). + +## Créer des mots de passe forts + +### Mots de passe + +De nombreux services imposent certains critères en ce qui concerne les mots de passe, notamment une longueur minimale ou maximale, ainsi que les caractères spéciaux qui peuvent être utilisés le cas échéant. 
Vous devez utiliser le générateur de mots de passe intégré à votre gestionnaire de mots de passe pour créer des mots de passe aussi longs et complexes que le service le permet en incluant des lettres majuscules et minuscules, des chiffres et des caractères spéciaux. + +Si vous avez besoin d'un mot de passe que vous pouvez mémoriser, nous vous recommandons la [phrase secrète diceware](#diceware-passphrases). + +### Phrases secrètes Diceware + +Diceware est une méthode permettant de créer des phrases secrètes faciles à retenir, mais difficiles à deviner. + +Les phrases secrètes Diceware sont une excellente option lorsque vous devez mémoriser ou saisir manuellement vos informations d'identification, par exemple pour le mot de passe principal de votre gestionnaire de mots de passe ou le mot de passe de chiffrement de votre appareil. + +Un exemple de phrase secrète diceware est `viewable fastness reluctant squishy seventeen shown pencil`. + +Pour générer une phrase secrète diceware à l'aide de vrais dés, suivez ces étapes : + +!!! note "À noter" + + Ces instructions supposent que vous utilisez la [grande liste de mots de l'EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) pour générer la phrase secrète, ce qui nécessite cinq lancers de dés par mot. D'autres listes de mots peuvent nécessiter plus ou moins de lancers par mot, et peuvent nécessiter un nombre différent de mots pour obtenir la même entropie. + +1. Lancez cinq fois un dé à six faces, en notant le nombre après chaque lancer. + +2. Par exemple, disons que vous avez obtenu `2-5-2-6-6`. Cherchez dans la [grande liste de mots de l'EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) le mot qui correspond à `25266`. + +3. Vous trouverez le mot `encrypt`. Notez ce mot. + +4. Répétez ce processus jusqu'à ce que votre phrase secrète comporte autant de mots que nécessaire, que vous devez séparer par un espace. + +!!! 
warning "Avertissement" + + Vous ne devez **pas** relancer les mots jusqu'à ce que vous obteniez une combinaison de mots qui vous plaît. Le processus doit être complètement aléatoire. + +Si vous n'avez pas accès à de vrais dés ou si vous préférez ne pas en utiliser, vous pouvez utiliser le générateur de mots de passe intégré à votre gestionnaire de mots de passe, car la plupart d'entre eux ont la possibilité de générer des phrases secrètes diceware en plus des mots de passe ordinaires. + +Nous vous recommandons d'utiliser la [grande liste de mots de l'EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) pour générer vos phrases secrètes diceware, car elle offre exactement la même sécurité que la liste originale, tout en contenant des mots plus faciles à mémoriser. Il existe également [d'autres listes de mots dans différentes langues](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), si vous ne souhaitez pas que votre phrase secrète soit en anglais. + +??? note "Explication de l'entropie et de la force des phrases secrètes diceware" + + Pour démontrer la force des phrases secrètes diceware, nous utiliserons la phrase secrète de sept mots mentionnée plus haut (`viewable fastness reluctant squishy seventeen shown pencil`) et la [grande liste de mots de l'EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) comme exemple. + + L'une des mesures permettant de déterminer la force d'une phrase secrète est son degré d'entropie. L'entropie par mot dans une phrase secrète est calculée comme suit : $\text{log}_2(\text{WordsInList})$ et l'entropie globale de la phrase secrète est calculée comme suit : $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Par conséquent, chaque mot de la liste susmentionnée génère ~12,9 bits d'entropie ($\text{log}_2(7776)$), et une phrase secrète de sept mots dérivée de cette liste a ~90,47 bits d'entropie ($\text{log}_2(7776^7)$). 
+ + La [grande liste de mots de l'EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contient 7776 mots uniques. Pour calculer le nombre de phrases secrètes possibles, il suffit de faire $\text{WordsInList}^\text{WordsInPhrase}$, ou dans notre cas, $7776^7$. + + Mettons tout cela en perspective : Une phrase secrète de sept mots utilisant la [grande liste de mots de l'EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) est l'une des ~1 719 070 799 748 422 500 000 000 000 phrases secrètes possibles. + + En moyenne, il faut essayer 50 % de toutes les combinaisons possibles pour deviner votre phrase. En gardant cela à l'esprit, même si votre adversaire est capable de faire ~1 000 000 000 000 de suppositions par seconde, il lui faudrait toujours ~27 255 689 ans pour deviner votre phrase secrète. C'est le cas même si les choses suivantes sont vraies : + + - Votre adversaire sait que vous avez utilisé la méthode du diceware. + - Votre adversaire connaît la liste de mots spécifique que vous avez utilisée. + - Votre adversaire sait combien de mots contient votre phrase secrète. + +Pour résumer, les phrases secrètes diceware sont votre meilleure option lorsque vous avez besoin d'une phrase à la fois facile à retenir *et* exceptionnellement forte. + +## Stockage des mots de passe + +### Gestionnaires de mots de passe + +La meilleure façon de stocker vos mots de passe est d'utiliser un gestionnaire de mots de passe. Ils vous permettent de stocker vos mots de passe dans un fichier ou dans le cloud et de les protéger avec un seul mot de passe principal. Ainsi, vous n'aurez à retenir qu'un seul mot de passe fort, qui vous permettra d'accéder aux autres. + +Il existe de nombreuses options intéressantes, qu'elles soient basées sur le cloud ou locales. Choisissez l'un de nos gestionnaires de mots de passe recommandés et utilisez-le pour établir des mots de passe forts pour tous vos comptes. 
Nous vous recommandons de sécuriser votre gestionnaire de mots de passe avec une [phrase secrète diceware](#diceware-passphrases) composée d'au moins sept mots.
+
+[Liste des gestionnaires de mots de passe recommandés](../passwords.md ""){.md-button}
+
+!!! warning "Ne placez pas vos mots de passe et vos codes TOTP dans le même gestionnaire de mots de passe"
+
+ Lorsque vous utilisez des codes TOTP comme [authentification à multi-facteurs](../multi-factor-authentication.md), la meilleure pratique de sécurité consiste à conserver vos codes TOTP dans une [application séparée](../multi-factor-authentication.md#authenticator-apps).
+
+ Le stockage de vos codes TOTP au même endroit que vos mots de passe, bien que pratique, réduit les comptes à un seul facteur dans le cas où un adversaire aurait accès à votre gestionnaire de mots de passe.
+
+ En outre, nous ne recommandons pas de stocker des codes de récupération à usage unique dans votre gestionnaire de mots de passe. Ils doivent être stockés séparément, par exemple dans un conteneur chiffré sur un dispositif de stockage hors ligne.
+
+### Sauvegardes
+
+Vous devriez conserver une sauvegarde [chiffrée](../encryption.md) de vos mots de passe sur plusieurs dispositifs de stockage ou sur un fournisseur de stockage cloud. Cela peut vous aider à accéder à vos mots de passe si quelque chose arrive à votre appareil principal ou au service que vous utilisez.
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/basics/threat-modeling.md b/i18n/fr/basics/threat-modeling.md
new file mode 100644
index 00000000..68ac24a6
--- /dev/null
+++ b/i18n/fr/basics/threat-modeling.md
@@ -0,0 +1,111 @@ +--- +title: "Modélisation des menaces" +icon: 'material/target-account' +--- + +Trouver le bon équilibre entre la sécurité, la confidentialité et la commodité est l'une des premières et plus difficiles tâches que vous aurez à accomplir dans votre parcours pour regagner votre vie privée en ligne. Tout est une histoire de compromis : plus quelque chose est sécurisé, plus il est limité ou peu pratique, etc. Souvent, les gens trouvent que le problème avec les outils qui leurs sont recommandés est qu'ils sont trop difficiles à utiliser ! + +Si vous vouliez utiliser les outils les **plus** sécurisés actuellement disponibles, vous devriez sacrifier *beaucoup* de commodité. Et même dans ce cas, ==rien n'est jamais totalement sécurisé.== On parle de sécurité **élevée**, mais jamais de sécurité **totale**. C'est pourquoi les modèles de menace sont importants. + +**Alors, quels sont ces modèles de menace ?** + +==Un modèle de menace est une liste des menaces les plus probables pour votre sécurité/vie privée.== Puisqu'il est impossible de se protéger contre **toutes** les attaques(ants), vous devriez vous concentrer sur les menaces **les plus probables**. En matière de sécurité informatique, une menace est un événement potentiel qui pourrait saper vos efforts pour protéger votre vie privée et votre sécurité. + +En vous concentrant sur les menaces qui comptent pour vous, vous affinez votre réflexion sur la protection dont vous avez besoin, ce qui vous permet de choisir les outils qui conviennent le mieux. + +## Création de votre modèle de menace + +Pour identifier ce qui pourrait arriver aux choses auxquelles vous tenez et déterminer de qui vous devez les protéger, vous devez répondre à ces cinq questions : + +1. Qu'est-ce que je veux protéger ? +2. De qui je veux le protéger ? +3. Quelle est la probabilité que je doive le protéger ? +4. Quelles sont les conséquences si j'échoue ? +5. 
Jusqu'à quel point suis-je prêt à me donner du mal pour essayer de prévenir les conséquences potentielles ? + +### Qu'est-ce que je veux protéger ? + +Un "actif" est quelque chose que vous valorisez et que vous voulez protéger. Dans le contexte de la sécurité numérique, ==un actif est généralement un type d'information.== Par exemple, vos e-mails, vos listes de contacts, vos messages instantanés, votre emplacement et vos fichiers sont tous des actifs possibles. Vos appareils eux-mêmes peuvent également constituer des actifs. + +*Dressez la liste de vos actifs : les données que vous conservez, où elles sont conservées, qui y a accès et ce qui empêche les autres d'y accéder.* + +### De qui je veux le protéger ? + +Pour répondre à cette question, il est important d'identifier qui pourrait vouloir vous cibler, vous ou vos informations. ==Une personne ou une entité qui représente une menace pour vos actifs est un “adversaire.”== Des exemples d'adversaires potentiels sont votre patron, votre ancien partenaire, une entreprise concurrentielle, votre gouvernement ou un pirate informatique sur un réseau public. + +*Dressez une liste de vos adversaires, ou de ceux qui pourraient vouloir s'emparer de vos actifs. Votre liste peut comprendre des particuliers, une agence gouvernementale ou des sociétés.* + +Selon l'identité de vos adversaires, dans certaines circonstances, cette liste peut être quelque chose que vous souhaitez détruire après avoir terminé ce plan de sécurité. + +### Quelle est la probabilité que je doive le protéger ? + +==Le risque est la probabilité qu'une menace particulière contre un actif particulier se produise réellement. Il va de pair avec la capacité. Si votre opérateur de téléphonie mobile a la capacité d'accéder à toutes vos données, le risque qu'il publie vos données privées en ligne pour nuire à votre réputation est faible. + +Il est important de faire la distinction entre ce qui pourrait se produire et la probabilité que cela se produise. 
Par exemple, votre bâtiment risque de s'effondrer, mais le risque que cela se produise est bien plus grand à San Francisco (où les tremblements de terre sont fréquents) qu'à Stockholm (où ils ne le sont pas). + +L'évaluation des risques est un processus à la fois personnel et subjectif. De nombreuses personnes jugent certaines menaces inacceptables, quelle que soit la probabilité qu'elles se produisent, car la simple présence de la menace, quelle que soit la probabilité, n'en vaut pas la peine. Dans d'autres cas, les gens ignorent les risques élevés parce qu'ils ne considèrent pas la menace comme un problème. + +*Notez les menaces que vous allez prendre au sérieux et celles qui sont peut-être trop rares ou trop inoffensives (ou trop difficiles à combattre) pour que vous vous en préoccupiez.* + +### Quelles sont les conséquences si j'échoue ? + +Il existe de nombreuses façons pour un adversaire d'accéder à vos données. Par exemple, un adversaire peut lire vos communications privées lorsqu'elles passent par le réseau, ou il peut supprimer ou corrompre vos données. + +==Les motifs des adversaires diffèrent considérablement, tout comme leurs tactiques.== Un gouvernement qui tente d'empêcher la diffusion d'une vidéo montrant des violences policières peut se contenter de supprimer ou de réduire la disponibilité de cette vidéo. En revanche, un adversaire politique pourrait vouloir accéder à un contenu secret et le publier à votre insu. + +Préparer un plan de sécurité implique de comprendre à quelle point les conséquences pourraient être mauvaises si un adversaire réussissait à accéder à l'un de vos actifs. Pour le déterminer, vous devez tenir compte du potentiel de votre adversaire. Par exemple, votre opérateur de téléphonie mobile a accès à tous vos relevés téléphoniques. Un pirate sur un réseau Wi-Fi ouvert peut accéder à vos communications non chiffrées. Votre gouvernement a peut-être des capacités plus importantes. 
+ +*Écrivez ce que votre adversaire pourrait vouloir faire avec vos données privées.* + +### Jusqu'à quel point suis-je prêt à me donner du mal pour essayer de prévenir les conséquences potentielles ? + +==Il n'y a pas d'option parfaite pour la sécurité.== Tout le monde n'a pas les mêmes priorités, préoccupations, ou accès aux ressources. Votre évaluation des risques vous permettra de planifier la stratégie qui vous convient le mieux, en conciliant commodité, coût et respect de la vie privée. + +Par exemple, un avocat représentant un client dans une affaire de sécurité nationale peut être prêt à faire plus d'efforts pour protéger les communications relatives à cette affaire, par exemple en utilisant un e-mail chiffré, qu'une mère qui envoie régulièrement à sa fille des vidéos de chats amusants. + +*Notez les options dont vous disposez pour atténuer les menaces qui vous sont propres. Notez si vous avez des contraintes financières, techniques ou sociales.* + +### Essayez vous-même : protéger vos biens + +Ces questions peuvent s'appliquer à une grande variété de situations, en ligne et hors ligne. Pour illustrer de manière générique le fonctionnement de ces questions, établissons un plan pour assurer la sécurité de votre maison et de vos biens. + +**Que voulez-vous protéger ? (ou, *que possédez-vous qui mérite d'être protégé ?*)** +: + +Vos actifs peuvent comprendre des bijoux, des appareils électroniques, des documents importants ou des photos. + +**De qui voulez-vous les protéger ?** +: + +Vos adversaires peuvent être des cambrioleurs, des colocataires ou des invités. + +**Quelle est la probabilité que je doive les protéger ?** +: + +Votre quartier a-t-il des antécédents de cambriolages ? Vos colocataires/invités sont-ils dignes de confiance ? Quelles sont les capacités de vos adversaires ? Quels sont les risques à prendre en compte ? + +**Quelles sont les conséquences si j'échoue ?** +: + +Avez-vous quelque chose dans votre maison que vous ne pouvez pas remplacer ? 
Avez-vous le temps ou l'argent pour remplacer ces choses ? Avez-vous une assurance qui couvre les biens volés à votre domicile ?
+
+**Jusqu'à quel point suis-je prêt à me donner du mal pour essayer de prévenir ces conséquences ?**
+:
+
+Êtes-vous prêt à acheter un coffre-fort pour les documents sensibles ? Pouvez-vous vous permettre d'acheter une serrure de haute qualité ? Avez-vous le temps d'ouvrir un coffre-fort à votre banque locale et d'y conserver vos objets de valeur ?
+
+Ce n'est qu'après vous être posé ces questions que vous serez en mesure d'évaluer les mesures à prendre. Si vos biens ont de la valeur, mais que la probabilité d'une effraction est faible, alors vous ne voudrez peut-être pas investir trop d'argent dans un verrou. Mais si la probabilité d'une effraction est élevée, vous voudrez vous procurer la meilleure serrure du marché et envisager d'ajouter un système de sécurité.
+
+L'élaboration d'un plan de sécurité vous aidera à comprendre les menaces qui vous sont propres et à évaluer vos actifs, vos adversaires et les capacités de ces derniers, ainsi que la probabilité des risques auxquels vous êtes confrontés.
+
+## Pour en savoir plus
+
+Pour les personnes qui cherchent à améliorer leur vie privée et leur sécurité en ligne, nous avons dressé une liste des menaces courantes auxquelles nos visiteurs sont confrontés ou des objectifs qu'ils poursuivent, afin de vous donner de l'inspiration et de démontrer la base de nos recommandations.
+
+- [Objectifs et menaces courants :material-arrow-right-drop-circle:](common-threats.md)
+
+## Sources
+
+- [EFF Surveillance Self Defense: votre plan de sécurité](https://ssd.eff.org/en/module/your-security-plan)
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/basics/vpn-overview.md b/i18n/fr/basics/vpn-overview.md
new file mode 100644
index 00000000..f1e17ec9
--- /dev/null
+++ b/i18n/fr/basics/vpn-overview.md
@@ -0,0 +1,78 @@ +--- +title: Vue d'Ensemble VPN +icon: material/vpn +--- + +Les Réseaux Privés Virtuels sont un moyen d'étendre l'extrémité de votre réseau à une sortie située ailleurs dans le monde. Un Fournisseur d'Accès Internet (FAI) peut voir le flux du trafic internet qui entre et sort de votre dispositif de terminaison de réseau (c'est-à-dire la box/modem). + +Les protocoles de chiffrement tels que HTTPS sont couramment utilisés sur internet, ils peuvent donc ne pas être en mesure de voir exactement ce que vous publiez ou lisez, mais ils peuvent avoir une idée [des domaines que vous visitez](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +Un VPN peut vous aider car il peut déplacer la confiance offerte à votre FAI vers un serveur situé ailleurs dans le monde. Par conséquent, le FAI ne voit que le fait que vous êtes connecté à un VPN et rien sur l'activité que vous lui transmettez. + +## Devrais-je utiliser un VPN ? + +**Oui**, sauf si vous utilisez déjà Tor. Un VPN fait deux choses: déplacer les risques de votre Fournisseur d'Accès à Internet vers lui-même et cacher votre adresse IP d'un service tiers. + +Les VPN ne peuvent pas chiffrer les données en dehors de la connexion entre votre appareil et le serveur VPN. Les fournisseurs de VPN peuvent voir et modifier votre trafic de la même manière que votre FAI pourrait le faire. Et il n'existe aucun moyen de vérifier de quelque manière que ce soit la politique de "non journalisation" d'un fournisseur de VPN. + +Cependant, ils cachent votre IP réelle d'un service tiers, à condition qu'il n'y ait pas de fuites d'IP. Ils vous aident à vous fondre dans la masse et à atténuer le suivi par IP. + +## Quand ne devrais-je pas utiliser un VPN ? + +L'utilisation d'un VPN dans les cas où vous utilisez votre [identité connue](common-threats.md#common-misconceptions) ne sera probablement pas utile. 
+ +Cela peut déclencher des systèmes de détection de spam et de fraude, par exemple si vous vous connectez au site web de votre banque. + +## Qu'en est-il du chiffrement ? + +Le chiffrement offert par les fournisseurs VPN se situe entre vos appareils et leurs serveurs. Il garantit que ce lien spécifique est sécurisé. Il s'agit d'une avancée par rapport à l'utilisation de proxys non chiffrés où un adversaire sur le réseau peut intercepter les communications entre vos appareils et lesdits proxys et les modifier. Cependant, le chiffrement entre vos applications ou navigateurs et les fournisseurs de services n'est pas géré par ce chiffrement. + +Pour que ce que vous faites sur les sites web que vous visitez reste privé et sécurisé, vous devez utiliser le protocole HTTPS. Cela protégera vos mots de passe, jetons de session et requêtes du fournisseur VPN. Envisagez d'activer "HTTPS partout" dans votre navigateur pour atténuer les attaques de rétrogradation comme [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Devrais-je utiliser un DNS chiffré avec un VPN ? + +À moins que votre fournisseur VPN n'héberge les serveurs DNS chiffrés, **non**. L'utilisation de DOH/DOT (ou de toute autre forme de DNS chiffré) avec des serveurs tiers ne fera qu'ajouter des entités supplémentaires auxquelles il faudra faire confiance, et ne fait **absolument rien** pour améliorer votre confidentialité/sécurité. Votre fournisseur de VPN peut toujours voir quels sites web vous visitez en se basant sur les adresses IP et d'autres méthodes. Au lieu de faire uniquement confiance à votre fournisseur de VPN, vous faites maintenant confiance à la fois au fournisseur de VPN et au fournisseur de DNS. + +Une raison courante de recommander le DNS chiffré est qu'il permet de lutter contre l'usurpation DNS. 
Cependant, votre navigateur devrait déjà vérifier la présence de [certificats TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) avec **HTTPS** et vous en avertir. Si vous n'utilisez pas **HTTPS**, alors un adversaire peut toujours modifier n'importe quoi d'autre que vos requêtes DNS et le résultat final sera peu différent. + +Inutile de dire que **vous ne devriez pas utiliser de DNS chiffré avec Tor**. Toutes vos requêtes DNS seraient ainsi dirigées vers un seul circuit, ce qui permettrait au fournisseur de DNS chiffré de vous désanonymiser. + +## Devrais-je utiliser Tor *et* un VPN? + +En utilisant un VPN avec Tor, vous créez essentiellement un nœud d'entrée permanent, souvent avec une trace financière attachée. Cela ne vous apporte aucun avantages supplémentaires, tout en augmentant considérablement la surface d'attaque de votre connexion. Si vous souhaitez cacher votre utilisation de Tor à votre FAI ou à votre gouvernement, Tor a une solution intégrée pour cela : les passerelles Tor. [En savoir plus sur les passerelles Tor et pourquoi l'utilisation d'un VPN n'est pas nécessaire](../advanced/tor-overview.md). + +## Et si j'ai besoin d'anonymat ? + +Les VPNs ne peuvent pas fournir d'anonymat. Votre fournisseur de VPN verra toujours votre adresse IP réelle, et dispose souvent d'une trace financière qui peut être liée directement à vous. Vous ne pouvez pas compter sur des politiques de "non journalisation" pour protéger vos données. Utilisez plutôt [Tor](https://www.torproject.org/fr/). + +## Qu'en est-il des fournisseurs de VPN qui proposent des nœuds Tor ? + +N'utilisez pas cette fonctionnalité. L'intérêt d'utiliser Tor est que vous ne faites pas confiance à votre fournisseur de VPN. Actuellement Tor ne supporte que le protocole [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol). 
[UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (utilisé dans [WebRTC](https://en.wikipedia.org/wiki/WebRTC) pour le partage de la voix et de la vidéo, le nouveau protocole [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3), etc...), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) et les autres paquets seront abandonnés. Pour compenser cela, les fournisseurs de VPN acheminent généralement tous les paquets non TCP par leur serveur VPN (votre premier saut). C'est le cas de [Proton VPN](https://protonvpn.com/support/tor-vpn/). De plus, lorsque vous utilisez cette configuration Tor par VPN, vous n'avez pas le contrôle sur d'autres fonctionnalités importantes de Tor telles que [Adresse de Destination Isolée](https://www.whonix.org/wiki/Stream_Isolation) (utilisation d'un circuit Tor différent pour chaque domaine que vous visitez). + +Cette fonctionnalité doit être considérée comme un moyen pratique d'accéder au réseau Tor, et non comme un moyen de rester anonyme. Pour un véritable anonymat, utilisez le navigateur Tor, TorSocks, ou une passerelle Tor. + +## Quand les VPNs sont-ils utiles ? + +Un VPN peut toujours vous être utile dans divers scénarios, tels que : + +1. Cacher votre trafic de **seulement** votre Fournisseur d'Accès Internet. +1. Cacher vos téléchargements (tels que les torrents) à votre FAI et aux organisations anti-piratage. +1. Cacher votre adresse IP des sites web et services tiers, empêchant le suivi basé sur l'adresse IP. + +Pour des situations comme celles-ci, ou si vous avez une autre raison impérieuse, les fournisseurs de VPN que nous avons listés ci-dessus sont ceux que nous pensons être les plus dignes de confiance. Cependant, l'utilisation d'un fournisseur de VPN signifie toujours que vous *faites confiance* à ce fournisseur. Dans presque tous les autres cas, vous devriez utiliser un outil sécurisé **par conception** tel que Tor. + +## Sources et Lectures Complémentaires + +1. 
[VPN - un Récit Très Précaire](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) par Dennis Schubert
+1. [Présentation du Réseau Tor](../advanced/tor-overview.md)
+1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides)
+1. ["Ai-je besoin d'un VPN ?"](https://www.doineedavpn.com), un outil développé par IVPN pour défier le marketing agressif des autres VPNs en aidant les individus à décider si un VPN leur convient.
+
+## Informations VPN Liées
+
+- [Le Problème avec les sites d'évaluation des VPNs et de la Vie Privée](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/)
+- [Enquête sur les Applications VPN Gratuites](https://www.top10vpn.com/free-vpn-app-investigation/)
+- [Les propriétaires inconnus des VPNs dévoilés : 101 produits VPN gérés par seulement 23 sociétés](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
+- [Cette société chinoise est secrètement à l'origine de 24 applications populaires qui cherchent à obtenir des autorisations dangereuses](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/calendar.md b/i18n/fr/calendar.md
new file mode 100644
index 00000000..de9deaea
--- /dev/null
+++ b/i18n/fr/calendar.md
@@ -0,0 +1,71 @@ +--- +title: "Synchronisation de calendrier" +icon: material/calendar +--- + +Les calendriers contiennent certaines de vos données les plus sensibles ; utilisez des produits qui mettent en œuvre l'E2EE au repos pour empêcher un fournisseur de les lire. + +## Tutanota + +!!! recommendation + + ![Logo Tutanota](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Logo Tutanota](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** propose un calendrier gratuit et chiffré sur l'ensemble de ses plateformes prises en charge. Les fonctionnalités incluent: E2EE automatique de toutes les données, fonctionnalités de partage, fonctionnalité d'import/export, authentification multifacteur, et [plus](https://tutanota.com/calendar-app-comparison/). + + Les calendriers multiples et la fonctionnalité de partage étendue sont réservés aux abonnés payants. + + [:octicons-home-16: Page d'accueil](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Code source" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribuer } + + ??? 
downloads "Téléchagements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** est un service de calendrier chiffré disponible pour les membres de Proton via des clients web ou mobiles. Les fonctionnalités incluent: E2EE automatique de toutes les données, des fonctions de partage, la fonctionnalité d'import/export, et [plus](https://proton.me/fr/support/proton-calendar-guide). Les abonnés au service gratuit n'ont accès qu'à un seul calendrier, tandis que les abonnés payants peuvent créer jusqu'à 20 calendriers. Les fonctionnalités de partage avancées sont également limitées aux abonnés payants. + + [:octicons-home-16: Page d'accueil](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Code source" } + + ??? 
downloads "Téléchagements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +### Qualifications minimales + +- Doit synchroniser et stocker les informations avec E2EE pour s'assurer que les données ne sont pas visibles par le fournisseur de services. + +### Dans le meilleur des cas + +Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page. + +- Doit s'intégrer aux applications natives de gestion des contacts et de calendrier du système d'exploitation, le cas échéant. + +--8<-- "includes/abbreviations.fr.txt" 
diff --git a/i18n/fr/cloud.md b/i18n/fr/cloud.md new file mode 100644 index 00000000..dbebe3f7 --- /dev/null +++ b/i18n/fr/cloud.md 
@@ -0,0 +1,62 @@ +--- +title: "Stockage cloud" +icon: material/file-cloud +--- + +De nombreux fournisseurs de stockage cloud nécessitent que vous leur fassiez entièrement confiance pour ne pas consulter vos fichiers. Les alternatives énumérées ci-dessous éliminent le besoin de confiance en vous mettant en position de contrôle de vos données ou en implémentant le chiffrement de bout en bout (E2EE). + +Si ces alternatives ne répondent pas à vos besoins, nous vous suggérons de vous tourner vers un [Logiciel de Chiffrement](encryption.md). + +??? question "Vous cherchez Nextcloud ?" + + Nextcloud est [toujours un outil recommandé](productivity.md) pour l'auto-hébergement d'une suite de gestion de fichiers, mais nous ne recommandons pas de fournisseurs de stockage Nextcloud tiers pour le moment, car nous ne recommandons pas la fonctionnalité E2EE intégrée de Nextcloud pour les utilisateurs moyens. + +## Proton Drive + +!!! recommendation + + ![Logo Proton Drive](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** est un service de stockage de fichiers E2EE proposé par le célèbre fournisseur de courriers électroniques chiffrés [Proton Mail](https://proton.me/mail). + + [:octicons-home-16: Page d'accueil](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Code source" } + + ??? downloads "Téléchagements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +Les clients mobiles de Proton Drive ont été publiés en décembre 2022 et ne sont pas encore open-source. 
Proton a toujours retardé la publication de son code source jusqu'à la sortie initiale du produit, et [prévoit de](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) publier le code source d'ici la fin 2023. Les clients de bureau de Proton Drive sont toujours en cours de développement. + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +### Exigences minimales + +- Doit imposer le chiffrement de bout en bout. +- Doit avoir une offre gratuite ou une période d'essai pour les tests. +- Doit prendre en charge l'authentification multifactorielle TOTP ou FIDO2, ou les connexions Passkey. +- Doit offrir une interface web prennant en charge les fonctionnalités de base de gestion des fichiers. +- Doit permettre d'exporter facilement tous les fichiers/documents. +- Doit utiliser un chiffrement standard et audité. 
+ +### Dans le meilleur des cas + +Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page. + +- Les clients doivent être open-source. +- Les clients doivent être audités dans leur intégralité par un tiers indépendant. +- Doit offrir des clients natifs pour Linux, Android, Windows, macOS et iOS. + - Ces clients doivent s'intégrer aux outils natifs du système d'exploitation pour les fournisseurs de stockage cloud, comme l'intégration de l'application Fichiers sur iOS, ou la fonctionnalité DocumentsProvider sur Android. +- Doit permettre de partager facilement des fichiers avec d'autres utilisateurs. +- Doit offrir au moins une fonctionnalité de base d'aperçu et d'édition de fichiers sur l'interface web. + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/data-redaction.md b/i18n/fr/data-redaction.md new file mode 100644 index 00000000..9854f359 --- /dev/null +++ b/i18n/fr/data-redaction.md 
@@ -0,0 +1,146 @@ +--- +title: "Rédaction de données et de métadonnées" +icon: material/tag-remove +--- + +Lorsque vous partagez des fichiers, veillez à supprimer les métadonnées associées. Les fichiers d'image comprennent généralement des données [Exif](https://en.wikipedia.org/wiki/Exif) . Les photos comportent parfois même des coordonnées GPS dans les métadonnées du fichier. + +## Bureau + +### MAT2 + +!!! recommendation + + ![Logo MAT2](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** est un logiciel gratuit, qui permet de supprimer les métadonnées des types de fichiers image, audio, torrent et document. Il fournit à la fois un outil en ligne de commande et une interface utilisateur graphique via une [extension pour Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), le gestionnaire de fichiers par défaut de [GNOME](https://www.gnome.org), et [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), le gestionnaire de fichiers par défaut de [KDE](https://kde.org). + + Sous Linux, un outil graphique tiers [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) fonctionnant avec MAT2 existe et est [disponible sur Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Dépôt](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Code source" } + + ??? downloads "Téléchagements" + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! 
recommendation + + ![Logo ExifEraser](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** est une application moderne d'effacement des métadonnées d'image sans autorisation pour Android. + + Il prend actuellement en charge les fichiers JPEG, PNG et WebP. + + [:octicons-repo-16: Dépôt](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Code source" } + + ??? downloads "Téléchagements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +Les métadonnées qui sont effacées dépendent du type de fichier de l'image : + +* **JPEG**: Les métadonnées ICC Profile, Exif, Photoshop Image Resources et XMP/ExtendedXMP seront effacées si elles existent. +* **PNG**: Les métadonnées ICC Profile, Exif et XMP seront effacées si elles existent. +* **WebP**: les métadonnées ICC Profile, Exif et XMP seront effacées si elles existent. + +Après avoir traité les images, ExifEraser vous fournit un rapport complet sur ce qui a été exactement supprimé de chaque image. + +L'application offre plusieurs façons d'effacer les métadonnées des images. À savoir : + +* Vous pouvez partager une image depuis une autre application avec ExifEraser. +* Par l'intermédiaire de l'application elle-même, vous pouvez sélectionner une seule image, plusieurs images à la fois, ou même un répertoire entier. +* Elle comporte une option "Appareil photo", qui utilise l'application appareil photo de votre système d'exploitation pour prendre une photo, puis en supprime les métadonnées. 
+* Elle vous permet de faire glisser des photos d'une autre application dans ExifEraser lorsque les deux sont ouvertes en mode écran partagé. +* Enfin, elle vous permet de coller une image à partir de votre presse-papiers. + +### Metapho (iOS) + +!!! recommendation + + ![Logo Metapho](assets/img/data-redaction/metapho.jpg){ align=right } + + Metapho est une visionneuse simple et propre pour les métadonnées des photos telles que la date, le nom du fichier, la taille, le modèle d'appareil photo, la vitesse d'obturation et le lieu. + + [:octicons-home-16: Page d'accueil](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Politique de confidentialité" } + + ??? downloads "Téléchagements" + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![Logo PrivacyBlur](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** est une application gratuite qui permet de brouiller les parties sensibles des photos avant de les partager en ligne. + + [:octicons-home-16: Page d'accueil](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Code source" } + + ??? downloads "Téléchagements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning "Avertissement" + + Vous ne devez **jamais** utiliser le flou pour expurger [du texte dans les images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). 
Si vous voulez expurger du texte dans une image, dessinez une case sur le texte. Pour cela, nous vous suggérons [Pocket Paint](https://github.com/Catrobat/Paintroid) ou [Imagepipe](https://codeberg.org/Starfish/Imagepipe). + +## Ligne de commande + +### ExifTool + +!!! recommendation + + ![Logo ExifTool](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** est la bibliothèque perl originale et l'application en ligne de commande pour lire, écrire et modifier les méta-informations (Exif, IPTC, XMP, etc.) dans une grande variété de formats de fichiers (JPEG, TIFF, PNG, PDF, RAW, etc.). + + Elle est souvent un composant d'autres applications de suppression d'Exif et se trouve dans les dépôts de la plupart des distributions Linux. + + [:octicons-home-16: Page d'accueil](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Code source" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribuer } + + ??? downloads "Téléchagements" + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Suppression des données d'un répertoire de fichiers" + + ```bash + exiftool -all= *.extension_de_fichier + ``` + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! 
example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +- Les applications développées pour les systèmes d'exploitation open source doivent être open source. +- Les applications doivent être gratuites et ne doivent pas comporter de publicités ou d'autres limitations. + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/desktop-browsers.md b/i18n/fr/desktop-browsers.md new file mode 100644 index 00000000..8eb4e464 --- /dev/null +++ b/i18n/fr/desktop-browsers.md 
@@ -0,0 +1,262 @@ +--- +title: "Navigateurs de Bureau" +icon: material/laptop +--- + +Ce sont les navigateurs web de bureau et les configurations que nous recommandons actuellement pour une navigation classique/non anonyme. Si vous avez besoin de naviguer anonymement sur Internet, vous devriez plutôt utiliser [Tor](tor.md). D'une manière générale, nous vous recommandons de limiter au maximum les extensions de votre navigateur ; elles ont un accès privilégié dans votre navigateur, vous obligent à faire confiance au développeur, peuvent vous faire [sortir du lot](https://fr.wikipedia.org/wiki/Empreinte_digitale_d%27appareil), et [affaiblir](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) l'isolation des sites. + +## Firefox + +!!! recommendation + + ![Logo Firefox](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** offre de solides paramètres de confidentialité, tels que la [protection renforcée contre le suivi](https://support.mozilla.org/fr/kb/protection-renforcee-contre-pistage-firefox-ordinateur), qui peut contribuer à bloquer divers [types de suivi](https://support.mozilla.org/fr/kb/protection-renforcee-contre-pistage-firefox-ordinateur#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Accueil](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/fr/privacy/firefox/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title="Documentation"} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Code source"} + [:octicons-heart-16:](https://donate.mozilla.org/fr/){ .card-link title=Contribuer} + + ??? 
downloads "Téléchargements" + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning "Avertissement" + Firefox inclut un [jeton de téléchargement](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) unique dans les téléchargements effectués à partir du site Web de Mozilla et utilise la télémétrie dans Firefox pour envoyer le jeton. Le jeton **n'est pas** inclus dans les versions de [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Configuration recommandée + +Le navigateur Tor est le seul moyen de vraiment naviguer anonymement sur Internet. Si vous utilisez Firefox, nous recommandons de modifier les paramètres suivants pour protéger votre vie privée de certains acteurs, mais tous les navigateurs autres que le [Navigateur Tor](tor.md#tor-browser) seront traçables par *quelqu'un* d'une manière ou d'une autre. + +Ces options se trouvent dans :material-menu: → **Paramètres** → **Confidentialité & Sécurité**. + +##### Protection renforcée contre le pistage + +- [x] Sélectionnez **Stricte** Protection renforcée contre le pistage + +Cela vous protège en bloquant les traceurs de réseaux sociaux, les scripts de prise d'empreinte (notez que cela ne vous protège pas de *toutes* les prises d'empreinte), les cryptomineurs, les cookies de suivi intersites et certains autres contenus de suivi. La PRT protège de nombreuses menaces courantes, mais ne bloque pas tous les moyens de suivi, car il est conçu pour avoir un impact minimal, voire nul, sur l'utilisation du site. 
+ +##### Supprimer à la fermeture + +Si vous voulez rester connecté à des sites en particulier, vous pouvez autoriser des exceptions dans **Cookies et données de site** → **Gérer les exceptions....** + +- [x] Cochez **Supprimer les cookies et les données du site lorsque Firefox est fermé** + +Cela vous protège contre les cookies persistants, mais ne vous protège pas contre les cookies acquis au cours d'une même session de navigation. Lorsque cette option est activée, il devient possible de nettoyer facilement les cookies de votre navigateur en redémarrant simplement Firefox. Vous pouvez définir des exceptions par site, si vous souhaitez rester connecté à un site précis que vous visitez souvent. + +##### Suggestions de recherche + +- [ ] Décochez **Fournir des suggestions de recherche** + +Les fonctionnalités de suggestion de recherche peuvent ne pas être disponibles dans votre région. + +Les suggestions de recherche envoient tout ce que vous tapez dans la barre d'adresse au moteur de recherche par défaut, que vous effectuiez ou non une recherche effective. La désactivation des suggestions de recherche vous permet de contrôler plus précisément les données que vous envoyez à votre fournisseur de moteur de recherche. + +##### Télémétrie + +- [ ] Décochez **Autoriser Firefox à envoyer des données techniques et d'interaction à Mozilla** +- [ ] Décochez **Autoriser Firefox à installer et à exécuter des études** +- [ ] Décochez **Permettre à Firefox d'envoyer en votre nom les rapports de plantage** + +> Firefox nous envoie des données sur la version et la langue de votre Firefox ; le système d'exploitation de l'appareil et la configuration matérielle ; la mémoire, les informations de base sur les plantages et les erreurs; les résultats de processus automatisés tels que les mises à jour, la navigation sécurisée et l'activation de notre système. Lorsque Firefox nous envoie des données, votre adresse IP est temporairement collectée dans les journaux de notre serveur. 
+ +En outre, le service Firefox Accounts collecte [certaines données techniques](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). Si vous utilisez un compte Firefox, vous pouvez la refuser : + +1. Ouvrez les [paramètres de votre profil sur accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Décochez **Collecte et utilisation de données** > **Aidez à améliorer les comptes Firefox** + +##### Mode HTTPS uniquement + +- [x] Sélectionnez **Activer le mode HTTPS uniquement dans toutes les fenêtres** + +Cela vous empêche de vous connecter involontairement à un site Web en "clair" HTTP. Les sites sans HTTPS sont rares de nos jours. Cela ne devrait donc avoir que peu ou pas d'impact sur votre navigation quotidienne. + +### Synchronisation Firefox + +La [Synchronisation Firefox](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) permet à vos données de navigation (historique, favoris, etc.) d'être accessibles sur tous vos appareils et les protège avec le chiffrement de bout en bout (E2EE). + +### Arkenfox (avancé) + +Le projet [Arkenfox](https://github.com/arkenfox/user.js) fournit un ensemble d'options soigneusement étudiées pour Firefox. Si vous [décidez](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) d'utiliser Arkenfox, quelques [options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) sont subjectivement strictes et/ou peuvent empêcher certains sites Web de fonctionner correctement. [Vous pouvez facilement modifier ces options](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) pour répondre à vos besoins. Nous **recommandons vivement** de lire l'intégralité de leur [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox permet également la prise en charge des [conteneurs](https://support.mozilla.org/fr/kb/conteneurs#w_for-advanced-users). + +## Brave + +!!! 
recommendation + + ![Logo Brave](assets/img/browsers/brave.svg){ align=right } + + **Le navigateur Brave** comprend un bloqueur de contenu intégré et des [fonctions de confidentialité](https://brave.com/privacy-features/), dont la plupart sont activées par défaut. + + Brave est basé sur le projet de navigateur Web Chromium. Il devrait donc vous être familier et présenter un minimum de problèmes de compatibilité avec les sites Web. + + [:octicons-home-16: Page d'accueil](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Service onion" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Code source" } + + ??? downloads annotate "Téléchargements" + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. Nous vous déconseillons d'utiliser la version Flatpak de Brave, car elle remplace la sandbox de Chromium par celle de Flatpak, qui est moins efficace. De plus, le paquet n'est pas maintenu par Brave Software, Inc. + +### Configuration recommandée + +Le navigateur Tor est le seul moyen de vraiment naviguer anonymement sur Internet. Lorsque vous utilisez Brave, nous vous recommandons de modifier les paramètres suivants afin de protéger votre vie privée de certains tiers, mais tous les navigateurs autres que le [Navigateur Tor](tor.md#tor-browser) seront traçables par *quelqu'un* d'une manière ou d'une autre. + +Ces options se trouvent dans :material-menu: → **Paramètres**. 
+ +##### Shields + +Brave inclut certaines mesures contre la prise d'empreinte numérique dans sa fonction [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-). Nous vous suggérons de configurer ces options [de manière globale](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) sur toutes les pages que vous visitez. + +Les options Shields peuvent être réduites par site selon les besoins, mais par défaut, nous recommandons de définir les paramètres suivants: + +
+ +- [x] Sélectionnez **Empêchez les sites de prendre mon empreinte numérique en fonction de mes préférences linguistiques** +- [x] Sélectionnez **Agressif** dans la rubrique Blocage des pisteurs et annonces + + ??? warning "Utiliser les listes de filtres par défaut" + Brave vous permet de sélectionner des filtres de contenu supplémentaires dans la page interne `brave://adblock`. Nous vous déconseillons d'utiliser cette fonctionnalité ; conservez plutôt les listes de filtres par défaut. L'utilisation de listes supplémentaires vous distinguera des autres utilisateurs de Brave et peut également augmenter la surface d'attaque s'il y a une faille dans Brave et qu'une règle malveillante est ajoutée à l'une des listes que vous utilisez. + +- [x] (Facultatif) Sélectionnez **Bloquer les scripts** (1) +- [x] Sélectionnez **Strict, peut casser les sites** sous Bloquer la capture d'empreinte numérique + +
+ +1. Cette option fournit une fonctionnalité similaire aux [modes de blocage](https://github.com/gorhill/uBlock/wiki/Blocking-mode) avancés de uBlock Origin ou l'extension [NoScript](https://noscript.net/). + +##### Blocage des médias sociaux + +- [ ] Décochez toutes les fonctionnalités de médias sociaux + +##### Confidentialité et sécurité + +
+ +- [x] Sélectionnez **Désactiver l'UDP pas en proxy** sous [Politique de gestion des adresses IP WebRTC](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Décochez **Utiliser les services Google pour la messagerie push** +- [ ] Décochez **Autoriser l'analyse de produits respectueuse de la vie privée (P3A)** +- [ ] Décochez **Envoyer automatiquement un signal d'utilisation quotidienne à Brave** +- [x] Sélectionnez **Toujours utiliser une connexion sécurisée** dans le menu **Sécurité** +- [ ] Décochez **Fenêtre privée avec Tor** (1) + + !!! tip "Nettoyer à la Fermeture" + - [x] Sélectionnez **Effacer les cookies et les données du site lorsque vous fermez toutes les fenêtres** dans le menu *Cookies et autres données du site* + + Si vous souhaitez rester connecté à un site particulier que vous visitez souvent, vous pouvez définir des exceptions par site dans la section *Comportements personnalisés*. + +
+ +1. Brave **n'est pas** aussi résistant à la prise d'empreinte numérique que le navigateur Tor et beaucoup moins de personnes utilisent Brave avec Tor, vous sortirez donc du lot. Lorsqu'[un fort anonymat est nécessaire](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) utilisez le [Navigateur Tor ](tor.md#tor-browser). + +##### Extensions + +Désactivez les extensions intégrées que vous n'utilisez pas dans **Extensions** + +- [ ] Décochez **Hangouts** +- [ ] Décochez **WebTorrent** + +##### IPFS + +InterPlanetary File System (IPFS) est un réseau décentralisé, de pair à pair, permettant de stocker et de partager des données dans un système de fichiers distribué. À moins que vous n'utilisiez cette fonctionnalité, désactivez-la. + +- [x] Sélectionnez **désactivé** dans la méthode pour résoudre les ressources IPFS + +##### Paramètres additionnels + +Dans le menu *Système* + +
+ +- [ ] Décochez **Continuer l'exécution des applications lorsque Brave est fermé** pour désactiver les applications en arrière-plan (1) + +
+
+1. Cette option n'est pas présente sur toutes les plateformes.
+
+### Synchronisation Brave
+
+La [Synchronisation Brave](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) permet à vos données de navigation (historique, signets, etc.) d'être accessibles sur tous vos appareils sans nécessiter de compte et les protège avec E2EE.
+
+## Ressources Supplémentaires
+
+Nous ne recommandons généralement pas l'installation d'extensions, car elles augmentent votre surface d'attaque. Cependant, uBlock Origin peut s'avérer utile si vous appréciez la fonctionnalité de blocage de contenu.
+
+### uBlock Origin
+
+!!! recommendation
+
+ ![Logo uBlock Origin](assets/img/browsers/ublock_origin.svg){ align=right }
+
+ **uBlock Origin** est un bloqueur de contenu populaire qui peut vous aider à bloquer les publicités, les traqueurs et les scripts d'empreintes numériques.
+
+ [:octicons-repo-16: Dépôt](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Code source" }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak)
+
+Nous vous suggérons de suivre la [documentation du développeur](https://github.com/gorhill/uBlock/wiki/Blocking-mode) et de choisir l'un des "modes".
Des listes de filtres supplémentaires peuvent avoir un impact sur les performances et [peuvent augmenter la surface d'attaque](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css).
+
+##### Autres listes
+
+Voici d'autres [listes de filtres](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) que vous pourriez envisager d'ajouter :
+
+- [x] Cochez **Confidentialité** > **AdGuard URL Tracking Protection**
+- Ajoutez [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt)
+
+## Critères
+
+**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous.
+
+!!! example "Cette section est récente"
+
+ Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours.
+
+### Exigences minimales
+
+- Doit être un logiciel open source.
+- Prend en charge les mises à jour automatiques.
+- Reçoit les mises à jour du moteur dans un délai de 1 jour à partir de la publication en amont.
+- Disponible sur Linux, macOS et Windows.
+- Les modifications nécessaires pour rendre le navigateur plus respectueux de la vie privée ne devraient pas avoir d'impact négatif sur l'expérience des utilisateurs.
+- Bloque les cookies tiers par défaut.
+- Prend en charge le [cloisonnement des états](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) pour atténuer le suivi intersite.[^1]
+
+### Dans le meilleur des cas
+
+Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page.
+
+- Comprend une fonctionnalité intégrée de blocage du contenu.
+- Supporte la compartimentation des cookies (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)).
+- Prend en charge les Progressive Web Apps.
+ Les PWAs vous permettent d'installer certains sites web comme s'il s'agissait d'applications natives sur votre ordinateur. Cela peut présenter des avantages par rapport à l'installation d'applications basées sur Electron, car vous bénéficiez des mises à jour de sécurité régulières de votre navigateur.
+- Ne comprend pas de fonctionnalités supplémentaires (bloatware) qui n'ont pas d'incidence sur la vie privée des utilisateurs.
+- Ne collecte pas de télémétrie par défaut.
+- Fournit une implémentation de serveur de synchronisation open-source.
+- Le moteur de recherche par défaut est un [moteur de recherche privé](search-engines.md).
+
+### Critères d'extension
+
+- Ne doit pas dupliquer une fonctionnalité intégrée dans le navigateur ou dans le système d'exploitation.
+- Doit avoir un impact direct sur la vie privée des utilisateurs, c'est-à-dire qu'il ne doit pas simplement fournir des informations.
+
+--8<-- "includes/abbreviations.fr.txt"
+
+[^1]: L'implémentation de Brave est détaillée dans [Mises à jour de la confidentialité de Brave : Partitionnement de l'état du réseau pour la confidentialité](https://brave.com/privacy-updates/14-partitioning-network-state/).
diff --git a/i18n/fr/desktop.md b/i18n/fr/desktop.md
new file mode 100644
index 00000000..c72388f7
--- /dev/null
+++ b/i18n/fr/desktop.md
@@ -0,0 +1,183 @@
+---
+title: "Bureau/PC"
+icon: simple/linux
+---
+
+Les distributions Linux sont généralement recommandées pour la protection de la vie privée et la liberté logicielle. Si vous n'utilisez pas encore Linux, vous trouverez ci-dessous quelques distributions que nous vous suggérons d'essayer, ainsi que des conseils généraux d'amélioration de la sécurité et de la confidentialité qui s'appliquent à de nombreuses distributions Linux.
+
+- [Vue d'ensemble de Linux :material-arrow-right-drop-circle:](os/linux-overview.md)
+
+## Distributions Traditionnelles
+
+### Station de Travail Fedora
+
+!!! recommendation
+
+ ![Logo Fedora](assets/img/linux-desktop/fedora-workstation.svg){ align=right }
+
+ **Fedora Workstation** est notre distribution recommandée pour les personnes débutant sous Linux. Fedora adopte généralement les nouvelles technologies avant les autres distributions, par exemple, [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), et bientôt. Ces nouvelles technologies s'accompagnent souvent d'améliorations générales en matière de sécurité, de vie privée et d'ergonomie.
+
+ [:octicons-home-16: Page d'accueil](https://getfedora.org/fr/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/fr/docs/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribuer }
+
+Fedora a un cycle de publication semi-continu. Si certains paquets comme [GNOME](https://www.gnome.org) sont gelés jusqu'à la prochaine version de Fedora, la plupart des paquets (y compris le noyau) sont mis à jour fréquemment tout au long de la durée de vie de la version. Chaque version de Fedora est supportée pendant un an, avec une nouvelle version publiée tous les 6 mois.
+
+### openSUSE Tumbleweed
+
+!!! 
recommendation
+
+ ![logo openSUSE Tumbleweed](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
+
+ **openSUSE Tumbleweed** est une distribution stable à publication continue.
+
+ openSUSE Tumbleweed dispose d'un système de [mise à jour transactionnelle](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) qui utilise [Btrfs](https://en.wikipedia.org/wiki/Btrfs) et [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) pour s'assurer que les livraisons peuvent être annulées en cas de problème.
+
+ [:octicons-home-16: Page d'accueil](https://get.opensuse.org/fr/tumbleweed/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://doc.opensuse.org/fr/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribuer }
+
+Tumbleweed suit un modèle de publication continu où chaque mise à jour est publiée comme un instantané de la distribution. Lorsque vous mettez votre système à niveau, un nouvel instantané est téléchargé. Chaque livraison est soumise à une série de tests automatisés par [openQA](https://openqa.opensuse.org) afin de garantir sa qualité.
+
+### Arch Linux
+
+!!! recommendation
+
+ ![Logo Arch](assets/img/linux-desktop/archlinux.svg){ align=right }
+
+ **Arch Linux** est une distribution légère, de type do-it-yourself (DIY), ce qui signifie que vous n'obtenez que ce que vous installez. Pour plus d'informations, voir leur [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions_(Fran%C3%A7ais)).
+
+ [:octicons-home-16: Page d'accueil](https://archlinux.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.archlinux.org/title/Main_page_(Fran%C3%A7ais)){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribuer }
+
+Arch Linux a un cycle de publication continue. Il n'y a pas de calendrier de publication fixe et les paquets sont mis à jour très fréquemment.
+
+S'agissant d'une distribution DIY, vous êtes [censé mettre en place et maintenir](os/linux-overview.md#arch-based-distributions) votre système par vous-même. Arch a un [installateur officiel](https://wiki.archlinux.org/title/Archinstall_(Fran%C3%A7ais)) pour rendre le processus d'installation un peu plus facile.
+
+Une grande partie des [paquets d'Arch Linux](https://reproducible.archlinux.org) sont [reproductibles](https://reproducible-builds.org).
+
+## Distributions Immuables
+
+### Fedora Silverblue
+
+!!! recommendation
+
+ ![Logo Fedora Silverblue](assets/img/linux-desktop/fedora-silverblue.svg){ align=right }
+
+ **Fedora Silverblue** et **Fedora Kinoite** sont des variantes immuables de Fedora qui mettent l'accent sur les flux de travail en conteneur. Silverblue est livré avec l'environnement de bureau [GNOME](https://www.gnome.org/) tandis que Kinoite est livré avec [KDE](https://kde.org/fr/). Silverblue et Kinoite suivent le même calendrier de publication que Fedora Workstation, bénéficiant des mêmes mises à jour rapides et restant très proches de l'original.
+
+ [:octicons-home-16: Page d'accueil](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/fr/fedora-silverblue/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribuer }
+
+Silverblue (et Kinoite) diffèrent de Fedora Workstation car ils remplacent le gestionnaire de paquets [DNF](https://docs.fedoraproject.org/fr/quick-docs/dnf/) par une alternative beaucoup plus avancée appelée [`rpm-ostree`](https://docs.fedoraproject.org/fr/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). Le gestionnaire de paquets `rpm-ostree` fonctionne en téléchargeant une image de base pour le système, puis en superposant des paquets par-dessus dans un arbre de commit semblable à [git](https://fr.wikipedia.org/wiki/Git).
Lorsque le système est mis à jour, une nouvelle image de base est téléchargée et les surcouches seront appliquées à cette nouvelle image.
+
+Une fois la mise à jour terminée, vous redémarrez le système dans le nouveau déploiement. `rpm-ostree` conserve deux déploiements du système afin que vous puissiez facilement revenir en arrière si quelque chose se casse dans le nouveau déploiement. Il est également possible d'épingler plus de déploiements selon les besoins.
+
+[Flatpak](https://www.flatpak.org) est la méthode principale d'installation des paquets sur ces distributions, car `rpm-ostree` n'est destiné qu'à superposer les paquets qui ne peuvent pas rester à l'intérieur d'un conteneur sur l'image de base.
+
+Comme alternative aux Flatpaks, il y a l'option de [Toolbox](https://docs.fedoraproject.org/fr/fedora-silverblue/toolbox/) pour créer des conteneurs [Podman](https://podman.io) avec un répertoire de base partagé avec le système d'exploitation hôte et imiter un environnement Fedora traditionnel, ce qui est une [fonctionnalité utile](https://containertoolbx.org) pour le développeur averti.
+
+### NixOS
+
+!!! recommendation
+
+ ![Logo NixOS](assets/img/linux-desktop/nixos.svg){ align=right }
+
+ NixOS est une distribution indépendante basée sur le gestionnaire de paquets Nix avec un accent sur la reproductibilité et la fiabilité.
+
+ [:octicons-home-16: Page d'accueil](https://nixos.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribuer }
+
+Le gestionnaire de paquets de NixOS conserve chaque version de chaque paquet dans un dossier différent dans le **magasin Nix**. De ce fait, vous pouvez avoir différentes versions d'un même paquet installé sur votre système. Une fois que le contenu du paquet a été écrit dans le dossier, ce dernier est mis en lecture seule.
+
+NixOS fournit également des mises à jour atomiques ; il télécharge d'abord (ou construit) les paquets et les fichiers pour la nouvelle génération de système et ensuite y bascule. Il y a différentes façons de passer à une nouvelle génération ; vous pouvez dire à NixOS de l'activer après le redémarrage ou vous pouvez basculer sur celle-ci pendant l'exécution. Vous pouvez également *tester* la nouvelle génération en basculant sur celle-ci pendant l'exécution, mais sans la définir comme la génération actuelle du système. Si quelque chose se casse pendant le processus de mise à jour, vous pouvez simplement redémarrer et revenir automatiquement à une version fonctionnelle de votre système.
+
+Nix, le gestionnaire de paquets, utilise un langage purement fonctionnel - qui s'appelle aussi Nix - pour définir les paquets.
+
+[Nixpkgs](https://github.com/nixos/nixpkgs) (la source principale des paquets) sont contenus dans un seul dépôt GitHub. Vous pouvez également définir vos propres paquets dans le même langage, puis les inclure facilement dans votre configuration.
+
+Nix est un gestionnaire de paquets basé sur les sources ; s'il n'y a pas de paquet pré-construit disponible dans le cache binaire, Nix construira simplement le paquet à partir des sources en utilisant sa définition. Il construit chaque paquet dans un environnement *pur* en bac à sable, qui est aussi indépendant que possible du système hôte, ce qui rend les binaires reproductibles.
+
+## Distributions Axées sur l'Anonymat
+
+### Whonix
+
+!!! recommendation
+
+ ![Logo Whonix](assets/img/linux-desktop/whonix.svg){ align=right }
+
+ **Whonix** est basé sur [Kicksecure](https://www.whonix.org/wiki/Kicksecure), un fork de Debian axé sur la sécurité. Il vise à assurer la vie privée, la sécurité et l'anonymat sur Internet. Whonix est utilisé de préférence en conjonction avec [Qubes OS](#qubes-os).
+
+ [:octicons-home-16: Page d'accueil](https://www.whonix.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribuer }
+
+Whonix est conçu pour fonctionner sous la forme de deux machines virtuelles : une "Station de Travail" et une "Passerelle" Tor. Toutes les communications de la station de travail doivent passer par la passerelle Tor, et seront acheminées par le réseau Tor. Cela signifie que même si la "Station de Travail" est compromise par un logiciel malveillant quelconque, la véritable adresse IP reste cachée.
+
+Parmi ses fonctionnalités, citons l'isolation des Flux Tor, [l'anonymisation des frappes de clavier](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [un swap chiffré](https://github.com/Whonix/swap-file-creator), et un allocateur de mémoire renforcé.
+
+Les futures versions de Whonix incluront probablement [des politiques AppArmor système complètes](https://github.com/Whonix/apparmor-profile-everything) et [un lanceur d'apps bac à sable](https://www.whonix.org/wiki/Sandbox-app-launcher) pour confiner complètement tous les processus sur le système.
+
+Il est préférable d'utiliser Whonix [en conjonction avec Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers).
+
+### Tails
+
+!!! recommendation
+
+ ![Logo de Tails](assets/img/linux-desktop/tails.svg){ align=right }
+
+ **Tails** est un système d'exploitation autonome basé sur Debian qui fait passer toutes les communications par Tor, et qui peut démarrer sur presque n'importe quel ordinateur à partir d'un DVD, d'une clé USB ou d'une installation sur carte SD. Il utilise [Tor](tor.md) pour préserver la vie privée et l'anonymat tout en contournant la censure, et il ne laisse aucune trace de son passage sur l'ordinateur sur lequel il est utilisé après avoir été éteint.
+
+ [:octicons-home-16: Page d'accueil](https://tails.boum.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribuer }
+
+Tails est excellent pour contrer l'analyse scientifique en raison de son amnésie (ce qui signifie que rien n'est écrit sur le disque) ; cependant, ce n'est pas une distribution renforcée comme Whonix. Il ne dispose pas de nombreuses fonctions d'anonymat et de sécurité comme Whonix et est mis à jour beaucoup moins souvent (seulement une fois toutes les six semaines). Un système Tails compromis par un logiciel malveillant peut potentiellement contourner le proxy transparent et permettre à l'utilisateur d'être désanonymisé.
+
+Tails inclut [uBlock Origin](desktop-browsers.md#ublock-origin) dans le Navigateur Tor par défaut, ce qui peut potentiellement faciliter la tâche des adversaires pour identifier l'empreinte numérique des utilisateurs de Tails. Les machines virtuelles [Whonix](desktop.md#whonix) sont peut-être plus étanches, mais elles ne sont pas amnésiques, ce qui signifie que les données peuvent être récupérées sur votre périphérique de stockage.
+
+Par conception, Tails est censé se réinitialiser complètement après chaque redémarrage. Le [stockage persistant](https://tails.boum.org/doc/first_steps/persistence/index.fr.html) chiffré peut être configuré pour stocker certaines données entre les redémarrages.
+
+## Distributions axées sur la sécurité
+
+### Qubes OS
+
+!!! recommendation
+
+ ![Logo Qubes OS](assets/img/qubes/qubes_os.svg){ align=right }
+
+ **Qubes** est un système d'exploitation open-source conçu pour fournir une sécurité forte pour l'informatique de bureau. Qubes est basé sur Xen, le système X Window et Linux, et peut exécuter la plupart des applications Linux et utiliser la plupart des pilotes Linux.
+
+ [:octicons-home-16: Page d'accueil](https://www.qubes-os.org/){ .md-button .md-button--primary }
+ [:material-arrow-right-drop-circle: Aperçu](os/qubes-overview.md){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Service onion" }
+ [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribuer }
+
+Qubes OS est un système d'exploitation basé sur Xen destiné à fournir une sécurité forte pour l'informatique de bureau par le biais de machines virtuelles (VMs) sécurisées, également connues sous le nom de *Qubes*.
+
+Le système d'exploitation Qubes OS sécurise l'ordinateur en isolant les sous-systèmes (par exemple, réseau, USB, etc.) et les applications dans des VMs distinctes. Si une partie du système est compromise, l'isolation supplémentaire est susceptible de protéger le reste du système. Pour plus de détails, voir la FAQ de Qubes [](https://www.qubes-os.org/faq/).
+
+## Critères
+
+**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous.
+
+!!! example "Cette section est récente"
+
+ Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement.
Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours.
+
+Nos systèmes d'exploitation recommandés :
+
+- Doivent être open-source.
+- Doivent recevoir régulièrement des mises à jour des logiciels et du noyau Linux.
+- Les distributions Linux doivent prendre en charge [Wayland](os/linux-overview.md#Wayland).
+- Doitvent prendre en charge le chiffrement complet du disque pendant l'installation.
+- Ne doivent pas geler les mises à jour régulières pendant plus d'un an. Nous [ne recommandons pas](os/linux-overview.md#release-cycle) "Long Term Support" ou les versions "stables" de distro pour une utilisation domestique.
+- Doivent prendre en charge une grande variété de matériel.
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/dns.md b/i18n/fr/dns.md
new file mode 100644
index 00000000..5bb60e9d
--- /dev/null
+++ b/i18n/fr/dns.md
@@ -0,0 +1,142 @@ +--- +title: "Résolveurs DNS" +icon: material/dns +--- + +!!! question "Devrais-je utiliser un DNS chiffré ?" + + Le DNS chiffré avec des serveurs tiers ne doit être utilisé que pour contourner le [blocage DNS](https://en.wikipedia.org/wiki/DNS_blocking) de base lorsque vous êtes certain qu'il n'y aura pas de conséquences. Le DNS chiffré ne vous aidera pas à dissimuler vos activités de navigation. + + [En savoir plus sur le DNS](advanced/dns-overview.md){ .md-button } + +## Fournisseurs Recommandés + +| Fournisseur DNS | Politique de confidentialité | Protocoles | Journalisation | ECS | Filtrage | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------ | --------------- | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH
DoT
DNSCrypt | Un peu[^1] | Non | En fonction du choix fait côté serveur. La liste des filtres utilisés peut être consultée ici. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) |
+| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH
DoT | Un peu[^2] | Non | En fonction du choix fait côté serveur. |
+| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH
DoT
DNSCrypt
DoQ
DoH3 | Optionnelle[^3] | Non | En fonction du choix fait côté serveur. |
+| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | Aucune[^4] | Non | En fonction du choix fait côté serveur. La liste des filtres utilisés peut être consultée ici. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) |
+| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH
DoT | Optionnelle[^5] | Optionnel | En fonction du choix fait côté serveur. |
+| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Un peu[^6] | Optionnel | En fonction du choix fait côté serveur, Blocage des logiciels malveillants par défaut. |
+
+## Critères
+
+**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous.
+
+!!! example "Cette section est récente"
+
+ Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours.
+
+- Doit supporter [DNSSEC](advanced/dns-overview.md#what-is-dnssec).
+- [Minimisation QNAME](advanced/dns-overview.md#what-is-qname-minimization).
+- Permettre la désactivation de [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs)
+- Doit préférer la prise en charge [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) ou geo-steering.
+
+## Prise en charge native des systèmes d'exploitation
+
+### Android
+
+Android 9 et supérieur prennent en charge DNS via TLS. Les paramètres peuvent être trouvés dans : **Paramètres** → **Réseau & Internet** → **DNS Privé**.
+
+### Appareils Apple
+
+Les dernières versions d'iOS, iPadOS, tvOS et macOS prennent en charge à la fois DoT et DoH.
Les deux protocoles sont pris en charge nativement par l'intermédiaire des [profils de configuration](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) ou par l'intermédiaire de [l'API de Paramètres DNS](https://developer.apple.com/documentation/networkextension/dns_settings).
+
+Après l'installation d'un profil de configuration ou d'une application qui utilise l'API des Paramètres DNS, la configuration DNS peut être sélectionnée. Si un VPN est actif, la résolution au sein du tunnel VPN utilisera les paramètres DNS du VPN et non les paramètres de votre système.
+
+#### Profils signés
+
+Apple ne fournit pas d'interface native pour la création de profils DNS chiffrés. Le [créateur de profil DNS Sécurisé](https://dns.notjakob.com/tool.html) est un outil non officiel permettant de créer vos propres profils DNS chiffrés, mais ils ne seront pas signés. Les profils signés sont préférables ; la signature valide l'origine d'un profil et contribue à garantir l'intégrité des profils. Un label vert "Vérifié" est attribué aux profils de configuration signés. Pour plus d'informations sur la signature de code, voir [A propos de la signature de code](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Les profils signés** sont fournis par [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), et [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/).
+
+!!! info "Information"
+
+ `systemd-resolved`, que de nombreuses distributions Linux utilisent pour effectuer leurs recherches DNS, ne [supporte pas encore DoH](https://github.com/systemd/systemd/issues/8639).
Si vous voulez utiliser DoH, vous devez installer un proxy comme [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) et [le configurer](https://wiki.archlinux.org/title/Dnscrypt-proxy) pour prendre toutes les requêtes DNS du résolveur de votre système et les transmettre via HTTPS.
+
+## Proxys DNS chiffrés
+
+Un logiciel de proxy DNS chiffré fourni un proxy local vers lequel le résolveur [DNS non chiffré](advanced/dns-overview.md#unencrypted-dns) doit rediriger. Il est généralement utilisé sur les plates-formes qui ne supportent pas nativement les [DNS chiffrés](advanced/dns-overview.md#what-is-encrypted-dns).
+
+### RethinkDNS
+
+!!! recommendation
+
+ ![Logo RethinkDNS](assets/img/android/rethinkdns.svg#only-light){ align=right }
+ ![Logo RethinkDNS](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right }
+
+ **RethinkDNS** est un client Android open-source prenant en charge [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) et DNS Proxy, ainsi que la mise en cache des réponses DNS, l'enregistrement local des requêtes DNS et peut également être utilisé comme pare-feu.
+
+ [:octicons-home-16: Page d'accueil](https://rethinkdns.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Code source" }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns)
+ - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases)
+
+### dnscrypt-proxy
+
+!!! 
recommendation
+
+ ![logo dnscrypt-proxy](assets/img/dns/dnscrypt-proxy.svg){ align=right }
+
+ **dnscrypt-proxy** est un proxy DNS qui prend en charge [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh) et [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
+
+ !!! warning "La fonction DNS anonyme n'anonymise [**pas**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) le reste du trafic réseau."
+
+ [:octicons-repo-16: Dépôt](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribuer }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows)
+ - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS)
+ - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux)
+
+## Solutions auto-hébergées
+
+Une solution DNS auto-hébergée est utile pour assurer le filtrage sur les plateformes contrôlées, telles que les téléviseurs intelligents et autres appareils IoT, car aucun logiciel côté client n'est nécessaire.
+
+### AdGuard Home
+
+!!! recommendation
+
+ ![Logo AdGuard Home](assets/img/dns/adguard-home.svg){ align=right }
+
+ **AdGuard Home** est un logiciel libre [gouffre DNS](https://wikipedia.org/wiki/DNS_sinkhole) qui utilise le [filtrage DNS](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) pour bloquer les contenus web indésirables, tels que les publicités.
+
+ AdGuard Home est doté d'une interface web conviviale qui permet de visualiser et de gérer le contenu bloqué.
+ + [:octicons-home-16: Page d'accueil](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Code source" } + +### Pi-hole + +!!! recommendation + + ![Logo Pi-hole](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** est un [gouffre DNS](https://wikipedia.org/wiki/DNS_sinkhole) open-source qui utilise le [filtrage DNS](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) pour bloquer les contenus web indésirables, tels que les publicités. + + Pi-hole est conçu pour être hébergé sur un Raspberry Pi, mais il n'est pas limité à ce type de matériel. Le logiciel est doté d'une interface web conviviale permettant de visualiser et de gérer les contenus bloqués. + + [:octicons-home-16: Page d'accueil](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Code source" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribuer } + +--8<-- "includes/abbreviations.fr.txt" + +[^1]: AdGuard stocke des mesures de performance agrégées de ses serveurs DNS, à savoir le nombre de demandes complètes adressées à un serveur particulier, le nombre de demandes bloquées et la vitesse de traitement des demandes. Ils conservent et stockent également la base de données des domaines demandés dans les dernières 24 heures. "Nous avons besoin de ces informations pour identifier et bloquer les nouveaux traqueurs et menaces." 
"Nous enregistrons également le nombre de fois où tel ou tel traqueur a été bloqué. Nous avons besoin de ces informations pour supprimer les règles obsolètes de nos filtres." [https://adguard.com/fr/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare ne collecte et ne stocke que les données limitées des requêtes DNS qui sont envoyées au résolveur 1.1.1.1. Le service de résolution 1.1.1.1 n'enregistre pas de données personnelles, et la majeure partie des données de requête limitées et non personnellement identifiables n'est stockée que pendant 25 heures. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D n'enregistre que les résolveurs Premium avec des profils DNS personnalisés. Les résolveurs libres n'enregistrent pas de données. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Le service DNS de Mullvad est disponible à la fois pour les abonnés et les non-abonnés de Mullvad VPN. Leur politique de confidentialité affirme explicitement qu'ils n'enregistrent pas les requêtes DNS de quelque manière que ce soit. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS peut fournir des informations et des fonctions de journalisation sur la base d'un accord préalable. Vous pouvez choisir les durées de conservation et les emplacements de stockage des journaux pour tous les journaux que vous choisissez de conserver. Si ce n'est pas spécifiquement demandé, aucune donnée n'est enregistrée. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 recueille certaines données à des fins de surveillance et de réponse aux menaces. Ces données peuvent ensuite être remélangées et partagées, par exemple à des fins de recherche sur la sécurité. Quad9 ne collecte ni n'enregistre les adresses IP ou d'autres données qu'elle juge personnellement identifiables. 
[https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/)
diff --git a/i18n/fr/email-clients.md b/i18n/fr/email-clients.md
new file mode 100644
index 00000000..ae04a4ef
--- /dev/null
+++ b/i18n/fr/email-clients.md
@@ -0,0 +1,239 @@
+---
+title: "Logiciels de messagerie électronique"
+icon: material/email-open
+---
+
+Notre liste de recommandations contient des clients de messagerie qui prennent en charge à la fois [OpenPGP](encryption.md#openpgp) et l'authentification forte telle que [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth vous permet d'utiliser l'[Authentification à Multi-Facteurs](multi-factor-authentication) et d'empêcher le vol de compte.
+
+??? warning "L'email ne fournit pas de secret de transmission"
+
+ Lors de l'utilisation d'une technologie de chiffrement de bout en bout (E2EE) comme OpenPGP, le courrier électronique contiendra toujours [certaines métadonnées](email.md#email-metadata-overview) qui ne sont pas chiffrées dans l'en-tête du courrier électronique.
+
+ OpenPGP ne prend pas non plus en charge la [confidentialité persistante](https://fr.wikipedia.org/wiki/Confidentialit%C3%A9_persistante), ce qui signifie que si votre clé privée ou celle du destinataire est volée, tous les messages précédents chiffrés avec cette clé seront exposés: [Comment protéger mes clés privées ?](basics/email-security.md) Envisagez l'utilisation d'un support qui assure la confidentialité persistante:
+
+ [Communication en temps réel](real-time-communication.md){ .md-button }
+
+## Multi-plateformes
+
+### Thunderbird
+
+!!! recommendation
+
+ ![Logo Thunderbird](assets/img/email-clients/thunderbird.svg){ align=right }
+
+ **Thunderbird** est un client de messagerie, de groupes de discussion, de flux d'informations et de chat (XMPP, IRC, Twitter) gratuit, open-source et multiplateforme, développé par la communauté Thunderbird, et précédemment par la Fondation Mozilla.
+
+ [:octicons-home-16: Page d'accueil](https://www.thunderbird.net/fr/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://support.mozilla.org/fr/products/thunderbird){ .card-link title=Documentation}
+ [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Code source" }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-windows11: Windows](https://www.thunderbird.net/fr/)
+ - [:simple-apple: macOS](https://www.thunderbird.net/fr/)
+ - [:simple-linux: Linux](https://www.thunderbird.net/fr/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird)
+
+#### Configuration recommandée
+
+Nous vous recommandons de modifier certains de ces paramètres pour rendre Thunderbird un peu plus privé.
+
+Ces options se trouvent dans :material-menu: → **Paramètres** → **Confidentialité & Sécurité**.
+
+##### Contenu Web
+
+- [ ] Décochez **Se souvenir des sites web et des liens que j'ai visités**
+- [ ] Décochez **Accepter les cookies des sites**
+
+##### Télémétrie
+
+- [ ] Décochez **Autoriser Thunderbird à envoyer des données techniques et d'interaction à Mozilla**
+
+#### Thunderbird-user.js (avancé)
+
+[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), est un ensemble d'options de configuration qui vise à désactiver le plus grand nombre possible de fonctions de navigation web dans Thunderbird afin de réduire la surface d'attaque et de préserver la confidentialité. Certains changements sont rétroportés depuis le [projet Arkenfox](https://github.com/arkenfox/user.js).
+
+## Spécifique à une plateforme
+
+### Apple Mail (macOS)
+
+!!! recommendation
+
+ ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right }
+
+ **Apple Mail** est inclus dans macOS et peut être étendu pour prendre en charge OpenPGP avec [GPG Suite](/encryption/# gpg-suite), ce qui ajoute la possibilité d'envoyer des e-mails chiffrés.
+
+ [:octicons-home-16: Page d'accueil](https://support.apple.com/fr-fr/guide/mail/welcome/mac){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/fr/legal/privacy/fr-ww/){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://support.apple.com/fr-fr/guide/mail/toc){ .card-link title=Documentation}
+
+### Canary Mail (iOS)
+
+!!! recommendation
+
+ ![Logo de Canary Mail](assets/img/email-clients/canarymail.svg){ align=right }
+
+ **Canary Mail** est un client de messagerie payant conçu pour rendre le chiffrement de bout en bout transparent grâce à des fonctions de sécurité telles que le verrouillage biométrique des applications.
+
+ [:octicons-home-16: Page d'accueil](https://canarymail.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation}
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954)
+ - [:simple-windows11: Windows](https://canarymail.io/downloads.html)
+
+!!! warning "Avertissement"
+
+ Canary Mail n'a publié que récemment un client Windows et Android, mais nous ne pensons pas qu'ils soient aussi stables que leurs homologues iOS et Mac.
+
+Canary Mail est à source fermée. Nous le recommandons en raison du peu de choix disponibles pour les clients de messagerie sur iOS prenant en charge PGP E2EE.
+
+### FairEmail (Android)
+
+!!! recommendation
+
+ ![Logo FairEmail](assets/img/email-clients/fairemail.svg){ align=right }
+
+ **FairEmail** est une application de messagerie électronique minimale et open-source, utilisant des standards ouverts (IMAP, SMTP, OpenPGP) avec une faible consommation de données et de batterie.
+
+ [:octicons-home-16: Page d'accueil](https://email.faircode.eu){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribuer}
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email)
+ - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases)
+
+### GNOME Evolution (GNOME)
+
+!!! recommendation
+
+ ![Logo Evolution](assets/img/email-clients/evolution.svg){ align=right }
+
+ **Evolution** est une application de gestion des informations personnelles qui fournit des fonctionnalités intégrées de courrier, de calendrier et de carnet d'adresses. Evolution dispose d'une vaste [documentation](https://help.gnome.org/users/evolution/stable/) pour vous aider à démarrer.
+
+ [:octicons-home-16: Page d'accueil](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribuer}
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution)
+
+### K-9 Mail (Android)
+
+!!! recommendation
+
+ ![Logo de K-9 Mail](assets/img/email-clients/k9mail.svg){ align=right }
+
+ **K-9 Mail** est une application de messagerie indépendante qui prend en charge les boîtes aux lettres POP3 et IMAP, mais ne prend en charge le push mail que pour IMAP.
+
+ À l'avenir, K-9 Mail sera le client Thunderbird [officiel](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) pour Android .
+
+ [:octicons-home-16: Page d'accueil](https://k9mail.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribuer }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9)
+ - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases)
+
+!!! warning "Avertissement"
+
+ Lorsque vous répondez à un membre d'une liste de diffusion, l'option "répondre" peut également inclure la liste de diffusion. Pour plus d'informations, voir [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738).
+
+### Kontact (KDE)
+
+!!! recommendation
+
+ ![Logo Kontact](assets/img/email-clients/kontact.svg){ align=right }
+
+ **Kontact** est une application de gestion des informations personnelles (PIM) issue du projet [KDE](https://kde.org). Il offre un client de messagerie, un carnet d'adresses, un organiseur et un client RSS.
+
+ [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribuer }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-linux: Linux](https://kontact.kde.org/download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact)
+
+### Mailvelope (Navigateur)
+
+!!! recommendation
+
+ ![Logo Mailvelope](assets/img/email-clients/mailvelope.svg){ align=right }
+
+ **Mailvelope** est une extension de navigateur qui permet l'échange de courriers électroniques cryptés selon la norme de cryptage OpenPGP.
+
+ [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Code source" }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc)
+
+### NeoMutt (CLI)
+
+!!! recommendation
+
+ ![Logo NeoMutt](assets/img/email-clients/mutt.svg){ align=right }
+
+ **NeoMutt** est un lecteur de courrier en ligne de commande (ou MUA) open-source pour Linux et BSD. C'est un fork de [Mutt](https://fr.wikipedia.org/wiki/Mutt) avec des fonctionnalités supplémentaires.
+
+ NeoMutt est un client textuel qui a une courbe d'apprentissage abrupte. Il est cependant très personnalisable.
+
+ [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribuer }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-apple: macOS](https://neomutt.org/distro)
+ - [:simple-linux: Linux](https://neomutt.org/distro)
+
+## Critères
+
+**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous.
+
+!!! example "Cette section est récente"
+
+ Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours.
+
+### Qualifications minimales
+
+- Les applications développées pour les systèmes d'exploitation open source doivent être open source.
+- Ne doit pas collecter de télémétrie, ou disposer d'un moyen facile de désactiver toute télémétrie.
+- Doit prendre en charge le chiffrement des messages OpenPGP.
+
+### Dans le meilleur des cas
+
+Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page.
+
+- Doit être open-source.
+- Doit être multiplateforme.
+- Ne doit pas collecter de télémétrie par défaut.
+- Doit prendre en charge OpenPGP nativement, c'est-à-dire sans extensions.
+- Doit prendre en charge le stockage local de courriels chiffrés par OpenPGP.
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/email.md b/i18n/fr/email.md
new file mode 100644
index 00000000..09b04fe2
--- /dev/null
+++ b/i18n/fr/email.md
@@ -0,0 +1,485 @@ +--- +title: "Services de messagerie électronique" +icon: material/email +--- + +Le courriel est pratiquement une nécessité pour utiliser n'importe quel service en ligne, mais nous ne le recommandons pas pour les conversations de personne à personne. Plutôt que d'utiliser le courriel pour contacter d'autres personnes, envisagez d'utiliser un support de messagerie instantanée qui prend en charge le secret de transfert. + +[Messageries instantanées recommandées](real-time-communication.md ""){.md-button} + +Pour tout le reste, nous recommandons une variété de fournisseurs de messagerie électronique en fonction de la viabilité de leur modèle économique et de leurs fonctions intégrées de sécurité et de confidentialité. + +## Fournisseurs recommandés + +Ces fournisseurs prennent en charge le chiffrement/déchiffrement OpenPGP nativement, ce qui permet d'envoyer des e-mails chiffrés de bout en bout (E2EE) indépendamment du fournisseur. Par exemple, un utilisateur de Proton Mail peut envoyer un message E2EE à un utilisateur de Mailbox.org, ou vous pouvez recevoir des notifications chiffrées par OpenPGP de la part de services internet qui le supportent. + +!!! warning "Avertissement" + + Lors de l'utilisation d'une technologie E2EE telle que OpenPGP, le courrier électronique contiendra toujours certaines métadonnées non chiffrées dans l'en-tête du courrier. En savoir plus sur les [métadonnées de messagerie](basics/email-security.md#email-metadata-overview). + + OpenPGP ne prend pas non plus en charge le secret de transfert, ce qui signifie que si votre clé privée ou celle du destinataire est volée, tous les messages précédents chiffrés avec elle seront exposés. [Comment protéger mes clés privées ?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! 
recommendation + + ![Logo Proton Mail](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** est un service de messagerie électronique qui met l'accent sur la confidentialité, le chiffrement, la sécurité et la facilité d'utilisation. Ils sont en activité depuis **2013**. Proton AG a son siège à Genève, en Suisse. Les comptes commencent avec 500 Mo de stockage avec leur offre gratuite. + + [:octicons-home-16: Page d'accueil](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Service onion" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Les comptes gratuits présentent certaines limitations, comme le fait de ne pas pouvoir effectuer de recherche dans le corps du texte et de ne pas avoir accès à [Proton Mail Bridge](https://proton.me/mail/bridge), qui est nécessaire pour utiliser un [client de messagerie de bureau recommandé](email-clients.md) (par exemple Thunderbird). 
check "Modes de paiement privés" check "Modes de paiement privés" Une [lettre d'attestation](https://proton.me/blog/security-audit-all-proton-apps) a été fournie pour les applications de Proton Mail le 9 novembre 2021 par [Securitum](https://research.securitum.com). + +Si vous avez l'offre Proton Illimité, entreprise ou Visionnaire, vous obtenez également [SimpleLogin](#simplelogin) Premium gratuitement. + +Proton Mail dispose de rapports de plantages internes qu'il **ne partage pas** avec des tiers. Ils peuvent être désactivés dans : **Paramètres** > **Aller à Paramètres** > **Compte** > **Sécurité et confidentialité** > **Envoyer des rapports de crash**. + +??? success "Domaines personnalisés et alias" + + Les abonnés payants à Proton Mail peuvent utiliser leur propre domaine avec le service ou une adresse [fourre-tout](https://proton.me/support/catch-all). Proton Mail prend également en charge le [sous-adressage](https://proton.me/support/creating-aliases), ce qui est utile pour les personnes qui ne souhaitent pas acheter un domaine. + +??? success "Modes de paiement privés" + + Proton Mail [accepte](https://proton.me/support/payment-options) le Bitcoin et l'argent liquide par courrier en plus des paiements standards par carte de crédit/débit et PayPal. + +??? success "Sécurité du compte" + + Proton Mail ne prend en charge que l'[authentification à deux facteurs](https://proton.me/support/two-factor-authentication-2fa) TOTP. L'utilisation d'une clé de sécurité U2F n'est pas encore prise en charge. Proton Mail prévoit d'implémenter U2F dès l'achèvement de son système d'[Authentification unique (SSO - Single Sign On)](https://reddit.com/comments/cheoy6/comment/feh2lw0/). + +??? success "Sécurité des données" + + Proton Mail dispose d'un [chiffrement à accès zéro](https://proton.me/blog/zero-access-encryption) au repos pour vos e-mails et [calendriers](https://proton.me/news/protoncalendar-security-model). 
Les données sécurisées par un chiffrmeent à accès zéro ne sont accessibles que par vous. + + Certaines informations stockées dans [Proton Contacts](https://proton.me/support/proton-contacts), telles que les noms et les adresses e-mail, ne sont pas sécurisées par un chiffrement à accès zéro. Les champs de contact qui prennent en charge le chiffrement à accès zéro, comme les numéros de téléphone, sont indiqués par une icône de cadenas. + +??? success "Chiffrement des e-mails" + + Proton Mail a [intégré le chiffrement OpenPGP](https://proton.me/support/how-to-use-pgp) dans son webmail. Les e-mails destinés à d'autres comptes Proton Mail sont chiffrés automatiquement, et le chiffrement vers des adresses autres que Proton Mail avec une clé OpenPGP peut être activé facilement dans les paramètres de votre compte. Ils vous permettent également de [chiffrer les messages destinés à des adresses autres que celles de Proton Mail](https://proton.me/support/password-protected-emails) sans qu'ils aient besoin de s'inscrire à un compte Proton Mail ou d'utiliser un logiciel comme OpenPGP. + + Proton Mail prend également en charge la découverte de clés publiques via HTTP à partir de son [Répertoire de Clés Web (WKD - Web Key Directory)](https://wiki.gnupg.org/WKD). Cela permet aux personnes qui n'utilisent pas Proton Mail de trouver facilement les clés OpenPGP des comptes Proton Mail, pour un E2EE inter-fournisseurs. + +??? warning "Héritage numérique" + + Proton Mail ne propose pas de fonction d'héritage numérique. + +??? info "Résiliation du compte" + + Si vous avez un compte payant et que votre [facture est impayée](https://proton.me/support/delinquency) après 14 jours, vous ne pourrez pas accéder à vos données. Après 30 jours, votre compte sera en impayé et ne recevra plus d'e-mail entrant. Vous continuerez à être facturé pendant cette période. + +??? 
info "Fonctionnalités supplémentaires" + + Proton Mail propose un compte "Illimité" pour 9,99 €/mois, qui permet également d'accéder à Proton VPN en plus de fournir plusieurs comptes, domaines, alias et 500 Go de stockage. + +### Mailbox.org + +!!! recommendation + + ![Logo de Mailbox.org](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** est un service de messagerie électronique qui se veut sécurisé, sans publicité et alimenté par une énergie 100% écologique. Ils sont en activité depuis 2014. Mailbox.org est basé à Berlin, en Allemagne. Les comptes commencent avec 2 Go de stockage, qui peuvent être mis à niveau si nécessaire. + + [:octicons-home-16: Page d'accueil](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads "Téléchargements" + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +??? success "Domaines personnalisés et alias" + + Mailbox.org vous permet d'utiliser votre propre domaine et prend en charge les adresses [fourre-tout](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+avec+propre+domaine). Mailbox.org prend également en charge le [sous-adressage](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), ce qui est utile pour les personnes qui ne souhaitent pas acheter un domaine. + +??? info "Modes de paiement privés" + + Mailbox.org n'accepte pas les bitcoins ni les autres crypto-monnaies en raison de la suspension des opérations de leur processeur de paiement BitPay en Allemagne. Cependant, ils acceptent les paiements par courrier, les paiements en espèces sur compte bancaire, les virements bancaires, les cartes de crédit, PayPal et quelques processeurs spécifiques à l'Allemagne : paydirekt et Sofortüberweisung. + +??? 
success "Sécurité du compte" + + Mailbox.org prend en charge [l'authentification à deux facteurs](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) pour son webmail uniquement. Vous pouvez utiliser soit TOTP soit un [Yubikey](https://fr.wikipedia.org/wiki/YubiKey) via le [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Les normes web telles que [WebAuthn](https://fr.wikipedia.org/wiki/WebAuthn) ne sont pas encore prises en charge. + +??? info "Sécurité des données" + + Mailbox.org permet de chiffrer les e-mails entrants en utilisant leur [boîte mail chiffrée](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). Les nouveaux messages que vous recevrez seront alors immédiatement chiffrés avec votre clé publique. + + Toutefois, [Open-Exchange](https://fr.wikipedia.org/wiki/Open-Xchange), la plate-forme logicielle utilisée par Mailbox.org, [ne prend pas en charge](https://kb.mailbox.org/display/BMBOKBEN/Encryption+de+calendrier+et+carnet+d'adresses) le chiffrement de votre carnet d'adresses et de votre calendrier. Une [option dissociée](calendar.md) peut être plus appropriée pour ces informations. + +??? success "Chiffrement des e-mails" + + Mailbox.org a [intégré le chiffrement](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) dans son webmail, ce qui simplifie l'envoi de messages aux personnes disposant de clés OpenPGP publiques. Ils permettent également [aux destinataires distants de déchiffrer un e-mail](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) sur les serveurs de Mailbox.org. Cette fonction est utile lorsque le destinataire distant ne dispose pas d'OpenPGP et ne peut pas déchiffrer une copie de l'e-mail dans sa propre boîte mail. + + Mailbox.org supporte également la découverte de clés publiques via HTTP à partir de leur [Répertoire de Clés Web (WKD - Web Key Directory)](https://wiki.gnupg.org/WKD). 
Cela permet aux personnes extérieures à Mailbox.org de trouver facilement les clés OpenPGP des comptes Mailbox.org, pour un E2EE inter-fournisseurs. + +??? sucess "Héritage numérique" + + Mailbox.org dispose d'une fonction d'héritage numérique pour toutes les offres. Vous pouvez choisir de transmettre certaines de vos données à vos héritiers, à condition d'en faire la demande et de fournir votre testament. Vous pouvez également désigner une personne par son nom et son adresse. + +??? info "Résiliation du compte" + + Votre compte sera défini comme un compte d'utilisateur restreint lorsque votre contrat prendra fin, après [30 jours, il sera irrévocablement supprimé](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +??? info "Fonctionnalités supplémentaires" + + Vous pouvez accéder à votre compte Mailbox.org via IMAP/SMTP en utilisant leur [service .onion](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+de+mailbox.org). Cependant, leur interface webmail n'est pas accessible via leur service .onion et vous pouvez rencontrer des erreurs de certificat TLS. + + Tous les comptes sont dotés d'un espace de stockage cloud limité qui [peut être chiffré](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+sur+votre+Drive). Mailbox.org propose également l'alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely) qui impose le chiffrement TLS sur la connexion entre les serveurs de messagerie, sinon le message ne sera pas envoyé du tout. Mailbox.org supporte également [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) en plus des protocoles d'accès standard comme IMAP et POP3. + +### StartMail + +!!! 
recommendation + + ![Logo de StartMail](assets/img/email/startmail.svg#only-light){ align=right } + ![Logo de StartMail](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** est un service de messagerie électronique qui met l'accent sur la sécurité et la confidentialité grâce à l'utilisation du standard de chiffrement OpenPGP. StartMail est en activité depuis 2014 et est basé à Boulevard 11, Zeist Pays-Bas. Les comptes commencent avec 10 Go. Ils offrent un essai de 30 jours. + + [:octicons-home-16: Page d'accueil](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads "Téléchargements" + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +??? success "Domaines personnalisés et alias" + + Les comptes personnels peuvent utiliser des alias [Personnalisés ou Rapides](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases). Des [domaines personnalisés](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) sont également disponibles. + +??? warning "Modes de paiement privés" + + StartMail accepte Visa, MasterCard, American Express et Paypal. StartMail propose également d'autres [options de paiement](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) telles que le Bitcoin (actuellement uniquement pour les comptes personnels) et le prélèvement SEPA pour les comptes de plus d'un an. + +??? success "Sécurité du compte" + + StartMail supporte l'authentification TOTP à deux facteurs [pour le webmail uniquement](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). Ils ne permettent pas l'authentification par clé de sécurité U2F. + +??? 
info "Sécurité des données" + + StartMail dispose d'un [chiffrement à accès zéro au repos](https://www.startmail.com/en/whitepaper/#_Toc458527835), utilisant leur système de "coffre-fort utilisateur". Lorsque vous vous connectez, le coffre-fort est ouvert, et le courriel est alors déplacé dans le coffre-fort hors de la file d'attente où il est déchiffré par la clé privée correspondante. + + StartMail supporte l'import de [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts), cependant, ils ne sont accessibles que dans le webmail et non par des protocoles tels que [CalDAV](https://fr.wikipedia.org/wiki/CalDAV). Les contacts ne sont pas non plus stockés à l'aide d'un chiffrement à connaissance zéro. + +??? success "Chiffrement des e-mails" + + StartMail dispose d'un [chiffrement intégré](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) dans son webmail, ce qui simplifie l'envoi de messages chiffrés avec des clés OpenPGP publiques. + +??? warning "Héritage numérique" + + StartMail ne propose pas de fonction d'héritage numérique. + +??? info "Résiliation du compte" + + À l'expiration du compte, StartMail supprimera définitivement votre compte après [6 mois en 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +??? info "Fonctionnalités supplémentaires" + + StartMail permet de faire passer les images des e-mails par leur serveur proxy. Si vous autorisez le chargement de l'image distante, l'expéditeur ne saura pas quelle est votre adresse IP. + +## D'autres fournisseurs + +Ces fournisseurs stockent vos e-mails avec un chiffrement à connaissance zéro, ce qui en fait d'excellentes options pour assurer la sécurité de vos courriels stockés. check "Sécurité du compte" + +### Tutanota + +!!! 
recommendation + + ![Logo Tutanota](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** est un service de messagerie électronique qui met l'accent sur la sécurité et la confidentialité grâce à l'utilisation du chiffrement. Tutanota est en activité depuis **2011** et est basée à Hanovre, en Allemagne. Les comptes commencent avec 1 Go de stockage avec leur offre gratuite. + + [:octicons-home-16: Page d'accueil](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Code source" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota ne prend pas en charge le [protocole IMAP](https://tutanota.com/faq/#imap) ni l'utilisation de [clients de messagerie](email-clients.md) tiers, et vous ne pourrez pas non plus ajouter [des comptes de messagerie externes](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) à l'application Tutanota. Ni [l'import d'e-mails](https://github.com/tutao/tutanota/issues/630) ni [les sous-dossiers](https://github.com/tutao/tutanota/issues/927) ne sont actuellement pris en charge, bien que cela soit [amené à changer](https://tutanota.com/blog/posts/kickoff-import). 
Les e-mails peuvent être exportés [individuellement ou par sélection groupée](https://tutanota.com/howto#generalMail) par dossier, ce qui peut s'avérer peu pratique si vous avez de nombreux dossiers. + +??? success "Domaines personnalisés et alias" + + Les comptes Tutanota payants peuvent utiliser jusqu'à 5 [aliases](https://tutanota.com/faq#alias) et [domaines personnalisés](https://tutanota.com/faq#custom-domain). Tutanota ne permet pas le [sous-adressage (adresses plus)](https://tutanota.com/faq#plus), mais vous pouvez utiliser un [fourre-tout](https://tutanota.com/howto#settings-global) avec un domaine personnalisé. + +??? warning "Modes de paiement privés" + + Tutanota n'accepte directement que les cartes de crédit et PayPal, mais les Bitcoin et Monero peuvent être utilisés pour acheter des cartes-cadeaux via leur [partenariat](https://tutanota.com/faq/#cryptocurrency) avec Proxystore. + +??? success "Sécurité du compte" + + Tutanota prend en charge l'[authentification à deux facteurs](https://tutanota.com/faq#2fa) avec TOTP ou U2F. + +??? success "Sécurité des données" + + Tutanota dispose d'un [chiffrement à accès zéro au repos](https://tutanota.com/faq#what-encrypted) pour vos e-mails, [contacts du carnet d'adresses](https://tutanota.com/faq#encrypted-address-book) et [calendriers](https://tutanota.com/faq#calendar). Cela signifie que les messages et autres données stockés dans votre compte ne sont lisibles que par vous. + +??? warning "Chiffrement des e-mails" + + Tutanota [n'utilise pas OpenPGP](https://www.tutanota.com/faq/#pgp). Les comptes Tutanota peuvent uniquement recevoir des e-mails chiffrés provenant de comptes de messagerie non Tutanota lorsqu'ils sont envoyés via une [boîte aux lettres temporaire Tutanota] (https://www.tutanota.com/howto/#encrypted-email-external). + +??? warning "Héritage numérique" + + Tutanota ne propose pas de fonction d'héritage numérique. + +??? 
info "Résiliation du compte" + + Tutanota [supprimera les comptes gratuits inactifs](https://tutanota.com/faq#inactive-accounts) après six mois. Vous pouvez réutiliser un compte gratuit désactivé si vous payez. + +??? info "Fonctionnalités supplémentaires" + + Tutanota propose la version professionnelle de [Tutanota pour les organisations à but non lucratif](https://tutanota.com/blog/posts/secure-email-for-non-profit) gratuitement ou avec une grosse réduction. + + Tutanota dispose également d'une fonction commerciale appelée [Secure Connect](https://tutanota.com/secure-connect/). Cela garantit que le contact du client avec l'entreprise utilise E2EE. La fonctionnalité coûte 240 €/an. + +## Services d'alias d'e-mails + +Un service d'alias d'e-mails vous permet de générer facilement une nouvelle adresse e-mail pour chaque site web auquel vous vous inscrivez. Les alias que vous créez sont ensuite transférés vers une adresse électronique de votre choix, ce qui permet de masquer à la fois votre adresse électronique "principale" et l'identité de votre fournisseur de messagerie. Un véritable alias d'e-mail est mieux que l'adressage plus, couramment utilisé et pris en charge par de nombreux fournisseurs, qui vous permet de créer des alias tels que votrenom+[nimportequoiici]@exemple.fr, car les sites web, les annonceurs et les réseaux de pistage peuvent trivialement supprimer tout ce qui suit le signe + pour connaître votre véritable adresse e-mail. + +L'alias d'e-mail peut servir de protection au cas où votre fournisseur d'e-mail cesserait de fonctionner. Dans ce cas, vous pouvez facilement rediriger vos alias vers une nouvelle adresse électronique. En revanche, vous faites confiance au service d'aliasing pour qu'il continue de fonctionner. 
+ +L'utilisation d'un service d'alias d'e-mail dédié présente également un certain nombre d'avantages par rapport à un alias fourre-tout sur un domaine personnalisé : + +- Les alias peuvent être activés et désactivés individuellement lorsque vous en avez besoin, ce qui empêche les sites web de vous envoyer des messages électroniques de façon aléatoire. +- Les réponses sont envoyées à partir de l'adresse alias, qui masque votre véritable adresse électronique. + +Ils présentent également un certain nombre d'avantages par rapport aux services qui fournissent des "e-mails temporaires" : + +- Les alias sont permanents et peuvent être réactivés si vous devez recevoir quelque chose comme une réinitialisation de mot de passe. +- Les courriels sont envoyés à votre boîte mails de confiance plutôt que d'être stockés par le fournisseur d'alias. +- Les services d'e-mails temporaires proposent généralement des boîtes mail publiques auxquelles peuvent accéder tous ceux qui connaissent l'adresse, tandis que les alias sont privés. + +Nos recommandations en matière d'alias d'e-mail sont des fournisseurs qui vous permettent de créer des alias sur des domaines qu'ils contrôlent, ainsi que sur votre ou vos propres domaine(s) personnalisé(s), pour un coût annuel modeste. Ils peuvent également être auto-hébergés si vous souhaitez un contrôle maximal. Toutefois, l'utilisation d'un domaine personnalisé peut présenter des inconvénients en matière de confidentialité : Si vous êtes la seule personne à utiliser votre domaine personnalisé, vos actions peuvent être facilement suivies sur les sites web en regardant simplement le nom de domaine dans l'adresse électronique et en ignorant tout ce qui se trouve avant le signe arobase (@). + +L'utilisation d'un service d'alias nécessite de faire confiance à la fois à votre fournisseur de messagerie et à votre fournisseur d'alias pour vos messages non chiffrés. 
Certains fournisseurs atténuent légèrement ce problème grâce au chiffrement automatique PGP, qui réduit le nombre de services auxquels vous devez faire confiance de deux à un en chiffrant les e-mails entrants avant qu'ils ne soient remis à votre fournisseur de boîte mail final. + +### AnonAddy + +!!! recommendation + + ![Logo AnonAddy](assets/img/email/anonaddy.svg#only-light){ align=right } + ![Logo AnonAddy](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** vous permet de créer gratuitement 20 alias de domaine sur un domaine partagé, ou un nombre illimité d'alias "standard" qui sont moins anonymes. + + [:octicons-home-16: Page d'accueil](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Code source" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/fr/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +Le nombre d'alias partagés (qui se terminent par un domaine partagé comme @anonaddy.me) que vous pouvez créer est limité à 20 sur l'offre gratuite d'AnonAddy et à 50 sur leur offre à 12 $/an. 
Vous pouvez créer un nombre illimité d'alias standard (qui se terminent par un domaine tel que @[nomdutilisateur].anonaddy.com ou un domaine personnalisé sur les offres payantes), mais, comme nous l'avons déjà mentionné, cela peut nuire à la confidentialité car les gens peuvent trivialement relier vos alias standard en se basant sur le seul nom de domaine. Des alias partagés illimités sont disponibles pour 36 $/an. + +Fonctions gratuites notables : + +- [x] 20 Alias partagés +- [x] Alias standard illimités +- [ ] Pas de réponses sortantes +- [x] 2 Boîtes mail de réception +- [x] Chiffrement automatique PGP + +### SimpleLogin + +!!! recommendation + + ![Logo Simplelogin](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** est un service gratuit qui fournit des alias d'e-mail sur une variété de noms de domaine partagés, et offre en option des fonctionnalités payantes comme des alias illimités et des domaines personnalisés. + + [:octicons-home-16: Page d'accueil](https://simplelogin.io/fr/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Code source" } + + ??? 
downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/fr/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin a été [acquis par Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) à compter du 8 avril 2022. Si vous utilisez Proton Mail pour votre boîte mail principale, SimpleLogin est un excellent choix. Les deux produits étant désormais détenus par la même société, vous ne devez plus faire confiance qu'à une seule entité. Nous supposons également que SimpleLogin sera plus étroitement intégré aux offres de Proton à l'avenir. SimpleLogin continue de prendre en charge la redirection vers le fournisseur de messagerie de votre choix. Securitum [a audité](https://simplelogin.io/blog/security-audit/) SimpleLogin début 2022 et tous les problèmes [ont été résolus](https://simplelogin.io/audit2022/web.pdf). + +Vous pouvez lier votre compte SimpleLogin avec votre compte Proton dans les paramètres de SimpleLogin. Si vous avez l'offre Proton Illimité, Entreprise, ou Visionnaire, vous aurez SimpleLogin Premium gratuitement. + +Fonctions gratuites notables : + +- [x] 10 Alias partagés +- [x] Réponses illimitées +- [x] 1 Boîte mail de réception + +## E-mail auto-hébergé + +Les administrateurs système peuvent envisager de mettre en place leur propre serveur de messagerie. 
Les serveurs de messagerie requièrent une attention et une maintenance permanente afin de garantir la sécurité et la fiabilité de la distribution des e-mails. + +### Solutions logicielles combinées + +!!! recommendation + + ![Logo Mailcow](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** est un serveur de messagerie plus avancé, parfait pour ceux qui ont un peu plus d'expérience de Linux. Il possède tout ce dont vous avez besoin dans un conteneur Docker : Un serveur de messagerie avec prise en charge de DKIM, une surveillance antivirus et spam, un webmail et ActiveSync avec SOGo, et une administration basée sur le web avec prise en charge de 2FA. + + [:octicons-home-16: Page d'accueil](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Code source" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribuer } + +!!! recommendation + + ![Logo Mail-in-a-Box](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** est un script de configuration automatisé pour le déploiement d'un serveur de messagerie sur Ubuntu. Son objectif est de faciliter la mise en place d'un serveur de courrier électronique. + + [:octicons-home-16: Page d'accueil](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Code source" } + +Nous préférons que nos prestataires recommandés collectent le moins de données possible. 
+ +- [Configuration d'un serveur de messagerie avec OpenSMTPD, Dovecot et Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [Comment gérer votre propre serveur de messagerie](https://www.c0ffee.net/blog/mail-server-guide/) (août 2017) + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des fournisseurs que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour tout fournisseur d'email souhaitant être recommandé, y compris la mise en place des bonnes pratiques du secteur, une technologie moderne et bien plus. Nous vous suggérons de vous familiariser avec cette liste avant de choisir un fournisseur d'e-mails, et de mener vos propres recherches pour vous assurer que le fournisseur d'e-mails que vous choisissez est le bon choix pour vous. + +### Technologie + +Nous considérons ces caractéristiques comme importantes afin de fournir un service sûr et optimal. Vous devez vous demander si le fournisseur possède les caractéristiques dont vous avez besoin. + +**Le Meilleur Cas:** + +- Chiffre les données du compte de messagerie au repos avec un chiffrement à accès zéro. +- Capacité d'export en tant que [Mbox](https://fr.wikipedia.org/wiki/Mbox) ou .eml individuel avec standard [RFC5322](https://datatracker.ietf.org/doc/rfc5322/). +- Permet aux utilisateurs d'utiliser leur propre [nom de domaine](https://fr.wikipedia.org/wiki/Nom_de_domaine). Les noms de domaine personnalisés sont importants pour les utilisateurs car ils leur permettent de conserver leur indépendance du service, au cas où celui-ci tournerait mal ou serait racheté par une autre société qui ne donne pas priorité à la vie privée. +- Fonctionne sur sa propre infrastructure, c'est-à-dire qu'elle ne repose pas sur des fournisseurs de services de messagerie tiers. 
+ +**Dans le meilleur des cas :** + +- Chiffre toutes les données du compte (contacts, calendriers, etc.) au repos avec un chiffrement à accès zéro. +- Un webmail intégré avec chiffrement E2EE/PGP est fourni à titre de commodité. +- Prise en charge de [WKD](https://wiki.gnupg.org/WKD) pour permettre une meilleure découverte des clés publiques OpenPGP via HTTP. Les utilisateurs de GnuPG peuvent obtenir une clé en tapant : `gpg --locate-key utilisateur_exemple@exemple.fr` +- Prise en charge d'une boîte mail temporaire pour les utilisateurs externes. Cette fonction est utile lorsque vous souhaitez envoyer un e-mail chiffré, sans envoyer une copie réelle à votre destinataire. Ces e-mails ont généralement une durée de vie limitée et sont ensuite automatiquement supprimés. Ils n'obligent pas non plus le destinataire à configurer un système de chiffrement comme OpenPGP. +- Disponibilité des services du fournisseur de courrier électronique via un [service onion](https://en.wikipedia.org/wiki/.onion). +- Prise en charge du [sous-adressage](https://en.wikipedia.org/wiki/Email_address#Subaddressing). +- Fonctionnalité fourre-tout ou alias pour ceux qui possèdent leurs propres domaines. +- Utilisation de protocoles standard d'accès au e-mails tels que IMAP, SMTP ou [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Les protocoles d'accès standard garantissent que les clients peuvent facilement télécharger l'ensemble de leur courrier électronique, s'ils souhaitent changer de fournisseur. + +### Confidentialité + +Nous préférons que nos prestataires recommandés collectent le moins de données possible. + +**Le Meilleur Cas:** + +- Protéger l'adresse IP de l'expéditeur. Filtrez-la pour qu'elle n'apparaisse pas dans le champ d'en-tête `Received`. +- Ne demandez pas d'Informations Personnelles Identifiables (PII) en plus d'un nom d'utilisateur et d'un mot de passe. +- Politique de confidentialité répondant aux exigences définies par le RGPD. 
+- Ne doit pas être hébergé aux États-Unis en raison de [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) qui doit [encore être réformé](https://epic.org/ecpa/). + +**Dans le meilleur des cas :** + +- Accepte le Bitcoin, les espèces et d'autres formes de crypto-monnaies et/ou options de paiement anonymes (cartes-cadeaux, etc.). + +### Sécurité + +Les serveurs de courrier électronique traitent un grand nombre de données très sensibles. Nous nous attendons à ce que les prestataires adoptent les meilleures pratiques du secteur afin de protéger leurs membres. + +**Le Meilleur Cas:** + +- Protection du webmail avec 2FA, tel que TOTP. +- Le chiffrement à accès zéro, qui complète le chiffrement au repos. Le fournisseur ne dispose pas des clés de déchiffrement des données qu'il détient. Cela permet d'éviter qu'un employé malhonnête ne divulgue les données auxquelles il a accès ou qu'un adversaire distant ne divulgue les données qu'il a volées en obtenant un accès non autorisé au serveur. +- Prise en charge de [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). +- Aucune erreurs ou vulnérabilités TLS lors du profilage par des outils tels que [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), ou [Qualys SSL Labs](https://www.ssllabs.com/ssltest); cela inclut les erreurs liées aux certificats et les paramètres DH faibles, tels que ceux qui ont conduit à [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- Une préférence, pour les serveurs (facultatif sur TLSv1.3), pour les suites de chiffrement fortes qui prennent en charge la confidentialité persistante et le chiffrement authentifié. +- Une politique valide [MTA-STS](https://tools.ietf.org/html/rfc8461) et [TLS-RPT](https://tools.ietf.org/html/rfc8460). +- Des enregistrements [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) valides. 
+- Des enregistrements [SPF](https://fr.wikipedia.org/wiki/Sender_Policy_Framework) et [DKIM](https://fr.wikipedia.org/wiki/DomainKeys_Identified_Mail) valides. +- Disposer d'un enregistrement et d'une politique [DMARC](https://fr.wikipedia.org/wiki/DMARC) appropriés ou utiliser [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) pour l'authentification. Si l'authentification DMARC est utilisée, la politique doit être définie comme suit : `reject` ou `quarantine`. +- Une préférence pour les serveurs avec TLS 1.2 ou plus et un plan pour [retirer TLSv1.0 et TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/). +- Une soumission [SMTPS](https://en.wikipedia.org/wiki/SMTPS), en supposant que le SMTP est utilisé. +- Des normes de sécurité des sites web telles que : + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - Une [Intégrité des sous-ressources](https://en.wikipedia.org/wiki/Subresource_Integrity) si des éléments sont chargés depuis des domaines externes. +- Doit prendre en charge l'affichage des [en-têtes de message](https://en.wikipedia.org/wiki/Email#Message_header), car il s'agit d'une fonction d'analyse scientifique essentielle pour déterminer si un e-mail est une tentative de hammeçonnage. + +**Dans le meilleur des cas :** + +- Prise en charge de l'authentification matérielle, à savoir Prise en charge de l'authentification matérielle, à savoir U2F et [WebAuthn](https://fr.wikipedia.org/wiki/WebAuthn). U2F et WebAuthn sont plus sûrs car ils utilisent une clé privée stockée sur un dispositif matériel côté client pour authentifier les personnes, par opposition à un secret partagé qui est stocké sur le serveur web et côté client lors de l'utilisation de TOTP. De plus, U2F et WebAuthn sont plus résistants au phishing car leur réponse d'authentification est basée sur le [nom de domaine](https://fr.wikipedia.org/wiki/Nom_de_domaine) authentifié. 
+- Un [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) en plus de la prise en charge de DANE. +- Prise en charge de [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), utile pour les personnes qui publient sur des listes de diffusion [RFC8617](https://tools.ietf.org/html/rfc8617). +- Des programmes de primes aux bugs et/ou un processus coordonné de divulgation des vulnérabilités. +- Des normes de sécurité des sites web telles que : + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct) + +### Confiance + +Vous ne confieriez pas vos finances à une personne ayant une fausse identité, alors pourquoi lui confier vos e-mails ? Nous exigeons de nos fournisseurs recommandés qu'ils rendent public leur propriété ou leur direction. Nous aimerions également voir des rapports de transparence fréquents, notamment en ce qui concerne la manière dont les demandes de gouvernement sont traitées. + +**Le Meilleur Cas:** + +- Une direction ou un propriétaire public. + +**Dans le meilleur des cas :** + +- Une direction publique. +- Rapports de transparence fréquents. + +### Marketing + +Avec les fournisseurs de courrier électronique que nous recommandons, nous aimons voir un marketing responsable. + +**Le Meilleur Cas:** + +- Doit héberger lui-même ses outils d'analyse de traffic (pas de Google Analytics, Adobe Analytics, etc.). Le site du fournisseur doit également se conformer à [DNT (Do Not Track)](https://fr.wikipedia.org/wiki/Do_Not_Track) pour ceux qui souhaitent refuser. + +Ne doit pas avoir de marketing irresponsable : + +- Prétendre à un "chiffrement incassable". Le chiffrement doit être utilisé en supposant qu'il ne soit plus secret dans le futur, lorsque la technologie existera pour le décrypter. +- Garantir la protection de l'anonymat à 100%. 
Lorsque quelqu'un prétend que quelque chose est à 100%, cela signifie qu'il n'y a aucune certitude d'échec. Nous savons que les gens peuvent assez facilement se désanonymiser de plusieurs façons, par exemple : + +- Réutiliser des informations personnelles (comptes de messagerie, pseudonymes uniques, etc.) auxquelles ils ont eu accès sans logiciel d'anonymat (Tor, VPN, etc.). +- [Empreinte digitale des navigateurs](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Dans le meilleur des cas :** + +- Une documentation claire et facile à lire. Notamment pour la mise en place du 2FA, des clients de messagerie, d'OpenPGP, etc. + +### Fonctionnalités Supplémentaires + +Bien qu'il ne s'agisse pas d'exigences strictes, nous avons pris en compte d'autres facteurs liés à la commodité ou à la confidentialité pour déterminer les fournisseurs à recommander. + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/encryption.md b/i18n/fr/encryption.md new file mode 100644 index 00000000..b7ca5f86 --- /dev/null +++ b/i18n/fr/encryption.md 
@@ -0,0 +1,357 @@
+---
+title: "Logiciels de chiffrement"
+icon: material/file-lock
+---
+
+Le chiffrement des données est le seul moyen de contrôler de qui peut y accéder. Si vous n'utilisez pas actuellement de logiciel de chiffrement pour votre disque dur, vos e-mails ou vos fichiers, vous devriez choisir une option ici.
+
+## Multi-plateforme
+
+Les options répertoriées ici sont multiplateformes et parfaites pour créer des sauvegardes chiffrées de vos données.
+
+### Cryptomator (Cloud)
+
+!!! recommendation
+
+ ![Logo Cryptomator](assets/img/encryption-software/cryptomator.svg){ align=right }
+
+ **Cryptomator** est une solution de chiffrement conçue pour enregistrer vos fichiers de manière privée vers n'importe quel fournisseur de cloud. Il vous permet de créer des coffres-forts qui sont stockés sur un disque virtuel, dont le contenu est chiffré et synchronisé avec votre fournisseur de stockage cloud.
+
+ [:octicons-home-16: Page d'accueil](https://cryptomator.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Politique de Confidentialité" }
+ [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Code Source" }
+ [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribuer }
+
+ ???
downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:simple-android: Android](https://cryptomator.org/android)
+ - [:simple-windows11: Windows](https://cryptomator.org/downloads)
+ - [:simple-apple: macOS](https://cryptomator.org/downloads)
+ - [:simple-linux: Linux](https://cryptomator.org/downloads)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+
+Cryptomator utilise le chiffrement AES-256 pour chiffrer les fichiers et les noms de fichiers. Cryptomator ne peut pas chiffrer certaines métadonnées telles que les dates et heures d'accès, de modification et de création, ni le nombre et la taille des fichiers et des dossiers.
+
+Certaines bibliothèques cryptographiques de Cryptomator ont été [auditées](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) par Cure53. La portée des bibliothèques auditées comprend: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) et [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). L'audit ne s'est pas étendu à [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), qui est une bibliothèque utilisée par Cryptomator pour iOS.
+
+La documentation de Cryptomator détaille sa [cible de sécurité](https://docs.cryptomator.org/en/latest/security/security-target/), son [architecture de sécurité](https://docs.cryptomator.org/en/latest/security/architecture/), et ses [meilleures pratiques](https://docs.cryptomator.org/en/latest/security/best-practices/) prévues pour une utilisation de manière plus détaillée.
+
+### Picocrypt (Fichier)
+
+!!!
recommendation
+
+ ![Logo de Picocrypt](assets/img/encryption-software/picocrypt.svg){ align=right }
+
+ **Picocrypt** est un outil de chiffrement léger et simple qui fournit un chiffrement moderne. Picocrypt utilise le chiffrement sécurisé XChaCha20 et la fonction de dérivation de clé Argon2id pour assurer un haut niveau de sécurité. Il utilise les modules x/crypto standards de Go pour ses fonctions de chiffrement.
+
+ [:octicons-repo-16: Dépôt](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribuer }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases)
+
+### VeraCrypt (Disque)
+
+!!! recommendation
+
+ ![logo VeraCrypt](assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
+ ![logo VeraCrypt](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
+
+ **VeraCrypt** est un utilitaire gratuit et open source pour le chiffrement de fichiers/dossiers à la volée. Il peut créer un disque virtuel chiffré dans un fichier, chiffrer une partition ou l'ensemble du périphérique de stockage avec une authentification avant le démarrage.
+
+ [:octicons-home-16: Page d'accueil](https://veracrypt.fr){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribuer }
+
+ ???
downloads "Téléchargements"
+
+ - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
+
+VeraCrypt est un dérivé du projet TrueCrypt, qui a été abandonné. Selon ses développeurs, des améliorations de la sécurité ont été apportées et les problèmes soulevés par l'audit initial du code de TrueCrypt ont été résolus.
+
+Lors du chiffrement avec VeraCrypt, vous avez la possibilité de choisir parmi différentes [fonctions de hachage](https://fr.wikipedia.org/wiki/VeraCrypt#Syst%C3%A8me_de_chiffrement). Nous vous suggérons de **seulement** sélectionner [SHA-512](https://fr.wikipedia.org/wiki/SHA-2) et de vous en tenir au [chiffrement par blocs AES](https://fr.wikipedia.org/wiki/Advanced_Encryption_Standard).
+
+Truecrypt a été [audité un certain nombre de fois](https://fr.wikipedia.org/wiki/TrueCrypt#Audit_global_du_logiciel_en_2013) et VeraCrypt a également été [audité séparément](https://fr.wikipedia.org/wiki/VeraCrypt#Audit).
+
+## Chiffrement complet du disque du système d'exploitation
+
+Les systèmes d'exploitation modernes incluent le [Chiffrement de Disque](https://fr.wikipedia.org/wiki/Chiffrement_de_disque) et utiliseront un [cryptoprocesseur sécurisé](https://fr.wikipedia.org/wiki/Cryptoprocesseur_s%C3%A9curis%C3%A9).
+
+### BitLocker
+
+!!! recommendation
+
+ ![Logo BitLocker](assets/img/encryption-software/bitlocker.png){ align=right }
+
+ **BitLocker** est la solution de chiffrement intégral de volume fournie avec Microsoft Windows. La principale raison pour laquelle nous le recommandons est son [utilisation du TPM](https://docs.microsoft.com/fr-fr/windows/security/information-protection/tpm/how-windows-uses-the-tpm).
[ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), une entreprise de forensique, a écrit à ce sujet dans [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).
+
+ [:octicons-info-16:](https://docs.microsoft.com/fr-fr/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation}
+
+BitLocker est [uniquement pris en charge](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) sur les éditions Pro, Entreprise et Éducation de Windows. Il peut être activé sur les éditions Famille à condition qu'elles remplissent les pré-requis.
+
+??? example "Activer BitLocker sur Windows Famille"
+
+ Pour activer BitLocker sur les éditions "Famille" de Windows, vous devez formater vos partitions avec une [Table de Partitionnement GUID](https://fr.wikipedia.org/wiki/GUID_Partition_Table) et disposer d'un module TPM dédié (v1.2, 2.0+).
+
+ 1. Ouvrez une invite de commande et vérifiez le format de la table de partition de votre disque à l'aide de la commande suivante. Vous devriez voir "**GPT**" listé sous "Style de partition" :
+
+ ```
+ powershell Get-Disk
+ ```
+
+ 2. Exécutez cette commande (dans une invite de commande administrateur) pour vérifier la version de votre TPM. Vous devriez voir `2.0` ou `1.2` listé à côté de `SpecVersion`:
+
+ ```
+ powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm
+ ```
+
+ 3. Accédez à [Options de démarrage avancées](https://support.microsoft.com/fr-fr/windows/options-de-d%C3%A9marrage-avanc%C3%A9es-y-compris-le-mode-sans-%C3%A9chec-b90e7808-80b5-a291-d4b8-1a1af602b617). Vous devez redémarrer en appuyant sur la touche F8 avant que Windows ne démarre et aller dans l'*invite de commande* dans **Dépannage** → **Options avancées** → **Invite de commande**.
+
+ 4.
Connectez-vous avec votre compte administrateur et tapez ceci dans l'invite de commande pour lancer le chiffrement:
+
+ ```
+ manage-bde -on c: -used
+ ```
+
+ 5. Fermez l'invite de commande et continuez le démarrage vers Windows normalement.
+
+ 6. Ouvrez une invite de commande administrateur et exécutez les commandes suivantes:
+
+ ```
+ manage-bde c: -protectors -add -rp -tpm
+ manage-bde -protectors -enable c:
+ manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
+ ```
+
+ !!! tip "Conseil"
+
+ Sauvegardez le fichier `BitLocker-Recovery-Key.txt` de votre ordinateur de bureau sur un périphérique de stockage distinct. La perte de ce code de récupération peut entraîner la perte de données.
+
+### FileVault
+
+!!! recommendation
+
+ ![Logo FileVault](assets/img/encryption-software/filevault.png){ align=right }
+
+ **FileVault** est la solution de chiffrement de volume à la volée intégrée à macOS. FileVault est recommandé parce qu'il [tire profit](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) de capacités de sécurité matérielle présentes sur un SoC de silicium Apple ou une Puce de Sécurité T2.
+
+ [:octicons-info-16:](https://support.apple.com/fr-fr/guide/mac-help/mh11785/mac){ .card-link title=Documentation}
+
+Nous recommandons de stocker une clé de récupération locale dans un endroit sûr plutôt que d'utiliser votre compte iCloud pour la récupération.
+
+### Linux Unified Key Setup
+
+!!! recommendation
+
+ ![Logo LUKS](assets/img/encryption-software/luks.png){ align=right }
+
+ **LUKS** est la méthode de chiffrement de disque par défaut pour Linux. Elle peut être utilisée pour chiffrer des volumes complets, des partitions ou créer des conteneurs chiffrés.
+
+ [:octicons-home-16: Page d'accueil](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Code source" }
+
+??? example "Créer et ouvrir des conteneurs chiffrés"
+
+ ```
+ dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
+ sudo cryptsetup luksFormat /path-to-file
+ ```
+
+
+ #### Ouvrir des conteneurs chiffrés
+ Nous recommandons d'ouvrir les conteneurs et les volumes avec `udisksctl` car cela utilise [Polkit](https://fr.wikipedia.org/wiki/Polkit). La plupart des gestionnaires de fichiers, tels que ceux inclus dans les environnements de bureau les plus courants, peuvent déverrouiller les fichiers chiffrés. Des outils comme [udiskie](https://github.com/coldfix/udiskie) peuvent s'exécuter dans la barre d'état système et fournir une interface utilisateur utile.
+ ```
+ udisksctl loop-setup -f /path-to-file
+ udisksctl unlock -b /dev/loop0
+ ```
+
+!!! note "N'oubliez pas de sauvegarder les en-têtes de volume"
+
+ Nous vous recommandons de toujours [sauvegarder vos en-têtes LUKS](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) en cas de panne partielle du lecteur. Cela peut être fait avec :
+
+ ```
+ cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
+ ```
+
+## Basé sur le navigateur
+
+Le chiffrement basé sur le navigateur peut être utile lorsque vous avez besoin de chiffrer un fichier, mais que vous ne pouvez pas installer de logiciel ou d'applications sur votre appareil.
+
+### hat.sh
+
+!!!
recommendation
+
+ ![logo hat.sh](assets/img/encryption-software/hat-sh.png#only-light){ align=right }
+ ![logo hat.sh](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
+
+ **Hat.sh** est une application web qui fournit un chiffrement sécurisé des fichiers dans votre navigateur. Il peut également être auto-hébergé et est utile si vous devez chiffrer un fichier mais que vous ne pouvez pas installer de logiciel sur votre appareil en raison de politiques d'entreprises.
+
+ [:octicons-globe-16: Page d'accueil](https://hat.sh){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Les méthodes de dons se trouvent au bas du site web" }
+
+## Ligne de commande
+
+Les outils dotés d'une interface de ligne de commande sont utiles pour intégrer des [scripts shell](https://fr.wikipedia.org/wiki/Script_shell).
+
+### Kryptor
+
+!!! recommendation
+
+ ![Logo Kryptor](assets/img/encryption-software/kryptor.png){ align=right }
+
+ **Kryptor** est un outil gratuit et open source de chiffrement et de signature de fichiers qui utilise des algorithmes cryptographiques modernes et sécurisés. Il vise à être une meilleure version d'[age](https://github.com/FiloSottile/age) et [Minisign](https://jedisct1.github.io/minisign/) pour fournir une alternative simple et facile à GPG.
+
+ [:octicons-home-16: Page d'accueil](https://www.kryptor.co.uk){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribuer }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-windows11: Windows](https://www.kryptor.co.uk)
+ - [:simple-apple: macOS](https://www.kryptor.co.uk)
+ - [:simple-linux: Linux](https://www.kryptor.co.uk)
+
+### Tomb
+
+!!! recommendation
+
+ ![Logo de Tomb](assets/img/encryption-software/tomb.png){ align=right }
+
+ **Tomb** est un outil pour LUKS en ligne de commande shell. Il prend en charge la stéganographie via des [outils tiers](https://github.com/dyne/Tomb#how-does-it-work).
+
+ [:octicons-home-16: Page d'accueil](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribuer }
+
+## OpenPGP
+
+OpenPGP est parfois nécessaire pour des tâches spécifiques telles que la signature numérique et le chiffrage des e-mails. PGP possède de nombreuses fonctionnalités et est [complexe](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) car il existe depuis longtemps. Pour des tâches telles que la signature ou le chiffrement des fichiers, nous suggérons les options ci-dessus.
+
+Lorsque vous chiffrez avec PGP, vous avez la possibilité de configurer différentes options dans votre fichier `gpg.conf` .
Nous recommandons de suivre les options standard spécifiées dans la [FAQ de l'utilisateur de GnuPG](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
+
+!!! tip "Utiliser future-defaults lors de la génération d'une clé"
+
+ Lorsque vous [générez des clés](https://www.gnupg.org/gph/en/manual/c14.html), nous vous suggérons d'utiliser la commande `future-default` car elle demandera à GnuPG d'utiliser de la cryptographie moderne telle que [Curve25519](https://fr.wikipedia.org/wiki/Curve25519) et [Ed25519](https://ed25519.cr.yp.to/) :
+
+ ```bash
+ gpg --quick-gen-key alice@exemple.com future-default
+ ```
+
+### GNU Privacy Guard
+
+!!! recommendation
+
+ ![Logo de GNU Privacy Guard](assets/img/encryption-software/gnupg.svg){ align=right }
+
+ **GnuPG** est une alternative sous licence GPL de la suite de logiciels cryptographiques PGP. GnuPG est conforme [RFC 4880](https://tools.ietf.org/html/rfc4880), qui est la spécification actuelle de l'IETF pour OpenPGP. Le projet GnuPG a travaillé sur une [nouvelle ébauche](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) dans le but de moderniser OpenPGP. GnuPG fait partie du projet logiciel GNU de la Free Software Foundation et a reçu un [financement](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) majeur du gouvernement allemand.
+
+ [:octicons-home-16: Page d'accueil](https://gnupg.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Code source" }
+
+ ???
downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+ - [:simple-apple: macOS](https://gpgtools.org)
+ - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary)
+
+### GPG4win
+
+!!! recommendation
+
+ ![Logo GPG4win](assets/img/encryption-software/gpg4win.svg){ align=right }
+
+ **GPG4win** est un paquet pour Windows de [Intevation et g10 Code](https://gpg4win.org/impressum.html). Il comprend [divers outils](https://gpg4win.org/about.html) qui peuvent vous aider à utiliser GPG sous Microsoft Windows. Le projet a été lancé et initialement [financé par](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) l'Office Fédéral allemand pour la Sécurité de l'Information (BSI) en 2005.
+
+ [:octicons-home-16: Page d'accueil](https://gpg4win.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribuer }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+
+### GPG Suite
+
+!!! note "À noter"
+
+ Nous suggérons [Canary Mail](email-clients.md#canary-mail) pour utiliser PGP avec les e-mails sur les appareils iOS.
+
+!!! recommendation
+
+ ![Logo de GPG Suite](assets/img/encryption-software/gpgsuite.png){ align=right }
+
+ **GPG Suite** fournit un support OpenPGP pour [Courrier Apple](email-clients.md#apple-mail) et macOS.
+
+ Nous vous recommandons de consulter leurs [Premiers pas](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) et leur [Base de connaissances](https://gpgtools.tenderapp.com/kb) pour obtenir de l'aide.
+
+ [:octicons-home-16: Page d'accueil](https://gpgtools.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Code source" }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-apple: macOS](https://gpgtools.org)
+
+### OpenKeychain
+
+!!! recommendation
+
+ ![Logo OpenKeychain](assets/img/encryption-software/openkeychain.svg){ align=right }
+
+ **OpenKeychain** est une implémentation Android de GnuPG. Elle est généralement requise par les clients de messagerie comme [K-9 Mail](email-clients.md#k-9-mail) et [FairEmail](email-clients.md#fairemail) et d'autres applications Android pour fournir la prise en charge du chiffrement. Cure53 a réalisé un [audit de sécurité](https://www.openkeychain.org/openkeychain-3-6) d'OpenKeychain 3.6 en octobre 2015. Les détails techniques concernant l'audit et les solutions d'OpenKeychain peuvent être trouvés [ici](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).
+
+ [:octicons-home-16: Page d'accueil](https://www.openkeychain.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Code source" }
+
+ ???
downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+
+## Critères
+
+**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous.
+
+!!! example "Cette section est récente"
+
+ Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours.
+
+### Qualifications minimales
+
+- Les applications de chiffrement multiplateforme doivent être open-source.
+- Les applications de chiffrement de fichiers doivent prendre en charge le déchiffrement sur Linux, macOS et Windows.
+- Les applications de chiffrement de disques externes doivent prendre en charge le déchiffrement sur Linux, macOS et Windows.
+- Les applications de chiffrement de disques internes (OS) doivent être multiplateforme ou intégrées nativement au système d'exploitation.
+
+### Dans le meilleur des cas
+
+Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie.
Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page.
+
+- Les applications de chiffrement du système d'exploitation (FDE) devraient utiliser une sécurité matérielle telle qu'un TPM ou Secure Enclave.
+- Les applications de chiffrement de fichiers doivent bénéficier d'une prise en charge native ou tierce pour les plateformes mobiles.
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/file-sharing.md b/i18n/fr/file-sharing.md
new file mode 100644
index 00000000..73a01489
--- /dev/null
+++ b/i18n/fr/file-sharing.md
@@ -0,0 +1,148 @@
+---
+title: "Partage et synchronisation de fichiers"
+icon: material/share-variant
+---
+
+Découvrez comment partager vos fichiers en toute confidentialité entre vos appareils, avec vos amis et votre famille, ou de manière anonyme en ligne.
+
+## Partage de fichiers
+
+### Envoyer
+
+!!! recommendation
+
+ ![Logo de Send](assets/img/file-sharing-sync/send.svg){ align=right }
+
+ **Send** est un dérivé du service Firefox Send de Mozilla, qui a été abandonné, et qui vous permet d'envoyer des fichiers à d'autres personnes à l'aide d'un lien. Les fichiers sont cryptés sur votre appareil afin qu'ils ne puissent pas être lus par le serveur, et ils peuvent également être protégés par un mot de passe. Le responsable de Send héberge une [instance publique](https://send.vis.ee/). Vous pouvez utiliser d'autres instances publiques, ou vous pouvez héberger Send vous-même.
+
+ [:octicons-home-16: Page d'accueil](https://send.vis.ee){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Instances Publiques"}
+ [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Code Source" }
+ [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribuer }
+
+Send peut être utilisé via son interface web ou via le CLI [ffsend](https://github.com/timvisee/ffsend) . Si vous êtes familier avec la ligne de commande et que vous envoyez fréquemment des fichiers, nous vous recommandons d'utiliser le client CLI pour éviter le cryptage basé sur JavaScript. Vous pouvez spécifier le flag `--host` pour utiliser un serveur spécifique :
+
+```bash
+ffsend upload --host https://send.vis.ee/ FICHIER
+```
+
+### OnionShare
+
+!!!
recommendation
+
+ ![Logo OnionShare](assets/img/file-sharing-sync/onionshare.svg){ align=right }
+
+ **OnionShare** est un outil open-source qui vous permet de partager de manière sécurisée et anonyme un fichier de n'importe quelle taille. Il fonctionne en démarrant un serveur web accessible en tant que service oignon Tor, avec une URL non devinable que vous pouvez partager avec les destinataires pour télécharger ou envoyer des fichiers.
+
+ [:octicons-home-16: Page d'accueil](https://onionshare.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-windows11: Windows](https://onionshare.org/#download)
+ - [:simple-apple: macOS](https://onionshare.org/#download)
+ - [:simple-linux: Linux](https://onionshare.org/#download)
+
+### Critères
+
+**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous.
+
+!!! example "Cette section est récente"
+
+ Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste.
De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours.
+
+- Ne doit pas stocker des données déchiffrées sur un serveur distant.
+- Doit être un logiciel open source.
+- Doit avoir soit des clients pour Linux, macOS et Windows, soit une interface web.
+
+## FreedomBox
+
+!!! recommendation
+
+ ![Logo FreedomBox](assets/img/file-sharing-sync/freedombox.svg){ align=right }
+
+ **FreedomBox** est un système d'exploitation conçu pour être exécuté sur un [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). L'objectif est de faciliter la mise en place d'applications serveur que vous pourriez vouloir auto-héberger.
+
+ [:octicons-home-16: Page d'accueil](https://freedombox.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation}
+ [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribuer }
+
+## Synchronisation de Fichiers
+
+### Nextcloud (Client-Serveur)
+
+!!! recommendation
+
+ ![Logo Nextcloud](assets/img/productivity/nextcloud.svg){ align=right }
+
+ **Nextcloud** est une suite de logiciels client-serveur gratuits et open-source permettant de créer vos propres services d'hébergement de fichiers sur un serveur privé que vous contrôlez.
+
+ [:octicons-home-16: Page d'accueil](https://nextcloud.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribuer }
+
+ ???
downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!! danger "Danger"
+
+ Nous ne recommandons pas l'utilisation de [l'application E2EE](https://apps.nextcloud.com/apps/end_to_end_encryption) pour Nextcloud car elle peut entraîner une perte de données ; elle est hautement expérimentale et n'est pas de qualité de production.
+
+### Syncthing (P2P)
+
+!!! recommendation
+
+ ![Logo de Syncthing](assets/img/file-sharing-sync/syncthing.svg){ align=right }
+
+ **Syncthing** est un utilitaire open-source de synchronisation continue de fichiers de pair à pair. Il est utilisé pour synchroniser des fichiers entre deux ou plusieurs appareils via le réseau local ou internet. Syncthing n'utilise pas de serveur centralisé ; il utilise le [Protocole d'Échange de Blocs](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) pour transférer les données entre appareils. Toutes les données sont chiffrées à l'aide de TLS.
+
+ [:octicons-home-16: Page d'accueil](https://syncthing.net){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Code Source" }
+ [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribuer }
+
+ ???
downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid)
+ - [:simple-windows11: Windows](https://syncthing.net/downloads/)
+ - [:simple-apple: macOS](https://syncthing.net/downloads/)
+ - [:simple-linux: Linux](https://syncthing.net/downloads/)
+ - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/)
+ - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/)
+ - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/)
+
+### Critères
+
+**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous.
+
+!!! example "Cette section est récente"
+
+ Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours.
+
+#### Exigences minimales
+
+- Ne doit pas nécessiter un serveur distant/cloud tiers.
+- Doit être un logiciel open source.
+- Doit avoir soit des clients pour Linux, macOS et Windows, soit une interface web.
+
+#### Dans le meilleur des cas
+
+Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie.
Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page.
+
+- Dispose de clients mobiles pour iOS et Android, qui permettent au moins de prévisualiser les documents.
+- Prend en charge la sauvegarde des photos à partir d'iOS et d'Android et, en option, la synchronisation des fichiers/dossiers sur Android.
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/frontends.md b/i18n/fr/frontends.md
new file mode 100644
index 00000000..98d9e33b
--- /dev/null
+++ b/i18n/fr/frontends.md
@@ -0,0 +1,268 @@ +--- +title: "Clients applicatifs" +icon: material/flip-to-front +--- + +Parfois, des services tentent de vous obliger à créer un compte en bloquant l'accès au contenu par des fenêtres pop-up gênantes. Ils peuvent également ne pas fonctionner sans JavaScript activé. Ces interfaces client peuvent vous permettre de contourner ces restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Logo Librarian](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Logo Librarian](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** est une interface client web gratuite et open source pour le réseau de partage vidéo [Odysee](https://odysee.com/) (LBRY) qui est également auto-hébergeable. + + Il existe un certain nombre d'instances publiques, dont certaines bénéficient de la prise en charge des services oignon [Tor](https://www.torproject.org). + + [:octicons-repo-16: Page d'accueil](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning "Avertissement" + + Par défaut Librarian n'utilise pas de proxy pour les flux vidéo. Les vidéos regardées via Librarian feront toujours l'objet de connexions directes aux serveurs d'Odysee (par exemple `odycdn.com`) ; cependant, certaines instances peuvent activer le proxy, ce qui serait détaillé dans la politique de confidentialité de l'instance. + +!!! tip "Conseil" + + Librarian est utile si vous voulez regarder du contenu LBRY sur votre mobile sans télémétrie obligatoire et si vous voulez désactiver JavaScript dans votre navigateur, comme c'est le cas avec [le navigateur Tor](https://www.torproject.org/) au niveau de sécurité Le plus sûr. 
+ +Lorsque vous auto-hébergez, il est important que d'autres personnes utilisent également votre instance pour que vous puissiez vous fondre dans la masse. Vous devez faire attention à l'endroit et à la manière dont vous hébergez Librarian, car l'utilisation par d'autres personnes sera liée à votre hébergement. + +Lorsque vous utilisez une instance de Librarian, veillez à lire la politique de confidentialité de cette instance spécifique. Les instances Librarian peuvent être modifiées par leurs propriétaires et peuvent donc ne pas refléter la politique de confidentialité qui leur est associée. Les instances Librarian comportent une "étiquette nutritionnelle de confidentialité" pour donner un aperçu de leur politique. Dans certains cas, les adresses Tor .onion peuvent garantir une certaine confidentialité tant que les requêtes de recherche ne contiennent pas d'informations personnelles identifiables. + +## Twitter + +### Nitter + +!!! recommendation + + ![Logo Nitter](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** est un frontal libre et open-source pour [Twitter](https://twitter.com) qui est également auto-hébergeable. + + Il existe un certain nombre d'instances publiques, dont certaines bénéficient de la prise en charge des services oignon [Tor](https://www.torproject.org). + + [:octicons-repo-16: Dépôt](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Instances Publiques"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Code Source" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribuer } + +!!! 
tip "Conseil" + + Nitter est utile si vous souhaitez naviguer sur le contenu de Twitter sans avoir à vous connecter et si vous souhaitez désactiver JavaScript dans votre navigateur, comme c'est le cas avec [Tor Browser](https://www.torproject.org/) au niveau de sécurité le plus sûr. Il vous permet également de [créer des flux RSS pour Twitter] (news-aggregators.md#twitter). + +Lorsque vous auto-hébergez, il est important que d'autres personnes utilisent également votre instance pour que vous puissiez vous fondre dans la masse. Vous devez faire attention à l'endroit et à la manière dont vous hébergez Nitter, car l'utilisation par d'autres personnes sera liée à votre hébergement. + +Lorsque vous utilisez une instance de Nitter, assurez-vous de lire la politique de confidentialité de cette instance spécifique. Les instances Nitter peuvent être modifiées par leurs propriétaires et peuvent donc ne pas refléter la politique par défaut. Dans certains cas, les adresses Tor .onion peuvent garantir une certaine confidentialité tant que les requêtes de recherche ne contiennent pas d'informations personnelles identifiables. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![Logo ProxiTok](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** est une interface client open source du site [TikTok](https://www.tiktok.com) qui est également auto-hébergeable. + + Il existe un certain nombre d'instances publiques, dont certaines bénéficient de la prise en charge des services oignon [Tor](https://www.torproject.org). + + [:octicons-repo-16: Dépôt](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Instances Publiques"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Code Source" } + +!!! 
tip "Conseil" + + ProxiTok est utile si vous souhaitez désactiver JavaScript dans votre navigateur, comme avec le [Navigateur Tor](https://www.torproject.org/) sur le niveau de sécurité Le plus sûr. + +Lorsque vous auto-hébergez, il est important que d'autres personnes utilisent également votre instance pour que vous puissiez vous fondre dans la masse. Vous devez faire attention à l'endroit et à la manière dont vous hébergez ProxiTok, car l'utilisation par d'autres personnes sera liée à votre hébergement. + +Lorsque vous utilisez une instance de ProxiTok, veillez à lire la politique de confidentialité de cette instance spécifique. Les instances ProxiTok peuvent être modifiées par leurs propriétaires et peuvent donc ne pas refléter la politique de confidentialité qui leur est associée. Dans certains cas, les adresses Tor .onion peuvent garantir une certaine confidentialité tant que les requêtes de recherche ne contiennent pas d'informations personnelles identifiables. + +## YouTube + +### FreeTube + +!!! recommendation + + ![Logo FreeTube](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** est une application de bureau gratuite et open-source pour [YouTube](https://youtube.com). Lorsque vous utilisez FreeTube, votre liste d'abonnement et vos listes de lecture sont enregistrées localement sur votre appareil. + + Par défaut, FreeTube bloque toutes les publicités YouTube. En outre, FreeTube intègre en option [SponsorBlock](https://sponsor.ajay.app) pour vous aider à sauter les segments de vidéos sponsorisées. 
+ + [:octicons-home-16: Page d'accueil](https://freetubeapp.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Politique de Confidentialité" } + [:octicons-info-16:](https://docs.freetubeapp.io){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Code Source" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning "Avertissement" + + Lorsque vous utilisez FreeTube, votre adresse IP peut encore être connue de YouTube, [Invidious](https://instances.invidious.io) ou [SponsorBlock](https://sponsor.ajay.app/) selon votre configuration. Il utilise un réseau de type [BitTorrent](https://wikipedia.org/wiki/BitTorrent) pour stocker le contenu vidéo, et une [blockchain](https://wikipedia.org/wiki/Blockchain) pour stocker les index de ces vidéos. + +### Yattee + +!!! recommendation + + ![Logo Yattee](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** est un lecteur vidéo gratuit et open-source orienté vie privée pour iOS, tvOS et macOS pour [YouTube](https://youtube.com). Lorsque vous utilisez Yattee, votre liste d'abonnement est enregistrée localement sur votre appareil. + + Vous devrez suivre quelques [étapes supplémentaires](https://gonzoknows.com/posts/Yattee/) avant de pouvoir utiliser Yattee pour regarder YouTube, en raison des restrictions de l'App Store. 
+ + [:octicons-home-16: Page d'accueil](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Politique de Confidentialité" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Code Source" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning "Avertissement" + + Lorsque vous utilisez Yattee, votre adresse IP peut encore être connue de YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) ou [SponsorBlock](https://sponsor.ajay.app/) selon votre configuration. Il utilise un réseau de type [BitTorrent](https://wikipedia.org/wiki/BitTorrent) pour stocker le contenu vidéo, et une [blockchain](https://wikipedia.org/wiki/Blockchain) pour stocker les index de ces vidéos. + +Par défaut, Yattee bloque toutes les publicités YouTube. En outre, Yattee s'intègre en option à [SponsorBlock](https://sponsor.ajay.app) pour vous aider à sauter les segments vidéo sponsorisés. + +### LibreTube (Android) + +!!! recommendation + + ![Logo LibreTube](assets/img/frontends/libretube.svg#only-light){ align=right } + ![Logo LibreTube](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** est une application Android gratuite et open-source pour [YouTube](https://youtube.com) qui utilise l'API [Piped](#piped). 
+ + LibreTube vous permet de stocker votre liste d'abonnement et vos listes de lecture localement sur votre appareil Android, ou dans un compte sur l'instance Piped de votre choix, ce qui vous permet d'y accéder de manière transparente sur d'autres appareils également. + + [:octicons-home-16: Homepage ](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning "Avertissement" + + Lorsque vous utilisez LibreTube, votre adresse IP sera visible par l'instance [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) que vous avez choisie et/ou [SponsorBlock](https://sponsor.ajay.app/) en fonction de votre configuration. Il utilise un réseau de type [BitTorrent](https://wikipedia.org/wiki/BitTorrent) pour stocker le contenu vidéo, et une [blockchain](https://wikipedia.org/wiki/Blockchain) pour stocker les index de ces vidéos. + +Par défaut, LibreTube bloque toutes les publicités YouTube. En outre, Libretube utilise [SponsorBlock](https://sponsor.ajay.app) pour vous aider à sauter les segments vidéo sponsorisés. Vous pouvez configurer entièrement les types de segments que SponsorBlock va ignorer, ou le désactiver complètement. Il existe également un bouton sur le lecteur vidéo lui-même pour le désactiver pour une vidéo spécifique si vous le souhaitez. + +### NewPipe (Android) + +!!! 
recommendation annotate + + ![Logo Newpipe](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** est une application Android gratuite et open-source pour [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), et [PeerTube](https://joinpeertube.org/) (1). + + Votre liste d'abonnement et vos listes de lecture sont enregistrées localement sur votre appareil Android. + + [:octicons-home-16: Homepage ](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Code source" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. L'instance par défaut est [FramaTube](https://framatube.org/), mais d'autres peuvent être ajoutées via **Paramètres** → **Contenu** → **Instances PeerTube** + +!!! warning "Avertissement" + + Lorsque vous utilisez NewPipe, votre adresse IP sera visible par les fournisseurs vidéo utilisés. Il utilise un réseau de type [BitTorrent](https://wikipedia.org/wiki/BitTorrent) pour stocker le contenu vidéo, et une [blockchain](https://wikipedia.org/wiki/Blockchain) pour stocker les index de ces vidéos. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** est une interface gratuite et open-source pour [YouTube](https://youtube.com) qui est également auto-hébergable. 
+ + Il existe un certain nombre d'instances publiques, dont certaines bénéficient de la prise en charge des services oignon [Tor](https://www.torproject.org). + + [:octicons-home-16: Homepage ](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Instances publiques"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribuer } + +!!! warning "Avertissement" + + Invidious n'utilise pas de proxy pour les flux vidéo par défaut. Les vidéos regardées via Invidious seront toujours connectées directement aux serveurs de Google (par exemple, `googlevideo.com`) ; cependant, certaines instances prennent en charge la vidéo par proxy : il suffit d'activer *Proxy videos* dans les paramètres des instances ou d'ajouter `&local=true` à l'URL. + +!!! tip "Conseil" + + Invidious est utile si vous souhaitez désactiver JavaScript dans votre navigateur, comme c'est le cas avec [le navigateur Tor](https://www.torproject.org/) au niveau de sécurité le plus sûr. Il ne garantit pas la vie privée en soi, et nous ne recommandons pas de vous connecter à un compte quelconque. + +Lorsque vous auto-hébergez, il est important que d'autres personnes utilisent également votre instance pour que vous puissiez vous fondre dans la masse. Vous devez faire attention à l'endroit et à la manière dont vous hébergez Invidious, car l'utilisation par d'autres personnes sera liée à votre hébergement. + +Lorsque vous utilisez une instance d'Invidious, veillez à lire la politique de confidentialité de cette instance spécifique. Les instances involontaires peuvent être modifiées par leurs propriétaires et peuvent donc ne pas refléter leur politique de confidentialité associée. 
Dans certains cas, les adresses Tor .onion peuvent garantir une certaine confidentialité tant que les requêtes de recherche ne contiennent pas d'informations personnelles identifiables. + +### Piped + +!!! recommendation + + ![Logo Piped](assets/img/frontends/piped.svg){ align=right } + + **Piped** est une interface gratuite et open-source pour [YouTube](https://youtube.com) qui est également auto-hébergeable. + + Piped nécessite JavaScript pour fonctionner et il existe un certain nombre d'instances publiques. + + [:octicons-repo-16: Dépôt](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Instances Publiques"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Code Source" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribuer } + +!!! tip "Conseil" + + Piped est utile si vous souhaitez utiliser [SponsorBlock](https://sponsor.ajay.app) sans installer d'extension ou pour accéder à des contenus limités en âge sans compte. Il ne garantit pas la vie privée en soi, et nous ne recommandons pas de vous connecter à un compte quelconque. + +Lorsque vous auto-hébergez, il est important que d'autres personnes utilisent également votre instance pour que vous puissiez vous fondre dans la masse. Vous devez faire attention à l'endroit et à la manière dont vous hébergez Piped, car l'utilisation par d'autres personnes sera liée à votre hébergement. + +Lorsque vous utilisez une instance de Piped, veillez à lire la politique de confidentialité de cette instance spécifique. Les instances Piped peuvent être modifiées par leurs propriétaires et peuvent donc ne pas refléter la politique de confidentialité qui leur est associée. 
+ +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +Clients recommandés... + +- Doit être un logiciel open source. +- Doit être auto-hébergeable. +- Doit fournir toutes les fonctionnalités de base du site web accessibles aux utilisateurs anonymes. + +Nous ne prenons en compte que les clients des sites web qui sont... + +- Normalement non accessible sans JavaScript. + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/index.md b/i18n/fr/index.md new file mode 100644 index 00000000..4da48675 --- /dev/null +++ b/i18n/fr/index.md 
@@ -0,0 +1,44 @@ +--- +template: overrides/home.fr.html +hide: + - navigation + - toc + - feedback +--- + + +## En quoi ça me concerne ? + +##### « Je n'ai rien à cacher. Pourquoi devrais-je me soucier de ma vie privée? » + +Tout comme le droit au mariage mixte, le droit de vote des femmes, la liberté d'expression et bien d'autres, notre droit à la vie privée n'a pas toujours été respecté. Dans plusieurs dictatures, ce n'est toujours pas le cas. Nombreux sont nos ancêtres qui se sont battus pour notre droit à la vie privée. ==La vie privée est un droit humain inhérent à chacun d'entre nous== auquel nous avons droit sans discrimination. + +Il ne faut pas confondre la vie privée et le secret. Même si on sait ce qui se passe dans la salle de bain, vous fermez quand même la porte. C'est parce que vous voulez une vie privée, et non pas du secret. **Tout le monde** a quelque chose à protéger. La vie privée est quelque chose qui nous rend humains. + +[:material-target-account: Menaces courantes sur internet](basics/common-threats.md ""){.md-button.md-button--primary} + +## Que dois-je faire ? + +##### Tout d'abord, vous devez établir un plan + +Essayer de protéger toutes vos données contre tout le monde, tout le temps, est peu pratique, coûteux et épuisant. Mais ne vous en faites pas ! La sécurité est un processus et, en anticipant, vous pouvez élaborer un plan qui vous convient. La sécurité ne concerne pas seulement les outils que vous utilisez ou les logiciels que vous téléchargez. Au contraire, elle commence par une compréhension des menaces uniques auxquelles vous êtes confrontés, et comment les atténuer. + +==Ce processus d'identification des menaces et de définition des contre-mesures est appelé la **modélisation des menaces**==, et constitue la base de tout bon plan de sécurité et de vie privée. + +[:material-book-outline: En savoir plus sur la modélisation des menaces](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## On a besoin de vous ! 
Voici comment vous pouvez vous impliquer + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Rejoignez notre forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Suivez-nous sur Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribuez à ce site web" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Aidez à traduire ce site" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Discutez avec nous sur Matrix" } +[:material-information-outline:](about/index.md){ title="En savoir plus sur nous" } +[:material-hand-coin-outline:](about/donate.md){ title="Soutenir le projet" } + +Il est important pour un site web comme Privacy Guides de toujours rester à jour. Nous avons besoin que notre public garde un œil sur les mises à jour logicielles des applications répertoriées sur notre site et suive l'actualité récente des fournisseurs que nous recommandons. Internet évolue à une vitesse telle, qu'il est difficile de suivre le rythme, mais nous faisons de notre mieux. Si vous repérez une erreur, que vous pensez qu'un fournisseur ne devrait pas figurer dans la liste, remarquez l'absence d'un fournisseur qualifié, pensez qu'un plugin de navigateur n'est plus le meilleur choix ou si vous découvrez tout autre problème, veuillez nous en informer. + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/kb-archive.md b/i18n/fr/kb-archive.md new file mode 100644 index 00000000..7e071206 --- /dev/null +++ b/i18n/fr/kb-archive.md 
@@ -0,0 +1,18 @@ +--- +title: Archives +icon: material/archive +--- + +# Pages déplacées vers le blog + +Certaines pages qui se trouvaient auparavant dans notre base de connaissances peuvent désormais être consultées sur notre blog : + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Renforcement de la configuration de Signal](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - Renforcement du système](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Sandboxing des applications](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Effacement sécurisé des données](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Intégration de la suppression des métadonnées](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [Guide de configuration iOS](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/meta/brand.md b/i18n/fr/meta/brand.md new file mode 100644 index 00000000..898a9fc0 --- /dev/null +++ b/i18n/fr/meta/brand.md @@ -0,0 +1,24 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/meta/git-recommendations.md b/i18n/fr/meta/git-recommendations.md new file mode 100644 index 00000000..68a5f9fb --- /dev/null +++ b/i18n/fr/meta/git-recommendations.md 
@@ -0,0 +1,48 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). 
+ +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/meta/uploading-images.md b/i18n/fr/meta/uploading-images.md new file mode 100644 index 00000000..f219f108 --- /dev/null +++ b/i18n/fr/meta/uploading-images.md 
@@ -0,0 +1,91 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash 
+scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/meta/writing-style.md b/i18n/fr/meta/writing-style.md new file mode 100644 index 00000000..b4143422 --- /dev/null +++ b/i18n/fr/meta/writing-style.md 
@@ -0,0 +1,89 @@
+---
+title: Writing Style
+---
+
+Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt.
+
+In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below.
+
+## Writing for our audience
+
+Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with.
+
+### Address only what people want to know
+
+People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details.
+
+> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.”
+
+### Address people directly
+
+We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly.
+
+> More than any other single technique, using “you” pulls users into the information and makes it relevant to them.
+>
+> When you use “you” to address users, they are more likely to understand what their responsibility is.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/)
+
+### Avoid "users"
+
+Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for.
+
+## Organizing content
+
+Organization is key.
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas.
+
+- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages.
+- Mark important ideas with **bold** or *italics*.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
+
+### Begin with a topic sentence
+
+> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details.
+>
+> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
+
+## Choose your words carefully
+
+> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand.
+
+We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly.
+
+> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences:
+>
+> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends.
+>
+> And the original, using stronger, simpler words:
+>
+> > More night jobs would keep youths off the streets.
+
+## Be concise
+
+> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
+
+## Keep text conversational
+
+> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting.
+>
+> Verbs tell your audience what to do. Make sure it’s clear who does what.
+
+### Use active voice
+
+> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.”
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
+
+### Use "must" for requirements
+
+> - “must” for an obligation
+> - “must not” for a prohibition
+> - “may” for a discretionary action
+> - “should” for a recommendation
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/mobile-browsers.md b/i18n/fr/mobile-browsers.md
new file mode 100644
index 00000000..247af1e0
--- /dev/null
+++ b/i18n/fr/mobile-browsers.md
@@ -0,0 +1,193 @@
+---
+title: "Navigateurs mobiles"
+icon: material/cellphone-information
+---
+
+Il s'agit des navigateurs web mobiles et des configurations que nous recommandons actuellement. Si vous avez besoin de naviguer anonymement sur Internet, vous devriez plutôt utiliser [Tor](tor.md). D'une manière générale, nous vous recommandons de limiter au maximum les extensions ; elles ont un accès privilégié dans votre navigateur, vous obligent à faire confiance au développeur, peuvent vous faire sortir du lot [](https://fr.wikipedia.org/wiki/Empreinte_digitale_d%27appareil), et [affaiblissent l'isolation du site](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) .
+
+## Android
+
+Sur Android, Firefox est toujours moins sûr que les alternatives basées sur Chromium : Le moteur de Mozilla, [GeckoView](https://mozilla.github.io/geckoview/), doit encore prendre en charge [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) ou activer [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
+
+### Brave
+
+!!! recommendation
+
+ ![Logo Brave](assets/img/browsers/brave.svg){ align=right }
+
+ **Le navigateur Brave** comprend un bloqueur de contenu intégré et des [fonctions de confidentialité](https://brave.com/privacy-features/), dont la plupart sont activées par défaut.
+
+ Brave est basé sur le projet de navigateur Web Chromium. Il devrait donc vous être familier et présenter un minimum de problèmes de compatibilité avec les sites Web.
+
+ [:octicons-home-16: Page d'accueil](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Service onion" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Code source" }
+
+ ??? downloads annotate "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+
+#### Configuration recommandée
+
+Le navigateur Tor est le seul moyen de vraiment naviguer anonymement sur Internet. Lorsque vous utilisez Brave, nous vous recommandons de modifier les paramètres suivants afin de protéger votre vie privée de certains tiers, mais tous les navigateurs autres que le [Navigateur Tor](tor.md#tor-browser) seront traçables par *quelqu'un* d'une manière ou d'une autre.
+
+Ces options se trouvent dans :material-menu: → **Paramètres** → **Brave Shields & confidentialité**
+
+##### Shields
+
+Brave inclut certaines mesures contre la prise d'empreinte numérique dans sa fonction [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-). Nous vous suggérons de configurer ces options [de manière globale](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) sur toutes les pages que vous visitez.
+
+##### Les valeurs par défaut de Brave Shields
+
+Les options Shields peuvent être réduites par site selon les besoins, mais par défaut, nous recommandons de définir les paramètres suivants:
+
+
+
+- [x] Sélectionnez **Agressif** sous Bloquer les balises & pubs
+
+ ??? warning "Utiliser les listes de filtres par défaut"
+ Brave vous permet de sélectionner des filtres de contenu supplémentaires dans la page interne `brave://adblock`. Nous vous déconseillons d'utiliser cette fonctionnalité ; conservez plutôt les listes de filtres par défaut. L'utilisation de listes supplémentaires vous distinguera des autres utilisateurs de Brave et peut également augmenter la surface d'attaque s'il y a une faille dans Brave et qu'une règle malveillante est ajoutée à l'une des listes que vous utilisez.
+
+- [x] Sélectionnez **Mettre à niveau les connexions vers HTTPS**
+- [x] (Facultatif) Sélectionnez **Bloquer les scripts** (1)
+- [x] Sélectionnez **Strict, peut casser les sites** sous **Bloquer les empreintes numériques**
+
+
+
+1. Cette option fournit une fonctionnalité similaire aux [modes de blocage](https://github.com/gorhill/uBlock/wiki/Blocking-mode) avancés de uBlock Origin ou l'extension [NoScript](https://noscript.net/).
+
+##### Effacer les données de navigation
+
+- [x] Sélectionner **Effacer les données en quittant**
+
+##### Blocage des Réseaux Sociaux
+
+- [ ] Décochez toutes les fonctionnalités de médias sociaux
+
+##### Autres paramètres de confidentialité
+
+
+
+- [x] Sélectionnez **Désactiver l'UDP pas en proxy** sous [Politique de gestion des adresses IP WebRTC](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Décochez **Autoriser les sites à vérifier si vous avez enregistré des modes de paiement**
+- [ ] Décochez **Passerelle IPFS** (1)
+- [x] Sélectionnez **Fermer les onglets à la sortie**
+- [ ] Décochez **Autoriser les analyses de produits préservant la vie privée (P3A)**
+- [ ] Décochez **Envoyer automatiquement des rapports de diagnostic**
+- [ ] Décochez **Envoyer automatiquement un ping d'utilisation quotidienne à Brave**
+
+1. InterPlanetary File System (IPFS) est un réseau décentralisé, de pair à pair, permettant de stocker et de partager des données dans un système de fichiers distribué. À moins que vous n'utilisiez cette fonctionnalité, désactivez-la.
+
+
+
+#### Synchronisation Brave
+
+La [Synchronisation Brave](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) permet à vos données de navigation (historique, signets, etc.) d'être accessibles sur tous vos appareils sans nécessiter de compte et les protège avec E2EE.
+
+## iOS
+
+Sur iOS, toute application capable de naviguer sur le web est [](https://developer.apple.com/app-store/review/guidelines) limitée à l'utilisation du cadre WebKit [fourni par Apple](https://developer.apple.com/documentation/webkit), de sorte qu'il y a peu de raisons d'utiliser un navigateur web tiers.
+
+### Safari
+
+!!! recommendation
+
+ ![Logo Safari](assets/img/browsers/safari.svg){ align=right }
+
+ **Safari** est le navigateur par défaut dans iOS. Il comprend des [fonctions de confidentialité](https://support.apple.com/fr-fr/guide/iphone/iphb01fc3c85/15.0/ios/15.0) telles que la Protection Intelligente contre le Pistage, le Rapport de Confidentialité, les Onglets de Navigation Privée isolés, le Relais Privé iCloud et les mises à niveau HTTPS automatiques.
+
+ [:octicons-home-16: Page d'accueil](https://www.apple.com/fr/safari/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/fr/safari/){ .card-link title="Politique de Confidentialité" }
+ [:octicons-info-16:](https://support.apple.com/fr-fr/guide/safari/welcome/mac){ .card-link title=Documentation}
+
+#### Configuration recommandée
+
+Ces options se trouvent dans :gear: **Paramètres** → **Safari** → **Confidentialité et sécurité**.
+
+##### Prévention du Pistage Intersite
+
+- [x] Activer **Empêcher le Pistage Intersite**
+
+Cela active la [Protection Intelligente contre le Pistage](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp) de WebKit. Cette fonction permet de se protéger contre les pistages non désirés en utilisant un apprentissage machine sur l'appareil pour arrêter les traqueurs.
ITP protège contre de nombreuses menaces courantes, mais il ne bloque pas toutes les voies de pistage, car il est conçu pour ne pas interférer avec la convivialité des sites Web.
+
+##### Rapport de Confidentialité
+
+Le Rapport de Confidentialité donne un aperçu des traqueurs intersites qui sont actuellement bloqués sur le site Web que vous visitez et ne peuvent pas vous profiler. Il peut également afficher un rapport hebdomadaire pour montrer quels traqueurs ont été bloqués au fil du temps.
+
+Le Rapport de Confidentialité est accessible via le menu Paramètres de Page.
+
+##### Mesure Publicitaire Préservant la vie privée
+
+- [ ] Désactiver **Mesure Publicitaire Préservant la vie privée**
+
+La mesure des clics publicitaires a traditionnellement utilisé une technologie de suivi qui porte atteinte à la vie privée des utilisateurs. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) est une fonctionnalité de WebKit et une proposition de norme web visant à permettre aux annonceurs de mesurer l'efficacité des campagnes web sans compromettre la confidentialité des utilisateurs.
+
+Cette fonction ne pose que peu de problèmes de confidentialité en soi, et même si vous pouvez choisir de la laisser activée, nous considérons que le fait qu'elle soit automatiquement désactivée en Navigation Privée est un indicateur pour la désactiver.
+
+##### Navigation Privée Permanente
+
+Ouvrez Safari et appuyez sur le bouton Onglets, situé en bas à droite. Ensuite, développez la liste des Groupes d'Onglets.
+
+- [x] Sélectionner **Privé**
+
+Le mode de Navigation Privée de Safari offre des protections supplémentaires en matière de confidentialité. La Navigation Privée utilise une nouvelle session [éphémère](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) pour chaque onglet, ce qui signifie que les onglets sont isolés les uns des autres.
La Navigation Privée présente également d'autres avantages mineurs en matière de protection de la vie privée, comme le fait de ne pas envoyer l'adresse d'une page web à Apple lors de l'utilisation de la fonction de traduction de Safari.
+
+Notez que la Navigation Privée n'enregistre pas les cookies et les données des sites web. Il ne sera donc pas possible de rester connecté aux sites. Cela peut être un inconvénient.
+
+##### Synchronisation iCloud
+
+La synchronisation de l'Historique de Safari, des Groupes d'Onglets, des Onglets iCloud et des mots de passe enregistrés est E2EE. Cependant, les signets ne le sont [pas](https://support.apple.com/fr-fr/HT202303). Apple peut les déchiffrer et y accéder conformément à sa [politique de confidentialité](https://www.apple.com/fr/legal/privacy/fr-ww/).
+
+Si vous utilisez iCloud, nous vous recommandons également de vérifier que l'emplacement de téléchargement par défaut de Safari est défini sur "localement sur votre appareil". Accédez à votre **nom d'identifiant Apple → iCloud → Protection Avancée des Données**.
+
+- [x] Activez **Protection Avancée des Données**
+
+Si vous utilisez iCloud avec la Protection Avancée des Données désactivée, nous vous recommandons également de vérifier que l'emplacement de téléchargement par défaut de Safari est défini sur localement sur votre appareil. Cette option se trouve dans :gear: **Paramètres** → **Safari** → **Général** → **Téléchargements**.
+
+### AdGuard
+
+!!! recommendation
+
+ ![Logo AdGuard](assets/img/browsers/adguard.svg){ align=right }
+
+ **AdGuard pour iOS** est une extension gratuite et open-source de blocage de contenu pour Safari qui utilise nativement le [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
+
+ AdGuard pour iOS dispose de quelques fonctions payantes, mais le blocage standard du contenu de Safari est gratuit.
+
+ [:octicons-home-16: Page d'accueil](https://adguard.com/fr/adguard-ios/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/fr/privacy/ios.html){ .card-link title="Politique de Confidentialité" }
+ [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Code Source" }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+Les listes de filtres supplémentaires ralentissent la navigation et peuvent augmenter votre surface d'attaque. N'appliquez donc que ce dont vous avez besoin.
+
+## Critères
+
+**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous.
+
+!!! example "Cette section est récente"
+
+ Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours.
+
+### Exigences minimales
+
+- Doit prendre en charge les mises à jour automatiques.
+- Doit recevoir les mises à jour du moteur dans un délai de 1 jour à partir de la publication en amont.
+- Les modifications nécessaires pour rendre le navigateur plus respectueux de la vie privée ne devraient pas avoir d'impact négatif sur l'expérience des utilisateurs.
+- Les navigateurs Android doivent utiliser le moteur Chromium.
+ - Malheureusement, Mozilla GeckoView est toujours moins sécurisé que Chromium sur Android.
+ - Les navigateurs iOS sont limités à WebKit.
+
+### Critères d'extension
+
+- Ne doit pas dupliquer une fonctionnalité intégrée dans le navigateur ou dans le système d'exploitation.
+- Doit avoir un impact direct sur la vie privée des utilisateurs, c'est-à-dire qu'il ne doit pas simplement fournir des informations.
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/multi-factor-authentication.md b/i18n/fr/multi-factor-authentication.md
new file mode 100644
index 00000000..13cf896c
--- /dev/null
+++ b/i18n/fr/multi-factor-authentication.md
@@ -0,0 +1,144 @@
+---
+title: "Outils d'authentification multi-facteurs"
+icon: 'material/two-factor-authentication'
+---
+
+## Clés de sécurité matérielles
+
+### YubiKey
+
+!!! recommendation
+
+ ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
+
+ Les **YubiKeys** font partie des clés de sécurité les plus populaires. Certains modèles de YubiKey disposent d'un large éventail de fonctionnalités telles que : [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 et WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP et HOTP](https://developers.yubico.com/OATH).
+
+ L'un des avantages de la YubiKey est qu'une seule clé peut faire presque tout (YubiKey 5) ce que vous pouvez attendre d'une clé de sécurité matérielle. Nous vous encourageons à faire le [quiz](https://www.yubico.com/quiz/) avant d'acheter afin d'être sûr de faire le bon choix.
+
+ [:octicons-home-16: Page d'accueil](https://www.yubico.com/?lang=fr){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation}
+
+Le [tableau de comparaison](https://www.yubico.com/store/compare/) montre les fonctionnalités de chaque YubiKeys et leurs différences. Nous vous recommandons vivement de choisir des clés de la série YubiKey 5.
+
+Les YubiKeys peuvent être programmées à l'aide du [Gestionnaire YubiKey](https://www.yubico.com/support/download/yubikey-manager/) ou de l'[Outil de Personnalisation YubiKey](https://www.yubico.com/support/download/yubikey-personalization-tools/).
Pour gérer les codes TOTP, vous pouvez utiliser le [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). Tous les clients de Yubico sont open source.
+
+Pour les modèles qui supportent HOTP et TOTP, il y a 2 emplacements dans l'interface OTP qui peuvent être utilisés pour HOTP et 32 emplacements pour stocker les secrets TOTP. Ces secrets sont stockés et chiffrés sur la clé et ne sont jamais exposés aux appareils sur lesquels elle est branchée. Une fois qu'une graine (secret partagé) est donnée à l'authentificateur Yubico, celui-ci ne donnera que les codes à six chiffres, mais jamais la graine. Ce modèle de sécurité permet de limiter ce qu'un attaquant peut faire s'il compromet l'un des appareils exécutant le Yubico Authenticator et rend la YubiKey résistante à un attaquant physique.
+
+!!! warning "Avertissement"
+ Le micrologiciel des YubiKeys n'est pas open source et ne peut pas être mis à jour. Si vous souhaitez obtenir des fonctionnalités dans des versions plus récentes du firmware, ou si la version du firmware que vous utilisez présente une vulnérabilité, vous devrez acheter une nouvelle clé.
+
+### Nitrokey / Librem Key
+
+!!! recommendation
+
+ ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
+
+ **Nitrokey** possède une clé de sécurité qui supporte [FIDO2 et WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) appelée la **Nitrokey FIDO2**. Pour la prise en charge de PGP, vous devez acheter l'une de leurs autres clés comme la **Nitrokey Start**, la **Nitrokey Pro 2** ou la **Nitrokey Storage 2**.
+ + [:octicons-home-16: Page d'accueil](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +Le [tableau de comparaison](https://www.nitrokey.com/#comparison) montre les fonctionnalités de chaque Nitrokey et leurs différences. La **Nitrokey 3** répertoriée aura un ensemble de fonctionnalités combinées. + +Les modèles de Nitrokey peuvent être configurés à l'aide de l'[application Nitrokey](https://www.nitrokey.com/download). + +Pour les modèles qui supportent HOTP et TOTP, il y a 3 emplacements pour HOTP et 15 pour TOTP. Certaines Nitrokeys peuvent faire office de gestionnaire de mots de passe. Ils peuvent stocker 16 identifiants différents et les chiffrer en utilisant le même mot de passe que l'interface OpenPGP. + +!!! warning "Avertissement" + + Bien que les Nitrokeys ne divulguent pas les secrets HOTP/TOTP à l'appareil auquel ils sont connectés, le stockage HOTP et TOTP n'est **pas** chiffré et est vulnérable aux attaques physiques. Si vous cherchez à stocker ces secrets HOTP ou TOTP, nous vous recommandons vivement d'utiliser plutôt un Yubikey. + +!!! warning "Avertissement" + + La réinitialisation de l'interface OpenPGP sur une Nitrokey rendra également la base de données des mots de passe [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html). + + La Nitrokey Pro 2, Nitrokey Storage 2 et la prochaine Nitrokey 3 prennent en charge la vérification de l'intégrité du système pour les ordinateurs portables équipés du micrologiciel [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/). La [Librem Key](https://puri.sm/products/librem-key/) de Purism est une NitroKey Pro 2 rebaptisée avec un micrologiciel similaire et peut également être utilisée pour les mêmes fins. 
+
+Le micrologiciel de Nitrokey est open-source, contrairement à la YubiKey. Le micrologiciel des modèles NitroKey modernes (à l'exception de la **NitroKey Pro 2**) peut être mis à jour.
+
+!!! tip "Conseil"
+
+ L'application Nitrokey, bien que compatible avec les clés Librem, nécessite la version 3.6 ou supérieure de `libnitrokey` pour les reconnaître. Actuellement, le paquet est périmé sur Windows, macOS, et sur la plupart des dépôts des distributions Linux, donc vous devrez probablement compiler l'application Nitrokey vous-même pour la faire fonctionner avec la clé Librem. Sous Linux, vous pouvez obtenir une version à jour à partir de [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app).
+
+### Critères
+
+**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous.
+
+!!! example "Cette section est récente"
+
+ Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours.
+
+#### Exigences minimales
+
+- Doit utiliser des modules de sécurité matériels de haute qualité et resistant aux attaques physiques.
+- Doit prendre en charge la dernière spécification FIDO2.
+- Ne doit pas permettre l'extraction de la clé privée.
+- Les appareils qui coûtent plus de 35 $ doivent prendre en charge la gestion d'OpenPGP et de S/MIME.
+
+#### Dans le meilleur des cas
+
+Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page.
+
+- Devrait être disponible en format USB-C.
+- Devrait être disponible avec NFC.
+- Devrait prendre en charge le stockage de secrets de TOTP.
+- Devrait prendre en charge les mises à jour sécurisées du micrologiciel.
+
+## Applications d'authentification
+
+Les applications d'authentification implémentent une norme de sécurité adoptée par l'Internet Engineering Task Force (IETF) appelée **Mots de Passe à Usage Unique Basé sur le Temps**, ou **Time based One Time Password (TOTP)**. Il s'agit d'une méthode par laquelle les sites web partagent avec vous un secret qui est utilisé par votre application d'authentification pour générer un code à six chiffres (généralement) basé sur l'heure actuelle, que vous saisissez lorsque vous vous connectez pour que le site web puisse le vérifier. En général, ces codes sont régénérés toutes les 30 secondes, et dès qu'un nouveau code est généré, l'ancien devient inutile. Même si un pirate obtient un code à six chiffres, il n'a aucun moyen d'inverser ce code pour obtenir le secret original, ni de prédire quels seront les codes futurs.
+
+Nous vous recommandons vivement d'utiliser des applications TOTP mobiles plutôt que des alternatives de bureau, car Android et IOS offrent une meilleure sécurité et une meilleure isolation des applications que la plupart des systèmes d'exploitation de bureau.
+
+### Aegis Authenticator (Android)
+
+!!!
recommendation
+
+ ![Logo Aegis](assets/img/multi-factor-authentication/aegis.png){ align=right }
+
+ **Aegis Authenticator** est une application gratuite, sécurisée et open source pour gérer les doubles authentifications de vos services en ligne.
+
+ [:octicons-home-16: Page d'accueil](https://getaegis.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribuer }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
+ - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases)
+
+### Raivo OTP (iOS)
+
+!!! recommendation
+
+ ![Logo Raivo OTP](assets/img/multi-factor-authentication/raivo-otp.png){ align=right }
+
+ **Raivo OTP** est un client natif, léger et sécurisé pour gérer des mots de passe basés sur le temps (TOTP) & basés sur un compteur (HOTP) pour iOS. Raivo OTP offre une sauvegarde & une synchronisation iCloud optionnelle. Raivo OTP est également disponible pour macOS sous la forme d'une application de barre d'état, mais l'application Mac ne fonctionne pas indépendamment de l'application iOS.
+
+ [:octicons-home-16: Page d'accueil](https://raivo-otp.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Politique de confidentialité" }
+ [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribuer }
+
+ ???
downloads "Téléchargements"
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
+
+### Critères
+
+**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous.
+
+!!! example "Cette section est récente"
+
+ Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours.
+
+- Doit être un logiciel open source.
+- Ne doit pas nécessiter de connexion à internet.
+- Ne doit pas se synchroniser avec un service tiers de synchronisation/sauvegarde cloud.
+ - La prise en charge **facultative** de la synchronisation E2EE avec des outils natifs du système d'exploitation est acceptable, par exemple la synchronisation chiffrée via iCloud.
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/news-aggregators.md b/i18n/fr/news-aggregators.md
new file mode 100644
index 00000000..ec5f4120
--- /dev/null
+++ b/i18n/fr/news-aggregators.md
@@ -0,0 +1,173 @@ +--- +title: "Agrégateurs d'actualités" +icon: material/rss +--- + +Un [agrégateur d'actualités](https://en.wikipedia.org/wiki/News_aggregator) est un moyen de suivre vos blogs et sites d'actualités préférés. + +## Clients agrégateurs + +### Akregator + +!!! recommendation + + ![Logo Akregator](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** est un lecteur de flux d'actualités qui fait partie du projet [KDE](https://kde.org). Il est doté d'une fonction de recherche rapide, d'une fonctionnalité d'archivage avancée et d'un navigateur interne pour faciliter la lecture des actualités. + + [:octicons-home-16: Page d'accueil](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Code source" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Logo de Feeder](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** est un client RSS moderne pour Android qui possède de nombreuses [fonctionnalités](https://gitlab.com/spacecowboy/Feeder#features) et fonctionne bien avec des dossiers de flux RSS. Il prend en charge [RSS](https://fr.wikipedia.org/wiki/RSS), [Atom](https://fr.wikipedia.org/wiki/Atom_Syndication_Format), [RDF](https://fr.wikipedia.org/wiki/RDF/XML) et [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). 
+ + [:octicons-repo-16: Dépôt](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Code source" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Logo de Fluent Reader](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** est un agrégateur d'actualités multiplateforme sécurisé qui possède des fonctionnalités de confidentialité utiles telles que la suppression des cookies à la fermeture, des [politiques de sécurité du contenu (CSP)](ghttps://fr.wikipedia.org/wiki/Content_Security_Policy) strictes et un support proxy, ce qui signifie que vous pouvez l'utiliser en passant par[Tor](tor.md). + + [:octicons-home-16: Page d'accueil](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Code source" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![Logo GNOME Feeds](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** est un lecteur d'actualités [RSS](https://fr.wikipedia.org/wiki/RSS) et [Atom](https://fr.wikipedia.org/wiki/Atom_Syndication_Format) pour [GNOME](https://www.gnome.org). 
Il possède une interface simple et est assez rapide. + + [:octicons-home-16: Page d'accueil](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Code source" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Logo Miniflux](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Logo Miniflux](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** est un agrégateur d'actualités basé sur le web que vous pouvez héberger vous-même. Il prend en charge [RSS](https://fr.wikipedia.org/wiki/RSS), [Atom](https://fr.wikipedia.org/wiki/Atom_Syndication_Format), [RDF](https://fr.wikipedia.org/wiki/RDF/XML) et [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Page d'accueil](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Code source" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribuer } + +### NetNewsWire + +!!! recommendation + + ![Logo NetNewsWire](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** est un lecteur de flux gratuit et open-source pour macOS et iOS qui met l'accent sur un design et des fonctionnalités natives. Il prend en charge les formats de flux habituels, ainsi que les flux Twitter et Reddit. 
+ + [:octicons-home-16: Page d'accueil](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Logo Newsboat](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** est un lecteur de flux RSS/Atom pour les consoles texte. C'est un fork activement maintenu de [Newsbeuter](https://fr.wikipedia.org/wiki/Newsbeuter). Il est très léger et idéal pour une utilisation via [Secure Shell](https://fr.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Page d'accueil](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Code source" } + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. 
Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +- Doit être un logiciel open source. +- Doit fonctionner localement, c'est-à-dire qu'il ne doit pas s'agir d'un service cloud. + +## Support RSS pour les médias sociaux + +Certains services de médias sociaux prennent également en charge le RSS, bien que cela ne soit pas souvent mis en avant. + +### Reddit + +Reddit prend également en charge l'abonnement via RSS. + +!!! example "Exemple" + Remplacez `nom_du_subbreddit` par le subreddit auquel vous souhaitez vous abonner. + + ```text + https://www.reddit.com/r/{{ nom_du_subbreddit }}/new/.rss + ``` + +### Twitter + +En utilisant l'une des [instances](https://github.com/zedeus/nitter/wiki/Instances) de Nitter vous pouvez facilement vous abonner en utilisant le RSS. + +!!! example "Exemple" + 1. Choisissez une instance et définissez `nitter_instance`. + 2. Remplacez `twitter_account` par le nom du compte. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +Vous pouvez vous abonner aux chaînes YouTube sans vous connecter et sans associer des informations d'utilisation à votre compte Google. + +!!! example "Exemple" + + Pour s'abonner à une chaîne YouTube avec un client RSS, cherchez d'abord votre [code de chaîne](https://support.google.com/youtube/answer/6180214), remplacez `[CHANNEL ID]` ci-dessous : + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/notebooks.md b/i18n/fr/notebooks.md new file mode 100644 index 00000000..90f1fe9d --- /dev/null +++ b/i18n/fr/notebooks.md 
@@ -0,0 +1,115 @@ +--- +title: "Bloc-notes" +icon: material/notebook-edit-outline +--- + +Gardez une trace de vos notes et de vos journaux sans les donner à un tiers. + +Si vous utilisez actuellement une application comme Evernote, Google Keep, ou Microsoft OneNote, nous vous suggérons de choisir ici une alternative qui supporte l'E2EE. + +## Basé sur le cloud + +### Joplin + +!!! recommendation + + ![Logo Joplin](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** est une application gratuite, open-source et complète de prise de notes et de tâches à accomplir qui peut gérer un grand nombre de notes écrites en markdown organisées en carnets et en balises. Il offre E2EE et peut se synchroniser via Nextcloud, Dropbox, et plus encore. Il permet également d'importer facilement des notes d'Evernote et des notes en texte brut. + + [:octicons-home-16: Page d'accueil](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Code source" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribuer } + + ??? 
downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin ne prend pas en charge la protection par mot de passe/PIN de [l'application elle-même ou des notes et cahiers individuels](https://github.com/laurent22/joplin/issues/289). Les données sont toujours chiffrées en transit et à l'emplacement de la synchronisation à l'aide de votre clé principale. + +### Standard Notes + +!!! recommendation + + ![Logo de Standard Notes](assets/img/notebooks/standard-notes.svg){ align=right } + + Standard Notes est une application de notes simple et privée qui rend vos prises de notes faciles et disponibles partout où vous êtes. Il propose E2EE sur toutes les plateformes et une expérience de bureau puissante avec des thèmes et des éditeurs personnalisés. Il a également fait l'objet d'un [audit indépendant (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). 
+ + [:octicons-home-16: Page d'accueil](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Code source" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Logo Cryptee](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Logo Cryptee](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** est un éditeur de documents E2EE et une application de stockage de photos à code source ouvert, basés sur le web. Cryptee est une PWA, ce qui signifie qu'elle fonctionne de manière transparente sur tous les appareils modernes sans nécessiter d'applications natives pour chaque plate-forme respective. + + [:octicons-home-16: Page d'accueil](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Code source" } + + ??? 
downloads "Téléchargements" + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offre 100 Mo de stockage gratuit, avec des options payantes si vous avez besoin de plus. L'inscription ne nécessite pas d'e-mail ou d'autres informations permettant d'identifier la personne. + +## Blocs-notes locaux + +### Org-mode + +!!! recommendation + + ![Logo Org-mode](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** est un [mode majeur](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) pour GNU Emacs. Org-mode permet de prendre des notes, de tenir à jour des listes TODO, de planifier des projets et de rédiger des documents à l'aide d'un système de texte brut rapide et efficace. La synchronisation est possible avec des outils de [synchronisation de fichiers](file-sharing.md#file-sync). + + [:octicons-home-16: Page d'accueil](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Code source" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribuer } + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. 
Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +- Les clients doivent être open-source. +- Toute fonctionnalité de synchronisation cloud doit être E2EE. +- Doit permettre l'export de documents dans un format standard. + +### Dans le meilleur des cas + +- La fonctionnalité de sauvegarde/synchronisation locale doit prendre en charge le chiffrement. +- Les plateformes basées sur le cloud doivent permettre le partage de documents. + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/os/android-overview.md b/i18n/fr/os/android-overview.md new file mode 100644 index 00000000..0c05375c --- /dev/null +++ b/i18n/fr/os/android-overview.md 
@@ -0,0 +1,135 @@ +--- +title: Présentation d'Android +icon: simple/android +--- + +Android est un système d'exploitation sécurisé qui dispose d'un [sandboxing](https://source.android.com/security/app-sandbox) solide, du [Démarrage Vérifié](https://source.android.com/security/verifiedboot) (AVB), et d'un système de contrôle des [autorisations](https://developer.android.com/guide/topics/permissions/overview) robuste. + +## Choisir une distribution Android + +Lorsque vous achetez un téléphone Android, le système d'exploitation par défaut de l'appareil s'accompagne souvent d'une intégration envahissante des applications et des services qui ne font pas partie de l'[Android Open-Source Project](https://source.android.com/). C'est le cas par exemple de l'application Services Google Play, qui dispose de privilèges irrévocables pour accéder à vos fichiers, au stockage de vos contacts, aux journaux d'appels, aux SMS, à votre localisation, à votre appareil photo, à votre microphone, aux identifiants matériels, etc. Ces applications et ces services augmentent la surface d'attaque de votre appareil et sont à l'origine de divers problèmes d'invasion de la vie privée sur Android. + +Ce problème pourrait être résolu en utilisant une distribution Android qui n'est pas fournie avec une intégration de ces applications invasives. Malheureusement, de nombreuses distributions d'Android enfreignent souvent le modèle de sécurité d'Android en ne prenant pas en charge les fonctions de sécurité essentielles telles que l'AVB, le rollback protection, les mises à jour du firmware, etc. 
Certaines distributions fournissent également des builds [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) qui permettent le root via [ADB](https://developer.android.com/studio/command-line/adb) et nécessitent [des politiques SELinux plus permissives](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) pour prendre en compte les fonctionnalités de débogage, ce qui augmente encore plus la surface d'attaque et affaiblit grandement le modèle de sécurité. + +Idéalement, lorsque vous choisissez une distribution Android, vous devez vous assurer qu'elle respecte le modèle de sécurité Android. Au minimum, la distribution doit disposer de builds de production, d'un support pour AVB, d'une rollback protection, de mises à jour dans les meilleurs délais du firmware et du système d'exploitation, et de SELinux en [mode enforcing](https://source.android.com/security/selinux/concepts#enforcement_levels). Toutes les distributions Android que nous recommandons répondent à ces critères. + +[Nos recommandations de distributions Android :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Éviter le rootage + +[Le rootage](https://en.wikipedia.org/wiki/Rooting_(Android)) des téléphones Android peut diminuer la sécurité de manière significative car il affaiblit complétement le modèle de sécurité d'[Android](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). Cela peut nuire à la protection de la vie privée en cas d'exploitation facilitée par la diminution de la sécurité. Les méthodes courantes de rootage impliquent une modification directe de la partition de démarrage, ce qui rend impossible l'exécution du Démarrage Vérifié. Les applications qui requièrent un Android rooté modifieront également la partition du système, ce qui signifie que le Démarrage Vérifié devra rester désactivé. 
Le fait que le root soit exposé directement dans l'interface utilisateur augmente également la [surface d'attaque](https://en.wikipedia.org/wiki/Attack_surface) de votre appareil et peut contribuer aux vulnérabilités [d'élévation de privilèges](https://en.wikipedia.org/wiki/Privilege_escalation) et aux contournements de la politique SELinux. + +Les bloqueurs de publicités, qui modifient le [fichier hosts](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) et les pare-feu (AFWall+ ) qui requièrent un accès root de manière persistante sont dangereux et ne doivent pas être utilisés. Ils ne sont pas non plus la bonne façon de résoudre les problèmes auxquels ils sont destinés. Pour le blocage des publicités, nous suggérons plutôt des serveurs [DNS](../dns.md) chiffrés ou un [VPN](../vpn.md). RethinkDNS, TrackerControl et AdAway en mode non root occuperont l'emplacement VPN (afin de rediriger tout le trafic vers l'application), ce qui vous empêchera d'utiliser des vrais services améliorant votre vie privée tels qu'Orbot ou un vrai serveur VPN. + +AFWall+ fonctionne sur le [filtrage des paquets](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) et peut être contourné dans certaines situations. + +Nous ne pensons pas que les sacrifices de sécurité en rootant un smartphone valent les avantages discutables de ces applications en matière de vie privée. + +## Démarrage Vérifié + +Le [Démarrage Vérifié](https://source.android.com/security/verifiedboot) est un élément important du modèle de sécurité d'Android. Il fournit une protection contre les attaques de type [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack), la persistance de logiciels malveillants et garantit que les mises à jour de sécurité ne peuvent pas être rétrogradées grâce au [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). 
+ +Les versions supérieures à Android 10 ont abandonné le chiffrement complet du disque au profit d'un chiffrement plus souple [basé sur les fichiers](https://source.android.com/security/encryption/file-based). Vos données sont chiffrées à l'aide de clés de chiffrement propres à chaque utilisateur, tandis que les fichiers du système d'exploitation ne sont pas chiffrés. + +Le Démarrage Vérifié garantit l'intégrité des fichiers du système d'exploitation, empêchant un adversaire disposant d'un accès physique d'altérer ou d'installer des logiciels malveillants sur l'appareil. Dans le cas improbable où un logiciel malveillant parviendrait à exploiter d'autres parties du système et à obtenir un accès privilégié, le Démarrage Vérifié empêchera et annulera toutes modifications apportées à la partition système lors du redémarrage de l'appareil. + +Malheureusement, les fabricants sont tenus de prendre uniquement en charge le Démarrage Vérifié que sur leurs distributions Android. Seuls quelques fabricants OEM, tels que Google, supportent l'enrolement de clés AVB personnalisées sur leurs appareils. De plus, certaines ROM dérivées d'AOSP tels que LineageOS ou /e/ OS ne prennent pas en charge le Démarrage Vérifié, même si le matériel peut le prendre en charge. Nous vous recommandons de vérifier le support de cette fonctionnalité **avant** d'acheter un nouvel appareil. Les dérivés d'AOSP qui ne prennent pas en charge le Démarrage Vérifié ne sont **pas** recommandés. + +De nombreux contructeurs ont également une implémentation défectueuse du Démarrage Vérifié dont vous devez être conscient au-delà de leur marketing. Par exemple, les Fairphone 3 et 4 ne sont pas sécurisés par défaut, car le [chargeur d'amorçage de base fait confiance à la clé de signature AVB publique](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). 
Cela contourne le Démarrage Vérifié sur un appareil Fairphone d'origine, car le système démarrera des systèmes d'exploitation Android alternatifs tels que (comme /e/) [sans aucun avertissement](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) sur l'utilisation d'un système d'exploitation personnalisé. + +## Mises à jour du micrologiciel + +Les mises à jour du micrologiciel sont essentielles au maintien de la sécurité. Sans elles, votre appareil ne peut être sécurisé. Les fabriquants ont conclu des accords de prise de en charge avec leurs partenaires pour fournir les mises à jour des composants closed-source pendant une période limitée. Celles-ci sont détaillées dans les [Bulletins de Sécurité Android](https://source.android.com/security/bulletin) mensuels. + +Comme les composants du téléphone, tels que le processeur et les technologies radio, reposent sur des composants closed-source, les mises à jour doivent être fournies par leur fabricants respectifs. Par conséquent, il est important que vous achetiez un appareil qui reçoit activement des mises à jours. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) et [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) prennent en charge leurs appareils pendant 4 ans, tandis que les produits moins chers ont souvent des cycles de mises à jour plus courts. Avec l'introduction du [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google fabrique maintenant son propre SoC et fournira un minimum de 5 ans de mises à jour. + +Les appareils qui ne sont plus pris en charge par le fabricant du SoC ne peuvent pas recevoir de mises à jour du micrologiciel de la part des fabricants ou des distributeurs. Cela signifie que les problèmes de sécurité de ces appareils ne seront pas corrigés. 
+ +Fairphone, par exemple, commercialise ses appareils comme bénéficiant de 6 ans de mises à jour. Cependant, le SoC (Qualcomm Snapdragon 750G sur le Fairphone 4) a une date de fin de vie (EOL) beaucoup plus courte. Cela signifie que les mises à jour de sécurité du micrologiciel de Qualcomm pour le Fairphone 4 prendront fin en septembre 2023, que Fairphone continue ou non à publier des mises à jour de sécurité logicielle. + +## Versions d'Android + +Il est important de ne pas utiliser une version d'Android [en fin de vie](https://endoflife.date/android). Les nouvelles versions d'Android reçoivent non seulement des mises à jour de sécurité pour le système d'exploitation, mais aussi d'importantes mises à jour destinées à améliorer votre vie privée. Par exemple, [avant Android 10](https://developer.android.com/about/versions/10/privacy/changes), toute application disposant de l'autorisation [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) pouvait accéder aux numéros de série uniques et sensibles de votre téléphone, tels que l'[IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), le [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), et l'[IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity) de votre carte SIM, alors qu'aujourd'hui les applications soivent désormais être des des applications système pour lire ces données sensibles. Les applications système sont uniquement fournies par le fabricant ou la distribution Android. + +## Autorisations d'Android + +Les [autorisations sur Android](https://developer.android.com/guide/topics/permissions/overview) vous permettent de contrôler ce que les applications ont le droit d'accéder. Google apporte régulièrement des [améliorations](https://developer.android.com/about/versions/11/privacy/permissions) sur le système d'autorisations à chaque nouvelle version d'Android. 
Toutes les applications que vous installez sont strictement [isolées](https://source.android.com/security/app-sandbox), il n'est donc pas nécessaire d'installer des applications antivirus. Un smartphone avec la dernière version d'Android sera toujours plus sécurisé qu'un ancien smartphone muni d'un antivirus que vous aurez payé. Il est plutôt conseillé de ne pas payer pour ces antivirus et d'économiser pour acheter un smartphone neuf tel qu'un Google Pixel. + +Si vous souhaitez utiliser une application dont vous n'êtes pas sûr, envisagez d'utiliser un profil utilisateur ou professionnel. + +## Accès aux médias + +De nombreuses applications vous permettent de "partager" un fichier avec elles pour le téléchargement de médias. Si vous voulez, par exemple, envoyer une photo sur Twitter, n'accordez pas à Twitter l'accès à vos "médias et photos", car il aura alors accès à toutes vos photos. Au lieu de cela, allez dans votre gestionnaire de fichiers (documentsUI), appuyez longuement sur l'image, puis partagez-la avec Twitter. + +## Profils Utilisateurs + +Les profils d'utilisateurs multiples se trouvent dans **Paramètres** → **Système** → **Utilisateurs multiples** et constituent le moyen le plus simple d'isoler dans Android. + +Avec les profils d'utilisateur, vous pouvez imposer des restrictions à un profil spécifique, par exemple : passer des appels, utiliser des SMS ou installer des applications sur l'appareil. Chaque profil est chiffré à l'aide de sa propre clé de chiffrement et ne peut accéder aux données d'aucun autre profil. Même le propriétaire de l'appareil ne peut pas voir les données des autres profils sans connaître leur mot de passe. Les profils d'utilisateurs multiples est une méthode d'isolement plus sécurisée. 
+ +## Profil Professionnel + +Les [Profils Professionnels](https://support.google.com/work/android/answer/6191949?hl=fr) sont une autre façon d'isoler des applications de manière individuelles et peuvent s'avérer plus pratiques que des profils d'utilisateur séparés. + +Une application de **gestionnaire d'appareil** telle que [Shelter](#recommended-apps) est nécessaire pour créer un profil professionnel sans MDM d'entreprise, à moins que vous n'utilisiez un OS Android personnalisé qui en comprend une. + +Le profil professionnel dépend d'un gestionnaire d'appareil pour fonctionner. Les fonctionnalités telles que la *Navigation de Fichiers* et le *blocage de la recherche de contacts* ou tout autre type de fonctionnalités d'isolation doivent être implémentées par le gestionnaire. Vous devez également faire entièrement confiance à l'application de gestionnaire d'appareil, car elle a un accès total à vos données au sein du profil professionnel. + +Cette méthode est généralement moins sûre qu'un profil utilisateur secondaire, mais elle vous permet d'exécuter simultanément des applications dans les profils professionnel et personnel. + +## Arrêt d'Urgence VPN + +Android 7 et plus prennent en charge un arrêt d'urgence de VPN et il est disponible sans qu'il soit nécessaire d'installer des applications tierces. Cette fonction permet d'éviter les fuites si le VPN est déconnecté. Il se trouve dans :gear: **Paramètres** → **Réseau & internet** → **VPN** → :gear: → **Bloquer les connexions sans VPN**. + +## Boutons à Bascule Globaux + +Les appareils Android modernes disposent de boutons à bascule permettant de désactiver les services Bluetooth et de localisation. Android 12 a introduit des boutons à bascule pour l'appareil photo et le microphone. Lorsque vous n'utilisez pas ces fonctions, nous vous recommandons de les désactiver. 
Les applications ne peuvent pas utiliser les fonctions désactivées (même si elles ont reçu une autorisation individuelle) jusqu'à ce qu'elles soient réactivées. + +## Google + +Si vous utilisez un appareil doté des services Google, qu'il s'agisse de votre système d'exploitation d'origine ou d'un système d'exploitation qui intègre les services Google Play sandboxed en toute sécurité, comme GrapheneOS, vous pouvez apporter un certain nombre de modifications supplémentaires pour améliorer votre confidentialité. Nous recommandons toujours d'éviter complètement les services Google ou de limiter les services Google Play à un profil utilisateur/professionnel spécifique en combinant un contrôleur d'appareil comme *Shelter* avec le Sandboxed Google Play de GrapheneOS. + +### Programme de Protection Avancé + +Si vous avez un compte Google, nous vous suggérons de vous inscrire au [Programme de Protection Avancée](https://landing.google.com/advancedprotection/). Il est disponible gratuitement pour toute personne possédant au moins deux clés de sécurité physiques qui prennent en charge le protocole [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online). 
+ +Le Programme de Protection Avancée offre une surveillance accrue des menaces et permet : + +- Une authentification à deux facteurs plus stricte; par exemple, seul [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **doit** être utilisé et toute autre type de double autentification tels que [SMS OTP](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) et [OAuth](https://en.wikipedia.org/wiki/OAuth) sont bloqués +- Seul Google et les applications tierces vérifiées peuvent accéder aux données du compte +- Une analyse des e-mails entrants sur les comptes Gmail pour détecter les tentatives de [hameçonnage](https://en.wikipedia.org/wiki/Phishing#Email_phishing) +- Une plus stricte [analyse de sécurité du navigateur](https://www.google.com/chrome/privacy/whitepaper.html#malware) avec Google Chrome +- Un processus de récupération plus strict pour les comptes ayant perdu leurs informations d'identification + + Si vous utilisez des services Google Play non sandboxés (courants sur les systèmes d'exploitation d'origine), l'Advanced Protection Program est également accompagné d'[avantages supplémentaires](https://support.google.com/accounts/answer/9764949?hl=en) tels que : + +- Ne pas autoriser l'installation d'applications en dehors du Google Play Store, en dehors de la boutique d'applications du fournisseur du système d'exploitation ou via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Analyse automatique obligatoire des appareils avec [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Avertissement des applications non vérifiées + +### Mise à jour du système avec Google Play + +Dans le passé, les mises à jour de sécurité d'Android devaient être envoyées par le fournisseur du système d'exploitation. 
Android est devenu plus modulaire à partir d'Android 10, et Google peut envoyer des mises à jour de sécurité pour **certains** composants du système via les services Google Play privilégiés. + +Si vous avez un appareil sous Android 10 minimum qui n'est plus supporté et que vous ne pouvez pas installer l'un des systèmes d'exploitation que nous recommandons sur votre appareil, vous feriez mieux de vous en tenir à votre installation Android d'origine (par opposition à un système d'exploitation non répertorié ici, tel que LineageOS ou /e/ OS). Cela vous permettra de recevoir **certains** correctifs de sécurité de Google, sans enfreindre le modèle de sécurité Android en utilisant par exemple un dérivé d'Android non sécurisé et augmentant votre surface d'attaque. Nous vous recommanderions néanmoins de passer à un appareil qui est toujours supporté dès que possible. + +### L'Identifiant Publicitaire + +Tous les appareils sur lesquels les Google Play Services sont installés génèrent automatiquement un [identifiant publicitaire](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) utilisé pour la publicité ciblée. Désactivez cette fonctionnalité pour limiter les données collectées à votre sujet. + +Sur les distributions Android avec [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), allez dans :gear: **Paramètres** → **Applications** → **Sandboxed Google Play** → **Paramètres Google** → **Annonces**, et sélectionnez *Supprimer l'ID publicitaire*. + +Sur les distributions Android avec des services Google Play privilégiés (comme les systèmes d'exploitation d'origines), le paramètre peut se trouver à plusieurs endroits. 
Vérifiez: + +- :gear: **Paramètres** → **Google** → **Annonces** +- :gear: **Paramètres** → **Confidentialité** → **Annonces** + +Vous aurez la possibilité de supprimer votre identifiant publicitaire ou de *refuser les publicités basées sur les centres d'intérêt*, cela varie selon les distributions OEM d'Android. Si l'on vous présente l'option de supprimer l'identifiant publicitaire, faites-le. Si ce n'est pas le cas, veillez à refuser la personnalisation des publicités puis à réinitialiser votre identifiant publicitaire. + +### SafetyNet et Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) et les [API Play Integrity](https://developer.android.com/google/play/integrity) sont généralement utilisés pour des [applications bancaires](https://grapheneos.org/usage#banking-apps). De nombreuses applications bancaires fonctionneront sans problème sur GrapheneOS avec les services Google Play en sandbox, mais certaines applications non financières ont leurs propres mécanismes anti-tampering rudimentaires qui peuvent échouer. GrapheneOS passe le contrôle `basicIntegrity`, mais pas le contrôle de certification `ctsProfileMatch`. Les appareils équipés d'Android 8 ou d'une version ultérieure sont dotés d'un système d'attestation matérielle qui ne peut être contourné qu'en cas de fuite de clés ou de vulnérabilité grave. + +Quant à Google Wallet, nous ne le recommandons pas en raison de sa [politique de confidentialité](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), qui stipule que vous devez manuellement refuser si vous ne voulez pas que votre note de crédit et vos informations personnelles soient partagées avec des services de marketing affilié. + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/os/linux-overview.md b/i18n/fr/os/linux-overview.md new file mode 100644 index 00000000..e3c565bd --- /dev/null +++ b/i18n/fr/os/linux-overview.md 
@@ -0,0 +1,143 @@ +--- +title: Présentation de Linux +icon: simple/linux +--- + +On croit souvent que les logiciels [open-source](https://en.wikipedia.org/wiki/Open-source_software) sont intrinsèquement sûrs parce que le code source est disponible. On s'attend à ce que la vérification de la communauté ait lieu régulièrement ; cependant, ce n'est pas toujours [le cas](https://seirdy.one/posts/2022/02/02/floss-security/). Cela dépend d'un certain nombre de facteurs, tels que l'activité du projet, l'expérience du développeur, le niveau de rigueur appliqué aux [revues de code](https://en.wikipedia.org/wiki/Code_review), et la fréquence de l'attention accordée à certaines parties spécifiques du [codebase](https://en.wikipedia.org/wiki/Codebase) qui peuvent rester à l'abandon pendant des années. + +À l'heure actuelle, les systèmes GNU/Linux de bureau ont certains domaines qui pourraient être améliorés par rapport à leurs homologues propriétaires, par exemple : + +- Une chaîne de démarrage vérifiée, telle que le [Démarage Sécurisé d'Apple](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (avec l'[Enclave Sécurisée](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), le [Démarrage Vérifié d'Android](https://source.android.com/security/verifiedboot), le [Démarrage vérifié de ChromeOS](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), ou le processus de démarrage de [Microsoft Windows](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) avec le [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). 
Ces fonctionnalités et technologies matérielles peuvent toutes contribuer à empêcher une altération persistante par des logiciels malveillants ou des [attaques de personnel de ménage malfaisant](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- Une solution de sandboxing forte, comme celle que l'on trouve dans [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), et [Android](https://source.android.com/security/app-sandbox). Les solutions de sandboxing Linux couramment utilisées, telles que [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) et [Firejail](https://firejail.wordpress.com/) , ont encore beaucoup de chemin à parcourir +- Forte [atténuation des exploits](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Malgré ces inconvénients, les distributions GNU/Linux de bureau sont excellentes si vous souhaitez : + +- Évitez la télémétrie qui accompagne souvent les systèmes d'exploitation propriétaires +- Maintenir [la liberté des logiciels](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Disposer de systèmes axés sur la protection de la vie privée tels que [Whonix](https://www.whonix.org) ou [Tails](https://tails.boum.org/) + +Notre site web utilise généralement le terme "Linux" pour décrire les distributions GNU/Linux de bureau. Les autres systèmes d'exploitation qui utilisent également le noyau Linux, tels que ChromeOS, Android et Qubes OS, ne sont pas abordés ici. + +[Nos recommandations Linux :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choisir sa distribution + +Toutes les distributions Linux ne sont pas créées égales. 
Bien que notre page de recommandations Linux ne soit pas censée être une source faisant autorité sur la distribution que vous devriez utiliser, il y a quelques éléments que vous devriez garder à l'esprit lors du choix de la distribution à utiliser. + +### Cycle de mises à jour + +Nous vous recommandons vivement de choisir des distributions qui restent proches des versions stables des logiciels en amont, souvent appelées distributions à publications continues. En effet, les distributions à cycle de publication gelé ne mettent souvent pas à jour les versions des paquets et prennent du retard sur les mises à jour de sécurité. + +Pour les distributions gelées telles que [Debian](https://www.debian.org/security/faq#handling), les responsables de paquets sont censés rapporter les correctifs pour corriger les vulnérabilités plutôt que de faire passer le logiciel à la "prochaine version" publiée par le développeur en amont. Certains correctifs de sécurité ne reçoivent [pas du tout](https://arxiv.org/abs/2105.14565) de [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (en particulier les logiciels moins populaires) et ne sont donc pas intégrés à la distribution avec ce modèle de correctifs. Par conséquent, les corrections de sécurité mineures sont parfois reportées à la prochaine version majeure. + +Nous ne pensons pas que retenir les paquets et appliquer des correctifs provisoires soit une bonne idée, car cela s'écarte de la manière dont le développeur aurait pu vouloir que le logiciel fonctionne. [Richard Brown](https://rootco.de/aboutme/) propose une présentation à ce sujet : + +
+ +
+ +### Mises à jour traditionnelles et atomiques + +Traditionnellement, les distributions Linux se mettent à jour en mettant séquentiellement à jour les paquets souhaités. Les mises à jour traditionnelles, telles que celles utilisées dans les distributions basées sur Fedora, Arch Linux et Debian, peuvent être moins fiables si une erreur se produit lors de la mise à jour. + +Les distributions à mises à jour atomiques appliquent les mises à jour dans leur intégralité ou pas du tout. En général, les systèmes de mise à jour transactionnelle sont également atomiques. + +Un système de mise à jour transactionnelle crée un instantané qui est réalisé avant et après l'application d'une mise à jour. Si une mise à jour échoue à un moment donné (par exemple en raison d'une panne de courant), elle peut facilement être ramenée au "dernier état correct connu." + +La méthode de mise à jour atomique est utilisée pour les distributions immuables comme Silverblue, Tumbleweed et NixOS et permet d'atteindre la fiabilité avec ce modèle. [Adam Šamalík](https://twitter.com/adsamalik) a fait une présentation sur le fonctionnement de `rpm-ostree` avec Silverblue : + +
+ +
+ +### "Distributions "axées sur la sécurité + +Il y a souvent une certaine confusion entre les distributions "axées sur la sécurité" et les distributions pour les "tests de pénétration". Une recherche rapide de "la distribution Linux la plus sûre" donne souvent des résultats comme Kali Linux, Black Arch et Parrot OS. Ces distributions sont des distributions de tests de pénétration offensifs qui regroupent des outils pour tester d'autres systèmes. Elles n'incluent pas de "sécurité supplémentaire" ni de mesures d'atténuation défensives destinées à une utilisation régulière. + +### Distributions basées sur Arch Linux + +Les distributions basées sur Arch ne sont pas recommandées pour les débutants en Linux (quelle que soit la distribution) car elles nécessitent une [maintenance régulière du système](https://wiki.archlinux.org/title/System_maintenance). Arch ne dispose pas d'un mécanisme de mise à jour de la distribution pour les choix logiciels sous-jacents. Par conséquent, vous devez rester au courant des tendances actuelles et adopter les technologies au fur et à mesure qu'elles remplacent les anciennes pratiques. + +Pour un système sécurisé, vous êtes également censé avoir une connaissance suffisante de Linux pour configurer correctement la sécurité de votre système, par exemple en adoptant un système de [contrôle d'accès obligatoire](https://en.wikipedia.org/wiki/Mandatory_access_control), en configurant des listes noires de [modules du noyau](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security), en renforçant les paramètres de démarrage, en manipulant les paramètres [sysctl](https://en.wikipedia.org/wiki/Sysctl), et en sachant de quels composants ils ont besoin, comme [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Toute personne utilisant l'[Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **doit** être à l'aise pour auditer les PKGBUILDs qu'elle installe à partir de ce service. 
Les paquets AUR sont des contenus produits par la communauté et ne font l'objet d'aucune vérification. Ils sont donc vulnérables aux attaques de la chaîne d'approvisionnement des logiciels, ce qui s'est d'ailleurs produit [dans le passé](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR doit toujours être utilisé avec parcimonie et il existe souvent de nombreux mauvais conseils sur diverses pages qui incitent les gens à utiliser aveuglément [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) sans avertissement suffisant. Des avertissements similaires s'appliquent à l'utilisation d'Archives de Paquets Personnels (PPA) de tiers sur les distributions basées sur Debian ou de Projets Communautaires (COPR) sur Fedora. + +Si vous avez de l'expérience avec Linux et souhaitez utiliser une distribution basée sur Arch, nous recommandons uniquement Arch Linux, et non ses dérivés. Nous déconseillons spécifiquement ces deux dérivés de Arch : + +- **Manjaro**: Cette distribution bloque les mises à jour des paquets pendant 2 semaines pour s'assurer que leurs propres changements ne cassent pas, et non pas pour s'assurer que l'amont est stable. Lorsque des paquets AUR sont utilisés, ils sont souvent construits avec les dernières [bibliothèques](https://en.wikipedia.org/wiki/Library_(computing)) des dépôts d'Arch. +- **Garuda**: Ils utilisent [Chaotic-AUR](https://aur.chaotic.cx/) qui compile automatiquement et aveuglément les paquets de l'AUR. Il n'existe aucun processus de vérification pour s'assurer que les paquets AUR ne souffrent pas d'attaques de la chaîne d'approvisionnement. + +### Kicksecure + +Bien que nous déconseillions fortement l'utilisation de distributions obsolètes comme Debian, il existe un système d'exploitation basé sur Debian qui a été renforcé pour être beaucoup plus sûr que les distributions Linux habituelles : [Kicksecure](https://www.kicksecure.com/). 
Kicksecure, en termes très simplifiés, est un ensemble de scripts, de configurations et de paquets qui réduisent considérablement la surface d'attaque de Debian. Il couvre par défaut un grand nombre de recommandations en matière de confidentialité et de durcissement. + +### Le noyau Linux-libre et les distributions "libres" + +Nous recommandons fortement **de ne pas** utiliser le noyau Linux-libre, car il [supprime des mesures de sécurité et d'atténuation](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) et [supprime des avertissements de noyau](https://news.ycombinator.com/item?id=29674846) concernant les microcodes vulnérables pour des raisons idéologiques. + +## Recommandations générales + +### Chiffrement de disque + +La plupart des distributions Linux ont une option dans leur installateur pour activer [LUKS](../encryption.md#linux-unified-key-setup) FDE. Si cette option n'est pas définie au moment de l'installation, vous devrez sauvegarder vos données et réinstaller, car le chiffrement est appliqué après le [partitionnement du disque](https://en.wikipedia.org/wiki/Disk_partitioning), mais avant le formatage des [systèmes de fichiers](https://en.wikipedia.org/wiki/File_system). Nous vous suggérons également d'effacer de façon sécurisée votre dispositif de stockage : + +- [Effacement sécurisé des données :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Envisagez l'utilisation de [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) ou du [swap chiffré](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) au lieu du swap non chiffré pour éviter les problèmes de sécurité potentiels avec des données sensibles poussées vers [l'espace swap](https://en.wikipedia.org/wiki/Memory_paging). Les distributions basées sur Fedora [utilisent ZRAM par défaut](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). 
+ +### Wayland + +Nous recommandons l'utilisation d'un environnement de bureau prenant en charge le protocole d'affichage [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) car il a été développé dans [un souci](https://lwn.net/Articles/589147/) de sécurité. Son prédécesseur, [X11](https://en.wikipedia.org/wiki/X_Window_System), ne prend pas en charge l'isolation de l'interface graphique, ce qui permet à toutes les fenêtres [d'enregistrer l'écran, d'enregistrer et d'injecter des entrées dans d'autres fenêtres](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), rendant toute tentative de sandboxing futile. Bien qu'il existe des options pour faire du X11 imbriqué telles que [Xpra](https://en.wikipedia.org/wiki/Xpra) ou [Xephyr](https://en.wikipedia.org/wiki/Xephyr), elles ont souvent des conséquences négatives sur les performances, ne sont pas pratiques à mettre en place et ne sont pas préférables à Wayland. + +Heureusement, des environnements courants tels que [GNOME](https://www.gnome.org), [KDE](https://kde.org), et le gestionnaire de fenêtres [Sway](https://swaywm.org) prennent en charge Wayland. Certaines distributions comme Fedora et Tumbleweed l'utilisent par défaut, et d'autres pourraient le faire à l'avenir car X11 est en [mode maintenance limitée](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). Si vous utilisez l'un de ces environnements, il vous suffit de sélectionner la session "Wayland" dans le gestionnaire d'affichage du bureau ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +Nous recommandons **de ne pas** utiliser des environnements de bureau ou des gestionnaires de fenêtres qui ne prennent pas en charge Wayland, comme Cinnamon (par défaut sur Linux Mint), Pantheon (par défaut sur Elementary OS), MATE, Xfce et i3. 
+ +### Micrologiciel propriétaire (mises à jour du microcode) + +Les distributions Linux telles que celles qui sont [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) ou DIY (Arch Linux) ne sont pas fournies avec les mises à jour propriétaires [microcode](https://en.wikipedia.org/wiki/Microcode) qui corrigent souvent des vulnérabilités. Voici quelques exemples notables de ces vulnérabilités : [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), et d'autres [vulnérabilités matérielles](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +Nous **recommandons vivement** d'installer les mises à jour du microcode, car votre CPU exécute déjà le microcode propriétaire depuis l'usine. Fedora et openSUSE ont tous deux les mises à jour du microcode appliquées par défaut. + +### Mises à jour + +La plupart des distributions Linux installent automatiquement les mises à jour ou vous rappellent de le faire. Il est important de maintenir votre système d'exploitation à jour afin que votre logiciel soit corrigé lorsqu'une vulnérabilité est découverte. + +Certaines distributions (notamment celles destinées aux utilisateurs avancés) sont plus bruts et vous demandent de faire les choses vous-même (par exemple Arch ou Debian). Il faudra manuellement exécuter le "gestionnaire de paquets" (`apt`, `pacman`, `dnf`, etc.) afin de recevoir les mises à jour de sécurité importantes. + +En outre, certaines distributions ne téléchargent pas automatiquement les mises à jour du micrologiciel. Pour cela, vous devrez installer [`fwupd`](https://wiki.archlinux.org/title/Fwupd). 
+ +## Ajustements de confidentialité + +### Adresse MAC aléatoire + +De nombreuses distributions Linux de bureau (Fedora, openSUSE, etc.) sont fournies avec [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), pour configurer les paramètres Ethernet et Wi-Fi. + +Il est possible de [changer aléatoirement](https://fedoramagazine.org/randomize-mac-address-nm/) l'[adresse MAC](https://en.wikipedia.org/wiki/MAC_address) en utilisant NetworkManager. Cela permet de protéger un peu plus la vie privée sur les réseaux Wi-Fi, car il est plus difficile de suivre des appareils spécifiques sur le réseau auquel vous êtes connecté. Cela ne vous rend [**pas**](https://papers.mathyvanhoef.com/wisec2016.pdf) anonyme. + +Nous recommandons de changer le paramètre et mettre **aléatoire** plutôt que **stable**, comme suggéré dans l'[article](https://fedoramagazine.org/randomize-mac-address-nm/). + +Si vous utilisez [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), vous devrez définir [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) qui activera [RFC 7844 (Profils d'anonymat pour les clients DHCP)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +Il n'y a pas beaucoup d'intérêt à rendre aléatoire l'adresse MAC pour les connexions Ethernet car un administrateur système peut vous trouver en regardant le port que vous utilisez sur le [commutateur réseau](https://en.wikipedia.org/wiki/Network_switch). Rendre aléatoire les adresses MAC Wi-Fi dépend de la prise en charge par le micrologiciel du Wi-Fi. + +### Autres identifiants + +Il existe d'autres identifiants de système auxquels vous devez faire attention. Vous devriez y réfléchir pour voir si cela s'applique à votre [modèle de menace](../basics/threat-modeling.md) : + +- **Noms d'hôte :** Le nom d'hôte de votre système est partagé avec les réseaux auxquels vous vous connectez. 
Vous devriez éviter d'inclure des termes d'identification comme votre nom ou votre système d'exploitation dans votre nom d'hôte, et vous en tenir plutôt à des termes génériques ou à des chaînes aléatoires. +- **Noms d'utilisateur :** De même, votre nom d'utilisateur est utilisé de diverses manières dans votre système. Envisagez d'utiliser des termes génériques comme "utilisateur" plutôt que votre nom réel. +- **Identifiant machine :**: Pendant l'installation, un identifiant machine unique est généré et stocké sur votre appareil. Envisagez de [le régler sur un identifiant générique](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### Comptage des systèmes + +Le projet Fedora [compte](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) le nombre de systèmes uniques qui accèdent à ses miroirs en utilisant une variable [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) au lieu d'un identifiant unique. Fedora fait cela pour déterminer la charge et fournir de meilleurs serveurs pour les mises à jour si nécessaire. + +Cette [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) est actuellement désactivée par défaut. Nous recommandons d'ajouter `countme=false` à `/etc/dnf/dnf.conf` juste au cas où il serait activé dans le futur. Sur les systèmes qui utilisent `rpm-ostree` tels que Silverblue, l'option countme est désactivée en masquant le compteur [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/). + +openSUSE utilise également un [identifiant unique](https://en.opensuse.org/openSUSE:Statistics) pour compter les systèmes, qui peut être désactivé en supprimant le fichier `/var/lib/zypp/AnonymousUniqueId`. + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/os/qubes-overview.md b/i18n/fr/os/qubes-overview.md new file mode 100644 index 00000000..b8d1a6e9 --- /dev/null 
+++ b/i18n/fr/os/qubes-overview.md @@ -0,0 +1,56 @@ +--- +title: "Présentation de Qubes" +icon: simple/qubesos +--- + +[**Qubes OS**](../desktop.md#qubes-os) est un système d'exploitation qui utilise l'hyperviseur [Xen](https://en.wikipedia.org/wiki/Xen) pour fournir une sécurité forte pour l'informatique de bureau par le biais de machines virtuelles isolées. Chaque VM est appelée un *Qube* et vous pouvez attribuer à chaque Qube un niveau de confiance en fonction de son objectif. Étant donné que le système d'exploitation Qubes assure la sécurité en utilisant l'isolation et en n'autorisant des actions qu'au cas par cas, il est à l'opposé de [l'énumération de méchanceté](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## Comment fonctionne Qubes OS ? + +Qubes utilise la [compartimentation](https://www.qubes-os.org/intro/) pour assurer la sécurité du système. Les Qubes sont créés à partir de modèles, les valeurs par défaut étant pour Fedora, Debian et [Whonix](../desktop.md#whonix). Qubes OS vous permet également de créer des machines virtuelles à usage unique [jetable](https://www.qubes-os.org/doc/how-to-use-disposables/) . + +![Architecture de Qubes](../assets/img/qubes/qubes-trust-level-architecture.png) +
Architecture de Qubes, Crédit : Intro de Qu'est-ce que Qubes OS
+ +Chaque application Qubes possède une [bordure colorée](https://www.qubes-os.org/screenshots/) qui peut vous aider à garder une trace de la machine virtuelle dans laquelle elle est exécutée. Vous pouvez, par exemple, utiliser une couleur spécifique pour votre navigateur bancaire, tout en utilisant une couleur différente pour un navigateur général non fiable. + +![Bordure colorée](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Bordures de fenêtres de Qubes, Crédit : Captures d'écran Qubes
+ +## Pourquoi devrais-je utiliser Qubes ? + +Qubes OS est utile si votre [modèle de menace](../basics/threat-modeling.md) exige une compartimentation et une sécurité fortes, par exemple si vous pensez ouvrir des fichiers non fiables provenant de sources non fiables. Une raison typique d'utiliser Qubes OS est d'ouvrir des documents provenant de sources inconnues. + +Qubes OS utilise la VM Xen [Dom0](https://wiki.xenproject.org/wiki/Dom0) (c'est-à-dire une "AdminVM") pour contrôler d'autres VM invitées ou Qubes sur l'OS hôte. Les autres VMs affichent des fenêtres d'applications individuelles dans l'environnement de bureau de Dom0. Cela vous permet d'attribuer un code de couleur aux fenêtres en fonction des niveaux de confiance et d'exécuter des applications qui peuvent interagir les unes avec les autres avec un contrôle très granulaire. + +### Copier et coller du texte + +Vous pouvez [copier et coller du texte](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) en utilisant `qvm-copy-to-vm` ou les instructions ci-dessous : + +1. Appuyez sur **Ctrl+C** pour indiquer à la VM dans laquelle vous vous trouvez que vous souhaitez copier quelque chose. +2. Appuyez sur **Ctrl+Maj+C** pour dire à la VM de rendre ce tampon disponible au presse-papiers global. +3. Appuyez sur **Ctrl+Shift+V** dans la VM de destination pour rendre le presse-papiers global disponible. +4. Appuyez sur **Ctrl+V** dans la VM de destination pour coller le contenu dans le tampon. + +### Échange de fichiers + +Pour copier et coller des fichiers et des répertoires (dossiers) d'une VM à l'autre, vous pouvez utiliser l'option **Copier vers une autre AppVM...** ou **Déplacer vers une autre AppVM...**. La différence est que l'option **Déplacer** supprime le fichier d'origine. L'une ou l'autre de ces options protégera votre presse-papiers contre les fuites vers d'autres Qubes. 
C'est plus sûr que le transfert de fichiers par ordinateur non connectés car un ordinateur sera toujours obligé d'analyser les partitions ou les systèmes de fichiers. Cela n'est pas nécessaire avec le système de copie inter-qube. + +??? info "Les AppVMs ou les qubes n'ont pas leur propre système de fichiers" + + Vous pouvez [copier et déplacer des fichiers](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) entre les Qubes. Ce faisant, les changements ne sont pas immédiats et peuvent être facilement annulés en cas d'accident. + +### Interactions inter-VM + +L'[environnement qrexec](https://www.qubes-os.org/doc/qrexec/) est une partie essentielle de Qubes qui permet la communication des machines virtuelles entre les domaines. Il est construit sur la bibliothèque Xen *vchan*, qui facilite [l'isolation de par le biais de politiques](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Ressources Supplémentaires + +Pour de plus amples informations, nous vous encourageons à consulter les pages de documentation complètes de Qubes OS, situées sur le [site web de Qubes OS](https://www.qubes-os.org/doc/). Des copies hors ligne peuvent être téléchargées à partir du [dépôt de documentationde](https://github.com/QubesOS/qubes-doc) Qubes OS. + +- Open Technology Fund : [*Sans doute le système d'exploitation le plus sûr au monde*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska : [*Compartimentage logiciel vs. séparation physique*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska : [*Partitionnement de ma vie numérique en domaines de sécurité*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS : [*Articles connexes*](https://www.qubes-os.org/news/categories/#articles) + +--8<-- "includes/abbreviations.fr.txt" 
diff --git a/i18n/fr/passwords.md
new file mode 100644
index 00000000..c471750c
--- /dev/null
+++ b/i18n/fr/passwords.md
@@ -0,0 +1,230 @@ +--- +title: "Gestionnaires de mots de passe" +icon: material/form-textbox-password +--- + +Les gestionnaires de mots de passe vous permettent de stocker et de gérer en toute sécurité les mots de passe et autres informations d'identification à l'aide d'un mot de passe principal. + +[Introduction aux mots de passe :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info "Information" + + Les gestionnaires de mots de passe intégrés dans des logiciels tels que les navigateurs et les systèmes d'exploitation ne sont parfois pas aussi performants que les logiciels de gestion de mots de passe dédiés. L'avantage d'un gestionnaire de mots de passe intégré est une bonne intégration avec le logiciel, mais il peut souvent être très simpliste et manquer de fonctions de confidentialité et de sécurité dont disposent les offres dissociées. + + Par exemple, le gestionnaire de mots de passe de Microsoft Edge ne propose pas du tout E2EE. Le gestionnaire de mots de passe de Google dispose d'un E2EE [facultatif](https://support.google.com/accounts/answer/11350823), et [celui d'Apple](https://support.apple.com/fr-fr/HT202303) propose E2EE par défaut. + +## Basé sur le cloud + +Ces gestionnaires de mots de passe synchronisent vos mots de passe sur un serveur cloud pour un accès facile à partir de tous vos appareils et une sécurité contre la perte d'appareils. + +### Bitwarden + +!!! recommendation + + ![Logo Bitwarden](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** est un gestionnaire de mots de passe gratuit et open-source. Il vise à résoudre les problèmes de gestion des mots de passe pour les individus, les équipes et les organisations commerciales. Bitwarden est l'une des solutions les plus simples et les plus sûres pour stocker tous vos identifiants et mots de passe tout en les synchronisant de manière pratique entre tous vos appareils. 
+ + [:octicons-home-16: Page d'accueil](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden propose également [Bitwarden Send](https://bitwarden.com/products/send/), qui vous permet de partager du texte et des fichiers en toute sécurité grâce au [chiffrement de bout en bout](https://bitwarden.com/help/send-encryption). Un [mot de passe](https://bitwarden.com/help/send-privacy/#send-passwords) peut être demandé avec le lien d'envoi. Bitwarden Send dispose également d'une fonction de [suppression automatique](https://bitwarden.com/help/send-lifespan). + +Vous devez disposer de [l'offre Premium](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) pour pouvoir partager des fichiers. L'offre gratuite ne permet que le partage de texte. 
+ +Le code côté serveur de Bitwarden est [open-source](https://github.com/bitwarden/server), donc si vous ne voulez pas utiliser le cloud Bitwarden, vous pouvez facilement héberger votre propre serveur de synchronisation Bitwarden. + +**Vaultwarden** est une implémentation alternative du serveur de synchronisation de Bitwarden écrite en Rust et compatible avec les clients officiels de Bitwarden. Elle est parfaite pour les déploiements auto-hébergés où l'utilisation du service officiel, lourd en ressources, n'est pas idéale. Si vous cherchez à héberger Bitwarden sur votre propre serveur, vous voudrez certainement utiliser Vaultwarden plutôt que le code serveur officiel de Bitwarden. + +[:octicons-repo-16: Dépôt Vaultwarden](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Code source" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribuer } + +### 1Password + +!!! recommendation + + ![Logo 1Password](assets/img/password-management/1password.svg){ align=right } + + **1Password** est un gestionnaire de mots de passe qui met l'accent sur la sécurité et la facilité d'utilisation. Il vous permet de stocker des mots de passe, des cartes de crédit, des licences de logiciels et toute autre information sensible dans un coffre-fort numérique sécurisé. Votre chambre forte est hébergée sur les serveurs de 1Password pour un [tarif mensuel](https://1password.com/sign-up/). 1Password est [audité](https://support.1password.com/security-assessments/) régulièrement et fournit un support client exceptionnel. 1Password est closed source ; cependant, la sécurité du produit est documentée de manière approfondie dans leur [livre blanc sur la sécurité](https://1passwordstatic.com/files/security/1password-white-paper.pdf). 
+ + [:octicons-home-16: Page d'accueil](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionnellement, **1Password** offrait la meilleure expérience utilisateur en matière de gestion de mots de passe pour les personnes utilisant macOS et iOS ; cependant, il a désormais atteint la parité de fonctionnalités sur toutes les plateformes. Il présente de nombreuses caractéristiques destinées aux familles et aux personnes moins techniques, ainsi que des fonctionnalités avancées. + +Votre coffre-fort 1Password est sécurisé à la fois par votre mot de passe principal et par une clé de sécurité aléatoire de 34 caractères pour chiffrer vos données sur leurs serveurs. Cette clé de sécurité ajoute une couche de protection à vos données, car celles-ci sont sécurisées par une entropie élevée, indépendamment de votre mot de passe principal. De nombreuses autres solutions de gestion des mots de passe dépendent entièrement de la force de votre mot de passe principal pour sécuriser vos données. + +Un avantage de 1Password sur Bitwarden est sa prise en charge de première classe pour les clients natifs. 
Alors que Bitwarden relègue de nombreuses fonctions, notamment les fonctions de gestion de compte, à son interface de coffre-fort web, 1Password met à disposition presque toutes les fonctions disponibles dans ses clients natifs mobiles ou de bureau. Les clients de 1Password ont également une interface utilisateur plus intuitive, ce qui les rend plus faciles à utiliser et à parcourir. + +### Psono + +!!! recommendation + + ![Logo Psono](assets/img/password-management/psono.svg){ align=right } + + **Psono** est un gestionnaire de mots de passe gratuit et open source d'Allemagne, avec un accent sur la gestion des mots de passe pour les équipes. Il peut être [auto-hébergé](#password-management-servers). Psono prend en charge le partage sécurisé de mots de passe, de fichiers, de signets et d'e-mails. + + [:octicons-home-16: Page d'accueil](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono fournit une documentation complète pour son produit. Le client web de Psono peut être hébergé par vous-même ; vous pouvez également choisir l'édition Community complète ou l'édition Enterprise avec des fonctionnalités supplémentaires. 
+ +### Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +#### Exigences minimales + +- Doit utiliser un système E2EE solide, basé sur des normes et moderne. +- Doit avoir des pratiques de chiffrement et de sécurité soigneusement documentées. +- Doit disposer d'un audit publié par une tierce partie indépendante et réputée. +- Toute télémétrie non essentielle doit être facultative. +- Ne doit pas collecter plus de DPI que nécessaire à des fins de facturation. + +#### Dans le meilleur des cas + +Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page. + +- La télémétrie devrait être optionnelle (désactivée par défaut) ou ne pas être collectée du tout. +- Devrait être open-source et raisonnablement auto-hébergeable. 
+ +## Stockage local + +Ces options vous permettent de gérer une base de données de mots de passe chiffrés localement. + +### KeePassXC + +!!! recommendation + + ![Logo KeePassXC](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** est un fork communautaire de KeePassX, un portage natif multiplateforme de KeePass Password Safe, dans le but de l'étendre et de l'améliorer avec de nouvelles fonctionnalités et des corrections de bugs afin de fournir un gestionnaire de mots de passe open-source riche en fonctionnalités, multiplateforme et moderne. + + [:octicons-home-16: Page d'accueil](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Code source" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads "Téléchargements" + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stocke ses données d'exportation sous forme de fichiers [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Cela peut entraîner une perte de données si vous importez ce fichier dans un autre gestionnaire de mots de passe. Nous vous conseillons de vérifier chaque entrée manuellement. + +### KeePassDX (Android) + +!!! 
recommendation + + ![Logo KeePassDX](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** est un gestionnaire de mots de passe léger pour Android. Il permet de modifier des données cryptées dans un seul fichier au format KeePass et de remplir les formulaires de manière sécurisée. Il fonctionne sur tous les principaux systèmes d'exploitation de bureau et de serveur (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Page d'accueil](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Code source" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Logo Strongbox](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** est un gestionnaire de mots de passe natif et open-source pour iOS et macOS. Prenant en charge les formats KeePass et Password Safe, Strongbox peut être utilisé en tandem avec d'autres gestionnaires de mots de passe, comme KeePassXC, sur des plateformes autres qu'Apple. En utilisant un [modèle freemium](https://strongboxsafe.com/pricing/), Strongbox propose la plupart des fonctionnalités dans son volet gratuit, tandis que les fonctions plus pratiques [features](https://strongboxsafe.com/comparison/) - telles que l'authentification biométrique - sont verrouillées par un abonnement ou une licence perpétuelle. 
+ + [:octicons-home-16: Page d'accueil](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Code source" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribuer } + + ??? downloads "Téléchagements" + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +En outre, une version hors ligne est proposée : [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). Cette version est dépouillée dans le but de réduire la surface d'attaque. + +### Ligne de commande + +Ces produits sont des gestionnaires de mots de passe minimaux qui peuvent être utilisés dans des applications de script. + +#### gopass + +!!! recommendation + + ![logo gopass](assets/img/password-management/gopass.svg){ align=right } + + **gopass** est un gestionnaire de mots de passe pour ligne de commande écrit en Go. Il fonctionne sur tous les principaux systèmes d'exploitation de bureau et de serveur (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Page d'accueil](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Code source" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribuer } + + ??? 
downloads "Téléchargements" + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +- Doit être multiplateforme. + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/productivity.md b/i18n/fr/productivity.md new file mode 100644 index 00000000..7b9646c1 --- /dev/null +++ b/i18n/fr/productivity.md 
@@ -0,0 +1,156 @@ +--- +title: "Outils de productivité" +icon: material/file-sign +--- + +La plupart des suites bureautiques en ligne ne prennent pas en charge l'E2EE, ce qui signifie que le fournisseur de cloud a accès à tout ce que vous faites. La politique de confidentialité peut protéger légalement vos droits, mais elle ne fournit pas de contraintes techniques d'accès. + +## Plateformes de collaboration + +### Nextcloud + +!!! recommendation + + ![Logo Nextcloud](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** est une suite de logiciels client-serveur gratuits et open-source permettant de créer vos propres services d'hébergement de fichiers sur un serveur privé que vous contrôlez. + + [:octicons-home-16: Page d'accueil](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Code source" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! 
danger "Danger" + + Nous ne recommandons pas l'utilisation de [l'application E2EE](https://apps.nextcloud.com/apps/end_to_end_encryption) pour Nextcloud car elle peut entraîner une perte de données ; elle est hautement expérimentale et n'est pas de qualité de production. Pour cette raison, nous ne recommandons pas les fournisseurs Nextcloud tiers. + +### CryptPad + +!!! recommendation + + ![Logo CryptPad](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** est une alternative privée par conception aux outils de bureautique populaires. Tout le contenu de ce service web est chiffré de bout en bout et peut être partagé facilement avec d'autres utilisateurs. + + [:octicons-home-16: Page d'accueil](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Code source" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribuer } + +### Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. 
Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +En général, nous définissons les plateformes de collaboration comme des suites complètes qui pourraient raisonnablement remplacer des plateformes de collaboration comme Google Drive. + +- Open-source. +- Rend les fichiers accessibles via WebDAV, sauf si cela est impossible en raison de l'E2EE. +- Possède des clients de synchronisation pour Linux, macOS et Windows. +- Prend en charge l'édition de documents et de feuilles de calcul. +- Prend en charge la collaboration de documents en temps réel. +- Prend en charge l'export de documents vers des formats de documents standard (par exemple ODF). + +#### Dans le meilleur des cas + +Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page. + +- Devrait stocker les fichiers dans un système de fichiers conventionnel. +- Devrait prendre en charge l'authentification multifactorielle TOTP ou FIDO2, ou les connexions par Passkey. + +## Suites bureautiques + +### LibreOffice + +!!! recommendation + + ![Logo de LibreOffice](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** est une suite bureautique gratuite et open-source aux fonctionnalités étendues. 
+ + [:octicons-home-16: Page d'accueil](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Code source" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![Logo OnlyOffice](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** est une suite bureautique gratuite et open-source basée sur le cloud et dotée de nombreuses fonctionnalités, notamment l'intégration avec Nextcloud. 
+ + [:octicons-home-16: Page d'accueil](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. 
Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +En général, nous définissons les suites bureautiques comme des applications qui pourraient raisonnablement remplacer Microsoft Word pour la plupart des besoins. + +- Doit être multiplateforme. +- Doit être un logiciel open source. +- Doit fonctionner hors ligne. +- Doit prendre en charge l'édition de documents, de feuilles de calcul et de diaporamas. +- Doit exporter les fichiers vers des formats de document standard. + +## Services de collage + +### PrivateBin + +!!! recommendation + + ![Logo PrivateBin](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** est un service de collage en ligne minimaliste et open-source où le serveur n'a aucune connaissance des données collées. Les données sont chiffrées/déchiffrées dans le navigateur en utilisant AES 256 bits. Il s'agit de la version améliorée de ZeroBin. Il existe une [liste d'instances](https://privatebin.info/directory/). + + [:octicons-home-16: Page d'accueil](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Instances publiques"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Code source" } + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/real-time-communication.md b/i18n/fr/real-time-communication.md new file mode 100644 index 00000000..84941a27 --- /dev/null +++ b/i18n/fr/real-time-communication.md 
@@ -0,0 +1,195 @@
+---
+title: "Communication en temps réel"
+icon: material/chat-processing
+---
+
+Voici nos recommandations pour de la communication en temps réel chiffrée.
+
+[Types de réseaux de communication :material-arrow-right-drop-circle:](./advanced/communication-network-types.md)
+
+## Messageries instantanées chiffrées
+
+Ces messageries sont idéales pour sécuriser vos communications sensibles.
+
+### Signal
+
+!!! recommendation
+
+ ![Logo de Signal](assets/img/messengers/signal.svg){ align=right }
+
+ **Signal** est une application mobile développée par Signal Messenger LLC. L'application offre une messagerie instantanée, ainsi que des appels vocaux et vidéo.
+
+ Toutes les communications sont E2EE. Les listes de contacts sont chiffrées à l'aide de votre code PIN de connexion et le serveur n'y a pas accès. Les profils personnels sont également chiffrés et ne sont partagés qu'avec les contacts qui vous ajoutent.
+
+ [:octicons-home-16: Page d'accueil](https://signal.org/fr/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://support.signal.org/hc/fr){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://signal.org/fr/donate/){ .card-link title=Contribuer }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669)
+ - [:simple-android: Android](https://signal.org/android/apk/)
+ - [:simple-windows11: Windows](https://signal.org/download/windows)
+ - [:simple-apple: macOS](https://signal.org/download/macos)
+ - [:simple-linux: Linux](https://signal.org/download/linux)
+
+Signal prend en charge les [groupes privés](https://signal.org/blog/signal-private-group-system/).
Le serveur n'a aucune trace de votre appartenance à un groupe, de vos titres de groupe, de vos avatars de groupe ou de vos attributs de groupe. Signal expose un minimum de métadonnées lorsque l'option [Expéditeur Scellé](https://signal.org/blog/sealed-sender/) est activée. L'adresse de l'expéditeur est chiffrée avec le corps du message, et seule l'adresse du destinataire est visible par le serveur. Expéditeur Scellé est uniquement activé pour les personnes de votre liste de contacts, mais peut être activé pour tous les destinataires avec le risque accru de recevoir du spam. Signal requiert votre numéro de téléphone comme identifiant personnel.
+
+Le protocole a fait l'objet d'un [audit](https://eprint.iacr.org/2016/1013.pdf) indépendant en 2016. La spécification du protocole Signal se trouve dans leur [documentation](https://signal.org/docs/).
+
+Nous avons quelques conseils supplémentaires pour configurer et renforcer votre installation Signal :
+
+[Configuration et renforcement de Signal :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+
+### SimpleX Chat
+
+!!! recommendation
+
+ ![Logo Simplex](assets/img/messengers/simplex.svg){ align=right }
+
+ **SimpleX** Chat est une messagerie instantanée décentralisée qui ne dépend d'aucun identifiant unique tel qu'un numéro de téléphone ou un nom d'utilisateur. Les utilisateurs de SimpleX Chat peuvent scanner un code QR ou cliquer sur un lien d'invitation pour participer à des conversations de groupe.
+
+ [:octicons-home-16: Page d'accueil](https://simplex.chat){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Code source" }
+
+ ???
downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084)
+ - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases)
+
+SimpleX Chat [a été audité](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) par Trail of Bits en Octobre 2022.
+
+Actuellement, SimpleX Chat ne fournit qu'un client pour Android et iOS. Les fonctionnalités de base de conversation de groupe, la conversation directe, l'édition des messages et le markdown sont pris en charge. Les appels audio et vidéo E2EE sont également pris en charge.
+
+Vos données peuvent être exportées et importées sur un autre appareil, car il n'y a pas de serveur central où elles sont sauvegardées.
+
+### Briar
+
+!!! recommendation
+
+ ![Logo Briar](assets/img/messengers/briar.svg){ align=right }
+
+ **Briar** est une messagerie instantanée chiffrée qui se [connecte](https://briarproject.org/how-it-works/) à d'autres clients par le réseau Tor. Briar peut également se connecter par Wi-Fi ou Bluetooth lorsqu'il se trouve à proximité. Le mode de maillage local de Briar peut être utile lorsque la disponibilité d’internet pose problème.
+
+ [:octicons-home-16: Page d'accueil](https://briarproject.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation}
+ [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Les options de dons sont listées en bas de la page d'accueil" }
+
+ ???
downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android)
+ - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/)
+ - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar)
+
+Pour ajouter un contact sur Briar, vous devez d'abord vous ajouter tous les deux. Vous pouvez soit échanger des liens `briar://` soit scanner le QR code d'un contact s'il se trouve à proximité.
+
+Le logiciel client a été indépendamment [audité](https://briarproject.org/news/2017-beta-released-security-audit/) et le protocole de routage anonyme utilise le réseau Tor qui a également été audité.
+
+Briar a un [cahier des charges](https://code.briarproject.org/briar/briar-spec) entièrement publié.
+
+Briar prend en charge la confidentialité persistante en utilisant le protocole de [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) et [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) Bramble.
+
+## Autres options
+
+!!! warning "Avertissement"
+
+ Ces messagers ne disposent pas de la fonction Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), et bien qu'ils répondent à certains besoins que nos recommandations précédentes ne peuvent pas satisfaire, nous ne les recommandons pas pour les communications sensibles ou à long terme. Toute compromission de la clé parmi les destinataires du message affecterait la confidentialité de **toutes** les communications passées.
+
+### Element
+
+!!!
recommendation
+
+ ![Logo d'Element](assets/img/messengers/element.svg){ align=right }
+
+ **Element** est le client de référence pour le protocole [Matrix](https://matrix.org/docs/guides/introduction), un [standard ouvert](https://matrix.org/docs/spec) pour la communication décentralisée sécurisée en temps réel.
+
+ Les messages et les fichiers partagés dans les salons privés (ceux qui nécessitent une invitation) sont par défaut E2EE, tout comme les appels vocaux et vidéo individuels.
+
+ [:octicons-home-16: Page d'accueil](https://element.io/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Code source" }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067)
+ - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases)
+ - [:simple-windows11: Windows](https://element.io/get-started)
+ - [:simple-apple: macOS](https://element.io/get-started)
+ - [:simple-linux: Linux](https://element.io/get-started)
+ - [:octicons-globe-16: Web](https://app.element.io)
+
+Les photos de profil, les réactions et les surnoms ne sont pas chiffrés.
+
+Les appels vocaux et vidéo de groupe ne sont [pas](https://github.com/vector-im/element-web/issues/12878) E2EE, et utilisent Jitsi, mais cela devrait changer avec [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Les appels de groupe n'ont [pas d'authentification](https://github.com/vector-im/element-web/issues/13074) actuellement, ce qui signifie que les participants ne faisant pas partie de la salle peuvent également se joindre aux appels.
Nous vous recommandons de ne pas utiliser cette fonctionnalité pour les réunions privées.
+
+Le protocole Matrix lui-même [prend théoriquement en charge la PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), mais ce [n'est pas actuellement pris en charge par Element](https://github.com/vector-im/element-web/issues/7101) car elle rompt certains aspects de l'expérience utilisateur tels que la sauvegarde des clés et l'historique des messages partagés.
+
+Le protocole a fait l'objet d'un [audit](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) indépendant en 2016. La spécification du protocole Matrix se trouve dans leur [documentation](https://spec.matrix.org/latest/). Le cliquet cryptographique [Olm](https://matrix.org/docs/projects/other/olm) utilisé par Matrix est une implémentation de l'[algorithme Cliquet Double](https://signal.org/docs/specifications/doubleratchet/) de Signal.
+
+### Session
+
+!!! recommendation
+
+ ![Logo de Session](assets/img/messengers/session.svg){ align=right }
+
+ **Session** est une messagerie décentralisée axée sur les communications privées, sécurisées et anonymes. Session prend en charge les messages directs, les discussions de groupe et les appels vocaux.
+
+ Session utilise le réseau décentralisé [Oxen Service Node Network](https://oxen.io/) pour stocker et acheminer les messages. Chaque message chiffré est acheminé via trois nœuds dans le Oxen Service Node Network, ce qui rend pratiquement impossible pour les nœuds de compiler des informations significatives sur ceux qui utilisent le réseau.
+
+ [:octicons-home-16: Page d'accueil](https://getsession.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Code source" }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868)
+ - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases)
+ - [:simple-windows11: Windows](https://getsession.org/download)
+ - [:simple-apple: macOS](https://getsession.org/download)
+ - [:simple-linux: Linux](https://getsession.org/download)
+
+Session permet l'E2EE dans les chats individuels ou des groupes fermés pouvant compter jusqu'à 100 membres. Les groupes ouverts n'ont aucune restriction sur le nombre de membres, mais sont ouverts par conception.
+
+Session ne prend [pas](https://getsession.org/blog/session-protocol-technical-information) en charge PFS, c'est-à-dire lorsqu'un système de chiffrement change automatiquement et fréquemment les clés qu'il utilise pour chiffrer et déchiffrer des informations, de sorte que si la dernière clé est compromise, elle expose une plus petite partie des informations sensibles.
+
+Oxen a demandé un audit indépendant pour Session en mars 2020. L'audit [s'est conclu](https://getsession.org/session-code-audit) en Avril 2021 : "Le niveau de sécurité global de cette application est bon et la rend utilisable pour les personnes soucieuses de la protection de leur vie privée."
+
+Session a un [livre blanc](https://arxiv.org/pdf/2002.04609.pdf) décrivant les spécifications techniques de l'application et du protocole.
+
+## Critères
+
+**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous.
+
+!!! example "Cette section est récente"
+
+ Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours.
+
+- Doit avoir des clients open-source.
+- Doit utiliser E2EE pour les messages privés par défaut.
+- Doit supporter E2EE pour tous les messages.
+- Doit avoir fait l'objet d'un audit indépendant.
+
+### Dans le meilleur des cas
+
+Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page.
+
+- Devrait prendre en charge la Confidentialité Persistante.
+- Devrait avoir des serveurs open-source.
+- Devrait être décentralisé, c'est-à-dire fédéré ou P2P.
+- Devrait utiliser E2EE pour tous les messages par défaut.
+- Devrait prendre en charge Linux, macOS, Windows, Android et iOS.
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/router.md b/i18n/fr/router.md
new file mode 100644
index 00000000..7c96ad4c
--- /dev/null
+++ b/i18n/fr/router.md
@@ -0,0 +1,51 @@
+---
+title: "Micrologiciel de routeur"
+icon: material/router-wireless
+---
+
+Vous trouverez ci-dessous quelques systèmes d'exploitation alternatifs, qui peuvent être utilisés sur des routeurs, des points d'accès Wi-Fi, etc.
+
+## OpenWrt
+
+!!! recommendation
+
+ ![Logo OpenWrt](assets/img/router/openwrt.svg#only-light){ align=right }
+ ![Logo OpenWrt](assets/img/router/openwrt-dark.svg#only-dark){ align=right }
+
+ **OpenWrt** est un système d'exploitation basé sur Linux ; il est principalement utilisé sur les périphériques embarqués pour acheminer le trafic réseau. Il comprend util-linux, uClibc, et BusyBox. Tous les composants ont été optimisés pour les routeurs domestiques.
+
+ [:octicons-home-16: Page d'accueil](https://openwrt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribuer }
+
+Vous pouvez consulter le [tableau de matériel](https://openwrt.org/toh/start) d'OpenWrt pour vérifier si votre périphérique est pris en charge.
+
+## OPNsense
+
+!!! recommendation
+
+ ![logo OPNsense](assets/img/router/opnsense.svg){ align=right }
+
+ **OPNsense** est une plateforme de routage et de pare-feu open source basée sur FreeBSD qui intègre de nombreuses fonctionnalités avancées telles que la mise en forme du trafic, l'équilibrage de charge et des capacités VPN, avec de nombreuses autres fonctionnalités disponibles sous forme de plugins. OPNsense est généralement déployé comme pare-feu de périmètre, routeur, point d'accès sans fil, serveur DHCP, serveur DNS et point de terminaison VPN.
+
+ [:octicons-home-16: Page d'accueil](https://opnsense.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Code source" }
+ [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribuer }
+
+OPNsense a été développé à l'origine comme un fork de [pfSense](https://fr.wikipedia.org/wiki/PfSense), et les deux projets sont connus pour être des distributions de pare-feu gratuites et fiables qui offrent des fonctionnalités que l'on ne trouve souvent que dans les pare-feu commerciaux coûteux. Lancé en 2015, les développeurs d'OPNsense [ont cité](https://docs.opnsense.org/history/thefork.html) un certain nombre de problèmes de sécurité et de qualité du code de pfSense qui, selon eux, nécessitaient un fork du projet, ainsi que des préoccupations concernant l'acquisition majoritaire de pfSense par Netgate et l'orientation future du projet pfSense.
+
+## Critères
+
+**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous.
+
+!!! example "Cette section est récente"
+
+ Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste.
De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours.
+
+- Doit être open-source.
+- Doit recevoir des mises à jour régulières.
+- Doivent prendre en charge une grande variété de matériel.
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/search-engines.md b/i18n/fr/search-engines.md
new file mode 100644
index 00000000..50b76b6b
--- /dev/null
+++ b/i18n/fr/search-engines.md
@@ -0,0 +1,109 @@
+---
+title: "Moteurs de Recherche"
+icon: material/search-web
+---
+
+Utilisez un moteur de recherche qui ne construit pas un profil publicitaire en fonction de vos recherches.
+
+Les recommandations formulées ici sont fondées sur les mérites de la politique de confidentialité de chaque service. Il n'y a **aucune garantie** que ces politiques de confidentialité soient respectées.
+
+Envisagez d'utiliser un [VPN](vpn.md) ou [Tor](https://www.torproject.org/) si votre modèle de menace nécessite de cacher votre adresse IP du fournisseur de recherche.
+
+## Brave Search
+
+!!! recommendation
+
+ ![Logo de Brave Search](assets/img/search-engines/brave-search.svg){ align=right }
+
+ **Brave Search** est développé par Brave et fournit des résultats provenant principalement de son propre index indépendant. L'index est optimisé en se basant sur Google Search et peut donc fournir des résultats contextuellement plus précis que d'autres solutions.
+
+ Brave Search comprend des fonctionnalités uniques telles que Discussions, qui met en évidence les résultats axés sur la conversation, comme les messages des forums.
+
+ Nous vous recommandons de désactiver [Mesures d'utilisation anonymes](https://search.brave.com/help/usage-metrics) car ells sont activées par défaut et peuvent être désactivées dans les paramètres.
+
+ [:octicons-home-16: Page d'accueil](https://search.brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Service onion" }
+ [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation}
+
+Brave Search est basé aux États-Unis.
Leur [politique de confidentialité](https://search.brave.com/help/privacy-policy) indique qu'ils collectent des données d'utilisation agrégées, notamment le système d'exploitation et le navigateur utilisés, mais qu'aucune information permettant d'identifier une personne n'est collectée. Les adresses IP sont traitées temporairement, mais ne sont pas conservées.
+
+## DuckDuckGo
+
+!!! recommendation
+
+ ![Logo DuckDuckGo](assets/img/search-engines/duckduckgo.svg){ align=right }
+
+ **DuckDuckGo** est l'un des moteurs de recherche privés les plus populaires. Parmi les fonctionnalités de recherche notables de DuckDuckGo figurent les [bangs](https://duckduckgo.com/bang) et de nombreuses [réponses instantanées](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). Le moteur de recherche s'appuie sur une API commerciale de Bing pour fournir la plupart des résultats, mais il utilise également de nombreuses [autres sources](https://help.duckduckgo.com/results/sources/) pour les réponses instantanées et d'autres résultats non primaires.
+
+ DuckDuckGo est le moteur de recherche par défaut du navigateur Tor et l'une des rares options disponibles sur le navigateur Safari d'Apple.
+
+ [:octicons-home-16: Page d'accueil](https://duckduckgo.com){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Service onion" }
+ [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation}
+
+DuckDuckGo est basé aux États-Unis. Leur [politique de confidentialité](https://duckduckgo.com/privacy) indique qu'ils **font** enregistrer vos recherches à des fins d'amélioration des produits, mais pas votre adresse IP ou toute autre information d'identification personnelle.
+
+DuckDuckGo propose deux [autres versions](https://help.duckduckgo.com/features/non-javascript/) de son moteur de recherche, toutes deux ne nécessitant pas de JavaScript. Ces versions manquent toutefois de fonctionnalités. Ces versions peuvent également être utilisées conjointement avec leur [adresse oignon Tor](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) en ajoutant [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) ou [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) pour la version respective.
+
+## SearXNG
+
+!!! recommendation
+
+ ![Logo SearXNG](assets/img/search-engines/searxng.svg){ align=right }
+
+ **SearXNG** est un métamoteur de recherche open-source, auto-hébergeable, qui agrège les résultats d'autres moteurs de recherche sans stocker lui-même d'informations. C'est un fork activement maintenu de [SearX](https://github.com/searx/searx).
+
+ [:octicons-home-16: Page d'accueil](https://searxng.org){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://searx.space/){ .card-link title="Instances publiques"}
+ [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Code source" }
+
+SearXNG est un proxy entre vous et les moteurs de recherche qu'il agrège. Vos requêtes de recherche seront toujours envoyées aux moteurs de recherche dont SearXNG tire ses résultats.
+
+Lorsque vous auto-hébergez, il est important que d'autres personnes utilisent également votre instance pour que vous puissiez vous fondre dans la masse. Vous devriez faire attention à l'endroit et à la manière dont vous hébergez SearXNG, car les personnes qui recherchent du contenu illégal sur votre instance pourraient attirer l'attention des autorités.
+
+Lorsque vous utilisez une instance SearXNG, assurez-vous d'aller lire sa politique de confidentialité.
Les instances SearXNG pouvant être modifiées par leurs propriétaires, elles ne reflètent pas nécessairement leur politique de confidentialité. Certaines instances fonctionnent en tant que service caché Tor, ce qui peut garantir une certaine confidentialité tant que vos requêtes de recherche ne contiennent pas de DCP (données à caractère personnelles).
+
+## Startpage
+
+!!! recommendation
+
+ ![Logo de Startpage](assets/img/search-engines/startpage.svg#only-light){ align=right }
+ ![Logo de Startpage](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right }
+
+ **Startpage** est un moteur de recherche privé connu pour servir les résultats de recherche de Google. L'une des caractéristiques uniques de Startpage est la [Vue anonyme](https://www.startpage.com/en/anonymous-view/), qui s'efforce de normaliser l'activité des utilisateurs afin de rendre plus difficile leur identification. Cette fonction peut être utile pour masquer [quelques](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) propriétés du réseau et du navigateur. Contrairement à ce que son nom suggère, il ne faut pas compter sur cette fonction pour assurer l'anonymat. Si vous recherchez l'anonymat, utilisez plutôt le [Navigateur Tor](tor.md#tor-browser).
+
+ [:octicons-home-16: Page d'accueil](https://www.startpage.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation}
+
+!!! warning "Avertissement"
+
+ Startpage limite régulièrement l'accès au service à certaines adresses IP, comme les IP réservées aux VPN ou à Tor.
[DuckDuckGo](#duckduckgo) et [Brave Search](#brave-search) sont des options plus conviviales si votre modèle de menace nécessite de cacher votre adresse IP au fournisseur de recherche.
+
+Startpage est basée aux Pays-Bas. Selon leur [politique de confidentialité](https://www.startpage.com/en/privacy-policy/), ils enregistrent des détails tels que : le système d'exploitation, le type de navigateur et la langue. Ils n'enregistrent pas votre adresse IP, vos requêtes de recherche ou d'autres informations à caractère personnel.
+
+L'actionnaire majoritaire de Startpage est System1 qui est une société de technologie publicitaire. Nous ne pensons pas que ce soit un problème car ils ont une [politique de confidentialité](https://system1.com/terms/privacy-policy)distincte. L'équipe de Privacy Guides a contacté Startpage [en 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) pour dissiper toute inquiétude quant à l'investissement considérable de System1 dans ce service. Nous avons été satisfaits des réponses que nous avons reçues.
+
+## Critères
+
+**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous.
+
+!!! example "Cette section est récente"
+
+ Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste.
De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours.
+
+### Exigences minimales
+
+- Ne doit pas collecter d'informations permettant d'identifier une personne, conformément à sa politique de confidentialité.
+- Ne doit pas permettre aux utilisateurs de créer un compte chez eux.
+
+### Dans le meilleur des cas
+
+Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page.
+
+- Doit être basé sur des logiciels open-source.
+- Ne doit pas bloquer les adresses IP des nœuds de sortie Tor.
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/tools.md b/i18n/fr/tools.md
new file mode 100644
index 00000000..227aeddc
--- /dev/null
+++ b/i18n/fr/tools.md
@@ -0,0 +1,442 @@ +--- +title: "Outils de protection de la vie privée" +icon: material/tools +hide: + - toc +--- + +Si vous cherchez une solution spécifique à un problème, voici les outils matériels et logiciels que nous recommandons dans diverses catégories. Les outils de protection de la vie privée que nous recommandons sont principalement choisis en fonction de leurs fonctionnalités de sécurité, tout en mettant l'accent sur les outils décentralisés et à code source ouvert. Ils sont applicables à divers modèles de menaces, allant de la protection contre les programmes mondiaux de surveillance de masse à l'atténuation des attaques en passant par l'évitement des grandes entreprises technologiques, mais vous seul pouvez déterminer ce qui répondra le mieux à vos besoins. + +Si vous souhaitez obtenir de l'aide pour déterminer les meilleurs outils de protection de la vie privée et les programmes alternatifs adaptés à vos besoins, lancez une discussion sur notre [forum](https://discuss.privacyguides.net/) ou sur notre communauté [Matrix](https://matrix.to/#/#privacyguides:matrix.org) ! + +Pour plus de détails sur chaque projet, les raisons pour lesquelles ils ont été choisis, et d'autres conseils ou astuces que nous recommandons, cliquez sur le lien "En savoir plus" dans chaque section, ou cliquez sur la recommandation en question pour accéder à cette section spécifique de la page. + +## Réseau Tor + +
+ +- ![Logo Tor Browser](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Logo Orbot](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Logo Snowflake](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Logo Snowflake](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake n'augmente pas la confidentialité, mais il vous permet de contribuer facilement au réseau Tor et d'aider les personnes dans les réseaux censurés à obtenir une meilleure confidentialité. + +[En savoir plus :material-arrow-right-drop-circle:](tor.md) + +## Navigateurs web de bureau + +
+ +- ![Logo Firefox](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Logo Brave](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Ressources Supplémentaires + +
+ +- ![Logo uBlock Origin](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Navigateurs web mobiles + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Ressources Supplémentaires + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Systèmes d'exploitation + +### Mobile + +
+ +- ![Logo GrapheneOS](assets/img/android/grapheneos.svg#only-light){ .twemoji }![Logo GrapheneOS](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![Logo DivestOS](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](android.md) + +#### Applications Android + +
+ +- ![Logo Aurora Store](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Logo Shelter](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Logo Auditeur](assets/img/android/auditor.svg#only-light){ .twemoji }![Logo GrapheneOS](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditeur (Appareils pris en charge)](android.md#auditor) +- ![Logo caméra sécurisée](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Logo caméra sécurisée](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Caméra sécurisée](android.md#secure-camera) +- ![Logo Secure PDF Viewer](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![Logo Secure PDF Viewer](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](android.md#general-apps) + +### Bureau/PC + +
+ +- ![Logo Qubes OS](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Logo Fedora](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![logo openSUSE Tumbleweed](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![logo Arch](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Logo Fedora Silverblue](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![Logo nixOS](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Logo Whonix](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Logo Tails](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](desktop.md) + +### Micrologiciel de routeur + +
+ +- ![Logo OpenWrt](assets/img/router/openwrt.svg#only-light){ .twemoji }![Logo OpenWrt](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![Logo OPNsense](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](router.md) + +## Fournisseurs de services + +### Stockage cloud + +
+ +- ![Logo Proton Drive](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### Fournisseurs de DNS + +Nous [recommandons](dns.md#recommended-providers) un certain nombre de serveurs DNS chiffrés en fonction de divers critères, tels que [Mullvad](https://mullvad.net/fr/help/dns-over-https-and-dns-over-tls) et [Quad9](https://quad9.net/) entre autres. Nous vous recommandons de lire nos pages sur les DNS avant de choisir un fournisseur. Dans de nombreux cas, l'utilisation d'un autre fournisseur de DNS n'est pas recommandée. + +[En savoir plus :material-arrow-right-drop-circle:](dns.md) + +#### Proxys DNS chiffrés + +
+ +- ![Logo RethinkDNS](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![Logo RethinkDNS](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![Logo dnscrypt-proxy](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Solutions auto-hébergées + +
+ +- ![Logo AdGuard Home](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Logo Pi-hole](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Logo Proton Mail](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Logo Mailbox.org](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji } ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](email.md) + +#### Services d'alias d'e-mails + +
+ +- ![Logo AnonAddy](assets/img/email/anonaddy.svg#only-light){ .twemoji }![Logo AnonAddy](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![Logo SimpleLogin](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### E-mail auto-hébergé + +
+ +- ![Logo mailcow](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Logo Mail-in-a-Box](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Moteurs de Recherche + +
+ +- ![Logo Brave Search](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![Logo DuckDuckGo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![Logo SearXNG](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Logo Startpage](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](search-engines.md) + +### Fournisseurs de VPN + +??? danger "Les VPN ne fournissent pas l'anonymat" + + L'utilisation d'un VPN ne rendra **pas** votre navigation anonyme et n'ajoutera pas de sécurité supplémentaire à un trafic non sécurisé (HTTP). + + Si vous recherchez l' **anonymat**, vous devriez utiliser le navigateur Tor **au lieu** d'un VPN. + + Si vous recherchez plus de **sécurité**, vous devez toujours vous assurer que vous vous connectez aux sites web en utilisant HTTPS. Un VPN ne remplace pas les bonnes pratiques de sécurité. + + [En savoir plus :material-arrow-right:](vpn.md) + +
+ +- ![Logo Proton VPN](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](vpn.md) + +## Logiciels + +### Synchronisation de calendrier + +
+ +- ![Logo Tutanota](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Logo Calendrier Proton](assets/img/calendar/proton-calendar.svg){ .twemoji } [Calendrier Proton](calendar.md#proton-calendar) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](calendar.md) + +### Rédaction de données et de métadonnées + +
+ +- ![Logo MAT2](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![Logo ExifEraser](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Logo Metapho](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![Logo PrivacyBlur](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![Logo ExifTool](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](data-redaction.md) + +### Logiciels de messagerie électronique + +
+ +- ![Logo Thunderbird](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Logo Apple Mail](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Logo Canary Mail](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![Logo FairEmail](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![Logo GNOME Evolution](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![Logo K-9 Mail](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Logo Kontact](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Logo Mailvelope](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP dans le webmail standard)](email-clients.md#mailvelope-browser) +- ![Logo NeoMutt](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](email-clients.md) + +### Logiciels de chiffrement + +??? info "Chiffrement du disque du système d'exploitation" + + Pour chiffrer le disque de votre système d'exploitation, nous recommandons généralement d'utiliser l'outil de chiffrement fourni par votre système d'exploitation, qu'il s'agisse de **BitLocker** sur Windows, **FileVault** sur macOS ou **LUKS** sur Linux. Ces outils sont inclus dans le système d'exploitation et utilisent généralement des éléments de chiffrement matériel tels qu'un TPM, ce que ne font pas d'autres logiciels de chiffrement intégral de disque comme VeraCrypt. VeraCrypt convient toujours aux disques qui ne contiennent pas de systèmes d'exploitation, comme les disques externes, en particulier les disques auxquels on peut accéder à partir de plusieurs systèmes d'exploitation. + + [En savoir plus :material-arrow-right:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Logo Cryptomator](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Logo Picocrypt](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![Logo VeraCrypt](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![Logo VeraCrypt](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Logo Hat.sh](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Logo Hat.sh](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Logo Kryptor](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Logo Tomb](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](encryption.md) + +#### Clients OpenPGP + +
+ +- ![Logo GnuPG](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![Logo GPG4Win](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![Logo GPG Suite](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![Logo OpenKeychain](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### Partage et synchronisation de fichiers + +
+ +- ![Logo Send](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![Logo OnionShare](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![Logo FreedomBox](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Logo Nextcloud](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Logo Syncthing](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](file-sharing.md) + +### Clients applicatifs + +
+ +- ![Logo du bibliothécaire](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Logo du bibliothécaire](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Logo Nitter](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![Logo FreeTube](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Logo Yattee](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube ; iOS, tvOS, macOS)](frontends.md#yattee) +- ![Logo NewPipe](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Logo Invidious](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Logo Invidious](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Logo Piped](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](frontends.md) + +### Outils d'authentification multi-facteurs + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key) +- ![Logo Aegis](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Logo Raivo OTP](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### Agrégateurs d'actualités + +
+ +- ![Logo Akregator](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Logo Feeder](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Logo Fluent Reader](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![Logo GNOME Feeds](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Logo Miniflux](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Logo Miniflux](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![Logo NetNewsWire](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Logo Newsboat](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](news-aggregators.md) + +### Bloc-notes + +
+ +- ![Logo Joplin](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Logo Standard Notes](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Logo Cryptee](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Logo Cryptee](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Logo Org-mode](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](notebooks.md) + +### Gestionnaires de mots de passe + +
+ +- ![Logo Bitwarden](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![Logo 1Password](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Logo Psono](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![Logo KeePassXC](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![Logo KeePassDX](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Logo Strongbox](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![Logo gopass](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](passwords.md) + +### Outils de productivité + +
+ +- ![Logo Nextcloud](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Logo LibreOffice](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![Logo OnlyOffice](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](productivity.md) + +### Communication en temps réel + +
+ +- ![Logo Signal](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Logo Briar](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![Logo SimpleX Chat](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Logo Element](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Logo Session](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](real-time-communication.md) + +### Clients de streaming vidéo + +
+ +- ![Logo LBRY](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](video-streaming.md) + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/tor.md b/i18n/fr/tor.md new file mode 100644 index 00000000..205054a6 --- /dev/null +++ b/i18n/fr/tor.md @@ -0,0 +1,124 @@ +--- +title: "Réseau Tor" +icon: simple/torproject +--- + +![Logo Tor](assets/img/self-contained-networks/tor.svg){ align=right } + +Le réseau **Tor** est un groupe de serveurs gérés par des bénévoles qui vous permet de vous connecter gratuitement et d'améliorer votre confidentialité et votre sécurité sur Internet. Les particuliers et les organisations peuvent également partager des informations sur le réseau Tor avec des "services cachés .onion" sans compromettre leur vie privée. Parce que le trafic Tor est difficile à bloquer et à tracer, Tor est un outil efficace pour contourner la censure. + +[:octicons-home-16:](https://www.torproject.org/fr/){ .card-link title="Page d'accueil"} +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/fr/){ .card-link title="Service Onion" } +[:octicons-info-16:](https://tb-manual.torproject.org/fr/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Code Source" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuer } + +Tor fonctionne en acheminant votre trafic Internet via ces serveurs gérés par des volontaires, au lieu d'établir une connexion directe avec le site que vous essayez de visiter. Cela permet de masquer la provenance du trafic, et aucun serveur sur le chemin de la connexion n'est en mesure de voir le chemin complet de la provenance et de la destination du trafic, ce qui signifie que même les serveurs que vous utilisez pour vous connecter ne peuvent pas briser votre anonymat. + +
+ ![Chemin de Tor](assets/img/how-tor-works/tor-path.svg#only-light) + ![Chemin de Tor](assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Chemin du circuit de Tor - Les nœuds du chemin ne peuvent voir que les serveurs auxquels ils sont directement connectés, par exemple le nœud "d'Entrée" indiqué peut voir votre adresse IP, et l'adresse du nœud "Central", mais n'a aucun moyen de voir quel site Web vous visitez.
+
+ +- [Plus d'informations sur le fonctionnement de Tor :material-arrow-right-drop-circle:](advanced/tor-overview.md) + +## Se connecter à Tor + +Il existe plusieurs façons de se connecter au réseau Tor à partir de votre appareil, la plus utilisée étant le **Navigateur Tor**, un fork de Firefox conçu pour la navigation anonyme sur les ordinateurs de bureau et Android. En plus des applications listées ci-dessous, il existe également des systèmes d'exploitation conçus spécifiquement pour se connecter au réseau Tor tels que [Whonix](desktop.md#whonix) sur [Qubes OS](desktop.md#qubes-os), qui offrent une sécurité et des protections encore plus importantes que le navigateur Tor standard. + +### Navigateur Tor + +!!! recommendation + + ![Logo de Tor Browser](assets/img/browsers/tor.svg){ align=right } + + Le **Navigateur Tor** est le choix idéal si vous avez besoin d'anonymat, car il vous donne accès au réseau et aux ponts Tor, et il inclut des paramètres par défaut et des extensions qui sont automatiquement configurées par les niveaux de sécurité par défaut : *Normal*, *Plus sûr* et *Le plus sûr*. + + [:octicons-home-16: Page d'accueil](https://www.torproject.org/fr/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/fr/){ .card-link title="Service Onion" } + [:octicons-info-16:](https://tb-manual.torproject.org/fr/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Code Source" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuer } + + ??? 
downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger "Danger" + + Vous ne devriez **jamais** installer des extensions supplémentaires sur le navigateur Tor, y compris celles que nous suggérons pour Firefox. Les extensions de navigateur et les paramètres non standard vous distinguent des autres sur le réseau Tor, rendant ainsi votre navigateur plus facile à la [prise d'empreintes numérique](https://support.torproject.org/fr/glossary/browser-fingerprinting/). + +Le Navigateur Tor est conçu pour empêcher la prise d'empreintes numérique, ou l'identification en fonction de la configuration de votre navigateur. Par conséquent, il est impératif de ne **pas** modifier le navigateur au-delà des [niveaux de sécurité](https://tb-manual.torproject.org/fr/security-settings/) par défaut. + +### Orbot + +!!! recommendation + + ![Logo Orbot](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** est un VPN Tor gratuit pour smartphones qui achemine le trafic de n'importe quelle application sur votre appareil à travers le réseau Tor. + + [:octicons-home-16: Page d'accueil](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Politique de Confidentialité" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Code Source" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribuer } + + ??? 
downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +Pour résister aux attaques par analyse de trafic, pensez à activer l'option *Isoler l'adresse de destination* dans :material-menu: → **Paramètres** → **Connectivité**. Cela utilisera un circuit Tor complètement différent (différents relais intermédiaires et nœuds de sortie) pour chaque domaine auquel vous vous connectez. + +!!! tip "Astuces pour Android" + + Orbot peut proxy des applications individuelles si elles supportent le proxying SOCKS ou HTTP. Il peut également proxy toutes vos connexions réseau en utilisant [VpnService](https://developer.android.com/reference/android/net/VpnService) et peut être utilisé avec le killswitch VPN dans :gear: **Paramètres** → **Réseau & internet** → **VPN** → :gear: → **Bloquer les connexions sans VPN**. + + Orbot est souvent obsolète sur le [dépôt F-Droid](https://guardianproject.info/fdroid) du Guardian Project et sur le [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), alors envisagez à la place de télécharger directement depuis le [dépôt GitHub](https://github.com/guardianproject/orbot/releases). + + Toutes les versions sont signées en utilisant la même signature, elles devraient donc être compatibles entre elles. + +## Relais et Ponts + +### Snowflake + +!!! recommendation + + ![Logo Snowflake](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Logo Snowflake](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** vous permet de donner de la bande passante au Projet Tor en faisant fonctionner un "proxy Snowflake" dans votre navigateur. + + Les personnes censurées peuvent utiliser les proxys Snowflake pour se connecter au réseau Tor. 
Snowflake est un excellent moyen de contribuer au réseau même si vous n'avez pas le savoir-faire technique pour gérer un relais ou un pont Tor. + + [:octicons-home-16: Page d'accueil](https://snowflake.torproject.org/?lang=fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Code Source" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/fr-fr/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Laissez cette page ouverte pour être un proxy Snowflake") + +??? tip "Snowflake intégré" + + Vous pouvez activer Snowflake dans votre navigateur en cliquant sur le bouton ci-dessous et en laissant cette page ouverte. Vous pouvez également installer Snowflake en tant qu'extension de navigateur pour qu'il s'exécute toujours lorsque votre navigateur est ouvert, mais l'ajout d'extensions tierces peut augmenter votre surface d'attaque. + +
+ Si l'intégration n'apparaît pas pour vous, assurez-vous que vous ne bloquez pas le cadre tiers de `torproject.org`. Vous pouvez également consulter [cette page](https://snowflake.torproject.org/embed.html). + +Snowflake n'améliore en rien votre vie privée et n'est pas utilisé pour se connecter au réseau Tor dans votre navigateur personnel. Toutefois, si votre connexion Internet n'est pas censurée, vous devriez envisager de l'utiliser pour aider les personnes se trouvant sur des réseaux censurés à améliorer elles-mêmes leur vie privée. Il n'y a pas besoin de s'inquiéter des sites web auxquels les gens accèdent via votre proxy - leur adresse IP de navigation visible correspondra à leur nœud de sortie Tor, pas à la vôtre. + +Faire fonctionner un proxy Snowflake est peu risqué, encore moins que de faire fonctionner un relais ou un pont Tor qui ne sont déjà pas des entreprises particulièrement risquées. Toutefois, il achemine le trafic par le biais de votre réseau, ce qui peut avoir un impact à certains égards, surtout si votre réseau a une bande passante limitée. Assurez-vous de comprendre [le fonctionnement de Snowflake](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) avant de décider de faire tourner un proxy. + +--8<-- "includes/abbreviations.fr.txt" diff --git a/i18n/fr/video-streaming.md b/i18n/fr/video-streaming.md new file mode 100644 index 00000000..cc500bc7 --- /dev/null +++ b/i18n/fr/video-streaming.md 
@@ -0,0 +1,52 @@
+---
+title: "Streaming vidéo"
+icon: material/video-wireless
+---
+
+La principale menace liée à l'utilisation d'une plateforme de streaming vidéo est que vos habitudes de streaming et vos listes d'abonnement pourraient être utilisées pour établir votre profil. Vous devriez combiner ces outils avec un [VPN](vpn.md) ou [Tor](https://www.torproject.org/) pour rendre plus difficile le profilage de votre utilisation.
+
+## LBRY
+
+!!! recommendation
+
+ ![Logo LBRY](assets/img/video-streaming/lbry.svg){ align=right }
+
+ **Le réseau LBRY** est un réseau décentralisé de partage de vidéos. Il utilise un réseau de type [BitTorrent](https://fr.wikipedia.org/wiki/BitTorrent) pour stocker le contenu vidéo, et une [chaîne de blocs](https://fr.wikipedia.org/wiki/Blockchain) pour stocker les index de ces vidéos. Le principal avantage de cette conception est la résistance à la censure.
+
+ **Le client de bureau LBRY** vous aide à regarder des vidéos à partir du réseau LBRY et stocke votre liste d'abonnement dans votre propre portefeuille LBRY.
+
+ [:octicons-home-16: Page d'accueil](https://lbry.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Code source" }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-windows11: Windows](https://lbry.com/windows)
+ - [:simple-apple: macOS](https://lbry.com/osx)
+ - [:simple-linux: Linux](https://lbry.com/linux)
+
+!!! note "À noter"
+
+ Seul le client de bureau **LBRY** est recommandé, car le site web [Odysee](https://odysee.com) et les clients LBRY dans F-Droid, le Play Store et l'App Store ont une synchronisation et une télémétrie obligatoires.
+
+!!! warning "Avertissement"
+
+ Lorsque vous regardez et hébergez des vidéos, votre adresse IP est visible par le réseau LBRY. Il utilise un réseau de type [BitTorrent](https://wikipedia.org/wiki/BitTorrent) pour stocker le contenu vidéo, et une [blockchain](https://wikipedia.org/wiki/Blockchain) pour stocker les index de ces vidéos.
+
+Nous vous recommandons **d'éviter** de synchroniser votre portefeuille avec LBRY Inc., car la synchronisation des portefeuilles chiffrés n'est pas encore prise en charge. note
+
+Vous pouvez désactiver l'option *Enregistrer les données d'hébergement pour aider le réseau LBRY* dans :gear: **Paramètres** → **Paramètres Avancés**, pour éviter d'exposer votre adresse IP et les vidéos regardées lorsque vous utilisez LBRY pendant une période prolongée.
+
+## Critères
+
+**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous.
+
+!!! example "Cette section est récente"
+
+ Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours.
+
+- Ne doit pas nécessiter un compte centralisé pour visionner les vidéos.
+ - L'authentification décentralisée, par exemple via la clé privée d'un portefeuille mobile, est acceptable.
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/fr/vpn.md b/i18n/fr/vpn.md
new file mode 100644
index 00000000..cddfdfd7
--- /dev/null
+++ b/i18n/fr/vpn.md
@@ -0,0 +1,323 @@
+---
+title: "Services VPN"
+icon: material/vpn
+---
+
+Trouvez un opérateur VPN sans journalisation qui n'est pas là pour vendre ou lire votre trafic Web.
+
+??? danger "Les VPN ne fournissent pas l'anonymat"
+
+ L'utilisation d'un VPN ne rendra **pas** votre navigation anonyme et n'ajoutera pas de sécurité supplémentaire à un trafic non sécurisé (HTTP).
+
+ Si vous recherchez l' **anonymat**, vous devriez utiliser le navigateur Tor **au lieu** d'un VPN.
+
+ Si vous recherchez plus de **sécurité**, vous devez toujours vous assurer que vous vous connectez aux sites web en utilisant HTTPS. Un VPN ne remplace pas les bonnes pratiques de sécurité.
+
+ [Télécharger Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Mythes sur Tor & FAQ](https://medium.com/privacyguides/slicing-onions-part-1-myth-busting-tor-9ec188ae1904){ .md-button }
+
+??? question "Quand les VPN sont-ils utiles ?"
+
+ Si vous recherchez à protéger votre **vie privé** vis-à-vis de votre fournisseur d'accès internet, sur un réseau Wi-Fi public ou lors du torrenting de fichiers, un VPN peut être la solution pour vous, à condition que vous compreniez les risques encourus.
+
+ [Plus d'infos](#vpn-overview){ .md-button }
+
+## Fournisseurs Recommandés
+
+!!! abstract "Citères"
+
+ Les fournisseurs que nous recommandons utilisent le chiffrement, acceptent le Monero, prennent en charge WireGuard & OpenVPN, et ont une politique de non journalisation. Lisez notre [liste complète de critères](#our-criteria) pour plus d'informations.
+
+### Proton VPN
+
+!!! recommendation annotate
+
+ ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right }
+
+ **Proton VPN** est un concurrent solide dans l'espace VPN, et ils sont en service depuis 2016. Proton AG est basé en Suisse et propose une offre gratuite limitée, ainsi qu'une option premium plus complète.
+
+ [:octicons-home-16: Page d'accueil](https://protonvpn.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Code source" }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085)
+ - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases)
+ - [:simple-windows11: Windows](https://protonvpn.com/download-windows)
+ - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/)
+
+??? success annotate "67 Pays"
+
+ Proton VPN a [des serveurs dans 63 pays](https://protonvpn.com/vpn-servers) (1). En choisissant un fournisseur de VPN dont le serveur est le plus proche de vous vous réduirez la latence du trafic réseau que vous envoyez. Cela est dû à un itinéraire plus court (moins de sauts) vers la destination.
+
+ Nous pensons également qu'il est préférable pour la sécurité des clés privées du fournisseur de VPN qu'il utilise des [serveurs dédiés](https://en.wikipedia.org/wiki/Dedicated_hosting_service), plutôt que des solutions partagées moins chères (avec d'autres clients) telles que les [serveurs privés virtuels](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. En date du 2022-09-16
+
+??? success "Audités de manière indépendante"
+
+ Depuis janvier 2020, Proton VPN a fait l'objet d'un audit indépendant réalisé par SEC Consult. SEC Consult a trouvé quelques vulnérabilités à risque moyen et faible dans les applications Windows, Android et iOS de Proton VPN, qui ont toutes été "correctement corrigées" par Proton VPN avant la publication des rapports. Aucun des problèmes identifiés n'aurait permis à un attaquant d'accéder à distance à votre appareil ou à votre trafic. Vous pouvez consulter les rapports individuels pour chaque plateforme à l'adresse [protonvpn.com](https://protonvpn.com/blog/open-source/). En avril 2022, Proton VPN a fait l'objet d'un [autre audit](https://protonvpn.com/blog/no-logs-audit/) et le rapport a été [produit par Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). Une [lettre d'attestation](https://proton.me/blog/security-audit-all-proton-apps) a été fournie pour les applications de Proton VPN le 9 novembre 2021 par [Securitum](https://research.securitum.com).
+
+??? success "Clients Open Source"
+
+ Proton VPN fournit le code source de ses clients de bureau et mobiles dans son [organisation GitHub](https://github.com/ProtonVPN).
+
+??? check "Accepte l'Argent Liquide"
+
+ Proton VPN, en plus d'accepter les cartes de crédit/débit et PayPal, accepte le Bitcoin, et **l'argent liquide/la monnaie locale** comme formes anonymes de paiement.
+
+??? success "Supporte WireGuard"
+
+ Proton VPN supporte le protocole WireGuard® la plupart du temps. [WireGuard](https://www.wireguard.com) est un protocole plus récent qui utilise de la [cryptographie](https://www.wireguard.com/protocol/) de pointe. De plus, WireGuard vise à être plus simple et plus performant.
+
+ Proton VPN [recommande](https://protonvpn.com/blog/wireguard/) l'utilisation de WireGuard avec leur service. Sur les applications Windows, macOS, iOS, Android, ChromeOS et Android TV de Proton VPN, WireGuard est le protocole par défaut ; cependant, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) pour le protocole n'est pas présent dans leur application Linux.
+
+??? warning "Redirection de Port Distant"
+
+ Proton VPN ne supporte actuellement que la [redirection de ports](https://protonvpn.com/support/port-forwarding/) distants sur Windows, ce qui peut avoir un impact sur certaines applications. En particulier les applications Peer-to-Peer comme les clients Torrent.
+
+??? success "Clients Mobile"
+
+ En plus de fournir des fichiers de configuration OpenVPN standard, Proton VPN dispose de clients mobiles pour [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), et [GitHub](https://github.com/ProtonVPN/android-app/releases) permettant de se connecter facilement à leurs serveurs.
+
+??? info "Fonctionnalités supplémentaires"
+
+ Les clients VPN de Proton prennent en charge l'authentification à deux facteurs sur toutes les plateformes, sauf Linux pour le moment. Proton VPN possède ses propres serveurs et centres de données en Suisse, en Islande et en Suède. Ils proposent le blocage des publicités et des domaines de logiciels malveillants connus avec leur service DNS. De plus, Proton VPN propose également des serveurs "Tor" vous permettant de vous connecter facilement aux sites oignon, mais nous vous recommandons toujours fortement d'utiliser [le navigateur officiel Tor](https://www.torproject.org/fr/) à cet effet.
+
+!!! danger "La fonction Killswitch ne fonctionne pas sur les Macs à processeur Intel".
+
+ Des crashs système [peuvent se produire](https://protonvpn.com/support/macos-t2-chip-kill-switch/) sur les Macs basés sur Intel lors de l'utilisation du killswitch VPN. Si vous avez besoin de cette fonction, et que vous utilisez un Mac avec un chipset Intel, vous devriez envisager d'utiliser un autre service VPN.
+
+### IVPN
+
+!!! recommendation
+
+ ![Logo IVPN](assets/img/vpn/ivpn.svg){ align=right }
+
+ **IVPN** est un autre fournisseur de VPN premium, et il est en activité depuis 2009. IVPN est basé à Gibraltar.
+
+ [:octicons-home-16: Page d'accueil](https://www.ivpn.net/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Code source" }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-android: Android](https://www.ivpn.net/apps-android/)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683)
+ - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/)
+ - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/)
+ - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/)
+
+??? success annotate "35 Pays"
+
+ IVPN possède [des serveurs dans 35 pays](https://www.ivpn.net/server-locations) (1). En choisissant un fournisseur de VPN dont le serveur est le plus proche de vous vous réduirez la latence du trafic réseau que vous envoyez. Cela est dû à un itinéraire plus court (moins de sauts) vers la destination.
+
+ Nous pensons également qu'il est préférable pour la sécurité des clés privées du fournisseur de VPN qu'il utilise des [serveurs dédiés](https://en.wikipedia.org/wiki/Dedicated_hosting_service), plutôt que des solutions partagées moins chères (avec d'autres clients) telles que les [serveurs privés virtuels](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. En date du 2022-09-16
+
+??? success "Audités de manière indépendante"
+
+ IVPN a fait l'objet d'un [audit de non-journalisation de Cure53](https://cure53.de/audit-report_ivpn.pdf) qui s'est conclu en accord avec la déclaration de non-journalisation d'IVPN. IVPN a également réalisé un [rapport complet de tests de pénétration par Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) en janvier 2020. IVPN a également déclaré qu'il prévoyait de publier des [rapports annuels](https://www.ivpn.net/blog/independent-security-audit-concluded) à l'avenir. Une autre étude a été réalisée [en avril 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) et a été fournie par Cure53 [sur leur site web](https://cure53.de/pentest-report_IVPN_2022.pdf).
+
+??? success "Clients Open Source"
+
+ Depuis février 2020 [les applications IVPN sont désormais open source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Le code source peut être obtenu auprès de leur [organisation GitHub](https://github.com/ivpn).
+
+??? success "Accepte l'Argent Liquide et le Monero"
+
+ En plus d'accepter les cartes de crédit/débit et PayPal, IVPN accepte le Bitcoin, le **Monero** et **l'argent liquide/la monnaie locale** (sur les plans annuels) comme formes de paiement anonymes.
+
+??? success "Supporte WireGuard"
+
+ IVPN supporte le protocole WireGuard®. [WireGuard](https://www.wireguard.com) est un protocole plus récent qui utilise de la [cryptographie](https://www.wireguard.com/protocol/) de pointe. De plus, WireGuard vise à être plus simple et plus performant.
+
+ IVPN [recommande](https://www.ivpn.net/wireguard/) l'utilisation de WireGuard avec leur service et, de ce fait, ce protocole est le protocole par défaut sur toutes les applications d'IVPN. IVPN propose également un générateur de configuration WireGuard à utiliser avec l'[application](https://www.wireguard.com/install/) officielle WireGuard.
+
+??? success "Redirection de Port Distant"
+
+ La [redirection de port](https://fr.wikipedia.org/wiki/Redirection_de_port) distants est possible avec une offre Pro. La redirection de port [peut être activée](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via l'espace client. La redirection de port n'est disponible sur IVPN que lorsque l'on utilise les protocoles WireGuard ou OpenVPN et est [désactivée sur les serveurs US](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html).
+
+??? success "Clients Mobile"
+
+ En plus de fournir des fichiers de configuration OpenVPN standard, IVPN dispose de clients mobiles pour [App Store] (https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play] (https://play.google.com/store/apps/details?id=net.ivpn.client), et [GitHub](https://github.com/ivpn/android-app/releases) permettant de se connecter facilement à leurs serveurs.
+
+??? info "Fonctionnalités supplémentaires"
+
+ Les clients IVPN prennent en charge l'authentification à deux facteurs (les clients de Mullvad ne le font pas). IVPN offre également la fonctionnalité "[AntiTraqueurs](https://www.ivpn.net/antitracker)", qui bloque les réseaux publicitaires et les trackers au niveau du réseau.
+
+### Mullvad
+
+!!! recommendation
+
+ ![Logo Mullvad](assets/img/vpn/mullvad.svg){ align=right }
+
+ **Mullvad** est un VPN rapide et peu coûteux qui met l'accent sur la transparence et la sécurité. Ils sont en activité depuis **2009**. Mullvad est basé en Suède et n'a pas de période d'essai gratuit.
+
+ [:octicons-home-16: Page d'accueil](https://mullvad.net){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Politique de confidentialité" }
+ [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Code source" }
+
+ ??? downloads "Téléchargements"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513)
+ - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases)
+ - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/)
+ - [:simple-apple: macOS](https://mullvad.net/en/download/macos/)
+ - [:simple-linux: Linux](https://mullvad.net/en/download/linux/)
+
+??? success annotate "41 Pays"
+
+ Mullvad possède [des serveurs dans 41 pays](https://mullvad.net/servers/) (1). En choisissant un fournisseur de VPN dont le serveur est le plus proche de vous vous réduirez la latence du trafic réseau que vous envoyez. Cela est dû à un itinéraire plus court (moins de sauts) vers la destination.
+
+ Nous pensons également qu'il est préférable pour la sécurité des clés privées du fournisseur de VPN qu'il utilise des [serveurs dédiés](https://en.wikipedia.org/wiki/Dedicated_hosting_service), plutôt que des solutions partagées moins chères (avec d'autres clients) telles que les [serveurs privés virtuels](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. En date du 2023-01-19
+
+??? success "Audités de manière indépendante"
+
+ Les clients VPN de Mullvad ont été audités par Cure53 et Assured AB dans un rapport de test de pénétration [publié sur cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). Les chercheurs en sécurité ont conclu :
+
+ > Cure53 et Assured AB sont satisfaits des résultats de l'audit et le logiciel laisse une impression globalement positive. Grâce au dévouement de l'équipe interne du complexe du VPN Mullvad, les testeurs n'ont aucun doute sur le fait que le projet est sur la bonne voie du point de vue de la sécurité.
+
+ En 2020, un deuxième audit [a été annoncé](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) et le [rapport d'audit final](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) a été mis à disposition sur le site internet de Cure53 :
+
+ > Les résultats de ce projet de mai-juin 2020 ciblant le complexe Mullvad sont plutôt positifs. [...] L'écosystème applicatif utilisé par Mullvad laisse une impression solide et structurée. La structure globale de l'application permet de déployer facilement des correctifs et corrections de manière structurée. Plus que tout, les résultats repérés par Cure53 montrent l'importance d'un audit et d'une réévaluation constante des vecteurs de fuite actuels, afin de toujours garantir la confidentialité des utilisateurs finaux. Ceci étant dit, Mullvad fait un excellent travail en protégeant l'utilisateur final contre les fuites courantes de DCP et les risques liés à la confidentialité.
+
+ En 2021, un audit des infrastructures [a été annoncé] (https://mullvad.net/fr/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) et le [rapport d'audit final] (https://cure53.de/pentest-report_mullvad_2021_v1.pdf) a été mis à disposition sur le site web de Cure53. Un autre rapport a été commandé [en juin 2022](https://mullvad.net/fr/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) et est disponible sur [le site web d'Assured](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf).
+
+??? success "Clients Open Source"
+
+ Mullvad fournit le code source de ses clients de bureau et mobiles dans son [organisation GitHub](https://github.com/mullvad/mullvadvpn-app).
+
+??? success "Accepte l'Argent Liquide et le Monero"
+
+ Mullvad, en plus d'accepter les cartes de crédit/débit et PayPal, accepte le Bitcoin, le Bitcoin Cash, le **Monero** et le **liquide/monnaie locale** comme formes de paiement anonyme. Ils acceptent également Swish et les virements bancaires.
+
+??? success "Supporte WireGuard"
+
+ Mullvad prend en charge le protocole WireGuard®. [WireGuard](https://www.wireguard.com) est un protocole plus récent qui utilise de la [cryptographie](https://www.wireguard.com/protocol/) de pointe. De plus, WireGuard vise à être plus simple et plus performant.
+
+ Mullvad [recommande](https://mullvad.net/fr/help/why-wireguard/) l'utilisation de WireGuard avec leur service. Il s'agit du seul protocole ou celui par défaut sur les applications Android, iOS, macOS et Linux de Mullvad, mais sous Windows, vous devez l'[activer manuellement](https://mullvad.net/fr/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad propose également un générateur de configuration WireGuard à utiliser avec l'[application](https://www.wireguard.com/install/) officielle WireGuard.
+
+??? success "Supporte IPv6"
+
+ Mullvad soutient l'avenir du réseau [IPv6](https://en.wikipedia.org/wiki/IPv6). Leur réseau vous permet [d'accéder à des services hébergés sur IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/), contrairement à d'autres fournisseurs qui bloquent les connexions IPv6.
+
+??? success "Redirection de Port Distant"
+
+ La [redirection de port] à distance (https://en.wikipedia.org/wiki/Port_forwarding) est autorisée pour les personnes qui effectuent des paiements ponctuels, mais pas pour les comptes ayant un mode de paiement récurrent ou par abonnement. Ceci afin d'empêcher Mullvad de pouvoir vous identifier sur la base de votre utilisation du port et des informations d'abonnement stockées. Voir [Redirection de port avec Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) pour plus d'informations.
+
+??? success "Clients Mobile"
+
+ Mullvad a publié des clients [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) et [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn), qui prennent tous deux en charge une interface facile à utiliser, au lieu de vous demander de configurer manuellement votre connexion WireGuard. Le client Android est également disponible sur [GitHub](https://github.com/mullvad/mullvadvpn-app/releases).
+
+??? info "Fonctionnalités supplémentaires"
+
+ Mullvad est très transparent quant aux nœuds qu'il [possède ou loue](https://mullvad.net/en/servers/). Ils utilisent [ShadowSocks](https://shadowsocks.org) dans leur configuration ShadowSocks OpenVPN, ce qui les rend plus résistants aux pare-feu avec l'[Inspection Approfondie des Paquets](https://en.wikipedia.org/wiki/Deep_packet_inspection) qui tentent de bloquer les VPN. Supposément, [la Chine doit utiliser une méthode différente pour bloquer les serveurs ShadowSocks](https://github.com/net4people/bbs/issues/22). Le site web de Mullvad est également accessible via Tor à l'adresse [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion).
+
+## Critères
+
+!!! danger "Danger"
+
+ Il est important de noter que l'utilisation d'un fournisseur VPN ne vous rendra pas anonyme, mais qu'elle vous permettra de mieux protéger votre vie privée dans certaines situations. Un VPN n'est pas un outil pour des activités illégales. Ne vous fiez pas à une politique de "non-journalisation".
+
+Nous exigeons de tous nos fournisseurs VPN recommandés qu'ils fournissent des fichiers de configuration OpenVPN utilisables dans n'importe quel client. **Si** un VPN fournit son propre client personnalisé, nous exigeons un killswitch pour bloquer les fuites de données du réseau lors de la déconnexion. Nous vous suggérons de vous familiariser avec cette liste avant de choisir un fournisseur VPN, et de mener vos propres recherches pour vous assurer que le fournisseur VPN que vous choisissez est le plus digne de confiance possible.
+
+### Technologie
+
+Nous exigeons de tous nos fournisseurs VPN recommandés qu'ils fournissent des fichiers de configuration OpenVPN utilisables dans n'importe quel client. **Si** un VPN fournit son propre client personnalisé, nous exigeons un killswitch pour bloquer les fuites de données du réseau lors de la déconnexion.
+
+**Le Meilleur Cas:**
+
+- Prise en charge de protocoles forts tels que WireGuard & OpenVPN.
+- Killswitch intégré dans les clients.
+- Support multi-sauts. Le multi-sauts est important pour garder les données privées en cas de compromission d'un seul noeud.
+- Si des clients VPN sont fournis, ils doivent être [open source](https://en.wikipedia.org/wiki/Open_source), comme le logiciel VPN qui y est généralement intégré. Nous pensons que la disponibilité du [code source](https://en.wikipedia.org/wiki/Source_code) offre une plus grande transparence sur ce que fait réellement votre appareil.
+
+**Dans le meilleur des cas :**
+
+- Prise en charge de WireGuard et d'OpenVPN.
+- Killswitch avec des options hautement configurables (activer/désactiver sur certains réseaux, au démarrage, etc.)
+- Clients VPN faciles à utiliser
+- Supporte [IPv6](https://en.wikipedia.org/wiki/IPv6). Nous nous attendons à ce que les serveurs autorisent les connexions entrantes via IPv6 et vous permettent d'accéder aux services hébergés sur des adresses IPv6.
+- La capacité de [redirection de port à distance](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) aide à créer des connexions lors de l'utilisation de logiciels de partage de fichiers P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)), de Freenet ou de l'hébergement d'un serveur (par exemple, Mumble).
+
+### Confidentialité
+
+Nous préférons que nos prestataires recommandés collectent le moins de données possible. Ne pas recueillir de renseignements personnels sur l'inscription et accepter des modes de paiement anonymes sont requis.
+
+**Le Meilleur Cas:**
+
+- Option de paiement en Monero ou en espèces.
+- Aucune information personnelle requise pour s'inscrire : Seuls le nom d'utilisateur, le mot de passe et l'e-mail sont requis.
+
+**Dans le meilleur des cas :**
+
+- Accepte Monero, espèces et autres formes d'options de paiement anonymes (cartes-cadeaux, etc.)
+- Aucune information personnelle acceptée (nom d'utilisateur généré automatiquement, pas d'e-mail requis, etc.)
+
+### Sécurité
+
+Un VPN est inutile s'il ne peut même pas fournir une sécurité adéquate. Nous exigeons de tous nos fournisseurs recommandés qu'ils respectent les normes de sécurité en vigueur pour leurs connexions OpenVPN. Idéalement, ils utiliseraient par défaut des schémas de chiffrement plus évolutifs. Nous exigeons également qu'un tiers indépendant procède à un audit de la sécurité du fournisseur, idéalement de manière très complète et de manière répétée (chaque année).
+
+**Le Meilleur Cas:**
+
+- Schémas de chiffrement forts : OpenVPN avec authentification SHA-256 ; poignée de main RSA-2048 ou mieux ; chiffrage des données AES-256-GCM ou AES-256-CBC.
+- Confidentialité Persistante (PFS).
+- Des audits de sécurité publiés par une société tierce réputée.
+
+**Dans le meilleur des cas :**
+
+- Chiffrement le plus fort : RSA-4096.
+- Confidentialité Persistante (PFS).
+- Des audits de sécurité complets publiés par une société tierce réputée.
+- Des programmes de primes aux bugs et/ou un processus coordonné de divulgation des vulnérabilités.
+
+### Confiance
+
+Vous ne confieriez pas vos finances à une personne ayant une fausse identité, alors pourquoi lui confier vos données internet ? Nous exigeons de nos fournisseurs recommandés qu'ils rendent public leur propriété ou leur direction. Nous aimerions également voir des rapports de transparence fréquents, notamment en ce qui concerne la manière dont les demandes de gouvernement sont traitées.
+
+**Le Meilleur Cas:**
+
+- Une direction ou un propriétaire public.
+
+**Dans le meilleur des cas :**
+
+- Une direction publique.
+- Rapports de transparence fréquents.
+
+### Marketing
+
+Avec les fournisseurs de VPN que nous recommandons, nous aimons voir un marketing responsable.
+
+**Le Meilleur Cas:**
+
+- Doit héberger lui-même ses outils d'analyse de traffic (pas de Google Analytics, etc.). Le site du fournisseur doit également se conformer à [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) pour les personnes qui souhaitent se désinscrire.
+
+Ne doit pas avoir de marketing irresponsable :
+
+- Garantir la protection de l'anonymat à 100%. Lorsque quelqu'un prétend que quelque chose est à 100%, cela signifie qu'il n'y a aucune certitude d'échec. Nous savons que les gens peuvent assez facilement se désanonymiser de plusieurs façons, par exemple :
+ - Réutiliser des informations personnelles (par exemple, des comptes de messagerie, des pseudonymes uniques, etc.) auxquelles ils ont accédé sans logiciel d'anonymat (Tor, VPN, etc.)
+ - [Empreinte digitale des navigateurs](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+- Affirmer qu'un seul circuit VPN est « plus anonyme » que Tor, qui est un circuit de 3 sauts ou plus qui change régulièrement.
+- Utilisez un langage responsable, par exemple, il est acceptable de dire qu'un VPN est "déconnecté" ou "non connecté", mais dire qu'une personne est "exposée", "vulnérable" ou "compromise" est une utilisation inutile d'un langage alarmant qui peut être incorrect. Par exemple, cette personne peut simplement être sur le service d'un autre fournisseur de VPN ou utiliser Tor.
+
+**Dans le meilleur des cas :**
+
+Un marketing responsable qui est à la fois éducatif et utile au consommateur pourrait inclure :
+
+- Une comparaison précise pour savoir quand utiliser Tor ou d'autres [réseaux autonomes](tor.md) .
+- Disponibilité du site web du fournisseur VPN sur un [Service caché](https://en.wikipedia.org/wiki/.onion) .onion
+
+### Fonctionnalités Supplémentaires
+
+Bien qu'il ne s'agisse pas d'exigences strictes, nous avons tenu compte de certains facteurs pour déterminer les fournisseurs à recommander. Ceux-ci incluent la fonctionnalité de blocage des publicités/traqueurs, les canaris de mandats, les connexions multi-sauts, un excellent support client, le nombre de connexions simultanées autorisées, etc.
+
+--8<-- "includes/abbreviations.fr.txt"
diff --git a/i18n/he/404.md b/i18n/he/404.md
new file mode 100644
index 00000000..a7b2c89f
--- /dev/null
+++ b/i18n/he/404.md
@@ -0,0 +1,17 @@
+---
+hide:
+ - feedback
+---
+
+# 404 - לא נמצא
+
+לא מצאנו את העמוד שחיפשת! אולי חיפשת אחד כזה?
+
+- [מבוא למודל איומים](basics/threat-modeling.md)
+- [ספקי DNS מומלצים](dns.md)
+- [דפדפני האינטרנט הטובים ביותר לשולחן העבודה](desktop-browsers.md)
+- [ספקי ה-VPN הטובים ביותר](vpn.md)
+- [פורום Privacy Guides](https://discuss.privacyguides.net)
+- [הבלוג שלנו](https://blog.privacyguides.org)
+
+--8<-- "includes/abbreviations.he.txt"
diff --git a/i18n/he/CODE_OF_CONDUCT.md b/i18n/he/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..88a0e910
--- /dev/null
+++ b/i18n/he/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@
+# Community Code of Conduct
+
+**We pledge** to make our community a harassment-free experience for everyone.
+
+**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others.
+
+**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment.
+
+## Community Standards
+
+What we expect from members of our communities:
+
+1. **Don't spread misinformation**
+
+ We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence.
+
+1. **Don't abuse our willingness to help**
+
+ Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/).
+
+1. **Behave in a positive and constructive manner**
+
+ Examples of behavior that contributes to a positive environment for our community include:
+
+ - Demonstrating empathy and kindness toward other people
+ - Being respectful of differing opinions, viewpoints, and experiences
+ - Giving and gracefully accepting constructive feedback
+ - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+ - Focusing on what is best not just for us as individuals, but for the overall community
+
+### Unacceptable Behavior
+
+The following behaviors are considered harassment and are unacceptable within our community:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Scope
+
+Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities.
+
+We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion.
+
+### Contact
+
+If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system.
+
+If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
diff --git a/i18n/he/about/criteria.md b/i18n/he/about/criteria.md
new file mode 100644
index 00000000..8faaa12d
--- /dev/null
+++ b/i18n/he/about/criteria.md
@@ -0,0 +1,42 @@
+---
+title: קריטריונים כלליים
+---
+
+!!! example "עבודה בתהליך"
+
+ העמוד הבא הוא עבודה בתהליך ואינו משקף את הקריטריונים המלאים להמלצות שלנו בשלב זה. דיון עבר בנושא זה: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24)
+
+להלן כמה דברים שחייבים לחול על כל ההגשות ל-Privacy Guides. לכל קטגוריה יהיו דרישות נוספות להכללה.
+
+## גילוי פיננסי נאות
+
+איננו מרוויחים כסף מהמלצה על מוצרים מסוימים, איננו משתמשים בקישורי שותפים, ואיננו נותנים התחשבות מיוחדת לתורמי הפרויקט.
+
+## הנחיות כלליות
+
+אנו מיישמים את סדרי העדיפויות הבאים כאשר אנו שוקלים המלצות חדשות:
+
+- **מאובטח**: על הכלים לפעול לפי שיטות אבטחה מומלצות בכל מקום שניתן.
+- **זמינות מקור**: פרויקטי קוד פתוח מועדפים בדרך כלל על פני חלופות קנייניות שוות.
+- **חוצה פלטפורמות**: בדרך כלל אנו מעדיפים שההמלצות יהיו חוצות פלטפורמות, כדי למנוע נעילת ספקים.
+- **פיתוח פעיל**: את הכלים שאנו ממליצים עליהם לפתח באופן פעיל, פרויקטים לא מתוחזקים יוסרו ברוב המקרים.
+- **שימושיות**: כלים צריכים להיות נגישים לרוב משתמשי המחשב, אין צורך ברקע טכני יתר על המידה.
+- **מתועד**: לכלים צריך להיות תיעוד ברור ונרחב לשימוש.
+
+## הגשות עצמיות של מפתחים
+
+יש לנו דרישות אלה לגבי מפתחים שרוצים להגיש את הפרויקט או התוכנה שלהם לשיקול.
+
+- חייב לחשוף את ההשתייכות, כלומר את עמדתך בפרויקט המוגש.
+
+- חייב להיות מסמך לבן אבטחה אם מדובר בפרויקט הכולל טיפול במידע רגיש כמו מסנג'ר, מנהל סיסמאות, אחסון מוצפן בענן וכו'.
+ - סטטוס ביקורת של צד שלישי. אנחנו רוצים לדעת אם יש לך אחד, או שיש לך אחד מתוכנן. במידת האפשר נא לציין מי יבצע את הביקורת.
+
+- חייב להסביר מה הפרויקט מביא לשולחן בכל הנוגע לפרטיות.
+ - האם זה פותר בעיה חדשה כלשהי?
+ - למה שמישהו ישתמש בזה על פני האלטרנטיבות?
+
+- חייבים לציין מהו מודל האיום המדויק עם הפרויקט שלהם.
+ - למשתמשים פוטנציאליים צריך להיות ברור מה הפרויקט יכול לספק ומה לא.
+
+--8<-- "includes/abbreviations.he.txt"
diff --git a/i18n/he/about/donate.md b/i18n/he/about/donate.md new file mode 100644 index 00000000..7a9cba6a --- /dev/null +++ b/i18n/he/about/donate.md 
@@ -0,0 +1,52 @@ +--- +title: תמיכה בנו +--- + + +נדרשים הרבה [אנשים](https://github.com/privacyguides/privacyguides.org/graphs/contributors) ו[עבודה](https://github.com/privacyguides/privacyguides.org/pulse/monthly) כדי לעדכן את Privacy Guides ולהפיץ את הבשורה על פרטיות ומעקב המוני. אם אתה אוהב את מה שאנחנו עושים, שקול להיות מעורב על ידי [עריכת האתר](https://github.com/privacyguides/privacyguides.org) או [תרומה בתרגום](https://crowdin.com/project/privacyguides). + +אם אתה רוצה לתמוך בנו כלכלית, השיטה הנוחה ביותר עבורנו היא תרומה באמצעות Open Collective, אתר אינטרנט המופעל על ידי המארח הפיסקאלי שלנו. Open Collective מקבל תשלומים באמצעות כרטיס אשראי/חיוב, PayPal והעברות בנקאיות. + +[לתרומה ב - OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +תרומות שנעשו ישירות אלינו ב-Open Collective ניתנות לניכוי מס בדרך כלל בארה"ב, מכיוון שהמארח הפיסקאלי שלנו (The Open Collective Foundation) הוא ארגון רשום 501(c)3. לאחר התרומה תקבלו קבלה מקרן הקולקטיב הפתוח. Privacy Guides אינם מספקים ייעוץ פיננסי, ועליכם ליצור קשר עם יועץ המס שלכם כדי לברר אם זה חל עליכם. + +אם אתה כבר עושה שימוש בחסויות GitHub, אתה יכול גם לתת חסות לארגון שלנו שם. + +[תנו לנו חסות ב-GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## תומכים + +תודה מיוחדת לכל אלה שתומכים במשימה שלנו! :heart: + +*שימו לב: סעיף זה טוען ווידג'ט ישירות מ-Open Collective. סעיף זה אינו משקף תרומות שניתנו מחוץ לקולקטיב הפתוח, ואין לנו שליטה על התורמים הספציפיים המופיעים בסעיף זה.* + + + +## כיצד אנו משתמשים בתרומות + +Privacy Guides הוא ארגון **ללא מטרות רווח **. אנו משתמשים בתרומות למגוון מטרות, כולל: + +**רישומי דומיין** +: + +יש לנו כמה שמות דומיין כמו `privacyguides.org` שעולים לנו בסביבות 10 דולר בשנה כדי לשמור על הרישום שלהם. + +**אחסון אתרים** +: + +התנועה לאתר זה משתמשת במאות גיגה-בייט של נתונים בחודש, אנו משתמשים במגוון ספקי שירותים כדי לעמוד בקצב התנועה הזו. 
+ +**שירותים מקוונים** +: + +אנו מארחים [שירותי אינטרנט](https://privacyguides.net) לבדיקה והצגה של מוצרי פרטיות שונים שאנחנו אוהבים ו[ממליצים](../tools.md) עליהם. חלקם זמינים לציבור לשימוש הקהילה שלנו (SearXNG, Tor וכו '), וחלקם מסופקים עבור חברי הצוות שלנו (דוא"ל וכו '). + +**רכישת מוצרים** +: + +מדי פעם אנו רוכשים מוצרים ושירותים לצורך בדיקת [הכלים המומלצים שלנו](../tools.md). + +אנחנו עדיין עובדים עם המארח הפיסקאלי שלנו (הקרן הקולקטיבית הפתוחה) כדי לקבל תרומות של מטבעות קריפטוגרפיים, כרגע החשבונאות אינה אפשרית להרבה עסקאות קטנות יותר, אבל זה אמור להשתנות בעתיד. בינתיים, אם ברצונך לבצע תרומה גדולה (> $100) של מטבע מוצפן, אנא צור קשר עם [jonah@privacyguides.org](mailto:jonah@privacyguides.org). + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/about/index.md b/i18n/he/about/index.md new file mode 100644 index 00000000..5e70b81c --- /dev/null +++ b/i18n/he/about/index.md 
@@ -0,0 +1,63 @@ +--- +title: "אודות Privacy Guides" +--- + +**Privacy Guides** הוא אתר בעל מוטיבציה חברתית המספק מידע להגנה על אבטחת הנתונים ופרטיותך. אנחנו קולקטיב ללא מטרות רווח המופעל כולו על ידי [חברי צוות](https://discuss.privacyguides.net/g/team) מתנדבים ותורמים. + +[:material-hand-coin-outline: תמכו בפרויקט](donate.md ""){.md-button.md-button--primary} + +## הצוות שלנו + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: דף הבית](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: אימייל](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: אימייל](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: דף הבית](https://freddy.omg.lol) + +??? 
person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: דף הבית](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +בנוסף, [אנשים רבים](https://github.com/privacyguides/privacyguides.org/graphs/contributors) תרמו לפרויקט. גם אתה יכול, אנחנו בקוד פתוח ב-GitHub! + +חברי הצוות שלנו בודקים את כל השינויים שבוצעו באתר ומטפלים בתפקידים אדמיניסטרטיביים כגון אירוח אתרים ופיננסים, אולם הם אינם מרוויחים באופן אישי מכל תרומה כלשהי לאתר זה. הדוחות הכספיים שלנו מתארחים באופן שקוף על ידי Open Collective Foundation 501(c)( 3) בכתובת [opencollective.com/privacyguides](https://opencollective.com/privacyguides). תרומות ל-Privacy Guides ניתנות לניכוי מס בדרך כלל בארצות הברית. + +## רישיון אתר + +*להלן סיכום הניתן לקריאה על ידי אדם (ולא תחליף ל) [הרישיון](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):* + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: אלא אם צוין אחרת, התוכן המקורי באתר זה זמין תחת [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). משמעות הדבר היא שאתה חופשי להעתיק ולהפיץ מחדש את החומר בכל מדיום או פורמט לכל מטרה, אפילו מסחרית; כל עוד אתה נותן קרדיט מתאים ל`Privacy Guides (www.privacyguides.org)` ומספק קישור לרישיון. אתה רשאי לעשות זאת בכל דרך סבירה, אך לא בכל דרך שמציעה שPrivacy Guides מאשרים אותך או את השימוש שלך. אם תערבב מחדש, תשנה או תבנה על התוכן של אתר זה, אינך רשאי להפיץ את החומר שהשתנה. 
+ +רישיון זה נועד למנוע מאנשים לחלוק את עבודתנו מבלי לתת קרדיט מתאים, וכדי למנוע מאנשים לשנות את העבודה שלנו באופן שעלול לשמש כדי להטעות אנשים. אם אתה מוצא את התנאים של רישיון זה מגבילים מדי עבור הפרויקט שאתה עובד עליו, אנא פנה אלינו בכתובת `jonah@privacyguides.org`. אנו שמחים לספק אפשרויות רישוי חלופיות לפרויקטים בעלי כוונות טובות במרחב הפרטיות! + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/about/notices.md b/i18n/he/about/notices.md new file mode 100644 index 00000000..6046549b --- /dev/null +++ b/i18n/he/about/notices.md 
@@ -0,0 +1,45 @@ +--- +title: "הודעות וכתבי ויתור" +hide: + - toc +--- + +## הצהרה משפטית + +Privacy Guides אינו משרד עורכי דין. ככזה, אתר Privacy Guides והתורמים אינם מספקים ייעוץ משפטי. החומר וההמלצות באתר ובמדריכים שלנו אינם מהווים ייעוץ משפטי ואף לא תרומה לאתר או תקשורת עם מדריכי פרטיות או תורמים אחרים על האתר שלנו יוצרים יחסי עורך דין-לקוח. + +הפעלת אתר זה, כמו כל מאמץ אנושי, כרוכה בחוסר ודאות ובפשרות. אנו מקווים שהאתר הזה יעזור, אבל הוא עשוי לכלול טעויות ולא יכול לטפל בכל מצב. אם יש לך שאלות כלשהן לגבי מצבך, אנו ממליצים לך לעשות מחקר משלך, לחפש מומחים אחרים ולהשתתף בדיונים עם קהילת Privacy Guides. אם יש לך שאלות משפטיות, עליך להתייעץ עם היועץ המשפטי שלך לפני שתמשיך הלאה. + +Privacy Guides הוא פרויקט קוד פתוח שנתרם לו תחת רישיונות הכוללים תנאים שלצורך הגנה על האתר והתורמים לו, מבהירים שהפרויקט ואתר מדריכי הפרטיות מוצעים "כפי שהם", ללא אחריות, ומתנערים מאחריות עבור נזקים הנובעים משימוש באתר או כל המלצות הכלולות בו. Privacy Guides אינם מתחייבים או מציגים מצגים כלשהם בנוגע לדיוק, התוצאות הסבירות או המהימנות של השימוש בחומרים באתר או הקשורים אחרת לחומרים כאלה באתר או באתרי צד שלישי כלשהם המקושרים באתר זה. + +Privacy Guides בנוסף אינם מתחייבים כי אתר זה יהיה זמין כל הזמן, או זמין בכלל. + +## רישיונות + +אלא אם צוין אחרת, כל התוכן באתר זה זמין תחת התנאים של [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). + +זה לא כולל קוד של צד שלישי המוטמע במאגר זה, או קוד שבו צוין אחרת רישיון מחליף. להלן דוגמאות בולטות, אך ייתכן שרשימה זו אינה כוללת: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) מורשה תחת רישיון [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). + +חלקים מההודעה הזו עצמה אומצו מ [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) ב- GitHub. 
משאב זה והדף עצמו משוחררים תחת [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE). + +משמעות הדבר היא שאתה יכול להשתמש בתוכן הניתן לקריאה על ידי אדם במאגר זה עבור הפרויקט שלך, לפי התנאים המפורטים בטקסט של Creative Commons Attribution-NoDerivatives 4.0 International Public License. אתה רשאי לעשות זאת בכל דרך סבירה, אך לא בכל דרך שמציעה שPrivacy Guides מאשרים אותך או את השימוש שלך. **אינך רשאי** להשתמש במיתוג Privacy Guides בפרויקט שלך ללא אישור מפורש מפרויקט זה. סימני המסחר של המותג של מדריכי הפרטיות כוללים את סימן המילה "Privacy Guides" ואת לוגו המגן. + +אנו מאמינים שסמלי הלוגו ותמונות אחרות ב`נכסים` המתקבלים מספקי צד שלישי הם נחלת הכלל או ב**שימוש הוגן**. על קצה המזלג, [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) החוקית יכולה להשתמש בתמונות המוגנות בזכויות יוצרים על מנת לזהות את הנושא לצורך הערות הציבור. עם זאת, ייתכן שסמלים אלה ותמונות אחרות עדיין יהיו כפופות לחוקי סימנים מסחריים בתחומי שיפוט אחד או יותר. לפני השימוש בתוכן זה, אנא ודא שהוא משמש לזיהוי הישות או הארגון המחזיקים בסימן המסחרי וכי יש לך את הזכות להשתמש בו לפי החוקים החלים בנסיבות השימוש המיועד שלך. *בעת העתקת תוכן מאתר זה, אתה האחראי הבלעדי לוודא שאינך מפר סימן מסחרי או זכויות יוצרים של מישהו אחר.* + +כאשר אתה תורם למאגר זה אתה עושה זאת תחת הרישיונות הנ"ל, ואתה מעניק לPrivacy Guides רישיון תמידי, כלל עולמי, לא בלעדי, ניתן להעברה, ללא תמלוגים, בלתי חוזר עם הזכות לתת רישיון משנה לזכויות כאלה באמצעות שכבות מרובות של בעלי רישיונות משנה, לשכפל, לשנות, להציג, לבצע ולהפיץ את התרומה שלך כחלק מהפרויקט שלנו. + +## שימוש מקובל + +אין להשתמש באתר זה בכל דרך שגורמת או עלולה לגרום נזק לאתר או פגיעה בזמינות או נגישותם של מדריכי הפרטיות, או בכל דרך שהיא בלתי חוקית, בלתי חוקית, הונאה, מזיקה, או בקשר לכל לא חוקי, מטרה או פעילות בלתי חוקית, הונאה או מזיקה. 
+ +אין לערוך פעילויות איסוף נתונים שיטתיות או אוטומטיות באתר זה או ביחס אליו ללא הסכמה מפורשת בכתב, לרבות: + +* סריקות אוטומטיות מוגזמות +* התקפות מניעת שירות +* גירוד +* כריית נתונים +* 'מסגור' (IFrames) + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/about/privacy-policy.md b/i18n/he/about/privacy-policy.md new file mode 100644 index 00000000..d04ce5ff --- /dev/null +++ b/i18n/he/about/privacy-policy.md 
@@ -0,0 +1,63 @@ +--- +title: "מדיניות פרטיות" +--- + +Privacy Guides הוא פרויקט קהילתי המופעל על ידי מספר תורמים מתנדבים פעילים. הרשימה הציבורית של חברי הצוות נמצא [ב - GitHub](https://github.com/orgs/privacyguides/people). + +## נתונים שאנו אוספים ממבקרים + +הפרטיות של המבקרים באתר שלנו חשובה לנו, לכן איננו עוקבים אחר אנשים בודדים. כמבקר באתר שלנו: + +- לא נאסף מידע אישי +- לא מאוחסן בדפדפן מידע כגון עוגיות +- אין מידע משותף עם, שנשלח או נמכר לצדדים שלישיים +- אין שיתוף מידע עם חברות פרסום +- שום מידע לא נכרה ונקצר עבור מגמות אישיות והתנהגותיות +- שום מידע אינו מפיק רווחים + +תוכל לצפות בנתונים שאנו אוספים בדף ה[סטטיסטיקה](statistics.md) שלנו. + +אנו מפעילים התקנה באחסון עצמי של [Plausible Analytics](https://plausible.io) כדי לאסוף נתוני שימוש אנונימיים למטרות סטטיסטיות. המטרה היא לעקוב אחר מגמות כוללות בתנועה באתר שלנו, זה לא לעקוב אחר מבקרים בודדים. כל הנתונים הם במצטבר בלבד. לא נאספים נתונים אישיים. + +הנתונים שנאספו כוללים את מקורות ההפניה, הדפים העליונים, משך הביקור, מידע מהמכשירים (סוג המכשיר, מערכת ההפעלה, המדינה והדפדפן) שבהם נעשה שימוש במהלך הביקור ועוד. ניתן לקבל מידע נוסף על האופן שבו מתקבל על הדעת ואוסף מידע באופן שמכבד פרטיות [כאן](https://plausible.io/data-policy). + +## נתונים שאנו אוספים מבעלי חשבונות + +באתרים ובשירותים מסוימים שאנו מספקים, תכונות רבות עשויות לדרוש חשבון. לדוגמה, ייתכן שחשבון יידרש לפרסם ולהשיב לנושאים בפלטפורמת פורום. + +כדי להירשם לרוב החשבונות, נאסוף שם, שם משתמש, אימייל וסיסמה. במקרה שאתר דורש יותר מידע מאשר רק נתונים אלה, זה יסומן באופן ברור ויצוין בהצהרת פרטיות נפרדת לכל אתר. + +אנו משתמשים בנתוני החשבון שלך כדי לזהות אותך באתר וליצור דפים ספציפיים לך, כגון דף הפרופיל שלך. אנחנו גם נשתמש בנתוני החשבון שלך כדי לפרסם פרופיל ציבורי עבורך בשירותים שלנו. + +אנו משתמשים בדוא"ל שלך כדי: + +- להודיע לך על פוסטים ופעילות אחרת באתרים או בשירותים. +- אפס את הסיסמא שלך ועזור לשמור על אבטחת החשבון שלך. +- ליצור עמך קשר בנסיבות מיוחדות הקשורות לחשבון שלך. +- פנה אליך בנוגע לבקשות משפטיות, כגון בקשות הסרה של DMCA. 
+ +באתרים ובשירותים מסוימים תוכל לספק מידע נוסף עבור חשבונך, כגון ביוגרפיה קצרה, אווטאר, המיקום שלך או תאריך הלידה שלך. אנו הופכים מידע זה לזמין לכל מי שיכול לגשת לאתר או לשירות המדובר. מידע זה אינו נדרש כדי להשתמש באף אחד מהשירותים שלנו וניתן למחוק אותו בכל עת. + +אנו נאחסן את נתוני החשבון שלך כל עוד חשבונך יישאר פתוח. לאחר סגירת חשבון, אנו עשויים לשמור חלק מנתוני החשבון שלך או את כולם בצורה של גיבויים או ארכיונים למשך עד 90 יום. + +## יצירת קשר + +לצוות Privacy Guides אין בדרך כלל גישה לנתונים אישיים מחוץ לגישה מוגבלת הניתנת דרך חלק מלוחות הניהול. פניות בנוגע למידע האישי שלך יש לשלוח ישירות אל: + +```text +Jonah Aragon +מנהל שירותים +jonah@privacyguides.org +``` + +לכל השאלות האחרות, ניתן ליצור קשר עם כל חבר בצוות שלנו. + +עבור תלונות במסגרת GDPR באופן כללי יותר, אתה יכול להגיש תלונות לרשויות הפיקוח המקומיות על הגנת הנתונים שלך. בצרפת זו הנציבות הלאומית למידע אינפורמטיקה וחופשיות שמטפלת ומטפלת בתלונות. הם מספקים [תבנית מכתב תלונה](https://www.cnil.fr/en/plaintes) לשימוש. + +## אודות מדיניות זו + +אנו נפרסם גרסאות חדשות של הצהרה זו [כאן](privacy-policy.md). אנו עשויים לשנות את האופן שבו אנו מכריזים על שינויים בגרסאות עתידיות של מסמך זה. בינתיים אנו עשויים לעדכן את פרטי הקשר שלנו בכל עת מבלי להודיע על שינוי. אנא עיין ב[מדיניות הפרטיות](privacy-policy.md) לקבלת הפרטים העדכניים ביותר ליצירת קשר בכל עת. + +ניתן למצוא גרסה מלאה של [היסטוריה](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) של דף זה ב-GitHub. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/about/privacytools.md b/i18n/he/about/privacytools.md new file mode 100644 index 00000000..a5f82f35 --- /dev/null +++ b/i18n/he/about/privacytools.md 
@@ -0,0 +1,120 @@ +--- +title: "שאלות נפוצות PrivacyTools" +--- + +# למה עברנו מ - PrivacyTools + +בספטמבר 2021, כל תורם פעיל הסכים פה אחד לעבור מ- PrivacyTools לעבודה באתר זה: Privacy Guides. החלטה זו התקבלה מכיוון שהמייסד והבקר של PrivacyTools על שם הדומיין נעלם לתקופה ממושכת ולא ניתן היה ליצור איתו קשר. + +לאחר שבנה אתר מכובד ומערכת של שירותים על PrivacyTools.io, זה גרם לדאגות חמורות לעתיד של PrivacyTools, כמו כל הפרעה עתידית יכולה לחסל את הארגון כולו ללא שיטת התאוששות. המעבר הזה הועבר לקהילת ה - PrivacyTools חודשים רבים מראש באמצעות מגוון ערוצים, כולל הבלוג שלה, טוויטר, רדיט ו - ומסטודון, כדי להבטיח שהתהליך כולו יעבור בצורה חלקה ככל האפשר. עשינו זאת כדי להבטיח שאף אחד לא יישמר באפלה, שהייתה דרך הפעולה שלנו מאז שנוצר הצוות שלנו, וכדי לוודא שמדריכי הפרטיות הוכרו כאותו ארגון אמין ש - PrivacyTools היה לפני המעבר. + +לאחר שהמהלך הארגוני הושלם, המייסד של PrivacyTools חזר והחל להפיץ מידע מוטעה על פרויקט מדריכי הפרטיות (Privacy Guides). הם ממשיכים להפיץ מידע מוטעה בנוסף להפעלת חוות קישורים בתשלום בדומיין PrivacyTools. אנו יוצרים דף זה כדי להבהיר את כל התפיסות המוטעות. + +## מה זה PrivacyTools? + +PrivacyTools נוצרה בשנת 2015 על ידי "BurungHantu", שרצתה ליצור משאב מידע על פרטיות - כלים מועילים בעקבות גילויי סנודן. האתר צמח לפרויקט קוד פתוח משגשג עם [תורמים רבים](https://github.com/privacytools/privacytools.io/graphs/contributors), חלקם קיבלו בסופו של דבר אחריות ארגונית שונה, כגון הפעלת שירותים מקוונים כמו מטריקס ומסטודון, ניהול ובדיקה של שינויים באתר ב- GitHub, מציאת נותני חסות לפרויקט, כתיבת פוסטים בבלוגים והפעלת פלטפורמות הסברה למדיה חברתית כמו טוויטר וכו '. + +החל משנת 2019, BurungHantu התרחק יותר ויותר מהפיתוח הפעיל של האתר והקהילות, והחל לעכב תשלומים שהוא היה אחראי עליהם הקשורים לשרתים שהפעלנו. 
כדי להימנע מכך שמנהל המערכת שלנו ישלם את עלויות השרת מכיסו הפרטי, שינינו את שיטות התרומה המפורטות באתר מחשבונות PayPal והקריפטו האישיים של BurungHantu לדף OpenCollective חדש ב- [אוקטובר 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). היו לכך יתרונות נוספים של הפיכת הכספים שלנו לשקופים לחלוטין, ערך שאנו מאמינים בו מאוד, ופטורים ממס בארצות הברית, מכיוון שהם הוחזקו על ידי הקרן הקולקטיבית הפתוחה 501(c)3. שינוי זה הוסכם פה אחד על ידי הקבוצה ועבר ללא עוררין. + +## למה המשכנו הלאה + +בשנת 2020, היעדרותו של BurungHantu גדלה הרבה יותר מורגשת. בשלב מסוים, נדרשנו לשנות את שרתי השמות של הדומיין לשרתי השמות הנשלטים על ידי מנהל המערכת שלנו כדי להימנע משיבושים עתידיים, ושינוי זה הושלם רק חודש לאחר הבקשה הראשונית. הוא היה נעלם מחדרי הצ'אט הציבורי והצ'אט של הצוות הפרטי במטריקס במשך חודשים בכל פעם, מדי פעם צץ כדי לתת משוב קטן או להבטיח להיות פעיל יותר לפני שייעלם שוב. + +באוקטובר 2020, מנהל מערכת PrivacyTools (Jonah) [עזב](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) הפרויקט בגלל קשיים אלה, והעביר את השליטה לתורם ותיק אחר. Jonah הפעיל כמעט כל שירות של PrivacyTools ושימש *דה פקטו* כמוביל פרויקט לפיתוח אתרים בהיעדרו של BurungHantu, ולכן עזיבתו הייתה שינוי משמעותי בארגון. בזמנו, בגלל השינויים הארגוניים המשמעותיים הללו, הבטיח BurungHantu לצוות הנותר שהוא יחזור לקחת פיקוד על הפרויקט בהמשך. ==צוות PrivacyTools פנה באמצעות מספר שיטות תקשורת במהלך החודשים הבאים, אך לא קיבל כל תגובה.== + +## הסתמכות על שם דומיין + +בתחילת 2021, צוות PrivacyTools הגביר את הדאגה לגבי עתיד הפרויקט, מכיוון ששם הדומיין היה אמור לפוג ב-1 במרץ 2021. הדומיין חודש בסופו של דבר על ידי BurungHantu ללא תגובה. + +החששות של הצוות לא טופלו, והבנו שזו תהיה בעיה בכל שנה: אם הדומיין היה פג הוא היה מאפשר לגנוב אותו על ידי פולשים או ספאמרים, ובכך להרוס את המוניטין של הארגון. כמו כן, לא היינו מצליחים ליצור קשר עם הקהילה כדי להודיע להם על מה שהתרחש. 
+ +מבלי ליצור קשר עם BurungHantu, החלטנו שדרך הפעולה הטובה ביותר תהיה לעבור לדומיין חדש בזמן שעדיין הייתה לנו שליטה מובטחת על הדומיין הישן, מתישהו לפני מרץ 2022. כך נוכל להפנות באופן נקי את כל משאבי ה - PrivacyTools לאתר החדש ללא כל הפרעה בשירות. החלטה זו התקבלה חודשים רבים מראש והועברה לכל הצוות בתקווה שבורונגהאנטו ייצור קשר ויבטיח את המשך תמיכתו בפרויקט, מכיוון שעם שם מותג מוכר וקהילות גדולות באינטרנט, ההתרחקות מ -" PrivacyTools "הייתה התוצאה הפחות רצויה האפשרית. + +באמצע שנת 2021 צוות PrivacyTools פנה לJonah, שהסכים להצטרף מחדש לצוות כדי לעזור במעבר. + +## קריאה לקהילה לפעולה + +בסוף יולי 2021, אנחנו [הודענו](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) לקהילת PrivacyTools של הכוונה שלנו לבחור שם חדש ולהמשיך את הפרויקט על דומיין חדש, להיות [נבחר](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) ב-2 אוגוסט 2022. בסופו של דבר, "מדריכי פרטיות" נבחר,`privacyguides.org` כאשר הדומיין כבר היה בבעלות יונה(Jonah) לפרויקט צדדי משנת 2020 שלא פותח. + +## שליטה ב - r/privacytoolsIO + +במקביל לבעיות המתמשכות באתר האינטרנט של privacytools.io, צוות המודים r/privacytoolsIO התמודד עם אתגרים בניהול הסאב רדיט (subreddit). הסאב - רדיט תמיד הופעל באופן עצמאי מפיתוח האתר, אך BurungHantu היה גם המנחה הראשי של הסאב - רדיט, והוא היה המנחה היחיד שקיבל הרשאות "שליטה מלאה ". u/trai_dep היה המנחה הפעיל היחיד באותה תקופה, and [פורסם](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) בקשה למנהלי Reddit ב-28 ביוני 2021, בבקשה לקבל את תפקיד המנחה הראשי והרשאות שליטה מלאה, על מנת לבצע את השינויים הדרושים ב- Subreddit. + +Reddit דורש כי subreddits יהיו מנחים פעילים. אם המנחה הראשי אינו פעיל במשך תקופה ארוכה (כגון שנה) ניתן למנות מחדש את מנחה הראשי בתור. כדי שבקשה זו תיענה, בורונגהאנטו (BurungHantu) היה חייב להיעדר לחלוטין מכל פעילות Reddit למשך תקופה ארוכה, דבר שעלה בקנה אחד עם התנהגותו בפלטפורמות אחרות. 
+ +> אם הוסרת בתור מנחה מ - subreddit באמצעות בקשה ל Reddit, זה בגלל שחוסר התגובה שלך וחוסר הפעילות שלך הכשירו את ה - subreddit להעברת r/redditrequest. +> +> r/redditrequest היא הדרך של Reddit לוודא שלקהילות יש מנחים פעילים והיא חלק מ [הקוד התנהגות של מנחה](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## תחילת המעבר + +ב -14 בספטמבר 2021, הכרזנו [:](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) על תחילת ההגירה שלנו לדומיין חדש זה: + +> [...] מצאנו צורך לבצע את ההחלפה מוקדם מאשר מאוחר כדי להבטיח שאנשים יגלו על המעבר הזה בהקדם האפשרי. זה נותן לנו מספיק זמן כדי להעביר את שם הדומיין, שכרגע מפנה ל - www.privacyguides.org, ובתקווה נותן לכולם מספיק זמן להבחין בשינוי, לעדכן סימניות ואתרים וכו '. + +השינוי [כרוך:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- מפנה את www.privacytools.io אל [www.privacyguides.org](https://www.privacyguides.org). +- אחסון קוד המקור בארכיון ב- GitHub כדי לשמר את העבודה הקודמת שלנו ואת מעקב הבעיות שלנו, שבו המשכנו להשתמש במשך חודשים של פיתוח עתידי של אתר זה. +- פרסום הודעות ב - subreddit שלנו ובקהילות שונות אחרות המודיעות לאנשים על השינוי הרשמי. +- סגירה רשמית של שירותי privacytools.io, כמו Matrix ו - Mastodon, ועידוד משתמשים קיימים לעבור בהקדם האפשרי. + +נראה שהדברים מתנהלים בצורה חלקה, ורוב הקהילה הפעילה שלנו עברה לפרויקט החדש שלנו בדיוק כפי שקיווינו. + +## בעקבות האירועים + +בערך שבוע לאחר המעבר, BurungHantu חזר לאינטרנט בפעם הראשונה מזה כמעט שנה, אולם אף אחד בצוות שלנו לא היה מוכן לחזור ל- PrivacyTools בגלל חוסר האמינות ההיסטורי שלו. במקום להתנצל על היעדרותו הממושכת, הוא מיד יצא להתקפה ומיצב את המעבר למדריכי פרטיות כהתקפה נגדו ונגד הפרויקט שלו. לאחר מכן הוא[ מחק ](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) רבים מהפוסטים הללו כאשר צוין על ידי הקהילה כי הוא נעדר ונטש את הפרויקט. 
+ +בשלב זה, BurungHantu טען שהוא רוצה להמשיך לעבוד על privacytools.io בכוחות עצמו וביקש שנסיר את ההפניה מ- www.privacytools.io ל-[www.privacyguides.org](https://www.privacyguides.org). אנו מחויבים ומבקשים ממנו לשמור על תת - הדומיינים של Matrix, Mastodon ו - Peer YouTube פעילים כדי שנוכל להפעיל כשירות ציבורי לקהילה שלנו למשך מספר חודשים לפחות, כדי לאפשר למשתמשים בפלטפורמות אלה לעבור בקלות לחשבונות אחרים. בשל האופי הפדרלי של השירותים שסיפקנו, הם היו קשורים לשמות דומיין ספציפיים, דבר שהקשה מאוד על ההעברה (ובמקרים מסוימים בלתי אפשרי). + +לצערנו, מכיוון שהשליטה ב - r/privacytoolsIO subreddit לא הוחזרה לבורונגהאנטו על פי דרישתו (מידע נוסף בהמשך), סאב-דומיינים אלה נותקו [](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) בתחילת אוקטובר, ובכך הסתיימו כל אפשרויות ההעברה למשתמשים שעדיין משתמשים בשירותים אלה. + +בעקבות זאת, BurungHantu עשה האשמות שווא על Jonah כדי לגנוב תרומות מהפרויקט. לBurungHantu הייתה יותר משנה מאז האירוע לכאורה, אך הוא מעולם לא הודיע על כך לאיש עד לאחר העברת מדריכי הפרטיות. בורונגהאנטו התבקש שוב ושוב להוכיח ולהגיב על הסיבה לשתיקתו על ידי הקבוצה [והקהילה](https://twitter.com/TommyTran732/status/1526153536962281474), ולא עשה זאת. + +BurungHantu גם עשה פוסט טוויטר בטענה כי "עורך דין" פנה אליו בטוויטר והיה מתן ייעוץ, בניסיון נוסף להציק לנו לתת לו שליטה על ה subreddit שלנו, וכחלק ממסע ההכפשה שלו למי בוץ סביב ההשקה של מדריכי פרטיות תוך התחזות לקורבן. + +## PrivacyTools.io עכשיו + +נכון ל -25 בספטמבר 2022, אנו רואים שהתוכניות הכוללות של BurungHantu מתגשמות ב - privacytools.io, וזו בדיוק הסיבה שהחלטנו ליצור את הדף המסביר את זה היום. האתר שהוא מפעיל נראה כגרסה מותאמת SEO של האתר שממליצה על כלים בתמורה לפיצוי כספי. לאחרונה, IVPN ו - Mullvad, שני ספקי VPN כמעט - באופן אוניברסלי [המומלצים](../vpn.md) על ידי קהילת הפרטיות וראוי לציון על עמדתם נגד תוכניות שותפים הוסרו מ PrivacyTools. במקומם? 
NordVPN, ‏ Surfshark, ‏ Express_end} ו - hide.me; תאגידי VPN ענקיים עם פלטפורמות ונהלים עסקיים לא אמינים, הידועים לשמצה בזכות השיווק האגרסיבי שלהם ותוכניות השותפים שלהם. + +==**PrivacyTools הפך בדיוק לסוג האתר [שהזהרנו מפניו](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) בבלוג PrivacyTools ב-2019 blog in 2019.**== ניסינו לשמור על מרחק מ-PrivacyTools מאז המעבר, אבל ההטרדה המתמשכת שלהם כלפי הפרויקט שלנו ועכשיו הניצול האבסורדי שלהם את האמינות שהמותג שלהם זכה לה במשך 6 שנים של תרומות קוד פתוח מטריד אותנו מאוד. אלה מאיתנו שנלחמים למען הפרטיות לא נלחמים אחד נגד השני, ולא מקבלים את עצתנו מהמציע הגבוה ביותר. + +## r/privacytoolsIO עכשיו + +לאחר השקת [r/privacyGuides](https://www.reddit.com/r/privacyguides), זה לא היה מעשי עבור u/trai_dep להמשיך ולנהל את שתי subreddits, ועם הקהילה על לוח המעבר, r/privacytoolsIO [יצר](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) הגבלה על הסאב ופוסט ב -1 בנובמבר, 2021: + +> [...] הצמיחה של הסאב הזה הייתה תוצאה של מאמץ רב, לאורך מספר שנים, על ידי צוות privacyGuides.org. ועל ידי כל אחד מכם. +> +> Subreddit הוא עבודה רבה לאדמינים ולמודים. כמו גינה, היא דורשת טיפול סבלני וטיפול יומיומי. זו לא משימה עבור חובבנים או אנשים מאותגרים במחויבות. הוא לא יכול לשגשג תחת גנן שנוטש אותו לכמה שנים, ואז מופיע ודורש את היבול של השנה כמחווה בשבילם. זה לא הוגן כלפי הקבוצה שנוצרה לפני שנים. זה לא הוגן כלפיך. [...] + +Subreddits אינם שייכים לאף אחד, והם במיוחד לא שייכים לבעלי מותג. הם שייכים לקהילות שלהם, והקהילה ומנהליה החליטו לתמוך במעבר ל - r/PrivacyGuides. + +בחודשים שחלפו מאז, BurungHantu איים והתחנן להחזרת שליטה subreddit לחשבונו ב [הפרה](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) של כללי Reddit: + +> נקמה מכל מנחה בנוגע לבקשות הסרה אסורה. 
+ +עבור קהילה עם אלפים רבים של מנויים שנותרו, אנו מרגישים שזה יהיה מאוד לא מכובד להחזיר את השליטה בפלטפורמה המסיבית לאדם שנטש אותה במשך יותר משנה, וכיום מפעיל אתר שלדעתנו מספק מידע באיכות נמוכה מאוד. שימור השנים של דיונים קודמים בקהילה זו חשוב לנו יותר, ולכן u/trai_dep ושאר צוות המתינות של ה subreddit קיבל את ההחלטה לשמור על r/privacytoolsIO כפי שהוא. + +## OpenCollective עכשיו + +פלטפורמת גיוס הכספים שלנו, OpenCollective, היא מקור נוסף למחלוקת. עמדתנו היא כי OpenCollective הוקמה על ידי הצוות שלנו ומנוהלת על ידי הצוות שלנו כדי לממן שירותים שאנו מפעילים כיום ואשר PrivacyTools כבר לא עושה. [פנינו](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) לכל התורמים שלנו בנוגע למעבר שלנו למדריכי פרטיות, וקיבלנו תמיכה פה אחד מהספונסרים והקהילה שלנו. + +לפיכך, הכספים ב - OpenCollective שייכים למדריכי פרטיות, הם ניתנו לפרויקט שלנו, ולא לבעלים של דומיין ידוע. בהודעה שניתנה לתורמים ב -17 בספטמבר 2021, הצענו החזרים לכל תורם שלא מסכים עם העמדה שנקטנו, אבל אף אחד לא קיבל את ההצעה הזו: + +> אם נותני החסות או התומכים לא מסכימים עם האירועים האחרונים האלה או מרגישים שהוטעו על ידם ורוצים לבקש החזר כספי בנסיבות חריגות אלה, יש ליצור קשר עם מנהל הפרויקט שלנו על ידי שליחת אימייל לכתובת jonah@triplebit.net. + +## קריאה נוספת + +נושא זה נדון בהרחבה בקהילותינו במקומות שונים, ונראה כי רוב האנשים הקוראים דף זה כבר מכירים את האירועים שהובילו למעבר למדריכי הפרטיות. חלק מהפוסטים הקודמים שלנו בעניין עשויים לכלול פרטים נוספים שהשמטנו כאן לקיצור. הקישורים למטה למען ההשלמה. 
+ +- [28 ביוני 2021 בקשה לשליטה ב - r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [27 ביולי 2021 הודעה על כוונותינו לעבור לבלוג PrivacyTools, נכתב על ידי הצוות](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [13 בספטמבר 2021 הודעה על תחילת המעבר שלנו למדריכי פרטיות ב - r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [17 בספטמבר 2021 הכרזה על OpenCollective מאת Jona](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [30 בספטמבר 2021 שרשור טוויטר המפרט את רוב האירועים המתוארים כעת בדף זה](https://twitter.com/privacy_guides/status/1443633412800225280) +- [1 באוקטובר 2021 פוסט מאת u/dng99 שציין כשל בתת - דומיין](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [2 באפריל 2022 תגובה מאת u/dng99 לפוסט ההאשמות של PrivacyTools](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [16 במאי 2022 מענה @TommyTran732 בטוויטר](https://twitter.com/TommyTran732/status/1526153497984618496) +- [ספטמבר 3, 2022 פוסט על הפורום של Techlore על ידי @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/about/services.md b/i18n/he/about/services.md new file mode 100644 index 00000000..a1550fca --- /dev/null +++ b/i18n/he/about/services.md 
@@ -0,0 +1,40 @@ +# שירותי Privacy Guides + +אנו מפעילים מספר שירותי אינטרנט כדי לבדוק תכונות ולקדם פרויקטים מגניבים מבוזרים, מאוחדים ו/או בקוד פתוח. רבים מהשירותים הללו זמינים לציבור והם מפורטים להלן. + +[:material-comment-alert: דווח על בעיה](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- דומיין: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- זמינות: ציבורית +- מקור: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- דומיין: [code.privacyguides.dev](https://code.privacyguides.dev) +- זמינות: להזמנה בלבד + ניתן להעניק גישה לפי בקשה לכל צוות שעובד על פיתוח או תוכן הקשורים ל*Privacy Guides*. +- מקור: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- דומיין: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- זמינות: להזמנה בלבד + ניתן להעניק גישה על פי בקשה לחברי צוות Privacy Guides, מנהלי Matrix, מנהלי קהילת Matrix של צד שלישי, מפעילי בוטים של Matrix ואנשים אחרים הזקוקים לנוכחות אמינה של Matrix. +- מקור: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- דומיין: [search.privacyguides.net](https://search.privacyguides.net) +- זמינות: ציבורית +- מקור: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- דומיין: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- זמינות: חצי ציבורי + אנו מארחים את Invidious בעיקר כדי להגיש סרטוני YouTube משובצים באתר האינטרנט שלנו, מופע זה אינו מיועד לשימוש כללי ועשוי להיות מוגבל בכל עת. +- מקור: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/about/statistics.md b/i18n/he/about/statistics.md new file mode 100644 index 00000000..f36d47be --- /dev/null +++ b/i18n/he/about/statistics.md @@ -0,0 +1,63 @@ +--- +title: סטטיסטיקת תנועה +--- + +## סטטיסטיקה לאתר + + +
סטטיסטיקה מופעלת על ידי Plausible Analytics
+ + + + +## סטטיסטיקת בלוג + + +
סטטיסטיקה מופעלת על ידי Plausible Analytics
+ + + + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/advanced/communication-network-types.md b/i18n/he/advanced/communication-network-types.md new file mode 100644 index 00000000..84df9cc7 --- /dev/null +++ b/i18n/he/advanced/communication-network-types.md 
@@ -0,0 +1,104 @@ +--- +title: "סוגי רשתות תקשורת" +icon: 'material/transit-connection-variant' +--- + +ישנן מספר ארכיטקטורות רשת הנפוצות להעברת הודעות בין אנשים. רשתות אלו יכולות לספק הבטחות פרטיות שונות, וזו הסיבה שכדאי לקחת בחשבון את [מודל האיום](../basics/threat-modeling.md) שלך בעת ההחלטה באיזו אפליקציה להשתמש. + +[מסנג'רים (הודעות מיידיות) מומלצות](../real-time-communication.md ""){.md-button} + +## רשתות מרכזיות + +![דיאגרמת רשתות מרכזיות](../assets/img/layout/network-centralized.svg){ align=left } + +מסנג'רים מרכזיים הם אלה שבהם כל המשתתפים נמצאים באותו שרת או רשת של שרתים הנשלטים על ידי אותו ארגון. + +כמה מהמסנג'רים שמאפשרים לך באחסון עצמי להגדיר שרת משלך. אירוח עצמי יכול לספק הבטחות פרטיות נוספות, כגון ללא יומני שימוש או גישה מוגבלת למטא נתונים (נתונים על מי מדבר עם מי). מסנג'רים מרכזיים המתארחים בעצמם מבודדים וכולם חייבים להיות באותו שרת כדי לתקשר. + +**יתרונות:** + +- ניתן ליישם תכונות ושינויים חדשים מהר יותר. +- קל יותר להתחיל איתו ולמצוא אנשי קשר. +- רוב הבוגרות והיציבות כוללות מערכות אקולוגיות, מכיוון שקל יותר לתכנת אותן בתוכנה מרכזית. +- בעיות פרטיות עשויות להצטמצם כאשר אתה סומך על שרת שאתה מארח בעצמך. + +**חסרונות:** + +- יכול לכלול <[שליטה או גישה מוגבלת](https://drewdevault.com/2018/08/08/Signal.html). זה יכול לכלול דברים כמו: +- [אסור לחבר לקוחות צד שלישי](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) לרשת הריכוזית שעשויה לספק התאמה אישית גדולה יותר או חוויה טובה יותר. לרוב מוגדר בתנאים והגבלות של שימוש. +- תיעוד לקוי או ללא תיעוד עבור מפתחי צד שלישי. +- [הבעלות](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), מדיניות הפרטיות והתפעול של השירות יכול להשתנות בקלות כאשר ישות יחידה שולטת בו, ועלולה לסכן את השירות מאוחר יותר. +- אירוח עצמי דורש מאמץ וידע כיצד להקים שירות. 
+ +## רשתות פדרציה + +![דיאגרמת רשתות מאוחדות](../assets/img/layout/network-decentralized.svg){ align=left } + +מסנג'רים מאוחדים משתמשים במספר שרתים עצמאיים מבוזרים המסוגלים לדבר זה עם זה (אימייל הוא דוגמה אחת לשירות מאוחד). הפדרציה מאפשרת למנהלי מערכת לשלוט בשרת שלהם ועדיין להיות חלק מרשת התקשורת הגדולה יותר. + +כאשר הם באירוח עצמי, חברי שרת מאוחד יכולים לגלות ולתקשר עם חברים בשרתים אחרים, אם כי שרתים מסוימים עשויים לבחור להישאר פרטיים על ידי שהם לא מאוחדים (למשל, שרת צוות עבודה). + +**יתרונות:** + +- מאפשר שליטה רבה יותר על הנתונים שלך בעת הפעלת השרת שלך. +- מאפשר לך לבחור עם מי לסמוך על הנתונים שלך על ידי בחירה בין מספר שרתים "ציבוריים ". +- לעתים קרובות מאפשר לקוחות צד שלישי שיכולים לספק חוויה מקורית, מותאמת אישית או נגישה יותר. +- ניתן לאמת שתוכנת השרת תואמת לקוד המקור הציבורי, בהנחה שיש לך גישה לשרת או שאתה בוטח באדם שעושה זאת (למשל, בן משפחה). + +**חסרונות:** + +- הוספת תכונות חדשות היא מורכבת יותר מכיוון שיש לתקנן ולבדוק תכונות אלה כדי להבטיח שהן פועלות עם כל השרתים ברשת. +- בשל הנקודה הקודמת, תכונות יכולות להיות חסרות, או לא שלמות או לעבוד בדרכים בלתי צפויות בהשוואה לפלטפורמות מרכזיות, כגון העברת הודעות במצב לא מקוון או מחיקת הודעות. +- מטא נתונים מסוימים עשויים להיות זמינים (לדוגמה, מידע כמו "מי מדבר עם מי", אך לא תוכן הודעה בפועל אם נעשה שימוש ב-E2EE). +- שרתים מאוחדים דורשים בדרך כלל לתת אמון במנהל השרת שלך. הם עשויים להיות חובבים או לא "מקצוענים באבטחה" ועשויים שלא להגיש מסמכים סטנדרטיים כמו מדיניות פרטיות או תנאי שירות המפרטים את אופן השימוש בנתונים שלך. +- מנהלי שרתים בוחרים לפעמים לחסום שרתים אחרים, המהווים מקור להתעללות בלתי מנוונת או לשבור כללים כלליים של התנהגות מקובלת. זה יפריע ליכולת שלך לתקשר עם חברי שרתים אלה. + +## רשתות עמית לעמית + +![דיאגרמת P2P](../assets/img/layout/network-distributed.svg){ align=left } + +מסנג'רים P2P מתחברים ל[רשת מבוזרת](https://en.wikipedia.org/wiki/Distributed_networking) של צמתים כדי להעביר הודעה לנמען ללא שרת של צד שלישי. 
+ +לקוחות (עמיתים) מוצאים זה את זה בדרך כלל באמצעות [רשת מחשוב מבוזרת](https://en.wikipedia.org/wiki/Distributed_computing). דוגמאות לכך כוללות [טבלאות Hash מפוזרות](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), המשמשות את [טורנטים](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) ו[IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) למשל. גישה נוספת היא רשתות מבוססות קרבה, שבהן נוצר חיבור באמצעות WiFi או Bluetooth (לדוגמה, Briar או פרוטוקול הרשת החברתית [Scuttlebutt](https://www.scuttlebutt.nz)). + +לאחר שעמית מצא מסלול ליצירת קשר באמצעות כל אחת מהשיטות הללו, נוצר קשר ישיר ביניהן. למרות שהודעות מוצפנות בדרך כלל, צופה עדיין יכול להסיק את המיקום והזהות של השולח והנמען. + +רשתות P2P אינן משתמשות בשרתים, שכן עמיתים מתקשרים ישירות ביניהם ולכן לא ניתן לארח אותם בעצמם. עם זאת, חלק מהשירותים הנוספים עשויים להסתמך על שרתים מרכזיים, כגון גילוי משתמשים או העברת הודעות לא מקוונות, שיכולים להפיק תועלת מאירוח עצמי. + +**יתרונות:** + +- מידע מינימלי חשוף לצדדים שלישיים. +- פלטפורמות P2P מודרניות מיישמות E2EE כברירת מחדל. אין שרתים שעלולים ליירט ולפענח את השידורים שלך, בניגוד למודלים מרכזיים ומאגדים. + +**חסרונות:** + +- סט תכונות מצומצם: +- ניתן לשלוח הודעות רק כאשר שני העמיתים מחוברים, עם זאת, הלקוח שלך עשוי לאחסן הודעות באופן מקומי כדי לחכות לאיש הקשר שיחזור לאינטרנט. +- בדרך כלל מגביר את השימוש בסוללה במכשירים ניידים, מכיוון שהלקוח חייב להישאר מחובר לרשת המבוזרת כדי ללמוד מי מחובר. +- ייתכן שחלק מתכונות המסנג'ר הנפוצות לא יושמו או בצורה חלקית, כגון מחיקת הודעות. +- כתובת ה-IP שלך ושל אנשי הקשר איתם אתה מתקשר עשויה להיחשף אם לא תשתמש בתוכנה בשילוב עם [VPN](../vpn.md) או [Tor](../tor.md). במדינות רבות יש צורה כלשהי של מעקב המוני ו/או שמירת מטא נתונים. + +## ניתוב אנונימי + +![דיאגרמת ניתוב אנונימית](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +מסנג'ר המשתמש ב[ניתוב אנונימי](https://doi.org/10.1007/978-1-4419-5906-5_628) מסתיר את זהות השולח, המקבל או ראיות לכך שהם תקשרו. באופן אידיאלי, מסנג'ר צריך להסתיר את שלושתם. 
+ +ישנן [הרבה](https://doi.org/10.1145/3182658) דרכים שונות ליישם ניתוב אנונימי. אחד המפורסמים ביותר הוא [ניתוב בצל](https://en.wikipedia.org/wiki/Onion_routing) (כלומר [Tor](tor-overview.md)), שמתקשרת הודעות מוצפנות באמצעות [רשת שכבת-על](https://en.wikipedia.org/wiki/Overlay_network) וירטואלית המסתירה את המיקום של כל צומת כמו גם את הנמען והשולח של כל הודעה. השולח והנמען לעולם אינם מקיימים אינטראקציה ישירה ורק נפגשים דרך צומת מפגש סודי כך שאין דליפה של כתובות IP או מיקום פיזי. צמתים אינם יכולים לפענח הודעות, וגם לא את היעד הסופי; רק הנמען יכול. כל צומת מתווך יכול לפענח רק חלק שמציין לאן לשלוח את ההודעה שעדיין מוצפנת בשלב הבא, עד שהוא מגיע לנמען שיכול לפענח אותה במלואה, ומכאן "שכבות הבצל." + +אירוח עצמי של צומת ברשת ניתוב אנונימית אינו מספק למארח יתרונות פרטיות נוספים, אלא תורם לעמידות הרשת כולה בפני התקפות זיהוי לטובת כולם. + +**יתרונות:** + +- מידע מינימלי עד לא נחשף לגורמים אחרים. +- ניתן להעביר הודעות בצורה מבוזרת גם אם אחד הצדדים לא מקוון. + +**חסרונות:** + +- הפצת הודעות איטית. +- לעתים קרובות מוגבל לפחות סוגי מדיה, בעיקר טקסט, מכיוון שהרשת איטית. +- פחות אמין אם צמתים נבחרים על ידי ניתוב אקראי, חלק מהצמתים עשויים להיות רחוקים מאוד מהשולח והמקבל, להוסיף זמן השהייה או אפילו לא לשדר הודעות אם אחד הצמתים אינו מקוון. +- מורכב יותר להתחיל, שכן נדרשת יצירה וגיבוי מאובטח של מפתח פרטי קריפטוגרפי. +- בדיוק כמו פלטפורמות מבוזרות אחרות, הוספת תכונות מורכבת יותר עבור מפתחים מאשר בפלטפורמה מרכזית. לפיכך, תכונות עשויות להיות חסרות או מיושמות באופן חלקי, כגון העברת הודעות לא מקוונות או מחיקת הודעות. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/advanced/dns-overview.md b/i18n/he/advanced/dns-overview.md new file mode 100644 index 00000000..0ec0a1a4 --- /dev/null +++ b/i18n/he/advanced/dns-overview.md 
@@ -0,0 +1,307 @@ +--- +title: "סקירה כללית של DNS" +icon: material/dns +--- + +[מערכת שמות הדומיין](https://en.wikipedia.org/wiki/Domain_Name_System) היא 'ספר הטלפונים של האינטרנט'. DNS מתרגם שמות דומיין לכתובות IP כך שדפדפנים ושירותים אחרים יכולים לטעון משאבי אינטרנט, דרך רשת מבוזרת של שרתים. + +## מה זה DNS? + +כאשר אתה מבקר באתר אינטרנט, מוחזרת כתובת מספרית. לדוגמה, כאשר אתה מבקר ב-`privacyguides.org`, הכתובת `192.98.54.105` מוחזרת. + +DNS קיים מאז [הימים הראשונים](https://en.wikipedia.org/wiki/Domain_Name_System#History) של האינטרנט. בקשות DNS המבוצעות אל ומשרתי DNS **אינן** מוצפנות בדרך כלל. בסביבה מגורים, לקוח מקבל שרתים על ידי ספק שירותי האינטרנט באמצעות [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +בקשות DNS לא מוצפנות יכולות להיות **למעקב** בקלות ו**לשנות** בזמן העברה. בחלקים מסוימים של העולם, ספקי האינטרנט מצווים לבצע [סינון DNS](https://en.wikipedia.org/wiki/DNS_blocking) פרימיטיבי. כאשר אתה מבקש כתובת IP של דומיין חסום, ייתכן שהשרת לא יגיב או שיגיב עם כתובת IP אחרת. מכיוון שפרוטוקול ה-DNS אינו מוצפן, ספק שירותי האינטרנט (או כל מפעיל רשת) יכול להשתמש ב-[DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) כדי לנטר בקשות. ספקי שירותי אינטרנט יכולים גם לחסום בקשות על סמך מאפיינים משותפים, ללא קשר לשרת ה-DNS שבו נעשה שימוש. DNS לא מוצפן משתמש תמיד ב[פורט](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 ותמיד משתמש ב-UDP. + +להלן, אנו דנים ומספקים מדריך כדי להוכיח את מה שצופה מבחוץ עשוי לראות באמצעות DNS רגיל לא מוצפן ו[DNS מוצפן](#what-is-encrypted-dns). + +### DNS לא מוצפן + +1. שימוש ב-[`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (חלק מ-[>פרויקט Wireshark](https://en.wikipedia.org/wiki/Wireshark)) אנו יכולים לנטר ולתעד את זרימת מנות האינטרנט. פקודה זו מתעדת מנות העומדות בכללים שצוינו: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. 
לאחר מכן נוכל להשתמש ב[`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS וכו') או [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) כדי לשלוח את בדיקת ה-DNS לשני השרתים. תוכנות כגון דפדפני אינטרנט מבצעות חיפושים אלו באופן אוטומטי, אלא אם כן הם מוגדרים לשימוש ב-DNS מוצפן. + + === "לינוקס, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "ווינדוס" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. לאחר מכן, אנו רוצים [לנתח](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) את התוצאות: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +אם אתה מפעיל את פקודת Wireshark למעלה, החלונית העליונה מציגה את "[מסגרות](https://en.wikipedia.org/wiki/Ethernet_frame)", והחלונית התחתונה מציגה את כל הנתונים אודות המסגרת שנבחרה. פתרונות סינון וניטור ארגוניים (כגון אלה שנרכשו על ידי ממשלות) יכולים לבצע את התהליך באופן אוטומטי, ללא אינטראקציה אנושית, ויכולים לצבור מסגרות אלה כדי לייצר נתונים סטטיסטיים שימושיים לצופה ברשת. + +| מספר. | זמן | מקור | יעד | פרוטוקול | אורך | מידע | +| ----- | -------- | --------- | --------- | -------- | ---- | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +צופה יכול לשנות כל אחת מהחבילות הללו. + +## מה זה "DNS מוצפן"? 
+ +DNS מוצפן יכול להתייחס לאחד ממספר פרוטוקולים, הנפוצים שבהם הם: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) הייתה אחת השיטות הראשונות להצפנת שאילתות DNS. DNSCrypt פועל על יציאה 443 ועובד עם פרוטוקולי התחבורה TCP או UDP. DNSCrypt מעולם לא הוגש ל[כוח המשימה להנדסת אינטרנט (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) וגם לא עבר דרך [בקשה להערות (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments), כך שלא נעשה בו שימוש נרחב מחוץ לכמה [יישומים](https://dnscrypt.info/implementations). כתוצאה מכך, הוא הוחלף במידה רבה על ידי [DNS על HTTPS](#dns-over-https-doh) הפופולרי יותר. + +### DNS על TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) היא שיטה נוספת להצפנת תקשורת DNS שהיא מוגדרת ב-[RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). התמיכה יושמה לראשונה ב-Android 9, iOS 14 וב-Linux ב-[systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) בגרסה 237. ההעדפה בתעשייה התרחקה מ-DoT ל-DoH בשנים האחרונות, מכיוון ש-DoT הוא [פרוטוקול מורכב](https://dnscrypt.info/faq/) ובעל תאימות משתנה ל-RFC על פני המימושים הקיימים. Dot פועלת גם על פורט ייעודי 853 שניתן לחסום בקלות על ידי חומות אש מגבילות. + +### DNS דרך HTTPS (DoH) + +[**DNS דרך HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) כפי שהוגדר ב [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) חבילות שאילתות ב [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) פרוטוקול ומספק אבטחה עם HTTPS. תמיכה נוספה לראשונה בדפדפני אינטרנט כגון Firefox 60 ו-Chrome 83. + +יישום מקורי של DoH הופיע ב-iOS 14, macOS 11, Microsoft Windows ו-אנדרואיד 13 (עם זאת, הוא לא יופעל [>כברירת מחדל](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). תמיכת שולחן העבודה הכללית של לינוקס ממתינה ל[יישום](https://github.com/systemd/systemd/issues/8639) של systemd כך ש[עדיין נדרשת התקנת תוכנת צד שלישי](../dns.md#encrypted-dns-proxies). + +## מה יכול גורם חיצוני לראות? 
+ +בדוגמה זו נתעד מה קורה כאשר אנו מבקשים בקשת DoH: + +1. ראשית, התחל `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. שנית, הגש בקשה עם `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. לאחר הגשת הבקשה, נוכל לעצור את לכידת החבילות עם CTRL + C. + +4. נתח את התוצאות ב-Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +אנו יכולים לראות את[הקמת החיבור](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) ואת [לחיצת יד TLS](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) המתרחשת עם כל חיבור מוצפן. כאשר מסתכלים על חבילות "האפליקציה" שלאחר מכן, אף אחת מהן לא מכילה את הדומיין שביקשנו או את כתובת ה-IP שהוחזרה. + +## מדוע** לא כדאי** לי להשתמש ב- DNS מוצפן? + +במקומות שבהם קיים סינון (או צנזורה) באינטרנט, לביקור במשאבים אסורים עשויות להיות השלכות משלו, שכדאי לשקול ב[מודל האיומים](../basics/threat-modeling.md) שלך. אנו **לא** מציעים להשתמש ב-DNS מוצפן למטרה זו. השתמש ב-[Tor](https://torproject.org) או ב-[VPN](../vpn.md) במקום זאת. אם אתה משתמש ב-VPN, עליך להשתמש בשרתי ה-DNS של ה-VPN שלך. כשאתה משתמש ב-VPN, אתה כבר סומך עליהם בכל פעילות הרשת שלך. + +כאשר אנו מבצעים חיפוש DNS, זה בדרך כלל בגלל שאנו רוצים לגשת למשאב. להלן, נדון בכמה מהשיטות שעלולות לחשוף את פעילויות הגלישה שלך גם בעת שימוש ב-DNS מוצפן: + +### כתובת IP + +הדרך הפשוטה ביותר לקבוע את פעילות הגלישה עשויה להיות להסתכל על כתובות ה-IP שהמכשירים שלך ניגשים אליהם. לדוגמה, אם הצופה יודע ש-`privacyguides.org` נמצא בכתובת `198.98.54.105`, והמכשיר שלך מבקש נתונים מ-`198.98.54.105`, יש יש סיכוי טוב שאתה מבקר בPrivacy Guides. + +שיטה זו שימושית רק כאשר כתובת ה-IP שייכת לשרת המארח רק מעט אתרים. זה גם לא מאוד שימושי אם האתר מתארח בפלטפורמה משותפת (למשל Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger וכו'). זה גם לא מאוד שימושי אם השרת מתארח מאחורי [פרוקסי הפוך](https://en.wikipedia.org/wiki/Reverse_proxy), הנפוץ מאוד באינטרנט המודרני. 
+ +### ציון שם השרת (SNI) + +ציון שם שרת משמש בדרך כלל כאשר כתובת IP מארחת אתרים רבים. זה יכול להיות שירות כמו Cloudflare, או הגנה אחרת של [מניעת מניעת שירות](https://en.wikipedia.org/wiki/Denial-of-service_attack). + +1. התחל לתעד שוב עם `tshark`. הוספנו מסנן עם כתובת ה-IP שלנו כדי שלא תלכוד הרבה מנות: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. לאחר מכן נבקר בכתובת [https://privacyguides.org](https://privacyguides.org). + +3. לאחר ביקור באתר, אנו רוצים לעצור את לכידת החבילה עם CTRL + C. + +4. בשלב הבא אנו רוצים לנתח את התוצאות: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + אנו נראה את יצירת החיבור, ולאחר מכן את לחיצת היד TLS עבור אתר מדריכי הפרטיות Privacy Guides. סביב מסגרת 5. אתה תראה "שלום לקוח ". + +5. מרחיבים את המשולש ▸ ליד כל שדה: + + ```text + אבטחת שכבת▸ תחבורה + ▸ TLSv1.3 שכבת שיא: פרוטוקול לחיצת יד: לקוח שלום + פרוטוקול ▸ לחיצת יד: לקוח שלום + ▸ סיומת: server_name (len=22) + סיומת סימון שם ▸ שרת + ``` + +6. אנו יכולים לראות את ערך SNI אשר חושף את האתר בו אנו מבקרים. הפקודה `tshark` יכולה לתת לך את הערך ישירות עבור כל החבילות המכילות ערך SNI: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +משמעות הדבר היא שגם אם אנו משתמשים בשרתי "DNS מוצפן", הדומיין ככל הנראה ייחשף דרך SNI. פרוטוקול [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) מביא איתו את [לקוח מוצפן Hello](https://blog.cloudflare.com/encrypted-client-hello/), המונע דליפה מסוג זה. + +ממשלות, ובפרט סין [](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) ורוסיה [](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), כבר החלו לחסום את סין [](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) או הביעו רצון לעשות זאת. 
לאחרונה רוסיה [החלה לחסום אתרים](https://github.com/net4people/bbs/issues/108) המשתמשים בתקן זה [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) סטנדרטי. הסיבה לכך היא ש [QUIC](https://en.wikipedia.org/wiki/QUIC) פרוטוקול המהווה חלק מ HTTP/3 דורש שגם `ClientHello` יהיה מוצפן. + +### פרוטוקול סטטוס תעודה מקוון (OCSP) + +דרך נוספת שהדפדפן שלך יכול לחשוף את פעילויות הגלישה שלך היא באמצעות [פרוטוקול מצב אישור מקוון](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). בעת ביקור באתר HTTPS, הדפדפן עשוי לבדוק אם [אישור](https://en.wikipedia.org/wiki/Public_key_certificate) של האתר בוטלה. זה נעשה בדרך כלל באמצעות פרוטוקול HTTP, כלומר הוא **לא** מוצפן. + +בקשת ה-OCSP מכילה את האישור "[מספר סידורי](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", שהוא ייחודי. הוא נשלח ל"מגיב OCSP" על מנת לבדוק את מצבו. + +אנו יכולים לדמות מה דפדפן יעשה באמצעות הפקודה [`openssl`](https://en.wikipedia.org/wiki/OpenSSL). + +1. קבל את אישור השרת והשתמש בו[`sed`](https://en.wikipedia.org/wiki/Sed) כדי לשמור רק את החלק החשוב ולכתוב אותו לקובץ: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. קבל את תעודת הביניים. רשויות התעודה [(CA)](https://en.wikipedia.org/wiki/Certificate_authority) בדרך כלל לא חותמות על אישור ישירות; הן משתמשות במה שמכונה "תעודת ביניים ". + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. האישור הראשון ב-`pg_and_intermediate.cert` הוא למעשה אישור השרת משלב 1. אנו יכולים להשתמש ב - `SED` שוב כדי למחוק עד המופע הראשון של הסוף: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. קבל את התגובה OCSP עבור אישור השרת: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. 
אם ברצוננו לראות את כל פרטי התעודה, נוכל להשתמש ב: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. התחל את לכידת החבילה: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. הגש את בקשת ה - OCSP: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. פתח את הלכידה: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + יהיו שתי מנות עם פרוטוקול "OCSP ";" בקשה "ו -" תגובה ". עבור "בקשה" אנו יכולים לראות את "המספר הסידורי" על ידי הרחבת המשולש ▸ ליד כל שדה: + + ```bash + ▸ פרוטוקול מצב אישור מקוון + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + עבור "התגובה" אנו יכולים לראות גם את "המספר הסידורי ": + + ```bash + פרוטוקול מצב אישור▸ מקוון + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ תגובות: פריט 1 + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. לחלופין,`tshark` השתמש כדי לסנן את המנות עבור המספר הסידורי: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +אם למשקיף הרשת יש את האישור הציבורי, הזמין לציבור, הוא יכול להתאים את המספר הסידורי לאישור הזה ולכן לקבוע את האתר שבו אתה מבקר. התהליך יכול להיות אוטומטי ויכול לשייך כתובות IP למספרים סידוריים. אפשר גם לבדוק ביומני [שקיפות אישורים](https://en.wikipedia.org/wiki/Certificate_Transparency) עבור המספר הסידורי. + +## האם להשתמש ב - DNS מוצפן? + +הכנו את תרשים הזרימה הזה כדי לתאר מתי *כדאי* להשתמש ב-DNS מוצפן: + +``` mermaid +גרף TB + התחל[Start] -> אנונימי{מנסה להיות
אנונימי?} + אנונימי--> | כן | tor(השתמש ב Tor) + אנונימי --> | לא | צנזורה{הימנע
צינזור?} + צנזורה --> | כן | vpnOrTor(השתמש ב - VPN
או Tor) + צנזורה --> | אין פרטיות{רוצה פרטיות
מספק שירותי אינטרנט?} + פרטיות --> | כן | vpnOrTor + פרטיות --> | לא | גועל נפש {ISP עושה

הפניות גועליות?} + דוחה --> | כן | מוצפןDNS (השתמש ב - DNS
מוצפן
עם צד שלישי) + דוחה --> | לא | ISPDNS {האם ספק שירותי האינטרנט תומך ב - DNS מוצפן
?} + ispDNS --> | כן | useISP (השתמש ב - DNS
מוצפן
עם ISP) + ispDNS --> | לא | כלום(אל תעשה כלום) +``` + +יש להשתמש ב-DNS מוצפן עם צד שלישי רק כדי לעקוף הפניות מחדש ו[חסימת DNS](https://en.wikipedia.org/wiki/DNS_blocking) בסיסית, כאשר אתה יכול להיות בטוח שלא יהיו לכך השלכות או שאתה מעוניין בספק שעושה חלק בסיסי סִנוּן. + +[רשימת שרתי DNS מומלצים](../dns.md ""){.md-button} + +## מהו DNSSEC? + +[תוספי אבטחת מערכת שמות דומיין](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) היא תכונה של DNS המאמתת תגובות לחיפושי שמות דומיין. הוא אינו מספק הגנת פרטיות לאותם חיפושים, אלא מונע מתוקפים לתמרן או להרעיל את התגובות לבקשות DNS. + +במילים אחרות, DNSSEC חותם נתונים דיגיטליים כדי להבטיח את תקפותם. על מנת להבטיח חיפוש מאובטח, החתימה מתרחשת בכל רמה בתהליך חיפוש ה-DNS. כתוצאה מכך, ניתן לסמוך על כל התשובות מה-DNS. + +תהליך החתימה של DNSSEC דומה למישהו שחתום על מסמך משפטי בעט; אותו אדם חותם בחתימה ייחודית שאף אחד אחר לא יכול ליצור, ומומחה בית המשפט יכול להסתכל על החתימה הזו ולוודא שהמסמך נחתם על ידי אותו אדם. חתימות דיגיטליות אלו מבטיחות שלא בוצע שיבוש בנתונים. + +DNSSEC מיישמת מדיניות חתימה דיגיטלית היררכית בכל שכבות ה-DNS. לדוגמה, במקרה של חיפוש `privacyguides.org`, שרת DNS שורש יחתום על מפתח עבור שרת השמות `.org` ו-`.org` nameserver יחתום על מפתח עבור שרת השמות הסמכותי של `privacyguides.org`. + +מותאם מ[סקירה כללית של תוספי אבטחת DNS (DNSSEC)](https://cloud.google.com/dns/docs/dnssec) על ידי Google ו-DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) מאת Cloudflare, שניהם ברישיון תחת [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## מהו מזעור QName? + +QNAME הוא "שם מוסמך", לדוגמה`privacyguides.org`. מזעור QName מצמצם את כמות המידע הנשלחת משרת ה - DNS לשרת [שם סמכותי](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +במקום לשלוח את הדומיין `privacyguides.org`, מזעור QNAME פירושו ששרת ה- DNS ישאל בשביל כל הרשומות המסתיימות ב-`.org`. תיאור טכני נוסף מוגדר ב [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). 
+ +## מהי רשת משנה של לקוח EDNS (ECS)? + +[רשת המשנה של לקוח EDNS](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) היא שיטה לפותר DNS רקורסיבי לציון [רשת משנה](https://en.wikipedia.org/wiki/Subnetwork) עבור [המארח או הלקוח](https://en.wikipedia.org/wiki/Client_(computing)) שמבצע את שאילתת ה-DNS. + +זה נועד "לזרז" את מסירת הנתונים על ידי מתן תשובה ללקוח השייך לשרת הקרוב אליו כגון [תוכן רשת מסירה](https://en.wikipedia.org/wiki/Content_delivery_network), המשמשות לעתים קרובות בהזרמת וידאו והגשת יישומי אינטרנט של JavaScript. + +תכונה זו כרוכה בעלות פרטיות, מכיוון שהיא מספרת לשרת ה-DNS מידע על מיקומו של הלקוח. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/advanced/tor-overview.md b/i18n/he/advanced/tor-overview.md new file mode 100644 index 00000000..4d178fe1 --- /dev/null +++ b/i18n/he/advanced/tor-overview.md 
@@ -0,0 +1,81 @@ +--- +title: "סקירה כללית של Tor" +icon: 'simple/torproject' +--- + +Tor היא רשת מבוזרת בחינם לשימוש המיועדת לשימוש באינטרנט עם כמה שיותר פרטיות. בשימוש נכון, הרשת מאפשרת גלישה ותקשורת פרטית ואנונימית. + +## בניית נתיב + +TorTor פועלת על ידי ניתוב התעבורה שלך דרך רשת המורכבת מאלפי שרתים המופעלים בהתנדבות הנקראים צמתים (או ממסרים). + +בכל פעם שאתה מתחבר ל-Tor, הוא יבחר שלושה צמתים לבניית נתיב לאינטרנט - נתיב זה נקרא "מעגל." לכל אחד מהצמתים הללו יש פונקציה משלו: + +### צומת הכניסה + +צומת הכניסה, המכונה לעתים קרובות צומת השמירה, הוא הצומת הראשון שאליו מתחבר לקוח ה-Tor שלך. צומת הכניסה מסוגל לראות את כתובת ה-IP שלך, אולם הוא לא יכול לראות למה אתה מתחבר. + +שלא כמו הצמתים האחרים, לקוח Tor יבחר באקראי צומת כניסה ויישאר איתו במשך חודשיים עד שלושה כדי להגן עליך מפני התקפות מסוימות.[^1] + +### הצומת האמצעי + +הצומת האמצעי הוא הצומת השני שאליו מתחבר לקוח ה-Tor שלך. הוא יכול לראות מאיזה צומת הגיעה התנועה - צומת הכניסה - ולאיזה צומת היא עוברת הבא. הצומת האמצעי לא יכול לראות את כתובת ה-IP שלך או את הדומיין שאליו אתה מתחבר. + +עבור כל מעגל חדש, הצומת האמצעי נבחר באקראי מבין כל צמתי ה- Tor הזמינים. + +### צומת היציאה + +צומת היציאה הוא הנקודה שבה תעבורת האינטרנט שלך עוזבת את רשת Tor ומועברת ליעד הרצוי. צומת היציאה לא יכול לראות את כתובת ה-IP שלך, אבל הוא יודע לאיזה אתר הוא מתחבר. + +צומת היציאה ייבחר באקראי מבין כל צמתי ה-Tor הזמינים שהופעלו עם דגל ממסר יציאה.[^2] + +
+ ![נתיב טור](../assets/img/how-tor-works/tor-path.svg#only-light) + ![נתיב טור](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
מסלול מעגל טור
+
+ +## הצפנה + +Tor מצפין כל חבילה (גוש של נתונים משודרים) שלוש פעמים עם המפתחות מצומת היציאה, האמצע והכניסה - בסדר הזה. + +לאחר ש-Tor בנה מעגל, העברת הנתונים מתבצעת באופן הבא: + +1. ראשית: כאשר החבילה מגיעה לצומת הכניסה, השכבה הראשונה של ההצפנה מוסרת. בחבילה מוצפנת זו, צומת הכניסה ימצא חבילה מוצפנת נוספת עם כתובת הצומת האמצעית. לאחר מכן צומת הכניסה יעביר את החבילה לצומת האמצעי. + +2. שנית: כאשר הצומת האמצעי מקבל את החבילה מצומת הכניסה, גם הוא יסיר שכבת הצפנה עם המפתח שלו, והפעם ימצא חבילה מוצפנת עם כתובת צומת היציאה. הצומת האמצעי יעביר את החבילה לצומת היציאה. + +3. לבסוף: כאשר צומת היציאה יקבל את החבילה שלו, הוא יסיר את שכבת ההצפנה האחרונה עם המפתח שלו. צומת היציאה יראה את כתובת היעד ויעביר את החבילה לכתובת זו. + +להלן תרשים חלופי המציג את התהליך. כל צומת מסיר את שכבת ההצפנה שלו, וכאשר שרת היעד מחזיר נתונים, אותו תהליך קורה לגמרי הפוך. למשל, צומת היציאה לא יודע מי אתה, אבל הוא כן יודע מאיזה צומת הוא הגיע, ולכן הוא מוסיף שכבת הצפנה משלו ושולח אותו בחזרה. + +
+ ![הצפנת Tor](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![הצפנת Tor](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
שליחה וקבלה של נתונים דרך רשת Tor
+
+ +Tor מאפשר לנו להתחבר לשרת מבלי שאף גורם אחד ידע את כל הנתיב. צומת הכניסה יודע מי אתה, אבל לא לאן אתה הולך; הצומת האמצעי לא יודע מי אתה או לאן אתה הולך; וצומת היציאה יודע לאן אתה הולך, אבל לא מי אתה. מכיוון שצומת היציאה הוא זה שיוצר את החיבור הסופי, שרת היעד לעולם לא יידע את כתובת ה-IP שלך. + +## הסתייגויות + +למרות ש-Tor מספקת ערובות פרטיות חזקות, צריך להיות מודע לכך ש-Tor אינו מושלם: + +- ליריבים ממומנים היטב עם יכולת לצפות באופן פסיבי ברוב תעבורת הרשת על פני הגלובוס יש סיכוי לבטל את האנונימיות של משתמשי Tor באמצעות ניתוח תעבורה מתקדם. Tor גם לא מגן עליך מפני חשיפת עצמך בטעות, כגון אם אתה חולק יותר מדי מידע על זהותך האמיתית. +- צמתי יציאה של Tor יכולים גם לנטר את התעבורה שעוברת דרכם. המשמעות היא שתעבורה שאינה מוצפנת, כגון תעבורת HTTP רגילה, יכולה להיות מתועדת ולמעקב. אם תעבורה כזו מכילה מידע אישי מזהה, היא יכולה להפוך אותך לאנונימית לאותו צומת יציאה. לפיכך, אנו ממליצים להשתמש ב-HTTPS על פני Tor במידת האפשר. + +אם ברצונך להשתמש ב- Tor לגלישה באינטרנט, אנו ממליצים רק על דפדפן ה**רשמי** Tor - הוא נועד למנוע טביעת אצבע. + +- [דפדפן Tor :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## מקורות נוספים + +- [מדריך למשתמש של דפדפן Tor](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (יוטיוב) +- [Tor שירותי בצל - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (יוטיוב) + +--8<-- "includes/abbreviations.he.txt" + +[^1]: הממסר הראשון במעגל שלך נקרא "שומר כניסה" או "שומר". זהו ממסר מהיר ויציב שנשאר הראשון במעגל שלך למשך 2-3 חודשים על מנת להגן מפני התקפה ידועה לשבירת אנונימיות. שאר המעגל שלך משתנה עם כל אתר חדש שאתה מבקר בו, וכולם ביחד מספקים ממסרים אלה את הגנת הפרטיות המלאה של Tor. לקבלת מידע נוסף על אופן הפעולה של ממסרי מגן, עיין במאמר זה [בלוג פוסט](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) וגם [דף](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) על שומרי כניסה. 
([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: דגל ממסר: (אי)-הסמכה מיוחדת של ממסרים עבור עמדות מעגל (לדוגמה, "שומר", "יציאה", "יציאה-גרועה"), מאפייני מעגל (לדוגמה, "מהיר", "יציב"), או תפקידים (לדוגמה, "רשות", "HSDir"), כפי שהוקצו על ידי רשויות המדריכים ומוגדרים יותר במפרט פרוטוקול הספרייה. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/he/android.md b/i18n/he/android.md new file mode 100644 index 00000000..e53e0fdd --- /dev/null +++ b/i18n/he/android.md 
@@ -0,0 +1,353 @@ +--- +title: "אנדרואיד" +icon: 'simple/android' +--- + +![לוגו אנדרואיד](assets/img/android/android.svg){ align=right } + +**פרויקט הקוד הפתוח של אנדרואיד** היא מערכת הפעלה ניידת בקוד פתוח בהובלת גוגל, המניעה את רוב המכשירים הניידים בעולם. רוב הטלפונים הנמכרים עם אנדרואיד שונו כך שיכללו אינטגרציות פולשניות ואפליקציות כגון שירותי Google Play, כך שתוכל לשפר משמעותית את הפרטיות שלך במכשיר הנייד שלך על ידי החלפת התקנת ברירת המחדל של הטלפון שלך בגרסת אנדרואיד ללא תכונות פולשניות אלו. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=דף הבית } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=תיעוד} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="קוד מקור" } + +אלו הן מערכות ההפעלה, המכשירים והאפליקציות של אנדרואיד שאנו ממליצים על מנת למקסם את האבטחה והפרטיות של המכשיר הנייד שלך. למידע נוסף על אנדרואיד: + +- [סקירה כללית של אנדרואיד :material-arrow-right-drop-circle:](os/android-overview.md) +- [מדוע אנו ממליצים על GrapheneOS על פני CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) + +## נגזרות AOSP + +אנו ממליצים להתקין במכשיר שלך אחת ממערכות ההפעלה המותאמות אישית של אנדרואיד, המפורטות לפי סדר העדפה, בהתאם לתאימות המכשיר שלך למערכות הפעלה אלו. + +!!! note "הערה" + + למכשירי סוף החיים (כגון מכשירי "תמיכה מורחבת" של GrapheneOS או CalyxOS) אין תיקוני אבטחה מלאים (עדכוני קושחה) עקב הפסקת התמיכה של OEM. מכישירים אלה אינם יכולים להיחשב מאובטחים לחלוטין ללא קשר לתוכנה המותקנת. + +### GrapheneOS + +!!! recommendation + + ![לוגו GrapheneOS](assets/img/android/grapheneos.svg#only-light){ align=right } + ![לוגו GrapheneOS](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** היא הבחירה הטובה ביותר בכל הנוגע לפרטיות ואבטחה. + + GrapheneOS מספקת [הקשחת אבטחה](https://en.wikipedia.org/wiki/Hardening_(computing)) ושיפורי פרטיות נוספים. 
יש לו [מקצה זיכרון מוקשה](https://github.com/GrapheneOS/hardened_malloc), הרשאות רשת וחיישנים ועוד [תכונות אבטחה] שונות (https://grapheneos.org/features). GrapheneOS מגיעה גם עם עדכוני קושחה מלאים ו-builds חתומים, כך שאתחול מאומת נתמך באופן מלא. + + [:octicons-home-16: דף הבית](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=תיעוד} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=תרומה } + +GrapheneOS תומך ב-[Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), המריץ את [שירותי ](https://en.wikipedia.org/wiki/Google_Play_Services)Google Play בארגז חול מלא כמו כל אפליקציה רגילה אחרת. המשמעות היא שאתה יכול לנצל את רוב שירותי Google Play, כגון [הודעות דחיפה](https://firebase.google.com/docs/cloud-messaging/), תוך מתן שליטה מלאה על ההרשאות והגישה שלהם, ובזמן שהם מכילים אותם ל[פרופיל עבודה](os/android-overview.md#work-profile) או [פרופיל משתמש](os/android-overview.md#user-profiles) לבחירתך. + +טלפונים של Google Pixel הם המכשירים היחידים שעומדים כעת ב[דרישות אבטחת החומרה](https://grapheneos.org/faq#device-support) של GrapheneOS. + +### DivestOS + +!!! recommendation + + ![לוגו של DivestOS](assets/img/android/divestos.svg){ align=right } + + **DivestOS** הוא נגזרת חלקית של [LineageOS](https://lineageos.org/). + DivestOS יורשת [מכשירים נתמכים](https://divestos.org/index.php?page=devices&base=LineageOS) רבים מ-LineageOS. יש לו builds חתומים, מה שמאפשר לקבל [אתחול מאומת](https://source.android.com/security/verifiedboot) בחלק מהמכשירים שאינם Pixel. 
+ + [:octicons-home-16: דף הבית](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="שירות בצל" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=לתרומה } + +ל - DivestOS יש פגיעות ליבה ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [שמתוקן](https://gitlab.com/divested-mobile/cve_checker) אוטומטית, פחות בועות קנייניות, וקובץ [מארחים](https://divested.dev/index.php?page=dnsbl) מותאם. ה-WebView המוקשה שלו, [Mulch](https://gitlab.com/divested-mobile/mulch), מאפשר [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) עבור כל הארכיטקטורות ו[חלוקת מצבי רשת](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), ומקבל עדכונים מחוץ לפס. DivestOS כוללת גם תיקוני ליבה מ-GrapheneOS ומאפשרת את כל תכונות האבטחה הזמינות של הליבה באמצעות [הקשחת defconfig](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). כל הליבות החדשות יותר מגרסה 3.4 כוללים עמוד מלא [חיטוי](https://lwn.net/Articles/334747/) ולכל ~22 הליבות המחוברים יש Clang [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) מופעל. + +DivestOS מיישמת כמה תיקוני הקשחת מערכת שפותחו במקור עבור GrapheneOS. 
DivestOS 16.0 ומעלה מיישמת את החלפת הרשאות [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) וחיישנים של GrapheneOS, [מקצית זיכרון מוקשחת](https://github.com/GrapheneOS/hardened_malloc), [השרצת מנהלים](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [קונסטיפיקציה](https://en.wikipedia.org/wiki/Const_(computer_programming)) של [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) ותיקוני התקשות [ביונית](https://en.wikipedia.org/wiki/Bionic_(software)) חלקית. תכונות 17.1 ומעלה של GrapheneOS לכל רשת [אפשרות אקראיות מלאה של ](https://en.wikipedia.org/wiki/MAC_address#Randomization)MAC, בקרת [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) ואתחול אוטומטי/Wi-Fi/Bluetooth [אפשרויות פסק זמן](https://grapheneos.org/features). + +DivestOS משתמשת ב-F-Droid כחנות האפליקציות המוגדרת כברירת מחדל. בדרך כלל, אנו ממליצים להימנע מ-F-Droid עקב [בעיות האבטחה](#f-droid) הרבות שלו. עם זאת, לעשות זאת ב-DivestOS לא כדאי; המפתחים מעדכנים את האפליקציות שלהם באמצעות מאגרי F-Droid משלהם ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) ו- [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). אנו ממליצים להשבית את אפליקציית F-Droid הרשמית ולהשתמש ב[Neo Store](https://github.com/NeoApplications/Neo-Store/) כאשר מאגרי DivestOS מופעלים כדי לשמור על רכיבים אלה מעודכנים. לגבי אפליקציות אחרות, השיטות המומלצות שלנו להשגתן עדיין חלות. + +!!! warning "אזהרה" + + עדכון קושחה של DivestOS [סטטוס](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) ובקרת איכות משתנים בין המכשירים שבהם הוא תומך. אנו עדיין ממליצים על GrapheneOS בהתאם לתאימות המכשיר שלך. עבור מכשירים אחרים, DivestOS היא אלטרנטיבה טובה. + + לא לכל המכשירים הנתמכים יש אתחול מאומת, וחלקם מבצעים אותו טוב יותר מאחרים. 
+ +## מכשירי אנדרואיד + +בעת רכישת מכשיר, אנו ממליצים לרכוש אחד חדש ככל האפשר. התוכנה והקושחה של מכשירים ניידים נתמכות רק לזמן מוגבל, כך שקנייה חדשה מאריכה את תוחלת החיים עד כמה שניתן. + +הימנע מרכישת טלפונים ממפעילי רשתות סלולריות. לעתים קרובות יש להם **מטען אתחול נעול** ואינם תומכים ב[פתיחת נעילה של OEM](https://source.android.com/devices/bootloader/locking_unlocking). גרסאות טלפון אלה ימנעו ממך להתקין כל סוג של הפצת אנדרואיד חלופית. + +היה מאוד **זהיר** לגבי קניית טלפונים יד שניה משוק מקוון. בדוק תמיד את המוניטין של המוכר. אם המכשיר נגנב, קיימת אפשרות ל[רשימה שחורה של IMEI](https://www.gsma.com/security/resources/imei-blacklisting/). קיים גם סיכון שכרוך בהיותך קשור לפעילות של הבעלים הקודם. + +עוד כמה טיפים לגבי מכשירי אנדרואיד ותאימות מערכות הפעלה: + +- אל תקנו מכשירים שהגיעו או קרובים לסוף החיים שלהם, עדכוני קושחה נוספים חייבים להיות מסופקים על ידי היצרן. +- אל תקנו טלפונים טעונים מראש של LineageOS או /e/ OS או כל טלפון אנדרואיד ללא תמיכה מתאימה של [אתחול מאומת](https://source.android.com/security/verifiedboot) ועדכוני קושחה. גם למכשירים האלה אין דרך לבדוק אם התעסקו בהם. +- בקיצור, אם לא מופיעה כאן הפצת מכשיר או אנדרואיד, כנראה שיש סיבה טובה. עיין ב[פורום](https://discuss.privacyguides.net/) שלנו כדי למצוא פרטים! + +### גוגל פיקסל + +טלפונים של גוגל פיקסל הם המכשירים ה**היחידים** שאנו ממליצים לרכישה. לטלפונים של Pixel יש אבטחת חומרה חזקה יותר מכל מכשירי אנדרואיד אחרים הקיימים כיום בשוק, בשל תמיכת AVB נאותה עבור מערכות הפעלה של צד שלישי ושבבי אבטחה [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) הפועלים כאלמנט המאובטח. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + מכשירי **גוגל פיקסל** ידועים כבעלי אבטחה טובה ותומכים כראוי ב[אתחול מאומת](https://source.android.com/security/verifiedboot), גם בעת התקנת מערכות הפעלה מותאמות אישית. 
+ + החל מ-**Pixel 6** ו-**6 Pro**, מכשירי Pixel מקבלים לפחות 5 שנים של עדכוני אבטחה מובטחים, מה שמבטיח תוחלת חיים ארוכה בהרבה בהשוואה ל-2-4 שנים שמציעות יצרניות OEM מתחרות בדרך כלל. + + [:material-shopping: חנות](https://store.google.com/category/phones){ .md-button .md-button--primary } + +רכיבים מאובטחים כמו Titan M2 מוגבלים יותר מסביבת הביצוע המהימנה של המעבד המשמשת את רוב הטלפונים האחרים מכיוון שהם משמשים רק לאחסון סודות, אישור חומרה והגבלת קצב, לא להפעלת תוכניות "מהימנות". טלפונים ללא Secure Element חייבים להשתמש ב-TEE עבור *כל* הפונקציות הללו, וכתוצאה מכך משטח התקפה גדול יותר. + +טלפונים של Google Pixel משתמשים במערכת הפעלה TEE בשם Trusty שהיא [קוד פתוח](https://source.android.com/security/trusty#whyTrusty), בניגוד לטלפונים רבים אחרים. + +ההתקנה של GrapheneOS בטלפון Pixel קלה עם [מתקין האינטרנט](https://grapheneos.org/install/web) שלהם. אם אתה לא מרגיש בנוח לעשות את זה בעצמך ומוכן להוציא קצת כסף נוסף, בדוק את [NitroPhone](https://shop.nitrokey.com/shop) שהם מגיעים טעונים מראש עם GrapheneOS מחברת [Nitrokey](https://www.nitrokey.com/about) המכובדת. + +עוד כמה טיפים לרכישת Google Pixel: + +- אם אתה מחפש מציאה על מכשיר פיקסל, אנו מציעים לקנות דגם "**a**", מיד לאחר יציאת ספינת הדגל הבאה. הנחות זמינות בדרך כלל מכיוון שגוגל תנסה לסלק את המלאי שלה. +- שקול אפשרויות מכות מחיר ומבצעים המוצעים בחנויות פיזיות. +- עיין באתרי עסקאות מקוונים של קהילות במדינה שלך. אלה יכולים להתריע על מכירות טובות. +- Google מספקת רשימה המציגה את [מחזור התמיכה](https://support.google.com/nexus/answer/4457705) עבור כל אחד מהמכשירים שלהם. המחיר ליום עבור מכשיר יכול להיות מחושב כך: $\text{עלות} \over \text {תאריך סוף החיים}-\text{דייט נוכחי}$, כלומר, ככל שהשימוש במכשיר ארוך יותר, העלות ליום נמוכה יותר. + +## אפליקציות כלליות + +אנו ממליצים על מגוון רחב של אפליקציות אנדרואיד ברחבי אתר זה. האפליקציות המפורטות כאן הן בלעדיות לאנדרואיד ומשפרות או מחליפות באופן ספציפי את פונקציונליות המערכת המרכזית. + +### Shelter + +!!! 
recommendation + + ![Shelter לוגו](assets/img/android/shelter.svg){ align=right } + + **Shelter** היא אפליקציה שעוזרת לך למנף את הפונקציונליות של פרופיל העבודה של אנדרואיד כדי לבודד או לשכפל אפליקציות במכשיר שלך. + + Shelter תומך בחסימת פרופילים חוצי חיפוש אנשי קשר ושיתוף קבצים בין פרופילים באמצעות מנהל הקבצים המוגדר כברירת מחדל ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: מאגר](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [simple-googleplay: Google Play:]( https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning "אזהרה" + + Shelter מומלץ מעל [Insular](https://secure-system.gitlab.io/Insular/) ו-[Island](https://github.com/oasisfeng/island) מכיוון שהוא תומך ב[חסימת חיפוש אנשי קשר](https://secure-system.gitlab.io/Insular/faq.html). + + כשאתה משתמש ב-Shelter, אתה נותן אמון מלא במפתח שלו, שכן Shelter פועל כ[מנהל מכשיר](https://developer.android.com/guide/topics/admin/device-admin) כדי ליצור את פרופיל העבודה, וכן יש לו גישה נרחבת לנתונים המאוחסנים בפרופיל העבודה. + +### Auditor + +!!! recommendation + + ![Auditor לוגו](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor לוגו](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** היא אפליקציה הממנפת תכונות אבטחת חומרה כדי לספק ניטור שלמות המכשיר עבור [מכשירים נתמכים](https://attestation.app/about#device-support). נכון לעכשיו, זה עובד רק עם GrapheneOS ומערכת ההפעלה הסטוק של המכשיר. 
+ + [:octicons-home-16: דף הבית](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=תיעוד} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor מבצע אישור וזיהוי חדירה על ידי: + +- שימוש במודל [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) בין *מבקר* ו*בודק*, הזוג יוצר מפתח פרטי ב[מגובת החומרה מאגר המפתחות](https://source.android.com/security/keystore/) של *מבקר*. +- *auditor* יכול להיות מופע אחר של אפליקציית Auditor או [שירות אישור מרחוק](https://attestation.app). +- ה*auditor* מתעד את המצב והתצורה הנוכחיים של ה*auditee*. +- אם התעסקות במערכת ההפעלה של ה*auditee* תתרחש לאחר השלמת ההתאמה, המבקר יהיה מודע לשינוי במצב המכשיר ובתצורות. +- תקבל התראה על השינוי. + +לא נמסר מידע מזהה אישי לשירות האישורים. אנו ממליצים להירשם עם חשבון אנונימי ולאפשר אישור מרחוק לניטור רציף. + +אם [מודל האיום](basics/threat-modeling.md) שלך דורש פרטיות, תוכל לשקול להשתמש ב-[Orbot](tor.md#orbot) או ב-VPN כדי הסתר את כתובת ה-IP שלך משירות האישורים. כדי לוודא שהחומרה ומערכת ההפעלה שלך מקוריות, [בצע אישור מקומי](https://grapheneos.org/install/web#verifying-installation) מיד לאחר התקנת ההתקן ולפני כן לכל חיבור לאינטרנט. + +### Secure Camera + +!!! 
recommendation + + ![Secure camera לוגו](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera לוגו](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** היא אפליקציית מצלמה המתמקדת בפרטיות ואבטחה שיכולה לצלם תמונות, סרטונים וקודי QR. הרחבות של ספקי CameraX (פורטרט, HDR, ראיית לילה, ריטוש פנים ואוטומטי) נתמכות גם במכשירים זמינים. + + [:octicons-repo-16: מאגר](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +תכונות הפרטיות העיקריות כוללות: + +- הסרה אוטומטית של מטא נתונים של [Exif](https://en.wikipedia.org/wiki/Exif) (מופעל כברירת מחדל) +- שימוש בממשק ה-API החדש של [מדיה](https://developer.android.com/training/data-storage/shared/media), לכן [הרשאות אחסון](https://developer.android.com/training/data-storage) אינן נדרשות +- אין צורך בהרשאת מיקרופון אלא אם ברצונך להקליט קול + +!!! note "הערה" + + מטא נתונים אינם נמחקים כעת מקבצי וידאו אבל זה מתוכנן. + + המטא נתונים של כיוון התמונה לא נמחקים. אם תפעיל מיקום ב(Secure Camera) זה גם **לא** יימחק. אם ברצונך למחוק זאת מאוחר יותר, יהיה עליך להשתמש באפליקציה חיצונית כגון [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! 
recommendation + + ![Secure PDF Viewer לוגו](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer לוגו](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** הוא מציג PDF המבוסס על [pdf.js](https://en.wikipedia.org/wiki/PDF.js) שאינו דורש הרשאות כלשהן. ה-PDF מוזן לתוך [ארגז חול](https://en.wikipedia.org/wiki/Sandbox_(software_development))[webview](https://developer.android.com/guide/webapps/webview). המשמעות היא שזה לא דורש הרשאה ישירה כדי לגשת לתוכן או לקבצים. + + [תוכן-אבטחה-מדיניות](https://en.wikipedia.org/wiki/Content_Security_Policy) משמש כדי לאכוף שמאפייני JavaScript והסגנון ב-WebView הם תוכן סטטי לחלוטין. + + [:octicons-repo-16: מאגר](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## קבלת בקשות + +### GrapheneOS App Store + +חנות האפליקציות של GrapheneOS זמינה ב-[GitHub](https://github.com/GrapheneOS/Apps/releases). הוא תומך באנדרואיד 12 ומעלה ומסוגל לעדכן את עצמו. לחנות האפליקציות יש יישומים עצמאיים שנבנו על ידי פרויקט GrapheneOS כגון [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera) ו-[PDF Viewer](https://github.com/GrapheneOS/PdfViewer). אם אתם מחפשים אפליקציות אלו, אנו ממליצים בחום להשיג אותן מחנות האפליקציות של GrapheneOS במקום מחנות Play, שכן האפליקציות בחנות שלהן חתומות על ידי חתימת הפרויקט של ה-GrapheneOS שלגוגל אין גישה אליה. + +### Aurora Store + +חנות Google Play דורשת חשבון Google כדי להתחבר וזה לא נהדר לפרטיות. 
אתה יכול לעקוף את זה על ידי שימוש בלקוח חלופי, כגון Aurora Store. + +!!! recommendation + + ![Aurora Store לוגו](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** היא לקוח של חנות Google Play שאינה דורשת חשבון Google, שירותי Google Play או microG כדי להוריד אפליקציות. + + [:octicons-home-16: דף הבית](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store לא מאפשרת להוריד אפליקציות בתשלום עם תכונת החשבון האנונימי שלהן. אתה יכול לחלופין להתחבר עם חשבון Google שלך עם Aurora Store כדי להוריד אפליקציות שרכשת, מה שאכן נותן גישה לרשימת האפליקציות שהתקנת ל-Google, אולם אתה עדיין נהנה מכך שאינך דורש את לקוח Google Play המלא ואת Google Play שירותים או microG במכשיר שלך. + +### התראות RSS באופן ידני + +עבור אפליקציות ששוחררו בפלטפורמות כמו GitHub ו-GitLab, ייתכן שתוכל להוסיף עדכון RSS ל[צובר החדשות](/news-aggregators) שלך שיעזור לך לעקוב אחר מהדורות חדשות. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![שינויים ב-APK](./assets/img/android/rss-changes-light.png#only-light) ![שינויים ב-APK](./assets/img/android/rss-changes-dark.png#only-dark) + +#### Github + +ב-GitHub, באמצעות [Secure Camera](#secure-camera) כדוגמה, תנווט אל [ שלה. 
דף מהדורות](https://github.com/GrapheneOS/Camera/releases) וצרף את `.atom` לכתובת האתר: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +ב-GitLab, באמצעות [Aurora Store](#aurora-store) כדוגמה, תנווט אל [מאגר הפרויקטים שלה ](https://gitlab.com/AuroraOSS/AuroraStore) והוסף את `/-/tags?format=atom` לכתובת האתר: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### אימות טביעות אצבע של APK + +אם אתה מוריד קבצי APK להתקנה ידנית, תוכל לאמת את החתימה שלהם באמצעות [`apksigner`](https://developer.android.com/studio/command-line/apksigner) כלי, שהוא חלק מ[כלי בנייה](https://developer.android.com/studio/releases/build-tools) של אנדרואיד. + +1. התקן [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. הורד את [כלי שורת הפקודה של אנדרואיד סטודיו](https://developer.android.com/studio#command-tools). + +3. חלץ את הארכיון שהורד: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. הפעל את פקודת אימות החתימה: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. לאחר מכן ניתן להשוות את ה-hashes המתקבלים עם מקור אחר. מפתחים מסוימים כגון Signal [מראים את טביעות האצבע](https://signal.org/android/apk/) באתר האינטרנט שלהם. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![לוגו F-Droid](assets/img/android/f-droid.svg){ align=right width=120px } + +==אנחנו **לא** ממליצים כרגע על F-Droid כדרך להשיג אפליקציות.== F-Droid מומלצת לעתים קרובות כחלופה ל-Google Play, במיוחד בפרטיות קהילה. האפשרות להוסיף מאגרי צד שלישי ולא להיות מוגבלים לגן המוקף חומה של גוגל הובילה לפופולריות שלו. 
ל-F-Droid יש בנוסף [בניינים הניתנים לשחזור](https://f-droid.org/en/docs/Reproducible_Builds/) עבור יישומים מסוימים והוא מוקדש לתוכנות חינמיות וקוד פתוח. עם זאת, יש [בעיות בולטות](https://privsec.dev/posts/android/f-droid-security-issues/) עם לקוח F-Droid הרשמי, בקרת האיכות שלו, כיצד הם בונים, חותמים ומספקים חבילות. + +בשל תהליך בניית האפליקציות שלהם, אפליקציות במאגר ה-F-Droid הרשמי מפגרות לעתים קרובות בפיגור לגבי עדכונים. מנהלי F-Droid גם עושים שימוש חוזר במזהי חבילה בזמן חתימת אפליקציות עם המפתחות שלהם, וזה לא אידיאלי מכיוון שהוא נותן אמון אולטימטיבי לצוות F-Droid. + +מאגרים פופולריים אחרים של צד שלישי כגון [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) מקלים על חלק מהחששות הללו. מאגר IzzyOnDroid מושך רכיבים ישירות מ-GitHub והוא הדבר הטוב הבא למאגרים של המפתחים עצמם. עם זאת, זה לא משהו שאנחנו יכולים להמליץ עליו, מכיוון שאפליקציות בדרך כלל [מסירים](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) מהמאגר הזה כאשר הם מגיעים למאגר F-Droid הראשי. למרות שזה הגיוני (מכיוון שהמטרה של המאגר המסוים הזה היא לארח אפליקציות לפני שהן מתקבלות למאגר ה-F-Droid הראשי), זה יכול להשאיר אותך עם אפליקציות מותקנות שכבר לא מקבלים עדכונים. + +עם זאת, [F-Droid](https://f-droid.org/en/packages/) ו-[IzzyOnDroid](https://apt.izzysoft.de/fdroid/) הם ביתם של אינספור אפליקציות, כך שהם יכולים להוות כלי שימושי לחיפוש ולגלות אפליקציות קוד פתוח שתוכל להוריד דרך חנות Play, Aurora Store, או על ידי קבלת ה-APK ישירות מה- מפתח. חשוב לזכור שחלק מהאפליקציות במאגרים אלו לא עודכנו במשך שנים ועשויות להסתמך על ספריות שאינן נתמכות, בין היתר, מהוות סיכון אבטחה פוטנציאלי. אתה צריך להשתמש במיטב שיקול הדעת שלך כשאתה מחפש אפליקציות חדשות בשיטה זו. + +!!! note "הערה" + + במקרים נדירים מסוימים, מפתח אפליקציה יפיץ אותה רק באמצעות F-Droid ([Gadgetbridge](https://gadgetbridge.org/) היא דוגמה אחת לכך). אם אתה באמת צריך אפליקציה כזו, אנו ממליצים להשתמש ב-[Neo Store](https://github.com/NeoApplications/Neo-Store/) במקום באפליקציית F-Droid הרשמית כדי להשיג אותה. 
+ +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +### מערכות הפעלה + +- חייבת להיות תוכנת קוד פתוח. +- חייב לתמוך בנעילת bootloader עם תמיכת מפתח AVB מותאמת אישית. +- חייב לקבל עדכוני אנדרואיד גדולים בתוך 0-1 חודשים מהשחרור. +- חייב לקבל עדכוני תכונות אנדרואיד (גרסה מינורית) בתוך 0-14 ימים מהשחרור. +- חייב לקבל תיקוני אבטחה רגילים בתוך 0-5 ימים מהשחרור. +- חייבים **לא** להיות "rooted" מהקופסה. +- חייב **לא** להפעיל את שירותי Google Play כברירת מחדל. +- חייב **לא** לדרוש שינוי מערכת כדי לתמוך בשירותי Google Play. + +### מכשירים + +- חייב לתמוך לפחות באחת ממערכות ההפעלה המומלצות שלנו. +- חייב להימכר כרגע חדש בחנויות. +- חייב לקבל לפחות 5 שנים של עדכוני אבטחה. +- חייבת להיות חומרה ייעודית לרכיב מאובטח. + +### יישומים + +- יישומים בדף זה לא חייבים להיות ישימים לכל קטגוריית תוכנה אחרת באתר. +- יישומים כלליים צריכים להרחיב או להחליף את פונקציונליות הליבה של המערכת. +- יישומים צריכים לקבל עדכונים ותחזוקה שוטפים. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/assets/img/account-deletion/exposed_passwords.png b/i18n/he/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/he/assets/img/account-deletion/exposed_passwords.png differ 
diff --git a/i18n/he/assets/img/android/rss-apk-dark.png b/i18n/he/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/he/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/he/assets/img/android/rss-apk-light.png b/i18n/he/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/he/assets/img/android/rss-apk-light.png differ diff --git a/i18n/he/assets/img/android/rss-changes-dark.png b/i18n/he/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/he/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/he/assets/img/android/rss-changes-light.png b/i18n/he/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/he/assets/img/android/rss-changes-light.png differ diff --git a/i18n/he/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/he/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..625cb3e2 --- /dev/null +++ b/i18n/he/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + המכשיר + + שלך + + + + שליחת נתונים לאתר + + + + + קבלת נתונים מאתר אינטרנט + + + + + המכשיר + + שלך + + + + כניסה + + + + + אמצע + + + + + יציאה + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + כניסה + + + + + אמצע + + + + + יציאה + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/he/assets/img/how-tor-works/tor-encryption.svg b/i18n/he/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/he/assets/img/how-tor-works/tor-encryption.svg 
@@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/he/assets/img/how-tor-works/tor-path-dark.svg b/i18n/he/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..1b697846 --- /dev/null +++ b/i18n/he/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + המכשיר + שלך + + + + כניסה + + + + + אמצע + + + + + יציאה + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/he/assets/img/how-tor-works/tor-path.svg b/i18n/he/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..22ef319c --- /dev/null +++ b/i18n/he/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + המכשיר + שלך + + + + כניסה + + + + + אמצע + + + + + יציאה + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/he/assets/img/multi-factor-authentication/fido.png b/i18n/he/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..81f4332c Binary files /dev/null and b/i18n/he/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/he/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/he/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..a1e6dcd2 Binary files /dev/null and b/i18n/he/assets/img/multi-factor-authentication/yubico-otp.png differ 
diff --git a/i18n/he/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/he/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/he/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/he/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/he/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/he/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/he/basics/account-creation.md b/i18n/he/basics/account-creation.md new file mode 100644 index 00000000..14b6240b --- /dev/null +++ b/i18n/he/basics/account-creation.md 
@@ -0,0 +1,82 @@ +--- +title: "יצירת חשבון" +icon: 'material/account-plus' +--- + +לעתים קרובות אנשים נרשמים לשירותים מבלי לחשוב. אולי זה שירות סטרימינג כדי שתוכל לצפות בתוכנית החדשה שכולם מדברים עליה, או חשבון שנותן לך הנחה למקום האוכל המהיר האהוב עליך. לא משנה מה המקרה, עליך לשקול את ההשלכות על הנתונים שלך כעת ובהמשך בהמשך הקו. + +ישנם סיכונים הקשורים לכל שירות חדש שאתה משתמש בו. פרצות מידע; חשיפת פרטי הלקוח לצדדים שלישיים; עובדים סוררים שניגשים לנתונים; כולן אפשרויות שיש לקחת בחשבון בעת מתן המידע שלך. אתה צריך להיות בטוח שאתה יכול לסמוך על השירות, ולכן אנחנו לא ממליצים לאחסן נתונים יקרי ערך על שום דבר מלבד המוצרים הבוגרים ביותר שנבדקו בקרב. זה בדרך כלל אומר שירותים המספקים E2EE ועברו ביקורת קריפטוגרפית. ביקורת מגבירה את הביטחון שהמוצר תוכנן ללא בעיות אבטחה בולטות שנגרמו על ידי מפתח חסר ניסיון. + +יכול להיות גם קשה למחוק את החשבונות בשירותים מסוימים. לפעמים [החלפת נתונים](account-deletion.md#overwriting-account-information) הקשורים לחשבון יכולה להיות אפשרית, אך במקרים אחרים השירות ישמור היסטוריה שלמה של שינויים בחשבון. + +## תנאים והגבלות & מדיניות הפרטיות + +ה-ToS הם הכללים שאתה מסכים לפעול עליהם בעת השימוש בשירות. עם שירותים גדולים יותר כללים אלה נאכפים לרוב על ידי מערכות אוטומטיות. לפעמים המערכות האוטומטיות האלה יכולות לעשות טעויות. לדוגמה, אתה עשוי להיות חסום או נעול מחוץ לחשבון שלך בשירותים מסוימים בגלל שימוש במספר VPN או VOIP. ערעור על איסורים כאלה הוא לעתים קרובות קשה, וכרוך גם בתהליך אוטומטי, שלא תמיד מצליח. זו תהיה אחת הסיבות לכך שלא היינו מציעים להשתמש ב-Gmail לאימייל כדוגמה. אימייל חיוני לגישה לשירותים אחרים שאולי נרשמת אליהם. + +מדיניות הפרטיות היא האופן שבו השירות אומר שהם ישתמשו בנתונים שלך וכדאי לקרוא כדי שתבין כיצד ישמש הנתונים שלך. ייתכן שחברה או ארגון לא יהיו מחויבים על פי חוק לציית לכל הכלול במדיניות (זה תלוי בתחום השיפוט). אנו ממליצים לקבל מושג מה הם החוקים המקומיים שלך ומה הם מאפשרים לספק לאסוף. + +אנו ממליצים לחפש מונחים מסוימים כגון "איסוף נתונים", "ניתוח נתונים", "עוגיות", "מודעות" או שירותי "צד שלישי". 
לפעמים תוכל לבטל את הסכמתך לאיסוף נתונים או משיתוף הנתונים שלך, אבל עדיף לבחור שירות שמכבד את פרטיותך מלכתחילה. + +זכור שאתה גם נותן אמון בחברה או בארגון ושהם יצייתו למדיניות הפרטיות שלהם. + +## שיטות אימות + +בדרך כלל ישנן מספר דרכים להירשם לחשבון, כל אחת עם היתרונות והחסרונות שלה. + +### אימייל וסיסמא + +הדרך הנפוצה ביותר ליצור חשבון חדש היא באמצעות כתובת אימייל וסיסמה. בעת שימוש בשיטה זו, עליך להשתמש במנהל סיסמאות ולפעול לפי [שיטות עבודה מומלצות](passwords-overview.md) לגבי סיסמאות. + +!!! tip "טיפ" + + אתה יכול להשתמש במנהל הסיסמאות שלך כדי לארגן גם שיטות אימות אחרות! פשוט הוסף את הערך החדש ומלא את השדות המתאימים, אתה יכול להוסיף הערות לדברים כמו שאלות אבטחה או מפתח גיבוי. + +אתה תהיה אחראי על ניהול אישורי הכניסה שלך. לאבטחה נוספת, תוכל להגדיר [MFA](multi-factor-authentication.md) בחשבונות שלך. + +[מנהלי סיסמאות מומלצים](../passwords.md ""){.md-button} + +#### כינויי אימייל + +אם אינך רוצה לתת את כתובת האימייל האמיתית שלך לשירות, יש לך אפשרות להשתמש בכינוי. תיארנו אותם ביתר פירוט בדף ההמלצות של שירותי האימייל שלנו. בעיקרון, שירותי כינוי מאפשרים לך ליצור כתובות אימייל חדשות המעבירות את כל המיילים לכתובת הראשית שלך. זה יכול לעזור למנוע מעקב אחר שירותים ולעזור לך לנהל את האימיילים השיווקיים שמגיעים לפעמים עם תהליך ההרשמה. ניתן לסנן אותם באופן אוטומטי על סמך הכינוי שאליו הם נשלחים. + +אם שירות ייפרץ, ייתכן שתתחיל לקבל הודעות דיוג או דואר זבל לכתובת שבה השתמשת כדי להירשם. שימוש בכינויים ייחודיים עבור כל שירות יכול לסייע בזיהוי בדיוק איזה שירות נפרץ. + +[שירותי כינוי אימייל מומלצים](../email.md#email-aliasing-services ""){.md-button} + +### כניסה יחידה + +!!! note "הערה" + + אנו דנים בכניסה יחידה לשימוש אישי, לא למשתמשים ארגוניים. + +כניסה יחידה (SSO) היא שיטת אימות המאפשרת לך להירשם לשירות מבלי לשתף מידע רב, אם בכלל. בכל פעם שאתה רואה משהו בסגנון "היכנס עם *שם הספק*" בטופס הרשמה, זה SSO. + +כאשר אתה בוחר בכניסה יחידה לאתר, הוא יבקש מדף הכניסה של ספק ה-SSO שלך ולאחר מכן חשבונך יחובר. 
הסיסמה שלך לא תשותף, אבל חלק מהמידע הבסיסי יעשה זאת (תוכל לעיין בה במהלך בקשת ההתחברות). תהליך זה נחוץ בכל פעם שאתה רוצה להיכנס לאותו חשבון. + +היתרונות העיקריים הם: + +- **אבטחה**: אין סיכון להיות מעורב ב[הפרת נתונים](https://en.wikipedia.org/wiki/Data_breach) מכיוון האתר אינו שומר את האישורים שלך. +- **קלות שימוש**: מספר חשבונות מנוהלים על ידי התחברות אחת. + +אבל יש חסרונות: + +- **פרטיות**: ספק SSO יידע באילו שירותים אתה משתמש. +- **ריכוזיות**: אם חשבון SSO שלך נפגע או שאינך יכול להתחבר אליו, כל שאר החשבונות המחוברים אליו יושפעו. + +SSO יכול להיות שימושי במיוחד במצבים שבהם אתה יכול להפיק תועלת מאינטגרציה עמוקה יותר בין שירותים. לדוגמה, אחד מהשירותים הללו עשוי להציע SSO עבור האחרים. ההמלצה שלנו היא להגביל את SSO רק למקום שבו אתה צריך את זה ולהגן על החשבון הראשי באמצעות [MFA](multi-factor-authentication.md). + +כל השירותים המשתמשים ב-SSO יהיו מאובטחים כמו חשבון SSO שלך. לדוגמה, אם אתה רוצה לאבטח חשבון עם מפתח חומרה אבל השירות הזה לא תומך במפתחות חומרה, אתה יכול לאבטח את חשבון SSO שלך עם מפתח חומרה וכעת יש לך בעצם MFA חומרה בכל החשבונות שלך. עם זאת, ראוי לציין שאימות חלש בחשבון SSO שלך אומר שכל חשבון הקשור לכניסה זו יהיה גם חלש. + +### מספר טלפון + +אנו ממליצים להימנע משירותים הדורשים מספר טלפון לצורך הרשמה. מספר טלפון יכול לזהות אותך במספר שירותים ובהתאם להסכמי שיתוף נתונים זה יקל על המעקב אחר השימוש שלך, במיוחד אם אחד מהשירותים האלה נפרץ מכיוון שמספר הטלפון הוא לרוב **לא** מוצפן. + +כדאי להימנע מלמסור את מספר הטלפון האמיתי שלך אם אתה יכול. שירותים מסוימים יאפשרו שימוש במספרי VOIP, אולם אלה מפעילים לעתים קרובות מערכות זיהוי הונאה, מה שגורם לנעילה של חשבון, ולכן איננו ממליצים על כך עבור חשבונות חשובים. + +במקרים רבים תצטרך לספק מספר שממנו תוכל לקבל SMS או שיחות, במיוחד בעת קניות בינלאומיות, למקרה שיש בעיה בהזמנה שלך בבדיקת הגבול. מקובל ששירותים משתמשים במספר שלך כשיטת אימות; אל תיתן לעצמך להינעל מחוץ לחשבון חשוב כי רצית להיות חכם ולתת מספר מזויף! 
+ +### שם משתמש וסיסמא + +שירותים מסוימים מאפשרים לך להירשם ללא שימוש בכתובת אימייל ורק דורשים ממך להגדיר שם משתמש וסיסמה. שירותים אלה עשויים לספק אנונימיות מוגברת בשילוב עם VPN או Tor. זכור שעבור חשבונות אלה סביר להניח ש**אין דרך לשחזר את חשבונך** במקרה שתשכח את שם המשתמש או הסיסמה שלך. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/basics/account-deletion.md b/i18n/he/basics/account-deletion.md new file mode 100644 index 00000000..710eea43 --- /dev/null +++ b/i18n/he/basics/account-deletion.md @@ -0,0 +1,63 @@ +--- +title: "מחיקת חשבון" +icon: 'material/account-remove' +--- + +עם הזמן, זה יכול להיות קל לצבור מספר חשבונות מקוונים, שרבים מהם אולי כבר לא תשתמשו בהם. מחיקת חשבונות שאינם בשימוש היא צעד חשוב בהחזרת הפרטיות שלך, מכיוון שחשבונות רדומים חשופים לפרצות מידע. פרצת נתונים היא כאשר אבטחת השירות נפגעת ומידע מוגן נצפה, מועבר או נגנב על ידי שחקנים לא מורשים. פרצות מידע הן למרבה הצער כולן [נפוצות מדי](https://haveibeenpwned.com/PwnedWebsites) בימינו, ולכן תרגול היגיינה דיגיטלית טובה היא הדרך הטובה ביותר למזער את ההשפעה שיש להן על חייך. המטרה של מדריך זה היא אם כן לעזור לנווט אותך בתהליך המעיק של מחיקת חשבון, שלעתים קרובות מקשה על ידי [עיצוב מטעה](https://www.deceptive.design/), למען השיפור של הנוכחות המקוונת שלך. + +## איתור חשבונות ישנים + +### מנהל הסיסמאות + +אם יש לך מנהל סיסמאות שבו השתמשת במשך כל חייך הדיגיטליים, החלק הזה יהיה קל מאוד. לעתים קרובות, הם כוללים פונקציונליות מובנית לזיהוי אם פרטי הכניסה שלך נחשפו בפריצת נתונים - כגון דוח [פריצת הנתונים של Bitwarden](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![מאפיין הדוח 'פריצת נתונים' של Bitwarden](../assets/img/account-deletion/exposed_passwords.png) +
+ +גם אם לא השתמשת במנהל סיסמאות במפורש בעבר, יש סיכוי שהשתמשת במנהל הסיסמאות בדפדפן או בטלפון שלך מבלי לשים לב. לדוגמה: [מנהל הסיסמאות של Firefox](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [מנהל הסיסמאות של גוגל](https://passwords.google.com/intro) ו - [מנהל סיסמאות של Edge](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +פלטפורמות שולחניות כוללות לעתים קרובות מנהל סיסמאות שעשוי לעזור לך לשחזר סיסמאות ששכחת מהן: + +- מנהל אישורי Windows +- macOS [סיסמאות](https://support.apple.com/en-us/HT211145) +- iOS [סיסמאות](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, שאליו ניתן לגשת דרך [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) או [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### אימייל + +אם לא השתמשת במנהל סיסמאות בעבר או שאתה חושב שיש לך חשבונות שמעולם לא נוספו למנהל הסיסמאות שלך, אפשרות נוספת היא לחפש בחשבונ(ות) הדוא"ל שאתה מאמין שנרשמת אליהם. בלקוח האימייל שלך, חפש מילות מפתח כגון "אמת" או "ברוך הבא" כמעט בכל פעם שתבצע חשבון מקוון, השירות ישלח קישור לאימות או הודעת היכרות לאימייל שלך. זו יכולה להיות דרך טובה למצוא חשבונות ישנים ונשכחים. + +## מחיקת חשבונות ישנים + +### התחברות + +כדי למחוק את החשבונות הישנים שלך, תחילה עליך לוודא שתוכל להתחבר אליהם. שוב, אם החשבון היה במנהל הסיסמאות שלך, שלב זה קל. אם לא, אפשר לנסות לנחש את הסיסמה. אם לא, יש בדרך כלל אפשרויות להחזיר את הגישה לחשבון שלך, זמין בדרך כלל באמצעות קישור "שכחתי את הסיסמה" בדף הכניסה. ייתכן גם שחשבונות שנטשת כבר נמחקו - לפעמים שירותים מוחקים את כל החשבונות הישנים. + +כאשר מנסים לקבל גישה מחדש, אם האתר מחזיר הודעת שגיאה האומרת שדוא"ל אינו משויך לחשבון, או שאתה לעולם לא מקבל קישור לאיפוס לאחר מספר ניסיונות, אז אין לך חשבון תחת כתובת דוא"ל זו ועליך לנסות אחד אחר. אם אינך מצליח להבין באיזו כתובת דוא"ל השתמשת, או שכבר אין לך גישה לדוא"ל זה, תוכל לנסות ליצור קשר עם תמיכת הלקוחות של השירות. 
לצערנו, אין ערובה לכך שתוכל לקבל שוב גישה לחשבון שלך. + +### GDPR (תושבי EEA בלבד) + +לתושבי האזור הכלכלי האירופי יש זכויות נוספות בנוגע למחיקת נתונים המפורטים בסעיף [17](https://www.gdpr.org/regulation/article-17.html) של ה - GDPR. אם זה רלוונטי עבורך, קרא את מדיניות הפרטיות של כל שירות נתון כדי למצוא מידע על מימוש הזכות שלך למחיקה. קריאת מדיניות הפרטיות יכולה להיות חשובה, שכן חלק מהשירותים כוללים אפשרות "מחק חשבון" המשביתה רק את החשבון שלך ולמחיקת אמיתית עליך לנקוט פעולה נוספת. לפעמים מחיקה בפועל עשויה לכלול מילוי סקרים, שליחת אימייל לקצין הגנת המידע של השירות או אפילו הוכחת מקום מגוריך ב - EEA. אם אתם מתכננים ללכת בדרך זו,** אל תעשו ** שישכתב את המידע על חשבון שיש - הזהות שלך כתושב EEA עשוי להיות נדרש. שים לב כי המיקום של השירות אינו משנה; GDPR חל על כל מי שמשרת משתמשים באירופה. אם השירות אינו מכבד את זכותך למחיקה, באפשרותך ליצור קשר עם הלאום שלך [לרשות להגנת נתונים ](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) אתה יכול להיות זכאי לפיצוי כספי. + +### עריכת פרטי החשבון הקיים + +במצבים מסוימים שבהם אתה מתכנן לנטוש חשבון, ייתכן שיהיה הגיוני להחליף את פרטי החשבון בנתונים מזויפים. לאחר שווידאת שתוכל להתחבר, שנה את כל המידע בחשבונך למידע מזויף. הסיבה לכך היא שאתרים רבים ישמרו מידע שהיה ברשותך בעבר גם לאחר מחיקת החשבון. התקווה היא שהם יחליפו את המידע הקודם בנתונים החדשים ביותר שהזנת. עם זאת, אין ערובה לכך שלא יהיו גיבויים עם המידע הקודם. + +עבור הדוא"ל של החשבון, צור חשבון דוא"ל חלופי חדש באמצעות הספק שבחרת או צור כינוי באמצעות שירות [כינויי דוא"ל](../email.md#email-aliasing-services). לאחר מכן תוכל למחוק את כתובת הדוא"ל החלופית שלך לאחר שתסיים. אנו ממליצים שלא להשתמש בספקי דוא"ל זמניים, שכן לעתים קרובות ניתן להפעיל מחדש הודעות דוא"ל זמניות. + +### מחיקה + +אתה יכול לבדוק את [JustDeleteMe](https://justdeleteme.xyz) לקבלת הוראות למחיקת החשבון עבור שירות ספציפי. 
בחלק מהאתרים תהיה באדיבות אפשרות "מחק חשבון", בעוד שאחרים ירחיקו עד כדי להכריח אותך לדבר עם סוכן תמיכה. תהליך המחיקה יכול להשתנות מאתר לאתר, כאשר מחיקת חשבון בלתי אפשרית בחלקם. + +עבור שירותים שאינם מאפשרים מחיקת חשבון, הדבר הטוב ביותר לעשות הוא לזייף את כל המידע שלך כפי שהוזכר קודם ולחזק את אבטחת החשבון. לשם כך, אפשר [MFA](multi-factor-authentication.md) ואת כל תכונות האבטחה הנוספות המוצעות. כמו כן, שנה את הסיסמה לאחד שנוצר באופן אקראי שהוא הגודל המרבי המותר (מנהל סיסמאות [](../passwords.md) יכול להיות שימושי עבור זה). + +אם אתה מרוצה מכך שכל המידע שחשוב לך יוסר, תוכל לשכוח בבטחה מחשבון זה. אם לא, ייתכן שכדאי לשמור את פרטי הכניסה עם הסיסמאות האחרות, ומדי פעם להתחבר מחדש כדי לאפס את הסיסמה. + +גם כאשר אתה יכול למחוק חשבון, אין ערובה לכך שכל הפרטים שלך יוסרו. למעשה, חלק מהחברות מחויבות על פי חוק לשמור מידע מסוים, במיוחד כאשר מדובר בעסקאות פיננסיות. זה בעיקר מחוץ לשליטתך מה קורה לנתונים שלך כשמדובר באתרי אינטרנט ובשירותי ענן. + +## הימנעות מחשבונות חדשים + +כפי שאומר הפתגם הישן, "גרם של מניעה שווה קילו של תרופה." בכל פעם שאתה מתפתה להירשם לחשבון חדש, שאל את עצמך, "האם אני באמת צריך את זה? האם אני יכול להשיג את מה שאני צריך בלי חשבון?" לעתים קרובות זה יכול להיות הרבה יותר קשה למחוק חשבון מאשר ליצור אחד. וגם לאחר מחיקה או שינוי של המידע בחשבונך, עשויה להיות גרסה שמור של צד שלישי - כמו [ארכיון האינטרנט](https://archive.org/). הימנע מהפיתוי כאשר אתה מסוגל - העצמי העתידי שלך יודה לך! + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/basics/common-misconceptions.md b/i18n/he/basics/common-misconceptions.md new file mode 100644 index 00000000..001a7a98 --- /dev/null +++ b/i18n/he/basics/common-misconceptions.md 
@@ -0,0 +1,61 @@ +--- +title: "תפיסות מוטעות נפוצות" +icon: 'material/robot-confused' +--- + +## "תוכנת קוד פתוח תמיד מאובטחת" או "תוכנה קניינית מאובטחת יותר" + +מיתוסים אלו נובעים ממספר דעות קדומות, אך האם קוד המקור זמין ואופן רישיון התוכנה אינו משפיע מטבעו על אבטחתה בשום צורה. == לתוכנת קוד פתוח יש את ה*פוטנציאל* להיות מאובטח יותר מתוכנה קניינית, אבל אין שום ערובה שזה המצב.== כאשר אתה מעריך תוכנה, עליך להסתכל על המוניטין והאבטחה של כל כלי על בסיס אישי. + +תוכנת קוד פתוח *ניתנת* לביקורת על ידי צדדים שלישיים, ולעתים קרובות היא שקופה יותר לגבי נקודות תורפה אפשריות מאשר עמיתים קנייניים. זה גם מאפשר לך לסקור את הקוד ולהשבית כל פונקציונליות חשודה שתמצא בעצמך. עם זאת, *אלא אם כן תעשה זאת*, אין ערובה שהקוד הוערך אי פעם, במיוחד עם פרויקטי תוכנה קטנים יותר. תהליך הפיתוח הפתוח נוצל לפעמים גם כדי להכניס פרצות חדשות אפילו לפרויקטים גדולים.[^1] + +בצד השני, תוכנה קניינית פחות שקופה, אבל זה לא מרמז על כך שהיא לא מאובטחת. פרויקטי תוכנה קנייניים גדולים ניתנים לביקורת פנימית ועל ידי סוכנויות צד שלישי, וחוקרי אבטחה בלתי תלויים עדיין יכולים למצוא נקודות תורפה עם טכניקות כמו הנדסה לאחור. + +כדי להימנע מהחלטות מוטות, *חיוני* שתעריך את תקני הפרטיות והאבטחה של התוכנה שבה אתה משתמש. + +## "שינוי באמון יכול להגביר את הפרטיות" + +אנחנו מדברים הרבה על "שינוי אמון" כאשר דנים בפתרונות כמו VPNs (המסיטים את האמון שאתה נותן בספק אינטרנט שלך לספק VPN). למרות שזה מגן על נתוני הגלישה שלך מספק האינטרנט שלך *באופן ספציפי*, לספק ה-VPN שתבחר עדיין יש גישה לנתוני הגלישה שלך: הנתונים שלך אינם מאובטחים לחלוטין מכל הצדדים. משמעות הדבר היא: + +1. עליך לנקוט משנה זהירות בעת בחירת ספק להעביר אליו אמון. +2. אתה עדיין צריך להשתמש בטכניקות אחרות, כמו E2EE, כדי להגן על הנתונים שלך לחלוטין. חוסר אמון בספק אחד בלבד כדי לסמוך על אחר אינו מאבטח הנתונים שלך. + +## "פתרונות המתמקדים בפרטיות הם אמינים מטבעם" + +התמקדות אך ורק במדיניות הפרטיות ושיווק של כלי או ספק יכול לעוור אותך לחולשותיו. כאשר אתה מחפש פתרון פרטי יותר, עליך לקבוע מהי הבעיה הבסיסית ולמצוא פתרונות טכניים לבעיה זו. 
לדוגמה, ייתכן שתרצה להימנע מ Google Drive, המעניק ל - גוגל גישה לכל הנתונים שלך. הבעיה הבסיסית במקרה זה היא חוסר ב-E2EE, אז כדאי לוודא שהספק אליו אתם עוברים מיישם את E2EE, או להשתמש בכלי (כמו [Cryptomator](../encryption.md#cryptomator-cloud)) המספק E2EE בכל ספק ענן. מעבר לספק "ממוקד פרטיות" (שאינו מיישם E2EE) לא פותר את הבעיה שלך: הוא פשוט מעביר את האמון מגוגל לספק הזה. + +מדיניות הפרטיות והנהלים העסקיים של ספקים שאתה בוחר חשובים מאוד, אך יש להתייחס אליהם כמשניים להבטחות טכניות לפרטיות שלך: אל תעביר אמון לספק אחר כאשר אמון בספק אינו דרישה כלל. + +## "מסובך זה יותר טוב" + +לעתים קרובות אנחנו רואים אנשים שמתארים מודלים של איום על פרטיות שהם מורכבים מדי. לעתים קרובות, פתרונות אלה כוללים בעיות כמו חשבונות דוא"ל רבים ושונים או התקנות מסובכות עם הרבה העברת חלקים ותנאים. התשובות הן בדרך כלל תשובות לשאלה "מהי הדרך הטובה ביותר לעשות *X*?" + +מציאת הפתרון "הטוב ביותר" עבורך לא בהכרח אומרת שאתה מחפש פתרון לא נכון עם עשרות תנאים - לעתים קרובות קשה לעבוד עם פתרונות אלה באופן מציאותי. כפי שציינו קודם לכן, אבטחה באה לעתים קרובות במחיר של נוחות. בהמשך אנו מספקים כמה טיפים: + +1. ==פעולות צריכות לשרת מטרה מסוימת:== תחשוב איך לעשות מה שאתה רוצה עם הכי פחות פעולות. +2. ==הסר נקודות כשל אנושיות:== אנחנו נכשלים, מתעייפים ושוכחים דברים. כדי לשמור על אבטחה, הימנע מהסתמכות על תנאים ותהליכים ידניים שאתה צריך לזכור. +3. ==השתמש ברמת ההגנה הנכונה עבור מה שאתה מתכוון.== לעתים קרובות אנו רואים המלצות על מה שנקרא פתרונות אכיפת חוק או הוכחת זימון. אלה דורשים לעתים קרובות ידע מומחה ובדרך כלל הם לא מה שאנשים רוצים. אין טעם לבנות מודל איום מורכב לאנונימיות אם ניתן בקלות לבטל את האנונימיות באמצעות פיקוח פשוט. + +אז איך זה עשוי להיראות? + +אחד מדגמי האיום המובהקים ביותר הוא כזה שבו אנשים *יודעים מי אתה* ואחד שבו הם לא יודעים. תמיד יהיו מצבים שבהם אתה חייב להצהיר על שמך החוקי ויש אחרים שבהם אתה לא צריך. + +1. **זהות ידועה** - זהות ידועה משמשת לדברים שבהם עליך להצהיר על שמך. ישנם מסמכים וחוזים משפטיים רבים שבהם נדרשת זהות משפטית. 
זה יכול לנוע בין פתיחת חשבון בנק, חתימה על חוזה שכירות, השגת דרכון, הצהרות מכס בעת יבוא פריטים או התמודדות אחרת עם הממשלה שלך. דברים אלה יובילו בדרך כלל לאישורים כגון כרטיסי אשראי, בדיקות דירוג אשראי, מספרי חשבונות ואולי כתובות פיזיות. + + אנחנו לא ממליצים להשתמש ב-VPN או ב-Tor עבור אף אחד מהדברים האלה, מכיוון שהזהות שלך כבר ידועה באמצעים אחרים. + + !!! tip "טיפ" + + בעת קניות באינטרנט, השימוש ב[ארונית חבילות](https://en.wikipedia.org/wiki/Parcel_locker) יכול לעזור לשמור על פרטיות הכתובת הפיזית שלך. + +2. **זהות לא ידועה** - זהות לא ידועה יכולה להיות שם בדוי יציב שאתה משתמש בו באופן קבוע. זה לא אנונימי כי זה לא משתנה. אם אתה חלק מקהילה מקוונת, ייתכן שתרצה לשמור על דמות שאחרים מכירים. שם בדוי זה אינו אנונימי מכיוון שאם מנוטרים מספיק זמן - פרטים על הבעלים יכולים לחשוף מידע נוסף, כגון האופן שבו הם כותבים, הידע הכללי שלהם לגבי נושאים מעניינים וכו'. + + ייתכן שתרצו להשתמש ב - VPN כדי להסתיר את כתובת ה - IP שלכם. קשה יותר להסוות עסקאות פיננסיות: תוכל לשקול להשתמש במטבעות קריפטוגרפיים אנונימיים, כגון [Monero](https://www.getmonero.org/). שימוש בהעברת אלטקוין עשוי גם לעזור להסוות את מקור המטבע שלך. בדרך כלל, ההחלפות דורשות את השלמת KYC (הכר את הלקוח שלך) לפני שהן יאפשרו לך להחליף מטבע פיאט לכל סוג של מטבע קריפטוגרפי. גם אפשרויות מפגש מקומיות עשויות להוות פתרון; עם זאת, אלה לעתים קרובות יותר יקרים ולפעמים גם דורשים KYC. + +3. **זהות אנונימית** - גם עם ניסיון, זהויות אנונימיות קשות לשמירה לאורך תקופות זמן ארוכות. הן צריכות להיות זהויות קצרות טווח וקצרות מועד המסובבות באופן קבוע. + + שימוש ב- Tor יכול לעזור בזה. ראוי גם לציין כי אנונימיות רבה יותר אפשרית באמצעות תקשורת אסינכרונית: תקשורת בזמן אמת חשופה לניתוח של דפוסי הקלדה (כלומר יותר מפסקת טקסט, מופצת בפורום, באמצעות דואר אלקטרוני וכו') + +--8<-- "includes/abbreviations.he.txt" + +[^1]: אחת הדוגמאות הבולטות לכך היא [תקרית 2021 שבה חוקרים מאוניברסיטת מינסוטה הציגו שלוש נקודות תורפה לפרויקט פיתוח ליבת לינוקס](https://cse.umn.edu/cs/linux-incident). 
diff --git a/i18n/he/basics/common-threats.md b/i18n/he/basics/common-threats.md
new file mode 100644
index 00000000..d27576df
--- /dev/null
+++ b/i18n/he/basics/common-threats.md
@@ -0,0 +1,149 @@ +--- +title: "איומים נפוצים" +icon: 'material/eye-outline' +--- + +באופן כללי, אנו מסווגים את ההמלצות שלנו ל[איומים](threat-modeling.md) או יעדים שחלים על רוב האנשים. ==ייתכן שאתה מודאג מאף אחת, אחת, כמה, או מכל האפשרויות האלה==, והכלים והשירותים שבהם אתה משתמש תלויים במטרותיך. ייתכן שיש לך איומים ספציפיים גם מחוץ לקטגוריות האלה, וזה בסדר גמור! החלק החשוב הוא פיתוח הבנה של היתרונות והחסרונות של הכלים שבהם אתה בוחר להשתמש, כי למעשה אף אחד מהם לא יגן עליך מכל איום. + +- :material-incognito: אנונימיות - הגנה על הפעילות המקוונת שלך מהזהות האמיתית שלך, הגנה עליך מפני אנשים שמנסים לחשוף את *שלך * זהות ספציפית. +- :material-target-account: התקפות ממוקדות - הגנה מפני האקרים או שחקנים זדוניים אחרים שמנסים לקבל גישה לנתונים או מכשירים ספציפיים *שלך*. +- :material-bug-outline: התקפות פסיביות - הגנה מפני דברים כמו תוכנות זדוניות, פרצות נתונים והתקפות אחרות שנעשות נגד אנשים רבים בו-זמנית. +- :material-server-network: ספקי שירותים - הגנה על הנתונים שלך מפני ספקי שירות (למשל באמצעות E2EE, מה שהופך את הנתונים שלך לבלתי קריאים לשרת). +- :material-eye-outline: מעקב המוני - הגנה מפני סוכנויות ממשלתיות, ארגונים, אתרים ושירותים הפועלים יחד כדי לעקוב אחר הפעילויות שלך. +- :material-account-cash: קפיטליזם מעקב - הגנה על עצמך מפני רשתות פרסום גדולות, כמו גוגל ופייסבוק, כמו גם ממספר עצום של אוספי נתונים אחרים של צד שלישי. +- :material-account-search: חשיפה ציבורית - הגבלת המידע אודותיך הנגיש באינטרנט - למנועי חיפוש או לציבור הרחב. +- :material-close-outline: צנזורה - הימנעות מגישה מצונזרת למידע או מצונזר בעצמך כשאתה מדבר באינטרנט. + +חלק מהאיומים הללו עשויים להיות חשובים לך יותר מאחרים, בהתאם לדאגות הספציפיות שלך. לדוגמה, מפתח תוכנה עם גישה לנתונים חשובים או קריטיים עשוי להיות מודאג בעיקר ב:material-target-account: מתקפות ממוקדות, אבל כנראה שהוא עדיין רוצה להגן על נתונים אישיים שנסחפו בתוכניות :material-eye-outline: מעקב המוני. 
באופן דומה, אנשים רבים עשויים להיות מודאגים בעיקר מ:material-account-search: חשיפה ציבורית של הנתונים האישיים שלהם, אך הם עדיין צריכים להיזהר מבעיות ממוקדות אבטחה, כגון :material-bug-outline: התקפות פסיביות—כמו תוכנות זדוניות המשפיעות על המכשירים שלהם. + +## אנונימיות מול פרטיות + +:material-incognito: אנונימיות + +אנונימיות מבולבלת לעתים קרובות עם פרטיות, אבל הם מושגים נפרדים. בעוד שפרטיות היא קבוצה של בחירות שאתה עושה לגבי אופן השימוש והשיתוף בנתונים שלך, אנונימיות היא ניתוק מוחלט של הפעילויות המקוונות שלך מזהותך האמיתית. + +לחושפי שחיתויות ועיתונאים, למשל, יכול להיות מודל איום הרבה יותר קיצוני הדורש אנונימיות מוחלטת. זה לא רק להסתיר את מה שהם עושים, אילו נתונים יש להם, ולא להיפרץ על ידי שחקנים זדוניים או ממשלות, אלא גם להסתיר את מי שהם לגמרי. לעתים קרובות הם יקריבו כל סוג של נוחות אם זה אומר להגן על האנונימיות, הפרטיות או האבטחה שלהם, מכיוון שחייהם עשויים להיות תלויים בכך. רוב האנשים לא צריכים ללכת כל כך רחוק. + +## אבטחה ופרטיות + +:material-bug-outline: התקפות פסיביות + +גם אבטחה ופרטיות מתבלבלים לעתים קרובות, מכיוון שאתה זקוק לאבטחה כדי להשיג כל מראית עין של פרטיות: השימוש בכלים - גם אם הם פרטיים בעיצובם - הוא חסר תועלת אם הם יכולים להיות מנוצלים בקלות על ידי תוקפים שישחררו מאוחר יותר את הנתונים שלך. עם זאת, ההיפך אינו בהכרח נכון: השירות המאובטח ביותר בעולם *אינו בהכרח* פרטי. הדוגמה הטובה ביותר לכך היא מתן אמון בנתונים לגוגל, שבהתחשב בהיקף שלהם, היו מעט תקריות אבטחה על ידי העסקת מומחי אבטחה מובילים בתעשייה כדי לאבטח את התשתית שלהם. למרות שגוגל מספקת שירותים מאובטחים מאוד, מעט מאוד אנשים יחשבו שהנתונים שלהם פרטיים במוצרי הצריכה החינמיים של גוגל (Gmail, יוטיוב וכו') + +כשזה מגיע לאבטחת יישומים, אנחנו בדרך כלל לא יודעים (ולפעמים גם לא יכולים) לדעת אם התוכנה שבה אנו משתמשים היא זדונית, או עלולה להפוך יום אחד לזדונית. אפילו עם המפתחים המהימנים ביותר, בדרך כלל אין ערובה לכך שלתוכנה שלהם אין פגיעות רצינית שניתן לנצל מאוחר יותר. + +כדי למזער את הנזק שתוכנה זדונית *עלולה* לגרום, עליך להפעיל אבטחה על ידי מידור. 
לדוגמה, זה יכול לבוא בצורה של שימוש במחשבים שונים לעבודות שונות, שימוש במכונות וירטואליות כדי להפריד בין קבוצות שונות של יישומים קשורים, או שימוש במערכת הפעלה מאובטחת עם התמקדות חזקה בארגז חול של יישומים ובקרת גישה חובה. + +!!! tip "טיפ" + + למערכות הפעלה מובייל יש בדרך כלל ארגז חול טוב יותר לאפליקציות מאשר למערכות הפעלה שולחניות: אפליקציות אינן יכולות לקבל גישת שורש, ודורשות הרשאה לגישה למשאבי המערכת. + + מערכות הפעלה שולחניות בדרך כלל מפגרות עם ארגז חול נכון. ל-ChromeOS יש יכולות ארגז חול דומות לאנדרואיד, ול-macOS יש בקרת הרשאות מערכת מלאה (ומפתחים יכולים להצטרף לארגזי חול עבור יישומים). עם זאת, מערכות הפעלה אלו אכן משדרות מידע מזהה ליצרני ה-OEM שלהם. לינוקס נוטה לא לשלוח מידע לספקי מערכות, אך יש לה הגנה גרועה מפני ניצול ואפליקציות זדוניות. ניתן למתן את זה במידת מה עם הפצות מיוחדות שעושות שימוש משמעותי במכונות וירטואליות או קונטיינרים, כגון [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: התקפות ממוקדות + +התקפות ממוקדות נגד אדם ספציפי הן בעייתיות יותר להתמודדות. התקפות נפוצות כוללות שליחת מסמכים זדוניים באמצעות מייל, ניצול פגיעויות (למשל בדפדפנים ובמערכות הפעלה) והתקפות פיזיות. אם זה מדאיג אותך, עליך להשתמש באסטרטגיות מתקדמות יותר להפחתת איומים. + +!!! tip "טיפ" + + לפי התכנון, **דפדפני אינטרנט**, **לקוחות אימייל** ו**יישומי משרד** מריצים בדרך כלל קוד לא מהימן, שנשלח אליך מצדדים שלישיים. הפעלת מספר מכונות וירטואליות - כדי להפריד יישומים כמו אלה מהמערכת המארחת שלך, כמו גם אחד מהשני - היא טכניקה אחת שבה תוכל להשתמש כדי להפחית את הסיכוי של ניצול ביישומים אלה שיפגע בשאר המערכת שלך. לדוגמה, טכנולוגיות כמו Qubes OS או Microsoft Defender Application Guard ב-Windows מספקות שיטות נוחות לעשות זאת. + +אם אתה מודאג מ**התקפות פיזיות**, עליך להשתמש במערכת הפעלה עם יישום אתחול מאומת מאובטח, כגון Android, iOS, macOS או [Windows (עם TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). 
עליך גם לוודא שהכונן שלך מוצפן ושמערכת ההפעלה משתמשת ב-TPM או ב-Secure [מובלע](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) או [אלמנט](https://developers.google.com/android/security/android-ready-se) כדי להגביל ניסיונות להזין את ביטוי הסיסמה להצפנה. עליך להימנע משיתוף המחשב שלך עם אנשים שאינך סומך עליהם, מכיוון שרוב מערכות ההפעלה שולחניות אינן מצפינות נתונים בנפרד לכל משתמש. + +## פרטיות מספקי שירות + +:material-server-network: ספקי שירות + +אנחנו חיים בעולם שבו כמעט הכל מחובר לאינטרנט. ההודעות ה"פרטיות" שלנו, המיילים והאינטראקציות החברתיות שלנו מאוחסנים בדרך כלל בשרת, איפשהו. בדרך כלל, כאשר אתה שולח למישהו הודעה היא מאוחסנת בשרת, וכאשר חבר שלך רוצה לקרוא את ההודעה השרת יראה לו אותה. + +הבעיה הברורה עם זה היא שספק השירות (או האקר שפגע בשרת) יכול לגשת לשיחות שלך מתי ואיך שהם רוצים, בלי שאתה אי פעם יודע. זה חל על שירותים נפוצים רבים, כמו הודעות SMS, טלגרם ודיסקורד. + +למרבה המזל, E2EE יכול להקל על בעיה זו על ידי הצפנת התקשורת בינך לבין הנמענים הרצויים שלך לפני שהם בכלל נשלחים לשרת. סודיות ההודעות שלך מובטחת, בהנחה שלספק השירות אין גישה למפתחות הפרטיים של אף אחד מהצדדים. + +!!! note "הערה על הצפנה מבוססת אינטרנט" + + בפועל, היעילות של יישומי E2EE שונים משתנה. אפליקציות, כגון [Signal](../real-time-communication.md#signal), פועלות באופן מקורי במכשיר שלך, וכל עותק של האפליקציה זהה בהתקנות שונות. אם ספק השירות היה מציג [דלת אחורית](https://en.wikipedia.org/wiki/Backdoor_(computing)) באפליקציה שלו - בניסיון לגנוב את המפתחות הפרטיים שלך - ניתן היה לזהות אותו מאוחר יותר באמצעות [הפוך הנדסה](https://en.wikipedia.org/wiki/Reverse_engineering). + + מצד שני, יישומי E2EE מבוססי אינטרנט, כמו דואר האינטרנט של Proton Mail או *כספת האינטרנט* של Bitwarden, מסתמכים על השרת שמגיש באופן דינמי קוד JavaScript לדפדפן כדי לטפל בהצפנה. שרת זדוני יכול למקד אותך ולשלוח לך קוד JavaScript זדוני כדי לגנוב את מפתח ההצפנה שלך (והיה קשה מאוד לשים לב אליו). 
מכיוון שהשרת יכול לבחור לשרת לקוחות אינטרנט שונים לאנשים שונים - גם אם שמתם לב להתקפה - יהיה קשה מאוד להוכיח את אשמתו של הספק. + + לכן, עליך להשתמש ביישומים מקוריים על פני לקוחות אינטרנט במידת האפשר. + +אפילו עם E2EE, ספקי שירות עדיין יכולים ליצור פרופיל שלך על סמך **מטא נתונים**, שבדרך כלל אינם מוגנים. למרות שספק השירות לא יכול לקרוא את ההודעות שלך, הוא עדיין יכול לראות דברים חשובים, כגון עם מי אתה מדבר, באיזו תדירות אתה שולח להם הודעות ומתי אתה פעיל בדרך כלל. הגנה על מטא נתונים היא נדירה למדי, ואם היא ב[מודל האיום](threat-modeling.md) שלך - עליך לשים לב היטב לתיעוד הטכני של התוכנה שבה אתה משתמש כדי לראות אם יש מזעור או הגנה של מטא נתונים בכלל. + +## תוכניות מעקב המוני + +:material-eye-outline: מעקב המוני + +מעקב המוני הוא המאמץ המורכב לנטר את "ההתנהגות, הפעילויות הרבות או המידע" של אוכלוסייה שלמה (או חלק ניכר מאוכלוסיה).[^1] לעתים קרובות זה מתייחס לתוכניות ממשלתיות, כגון אלו [נחשף על ידי אדוארד סנודן ב-2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). עם זאת, זה יכול להתבצע גם על ידי תאגידים, בין אם מטעם סוכנויות ממשלתיות או ביוזמתם. + +!!! abstract "אטלס מעקב" + + אם אתה רוצה ללמוד עוד על שיטות מעקב וכיצד הן מיושמות בעיר שלך, תוכל גם להסתכל על [אטלס המעקב](https://atlasofsurveillance.org/) של [Electronic Frontier Foundation](https://www.eff.org/). + + בצרפת אתה יכול להסתכל על [אתר Technolopolice](https://technopolice.fr/villes/) המתוחזק על ידי העמותה ללא מטרות רווח La Quadrature du Net. + +ממשלות לעתים קרובות מצדיקות תוכניות מעקב המוניות כאמצעים הכרחיים למאבק בטרור ולמניעת פשע. עם זאת, תוך הפרת זכויות אדם, הוא משמש לרוב כדי למקד באופן לא פרופורציונלי קבוצות מיעוט ומתנגדים פוליטיים, בין היתר. + +!!! 
quote "ACLU: [*שיעור הפרטיות של 9/11: מעקב המוני הוא לא הדרך קדימה*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + אל מול [חשיפותיו של אדוארד סנודן לגבי תוכניות ממשלתיות כגון [PRISM](https://en.wikipedia.org/wiki/PRISM) ו-[Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], פקידי מודיעין גם הודו כי ה-NSA במשך שנים אספה בחשאי תיעוד על כמעט כל שיחות טלפון של כל אמריקאי - מי מתקשר למי, מתי השיחות הללו מבוצעות וכמה זמן הן נמשכות. מידע מסוג זה, כאשר הוא נצבר על ידי ה-NSA יום אחר יום, יכול לחשוף פרטים רגישים להפליא על חייהם והאסוציאציות של אנשים, כגון האם הם התקשרו לכומר, מטפל בהפלות, ליועצת להתמכרות או למוקד התאבדות. + +למרות המעקב ההמוני הגובר בארצות הברית, הממשלה מצאה שלתוכניות מעקב המוני כמו סעיף 215 היה "ערך ייחודי מועט" ביחס לעצירת פשעים או מזימות טרור בפועל, כאשר מאמצים משכפלים במידה רבה את תוכניות המעקב הממוקדות של ה-FBI עצמו.[^2] + +באינטרנט, ניתן לעקוב אחריך במגוון שיטות: + +- כתובת ה-IP שלך +- עוגיות דפדפן +- הנתונים שאתה מוסר לאתרים +- טביעת האצבע של הדפדפן או המכשיר שלך +- מתאם שיטת תשלום + +\[רשימה זו אינה ממצה]. + +אם אתה מודאג לגבי תוכניות מעקב המוני, אתה יכול להשתמש באסטרטגיות כמו מידור של הזהויות המקוונות שלך, השתלבות עם משתמשים אחרים, או, במידת האפשר, פשוט הימנעות מסירת מידע מזהה. + +:material-account-cash: קפיטליזם מעקב + +> קפיטליזם מעקב הוא שיטה כלכלית המרוכזת סביב לכידה וסחורה של נתונים אישיים למטרת הליבה של עשיית רווחים.[^3] + +עבור אנשים רבים, מעקב ומעקב על ידי תאגידים פרטיים הם דאגה גוברת. רשתות מודעות נרחבות, כמו אלו המופעלות על ידי גוגל ופייסבוק, משתרעות על האינטרנט הרבה מעבר לאתרים שהם שולטים בהם, ועוקבות אחר הפעולות שלך לאורך הדרך. 
שימוש בכלים כמו חוסמי תוכן כדי להגביל את בקשות הרשת לשרתים שלהם, וקריאת מדיניות הפרטיות של השירותים שבהם אתה משתמש יכול לעזור לך למנוע יריבים בסיסיים רבים (אם כי זה לא יכול למנוע לחלוטין מעקב).[^4] + +בנוסף, אפילו חברות מחוץ ל*AdTech* או תעשיית המעקב יכולות לשתף את המידע שלך עם [מתווכי נתונים](https://en.wikipedia.org/wiki/Information_broker) (כגון Cambridge Analytica, Experian או Datalogix) או גורמים אחרים. אתה לא יכול להניח אוטומטית שהנתונים שלך בטוחים רק בגלל שהשירות שבו אתה משתמש אינו נופל במסגרת המודל העסקי הטיפוסי של AdTech או מעקב. ההגנה החזקה ביותר מפני איסוף נתונים תאגידי היא הצפנת או ערפול הנתונים שלך בכל עת אפשרי, מה שמקשה על ספקים שונים לתאם נתונים זה עם זה ולבנות עליך פרופיל. + +## הגבלת מידע ציבורי + +:material-account-search: חשיפה ציבורית + +הדרך הטובה ביותר לשמור על פרטיות הנתונים שלך היא פשוט לא להפוך אותם לציבוריים מלכתחילה. מחיקת מידע לא רצוי שמצאת על עצמך באינטרנט היא אחד הצעדים הראשונים הטובים ביותר שתוכל לנקוט כדי להחזיר את הפרטיות שלך. + +- [עיין במדריך שלנו על מחיקת חשבון :material-arrow-right-drop-circle:](account-deletion.md) + +באתרים שבהם אתה כן משתף מידע, חשוב מאוד לבדוק את הגדרות הפרטיות של חשבונך כדי להגביל את הפצת הנתונים הללו. לדוגמה, הפעל "מצב פרטי" בחשבונות שלך אם ניתנת לך האפשרות: זה מבטיח שהחשבון שלך לא מתווסף לאינדקס על ידי מנועי חיפוש, ושלא ניתן לצפות בו ללא רשותך. + +אם כבר שלחת את המידע האמיתי שלך לאתרים שלא אמורים להיות בהם, שקול להשתמש בטקטיקות של דיסאינפורמציה, כמו שליחת מידע פיקטיבי הקשור לזהות מקוונת זו. זה הופך את המידע האמיתי שלך לבלתי ניתן להבחין מהמידע השקרי. + +## הימנעות מצנזורה + +:material-close-outline: צנזורה + +צנזורה מקוונת יכולה להתבצע (בדרגות שונות) על ידי שחקנים כולל ממשלות טוטליטריות, מנהלי רשתות וספקי שירותים. מאמצים אלה לשלוט בתקשורת ולהגביל את הגישה למידע תמיד יהיו בלתי עולים בקנה אחד עם זכות האדם לחופש הביטוי.[^5] + +צנזורה על פלטפורמות ארגוניות נפוצה יותר ויותר, שכן פלטפורמות כמו טוויטר ופייסבוק נכנעות לדרישת הציבור, לחצי השוק וללחצים של סוכנויות ממשלתיות. 
לחצים ממשלתיים יכולים להיות בקשות סמויות לעסקים, כמו [הבית הלבן המבקש הסרה](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) של סרטון יוטיוב פרובוקטיבי, או גלויים, כמו למשל שממשלת סין דורשת מחברות לדבוק במשטר קפדני של צנזורה. + +אנשים המודאגים מהאיום של צנזורה יכולים להשתמש בטכנולוגיות כמו [Tor](../advanced/tor-overview.md) כדי לעקוף אותו, ולתמוך בפלטפורמות תקשורת עמידות לצנזורה כמו [Matrix](../real-time-communication.md#element), שאין לה סמכות חשבון מרכזית יכול לסגור חשבונות באופן שרירותי. + +!!! tip "טיפ" + + למרות שהתחמקות מצנזורה עצמה יכולה להיות קלה, הסתרת העובדה שאתה עושה זאת יכולה להיות מאוד בעייתית. + + עליך לשקול באילו היבטים של הרשת יריבך יכול לצפות, והאם יש לך הכחשה סבירה למעשיך. לדוגמה, שימוש ב-[DNS מוצפן](../advanced/dns-overview.md#what-is-encrypted-dns) יכול לעזור לך לעקוף מערכות צנזורה בסיסיות ומבוססות DNS, אבל זה לא באמת יכול להסתיר את מה שאתה ביקור מ-ISP שלך. VPN או Tor יכולים לעזור להסתיר את מה שאתה מבקר ממנהלי רשת, אבל לא יכולים להסתיר שאתה משתמש ברשתות האלה מלכתחילה. העברות ניתנות לחיבור (כגון Obfs4proxy, Meek או Shadowsocks) יכולים לעזור לך להתחמק מחומת אש שחוסמת פרוטוקולי VPN נפוצים או Tor, אך עדיין ניתן לזהות את ניסיונות העקיפה שלך בשיטות כמו בדיקה או [בדיקת מנות עמוקה](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +אתה חייב תמיד לשקול את הסיכונים בניסיון לעקוף את הצנזורה, את ההשלכות האפשריות ועד כמה מתוחכם עלול להיות היריב שלך. אתה צריך להיות זהיר בבחירת התוכנה שלך, ולהכין תוכנית גיבוי למקרה שתיתפס. + +--8<-- "includes/abbreviations.he.txt" + +[^1]: ויקיפדיה: [*מעקבים המונים*](https://en.wikipedia.org/wiki/Mass_surveillance) ו[*מעקבים*](https://en.wikipedia.org/wiki/Surveillance). 
+[^2]: מועצת הפיקוח על הפרטיות וחירויות האזרח של ארצות הברית: [*דיווח על תוכנית רישומי הטלפון שנערכה לפי סעיף 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: ויקיפדיה: [*מעקב קפיטליזם*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[מונה רעות](https://www.ranum.com/security/computer_security/editorials/dumb/)" (או, "רשום את כל הדברים הרעים שאנו יודעים עליהם"), כפי שעושים חוסמי פרסומות ותוכניות אנטי-וירוס רבות, לא מצליח להגן עליך כראוי מפני איומים חדשים ולא ידועים מכיוון שהם עדיין לא עשו זאת. נוספו לרשימת המסננים. אתה צריך גם להשתמש בטכניקות הפחתה אחרות. +[^5]: האומות המאוחדות: [*הכרזה אוניברסלית על זכויות אדם*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/he/basics/email-security.md b/i18n/he/basics/email-security.md new file mode 100644 index 00000000..e1fafe69 --- /dev/null +++ b/i18n/he/basics/email-security.md 
@@ -0,0 +1,42 @@ +--- +title: אבטחת אימייל +icon: material/email +--- + +אימייל הוא צורת תקשורת לא מאובטחת כברירת מחדל. אתה יכול לשפר את אבטחת האימייל שלך עם כלים כגון OpenPGP, שמוסיפים הצפנה מקצה לקצה להודעות שלך, אך ל-OpenPGP עדיין יש מספר חסרונות בהשוואה להצפנה ביישומי הודעות אחרים, וחלק מנתוני הדוא"ל לעולם אינם יכולים להיות מוצפנים מטבעם. לאופן עיצוב האימייל. + +כתוצאה מכך, האימייל משמש בצורה הטובה ביותר לקבלת הודעות אימייל עסקאות (כמו התראות, אימייל אימות, איפוסי סיסמה וכו') מהשירותים שאליהם אתה נרשם באופן מקוון, לא לתקשורת עם אחרים. + +## סקירת הצפנת אימייל + +הדרך הסטנדרטית להוסיף E2EE למיילים בין ספקי אימייל שונים היא באמצעות OpenPGP. ישנם יישומים שונים של תקן OpenPGP, הנפוצים ביותר הם [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) ו- [OpenPGP.js](https://openpgpjs.org). + +קיים תקן נוסף שפופולרי בקרב עסקים בשם [S/MIME](https://en.wikipedia.org/wiki/S/MIME), עם זאת, הוא דורש אישור שהונפקו מ[>רשות האישורים](https://en.wikipedia.org/wiki/Certificate_authority) (לא כולן מנפיקות אישורי S/MIME). יש לו תמיכה ב [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) ו [Outlook for Web או Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +גם אם אתה משתמש ב - OpenPGP, הוא אינו תומך בסודיות [קדימה](https://en.wikipedia.org/wiki/Forward_secrecy), כלומר אם המפתח הפרטי שלך או של הנמען ייגנב אי פעם, כל ההודעות הקודמות שהוצפנו איתו ייחשפו. זו הסיבה שאנו ממליצים על [מסנג'רים מיידיים](../real-time-communication.md) אשר מיישמים סודיות קדימה על פני דואר אלקטרוני עבור הודעות פנים אל פנים במידת האפשר. + +### אילו לקוחות אימייל תומכים ב - E2EE? + +ספקי אימייל המאפשרים לך להשתמש בפרוטוקולי גישה סטנדרטיים כגון IMAP ו- SMTP יכולים לשמש עם כל אחד מ[קליינטי הדואר האלקטרוני שאנו ממליצים עליהם](../email-clients.md). 
בהתאם לשיטת האימות, הדבר עלול להוביל לירידה באבטחה אם הספק או לקוח האימייל אינם תומכים בשבועה או ביישום גשר מאחר שלא ניתן לבצע [אימות רב - גורמי](multi-factor-authentication.md) באמצעות אימות סיסמה רגיל. + +### כיצד אוכל להגן על המפתחות הפרטיים שלי? + +כרטיס חכם (כגון [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) עובד על ידי קבלת הודעת אימייל מוצפנת ממכשיר (טלפון, טאבלט, מחשב וכו') המריץ לקוח אימייל/מייל אינטרנט. לאחר מכן, ההודעה מפוענחת על ידי הכרטיס החכם והתוכן המפוענח נשלח חזרה למכשיר. + +כדאי שהפענוח יתרחש בכרטיס החכם כדי להימנע מחשיפת המפתח הפרטי שלך למכשיר פגום. + +## סקירה כללית של מטא נתונים בדוא"ל + +מטא נתונים של דואר אלקטרוני מאוחסנים בכותרת [של ההודעה](https://en.wikipedia.org/wiki/Email#Message_header) של הודעת הדואר האלקטרוני וכוללים כמה כותרות גלויות שייתכן שראית כגון: `עד`, `מ`, `Cc`, `תאריך`, `נושא`. יש גם מספר כותרות נסתרות שנכללות על ידי לקוחות דוא"ל וספקים רבים שיכולים לחשוף מידע על החשבון שלך. + +תוכנת הלקוח עשויה להשתמש במטא נתונים של דוא"ל כדי להראות מי ההודעה ומאיזו שעה היא התקבלה. השרתים רשאים להשתמש בו כדי לקבוע לאן תישלח הודעת דוא"ל, בין [מטרות אחרות](https://en.wikipedia.org/wiki/Email#Message_header) שאינן תמיד שקופות. + +### מי יכול לצפות במטא נתונים של דוא"ל? + +מטא נתונים של דוא"ל מוגנים מפני משקיפים חיצוניים עם [TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) אופורטוניסטיים המגנים עליהם מפני משקיפים חיצוניים, אך הם עדיין ניתנים לצפייה על ידי תוכנת לקוח הדוא"ל שלך (או דואר האינטרנט) וכל שרת שמעביר את ההודעה ממך לנמענים כלשהם, כולל ספק הדוא"ל שלך. לפעמים שרתי דוא"ל ישתמשו גם בשירותי צד שלישי כדי להגן מפני תגובות זבל, שבדרך כלל יש להם גם גישה להודעות שלך. + +### למה מטא נתונים לא יכולים להיות E2EE? + +מטא נתונים של דואר אלקטרוני חיוניים לפונקציונליות הבסיסית ביותר של דואר אלקטרוני (מהיכן הוא הגיע ולאן הוא צריך ללכת). E2EE לא היה מובנה בפרוטוקולי הדואר האלקטרוני במקור, ובמקום זאת נדרש לתוכנת הרחבה כמו OpenPGP. 
מכיוון שהודעות OpenPGP עדיין צריכות לעבוד עם ספקי דואר אלקטרוני מסורתיים, הן אינן יכולות להצפין מטה - נתונים של דואר אלקטרוני, אלא רק את גוף ההודעה עצמו. כלומר, גם כאשר משתמשים ב - OpenPGP, משקיפים חיצוניים יכולים לראות מידע רב על ההודעות שלך, כגון את מי אתה שולח בדוא"ל, את קווי הנושא, מתי אתה שולח דוא"ל וכו '. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/basics/multi-factor-authentication.md b/i18n/he/basics/multi-factor-authentication.md new file mode 100644 index 00000000..c1cff715 --- /dev/null +++ b/i18n/he/basics/multi-factor-authentication.md 
@@ -0,0 +1,166 @@ +--- +title: "אימות מרובה גורמים" +icon: 'material/two-factor-authentication' +--- + +**אימות מרובה גורמים** (**MFA**) הוא מנגנון אבטחה הדורש שלבים נוספים מעבר להזנת שם המשתמש (או האימייל) והסיסמה שלך. השיטה הנפוצה ביותר היא קודים מוגבלים בזמן שאתה עשוי לקבל מ-SMS או מאפליקציה. + +בדרך כלל, אם האקר (או יריב) מסוגל להבין את הסיסמה שלך, הם יקבלו גישה לחשבון שאליו שייכת הסיסמה. חשבון עם MFA מאלץ את ההאקר להחזיק גם את הסיסמה (משהו שאתה *יודע*) וגם מכשיר שבבעלותך (משהו שיש *לך*), כמו הטלפון שלך. + +שיטות MFA משתנות באבטחה, אך מבוססות על ההנחה שככל שקשה יותר לתוקף לקבל גישה לשיטת ה-MFA שלך, כך ייטב. דוגמאות לשיטות MFA (מהחלש ביותר לחזק ביותר) כוללות SMS, קודי דואר אלקטרוני, הודעות דחיפה של אפליקציה, TOTP, Yubico OTP ו-FIDO. + +## השוואת שיטות MFA + +### SMS או אימייל MFA + +קבלת קודי OTP באמצעות SMS או דואר אלקטרוני הם אחת הדרכים החלשות לאבטח את החשבונות שלך עם MFA. השגת קוד באימייל או ב-SMS מונעת מהרעיון "משהו ש*יש לך*", מכיוון שיש מגוון דרכים שההאקר יכול[להשתלט על מספר הטלפון שלך](https://en.wikipedia.org/wiki/SIM_swap_scam) או קבלת גישה לאימייל שלך מבלי שתהיה לך גישה פיזית לאף אחד מהמכשירים שלך כלל. אם אדם לא מורשה קיבל גישה לדוא"ל שלך, הוא יוכל להשתמש בגישה זו כדי לאפס את הסיסמה שלך ולקבל את קוד האימות, ולהעניק לו גישה מלאה לחשבון שלך. + +### התראות דחיפה + +הודעת דחיפה MFA לובשת צורה של הודעה שנשלחת לאפליקציה בטלפון שלך המבקשת ממך לאשר כניסות לחשבון חדש. שיטה זו טובה בהרבה מ-SMS או דואר אלקטרוני, מכיוון שתוקף בדרך כלל לא יוכל לקבל את הודעות הדחיפה הללו מבלי שיהיה לו מכשיר מחובר כבר, מה שאומר שהוא יצטרכו להתפשר תחילה על אחד מהמכשירים האחרים שלך. + +כולנו עושים טעויות, וקיים סיכון שאתה עלול לקבל את ניסיון הכניסה בטעות. הרשאות התחברות להודעות דחיפה נשלחות בדרך כלל ל*כל* המכשירים שלך בבת אחת, מה שמרחיב את הזמינות של קוד ה-MFA אם יש לך מכשירים רבים. + +האבטחה של הודעת דחיפה MFA תלויה הן באיכות האפליקציה, ברכיב השרת והן באמון של המפתח שמייצר אותה. התקנת אפליקציה עשויה גם לדרוש ממך לקבל הרשאות פולשניות המעניקות גישה לנתונים אחרים במכשיר שלך. 
אפליקציה בודדת דורשת גם שתהיה לך אפליקציה ספציפית עבור כל שירות, אשר עשויה שלא לדרוש סיסמה לפתיחה, בשונה מיישום מחולל TOTP טוב. + +### סיסמה חד פעמית מבוססת זמן (TOTP) + +TOTP היא אחת הצורות הנפוצות ביותר של MFA. כאשר אתה מגדיר TOTP, אתה בדרך כלל נדרש לסרוק קוד QR [](https://en.wikipedia.org/wiki/QR_code) אשר קובע "[סוד משותף](https://en.wikipedia.org/wiki/Shared_secret)" עם השירות שבו אתה מתכוון להשתמש. הסוד המשותף מאובטח בתוך הנתונים של אפליקציית האימות, ולעתים מוגן על ידי סיסמה. + +לאחר מכן, הקוד המוגבל בזמן נגזר מהסוד המשותף ומהזמן הנוכחי. מאחר שהקוד תקף לזמן קצר בלבד, ללא גישה לסוד המשותף, היריב אינו יכול ליצור קודים חדשים. + +אם יש לך מפתח אבטחת חומרה עם תמיכה ב-TOTP (כגון YubiKey עם [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), אנו ממליצים לאחסן את "הסודות המשותפים" שלך בחומרה. חומרה כגון YubiKey פותחה מתוך כוונה להקשות על החילוץ וההעתקה של "הסוד המשותף". YubiKey גם לא מחובר לאינטרנט, בניגוד לטלפון עם אפליקציית TOTP. + +שלא כמו [WebAuthn](#fido-fast-identity-online), TOTP אינו מציע הגנה מפני [דיוג](https://en.wikipedia.org/wiki/Phishing) או שימוש חוזר בהתקפות. אם יריב משיג ממך קוד חוקי, הוא רשאי להשתמש בו כמה פעמים שירצה עד שתוקפו יפוג (בדרך כלל 60 שניות). + +יריב יכול להקים אתר כדי לחקות שירות רשמי בניסיון להערים עליך למסור את שם המשתמש, הסיסמה וקוד ה-TOTP הנוכחי שלך. אם היריב ישתמש באותם אישורים מוקלטים, ייתכן שהוא יוכל להיכנס לשירות האמיתי ולחטוף את החשבון. + +למרות שאינו מושלם, TOTP מאובטח מספיק עבור רוב האנשים, ומתי ש[מפתחות אבטחה חומרה](../multi-factor-authentication.md#hardware-security-keys) אינם נתמכים [אפליקציות אימות](../multi-factor-authentication.md#authenticator-apps) עדיין אפשרות טובה. + +### מפתחות אבטחת חומרה + +ה-YubiKey מאחסן נתונים על שבב מוצק עמיד בפני חבלה ש[אי אפשר לגשת](https://security.stackexchange.com/a/245772) ללא הרס ללא תהליך יקר ו מעבדה לזיהוי פלילי. + +מפתחות אלה הם בדרך כלל רב-פונקציונליים ומספקים מספר שיטות לאימות. להלן הנפוצים ביותר. 
+ +#### Yubico OTP + +Yubico OTP הוא פרוטוקול אימות המיושם בדרך כלל במפתחות אבטחה של חומרה. כאשר תחליט להשתמש ב-Yubico OTP, המפתח יפיק מזהה ציבורי, מזהה פרטי ומפתח סודי אשר יועלה לאחר מכן לשרת Yubico OTP. + +בעת כניסה לאתר, כל מה שאתה צריך לעשות הוא לגעת פיזית במפתח האבטחה. מפתח האבטחה יחקה מקלדת וידפיס סיסמה חד פעמית בשדה הסיסמה. + +מפתח האבטחה יחקה מקלדת וידפיס סיסמה חד פעמית בשדה הסיסמה. מונה מוגדל הן במפתח והן בשרת האימות של Yubico. ניתן להשתמש ב-OTP רק פעם אחת, וכאשר מתרחש אימות מוצלח, המונה מוגדל אשר מונע שימוש חוזר ב-OTP. Yubico מספקת [מסמך מפורט](https://developers.yubico.com/OTP/OTPs_Explained.html) על התהליך. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +ישנם כמה יתרונות וחסרונות לשימוש ב-Yubico OTP בהשוואה ל-TOTP. + +שרת האימות של Yubico הוא שירות מבוסס ענן, ואתה סומך על Yubico שהם מאחסנים נתונים בצורה מאובטחת ולא עושים לך פרופיל. המזהה הציבורי המשויך ל-Yubico OTP נמצא בשימוש חוזר בכל אתר ויכול להיות דרך נוספת עבור צדדים שלישיים ליצור פרופיל שלך. כמו TOTP, Yubico OTP אינו מספק עמידות להתחזות. + +אם מודל האיום שלך דורש ממך זהויות שונות באתרי אינטרנט שונים, **אל** תשתמש ב-Yubico OTP עם אותו מפתח אבטחת חומרה בכל אתרים אלה, שכן מזהה ציבורי הוא ייחודי לכל אבטחה מַפְתֵחַ. + +#### FIDO (זיהוי מהיר באינטרנט) + +אם מודל האיומים שלך דורש ממך זהויות שונות באתרים שונים, חזק **אל תשתמש **ב- Yubico OTP עם אותו מפתח אבטחת חומרה באתרים אלה מכיוון שמזהה ציבורי הוא ייחודי לכל מפתח אבטחה. + +U2F ו - FIDO2 מתייחסים ל - [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), שהוא הפרוטוקול בין מפתח האבטחה למחשב, כגון מחשב נייד או טלפון. זה משלים את WebAuthn שהוא הרכיב המשמש לאימות עם האתר ("הצד המסתמך") שאליו אתה מנסה להיכנס. + +WebAuthn היא הצורה המאובטחת והפרטית ביותר של אימות גורם שני. בעוד שחווית האימות דומה ל-Yubico OTP, המפתח אינו מדפיס סיסמה חד פעמית ומאמת עם שרת של צד שלישי. במקום זאת, הוא משתמש ב[הצפנת מפתח ציבורי](https://en.wikipedia.org/wiki/Public-key_cryptography) לצורך אימות. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +כאשר אתה יוצר חשבון, המפתח הציבורי נשלח לשירות, לאחר מכן בעת הכניסה, השירות ידרוש ממך "לחתום" על נתונים מסוימים עם המפתח הפרטי שלך. היתרון של זה הוא ששום סיסמה לא מאוחסנת על ידי השירות, כך שאין ליריב שום דבר לגנוב. + +מצגת זו דנה בהיסטוריה של אימות סיסמאות, במלכודות (כגון שימוש חוזר בסיסמה) ודיון בתקני FIDO2 ו[WebAuthn](https://webauthn.guide). + +
+ +
+ +ל-FIDO2 ול-WebAuthn יש מאפייני אבטחה ופרטיות מעולים בהשוואה לכל שיטות MFA. + +בדרך כלל עבור שירותי אינטרנט הוא משמש עם WebAuthn שהוא חלק מ[המלצות W3C](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). הוא משתמש באימות מפתח ציבורי והוא מאובטח יותר מאשר סודות משותפים המשמשים בשיטות Yubico OTP ו-TOTP, מכיוון שהוא כולל את שם המקור (בדרך כלל, שם התחום) במהלך האימות. אישור מסופק כדי להגן עליך מפני התקפות דיוג, מכיוון שהוא עוזר לך לקבוע שאתה משתמש בשירות האותנטי ולא בעותק מזויף. + +שלא כמו Yubico OTP, WebAuthn אינו משתמש בשום מזהה ציבורי, כך שהמפתח **לא** ניתן לזיהוי באתרים שונים. הוא גם לא משתמש בשרת ענן של צד שלישי לאימות. כל התקשורת הושלמה בין המפתח לאתר שאליו אתה נכנס. FIDO משתמשת גם במונה שמוגדל עם השימוש על מנת למנוע שימוש חוזר בהפעלה ומפתחות משובטים. + +אם אתר אינטרנט או שירות תומכים ב-WebAuthn עבור האימות, מומלץ מאוד להשתמש בו על פני כל צורה אחרת של MFA. + +## המלצות כלליות + +יש לנו את ההמלצות הכלליות הבאות: + +### באיזו שיטה עלי להשתמש? + +בעת הגדרת שיטת ה - MFA שלך, זכור שהיא מאובטחת כמו שיטת האימות החלשה ביותר שבה אתה משתמש. לכן, חשוב להשתמש בשיטת ה - MFA הטובה ביותר. לדוגמה, אם אתה כבר משתמש ב - TOTP, עליך להשבית דואר אלקטרוני ו - SMS MFA. אם אתה כבר משתמש ב-FIDO2/WebAuthn, אתה לא אמור להשתמש ב-Yubico OTP או TOTP בחשבון שלך. + +### גיבויים + +תמיד אמורים להיות לך גיבויים לשיטת ה-MFA שלך. מפתחות אבטחה של חומרה יכולים ללכת לאיבוד, להיגנב או פשוט להפסיק לעבוד עם הזמן. מומלץ שיהיה לך זוג מפתחות אבטחה חומרה עם אותה גישה לחשבונות שלך במקום רק אחד. + +בעת שימוש ב-TOTP עם אפליקציית אימות, הקפד לגבות את מפתחות השחזור שלך או את האפליקציה עצמה, או העתק את "הסודות המשותפים" למופע אחר של האפליקציה בטלפון אחר או למיכל מוצפן (למשל,[VeraCrypt](../encryption.md#veracrypt)). + +### הגדרה ראשונית + +בעת רכישת מפתח אבטחה, חשוב שתשנה את אישורי ברירת המחדל, תגדיר הגנה באמצעות סיסמה עבור המפתח ותפעיל אישור מגע אם המפתח שלך תומך בכך. למוצרים כגון YubiKey יש ממשקים מרובים עם אישורים נפרדים לכל אחד מהם, כך שכדאי לעבור על כל ממשק ולהגדיר גם הגנה. 
+ +### אימייל ו-SMS + +אם אתה צריך להשתמש באימייל עבור MFA, ודא שחשבון האימייל עצמו מאובטח בשיטת MFA נכונה. + +אם אתה משתמש ב-SMS MFA, השתמש בספק שלא יחליף את מספר הטלפון שלך לכרטיס SIM חדש ללא גישה לחשבון, או השתמש במספר VoIP ייעודי מספק עם אבטחה דומה כדי להימנע מ[התקפת חילופי SIM](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[כלי MFA שאנו ממליצים עליהם](../multi-factor-authentication.md ""){.md-button} + +## מקומות נוספים להגדרת MFA + +מעבר לאבטחת כניסות האתר שלך בלבד, ניתן להשתמש באימות רב-גורמי כדי לאבטח את כניסותיך המקומיות, מפתחות SSH או אפילו מסדי נתונים של סיסמאות. + +### Windows + +לYubico יש ספק [אישורים ייעודי](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) שמוסיף אימות Challenge-Response עבור זרימת הכניסה לשם משתמש + סיסמה עבור חשבונות Windows מקומיים. אם יש לך YubiKey עם תמיכה באימות Challenge-Response, עיין במדריך התצורה של [Yubico Login for Windows](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), שיאפשר לך להגדיר MFA במחשב Windows שלך. + +### macOS + +ל - macOS יש [תמיכה מקומית](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) לאימות עם כרטיסים חכמים (PIV). אם יש לך כרטיס חכם או מפתח אבטחה חומרה התומך בממשק PIV כגון YubiKey, אנו ממליצים לך לעקוב אחר התיעוד של ספק הכרטיס החכם/חומרה שלך ולהגדיר אימות גורם שני עבור מחשב macOS שלך. + +לYubico יש מדריך [שימוש ב-YubiKey שלך ככרטיס חכם ב-macOS](https://support.yubico.com/hc/en-us/articles/360016649059) שיכול לעזור לך להגדיר את YubiKey ב-macOS. + +לאחר הגדרת הכרטיס החכם/מפתח האבטחה שלך, אנו ממליצים להפעיל את הפקודה הזו בטרמינל: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +הפקודה תמנע מיריב לעקוף את MFA כאשר המחשב מאתחל. + +### לינוקס + +!!! warning "אזהרה" + + אם שם המארח של המערכת שלך משתנה (כגון עקב DHCP), לא תוכל להתחבר. חיוני להגדיר שם מארח מתאים למחשב שלך לפני ביצוע מדריך זה. 
+ +מודול `pam_u2f` ב-Linux יכול לספק אימות דו-גורמי לכניסה לרוב ההפצות הפופולריות של לינוקס. אם יש לך מפתח אבטחת חומרה התומך ב-U2F, תוכל להגדיר אימות MFA עבור הכניסה שלך. ליוביקו יש מדריך [מדריך התחברות ל-Ubuntu Linux - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) שאמור לעבוד על כל הפצה. הפקודות של מנהל החבילות - כגון `apt-get` - ושמות החבילות עשויים להיות שונים. מדריך זה **אינו** חל על מערכת ההפעלה Qubes. + +### Qubes OS + +ל-Qubes OS יש תמיכה באימות Challenge-Response עם YubiKeys. אם יש לך YubiKey עם תמיכה באימות Challenge-Response, עיין ב[תיעוד של YubiKey](https://www.qubes-os.org/doc/yubikey/) של Qubes OS. רוצה להגדיר MFA ב-Qubes OS. + +### SSH + +#### מפתחות אבטחה של חומרה + +ניתן להגדיר SSH MFA באמצעות מספר שיטות אימות שונות הפופולריות במפתחות אבטחה של חומרה. אנו ממליצים לך לעיין ב[תיעוד](https://developers.yubico.com/SSH/) של Yubico כיצד להגדיר זאת. + +#### סיסמה חד פעמית מבוססת זמן (TOTP) + +ניתן גם להגדיר SSH MFA באמצעות TOTP. DigitalO Ocean סיפק מדריך [כיצד להגדיר אימות רב - גורמי עבור SSH ב - Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). רוב הדברים צריכים להיות זהים ללא קשר להפצה, אולם פקודות מנהל החבילות - כגון `apt-get` - ושמות החבילות עשויים להיות שונים. + +### KeePass (ו-KeePassXC) + +ניתן לאבטח מסדי נתונים של KeePass ו-KeePassXC באמצעות Challenge-Response או HOTP כאימות גורם שני. Yubico סיפקה מסמך עבור KeePass [שימוש ב-YubiKey עם KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) ויש גם אחד באתר [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa). + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/basics/passwords-overview.md b/i18n/he/basics/passwords-overview.md new file mode 100644 index 00000000..eb8f2962 --- /dev/null +++ b/i18n/he/basics/passwords-overview.md 
@@ -0,0 +1,112 @@ +--- +title: "מבוא לסיסמאות" +icon: 'material/form-textbox-password' +--- + +סיסמאות הן חלק חיוני מחיינו הדיגיטליים היומיומיים. אנו משתמשים בהם כדי להגן על החשבונות שלנו, המכשירים והסודות שלנו. למרות היותם לעתים קרובות הדבר היחיד בינינו לבין יריב שרודף אחרי המידע הפרטי שלנו, לא מושקעת בהם הרבה מחשבה, מה שמוביל לרוב לכך שאנשים משתמשים בסיסמאות שניתן לנחש בקלות או להכריח אותן. + +## שיטות עבודה מומלצות + +### השתמש בסיסמאות ייחודיות לכל שירות + +תדמיין את זה; אתה נרשם לחשבון עם אותו אימייל וסיסמא במספר שירותים מקוונים. אם אחד מספקי השירותים האלה הוא זדוני, או שהשירות שלהם חווה פרצת מידע שחושפת את הסיסמה שלך בפורמט לא מוצפן, כל מה ששחקן גרוע יצטרך לעשות הוא לנסות את שילוב האימייל והסיסמה במספר שירותים פופולריים עד שהם מקבלים מכה. זה לא משנה כמה חזקה אותה סיסמה אחת, כי כבר יש להם אותה. + +זה נקרא [מילוי אישורים](https://en.wikipedia.org/wiki/Credential_stuffing), וזו אחת הדרכים הנפוצות ביותר שבהן החשבונות שלך יכולים להיפגע על ידי שחקנים גרועים. כדי להימנע מכך, ודא שלעולם לא תעשה שימוש חוזר בסיסמאות שלך. + +### השתמש בסיסמאות שנוצרות באקראי + +==אתה **לעולם לא** צריך לסמוך על עצמך כדי למצוא סיסמה טובה.== אנו ממליצים להשתמש ב[סיסמאות שנוצרו באקראי](#passwords) או ב[ביטויי סיסמה של תוכנת קובייה](#diceware-passphrases) עם מספיק אנטרופיה כדי להגן על החשבונות והמכשירים שלך. + +כל [מנהלי הסיסמאות המומלצים](../passwords.md) שלנו כוללים מחולל סיסמאות מובנה שתוכל להשתמש בו. + +### סיסמאות מסתובבות + +עליך להימנע משינוי סיסמאות שאתה צריך לזכור (כגון סיסמת האב של מנהל הסיסמאות שלך) לעתים קרובות מדי, אלא אם יש לך סיבה להאמין שהיא נפגעה, שכן שינוי שלה לעתים קרובות מדי חושף אותך לסיכון של שכחתה. + +כשמדובר בסיסמאות שאינך חייב לזכור (כגון סיסמאות המאוחסנות בתוך מנהל הסיסמאות שלך), אם [מודל האיומים](threat-modeling.md) שלך דורש זאת, אנו ממליצים עוברים על חשבונות חשובים (במיוחד חשבונות שאינם משתמשים באימות רב-גורמי) ומשנים את הסיסמה שלהם כל חודשיים, למקרה שהם נפגעו בפרצת מידע שעדיין לא הפכה לציבורית. 
רוב מנהלי הסיסמאות מאפשרים לך להגדיר תאריך תפוגה לסיסמה שלך כדי להקל על הניהול שלה. + +!!! tip "בודקים פרצות נתונים" + + אם מנהל הסיסמאות שלך מאפשר לך לחפש סיסמאות שנפגעו, הקפד לעשות זאת ולשנות מיד כל סיסמה שאולי נחשפה בפרצת נתונים. לחלופין, תוכל לעקוב אחר [עדכון ההפרות האחרונות של have i been pwned'](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) בעזרת [מצבר חדשות](../news-aggregators.md). + +## יצירת סיסמאות חזקות + +### סיסמאות + +שירותים רבים מטילים קריטריונים מסוימים בכל הנוגע לסיסמאות, כולל אורך מינימום או מקסימום, וכן באילו תווים מיוחדים, אם בכלל, ניתן להשתמש. עליך להשתמש במחולל הסיסמאות המובנה של מנהל הסיסמאות שלך כדי ליצור סיסמאות ארוכות ומורכבות ככל שהשירות יאפשר על ידי הכללת אותיות רישיות וקטנות, מספרים ותווים מיוחדים. + +אם אתה צריך סיסמא שאתה יכול לשנן, אנו ממליצים על [משפט סיסמא לכלי הקוביות](#diceware-passphrases). + +### ביטויי סיסמא של כלי קוביות + +כלי קוביות היא שיטה ליצירת ביטויי סיסמה שקל לזכור, אבל קשה לנחש. + +ביטויי סיסמה של כלי קוביות הם אפשרות מצוינת כאשר אתה צריך לשנן או להזין באופן ידני את האישורים שלך, כגון עבור סיסמת האב של מנהל הסיסמאות שלך או סיסמת ההצפנה של המכשיר שלך. + +דוגמה לביטוי סיסמא של תוכנת קוביות היא `מהירות ניתנת לצפייה סרבן עיפרון מרוטש שבע עשרה מוצג`. + +כדי ליצור ביטוי סיסמא של כלי קוביות באמצעות קוביות אמיתיות, בצע את השלבים הבאים: + +!!! note "הערה" + + הוראות אלה מניחות שאתה משתמש ב[רשימת המילים הגדולה של EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) כדי ליצור את ביטוי הסיסמה, שדורש חמש הטלות קוביות לכל מילה. רשימות מילים אחרות עשויות לדרוש יותר או פחות גלגולים למילה, ועשויות לדרוש כמות שונה של מילים כדי להשיג את אותה אנטרופיה. + +1. לזרוק קובייה בעלת שש צדדים חמש פעמים, לרשום את המספר לאחר כל גלגול. + +2. כדוגמה, נניח שזרקת `2-5-2-6-6`. חפש ב [רשימת המילים הגדולה של ה-EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) את המילה המתאימה ל-`25266`. + +3. אתה תמצא את המילה `להצפין`. כתוב את המילה הזו. + +4. 
חזור על תהליך זה עד לביטוי הסיסמה שלך יש כמה מילים שאתה צריך, שאותן עליך להפריד ברווח. + +!!! warning "חשוב" + + כדאי **לא** לגלגל מחדש מילים עד שתקבל שילוב של מילים שמושכות אותך. התהליך צריך להיות אקראי לחלוטין. + +אם אין לך גישה או תעדיף לא להשתמש בקוביות אמיתיות, תוכל להשתמש במחולל הסיסמאות המובנה של מנהל הסיסמאות שלך, שכן לרובם יש אפשרות ליצור ביטויי סיסמה של תוכנת קוביות בנוסף לסיסמאות הרגילות. + +אנו ממליצים להשתמש ב[רשימת המילים הגדולה של EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) כדי ליצור את ביטויי הסיסמה של תוכנת הקוביות שלך, מכיוון שהיא מציעה את אותה אבטחה בדיוק כמו הרשימה המקורית, תוך שהיא מכילה מילים שקל יותר לשנן. יש גם [רשימות מילים אחרות בשפות שונות](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), אם אינך רוצה שביטוי הסיסמה שלך יהיה באנגלית. + +??? note "הסבר על אנטרופיה וחוזק של ביטויי סיסמה של כלי קוביות" + + כדי להדגים עד כמה חזקות ביטויי הסיסמא של תוכנת קוביות, נשתמש בביטוי הסיסמא של שבע המילים שהוזכר לעיל (`מהירות ניתנת לצפייה סרבן עיפרון מרוטש שבע עשרה מוצג`) וב[רשימת המילים הגדולה של EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) כדוגמה. + + מדד אחד לקביעת עוצמתו של משפט סיסמא של קוביות הוא כמה אנטרופיה יש לו. האנטרופיה למילה בביטוי סיסמה של תוכנת קוביות מחושבת כnd the overall entropy of the passphrase is calculated as -$\text{log}_2(\text{WordsInList})$והאנטרופיה הכוללת של ביטוי הסיסמה מחושבת כ - $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + לכן, כל מילה ברשימה הנ"ל מביאה ל-~12.9 סיביות של אנטרופיה ($\text{log}_2(7776)$), ולביטוי סיסמה של שבע מילים שנגזר ממנו יש ~90.47 סיביות של אנטרופיה($\text{log}_2(7776^7)$). + + [רשימת המילים הגדולה של EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) מכילה 7776 מילים ייחודיות. כדי לחשב את כמות ביטויי הסיסמה האפשריים, כל שעלינו לעשות הוא $\text{WordsInList}^\text{WordsInPhrase}$, או במקרה שלנו, $ 7776^7 $. 
+ + בואו נשים את כל זה בפרספקטיבה: ביטוי סיסמה של שבע מילים באמצעות [רשימת המילים הגדולה של EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) הוא אחד מ-~1,719,070,799,748,422,500,000,phrass אפשריות. + + בממוצע, צריך לנסות 50% מכל השילובים האפשריים כדי לנחש את הביטוי שלך. עם זאת בחשבון, גם אם היריב שלך מסוגל ל-1,000,000,000,000 ניחושים בשנייה, עדיין ייקח לו ~27,255,689 שנים לנחש את משפט הסיסמה שלך. זה המצב גם אם הדברים הבאים נכונים: + + - היריב שלך יודע שהשתמשת בשיטת קוביות. + - היריב שלך יודע את רשימת המילים הספציפית שבה השתמשת. + - היריב שלך יודע כמה מילים מכיל ביטוי הסיסמה שלך. + +לסיכום, ביטויי סיסמה של תוכנת קוביות הם האפשרות הטובה ביותר שלך כאשר אתה צריך משהו שקל לזכור גם *ו* חזק במיוחד. + +## אחסון סיסמאות + +### מנהלי סיסמאות + +הדרך הטובה ביותר לאחסן את הסיסמאות שלך היא באמצעות מנהל סיסמאות. הם מאפשרים לך לאחסן את הסיסמאות שלך בקובץ או בענן ולהגן עליהן באמצעות סיסמת אב אחת. בדרך זו, תצטרך לזכור רק סיסמה אחת חזקה, המאפשרת לך לגשת לשאר שלהן. + +יש הרבה אפשרויות טובות לבחירה, הן מבוססות ענן והן מקומיות. בחר אחד ממנהלי הסיסמאות המומלצים שלנו והשתמש בו כדי ליצור סיסמאות חזקות בכל החשבונות שלך. אנו ממליצים לאבטח את מנהל הסיסמאות שלך באמצעות משפט סיסמה [של סכו"ם](#diceware-passphrases) המורכב משבע מילים לפחות. + +[רשימת מנהלי סיסמאות מומלצים](../passwords.md ""){.md-button} + +!!! warning אזהרה "אל תציב את הסיסמאות ואסימוני ה-TOTP שלך באותו מנהל סיסמאות" + + בעת שימוש בקודי TOTP כ[אימות רב-גורמי](../multi-factor-authentication.md), שיטת האבטחה הטובה ביותר היא לשמור את קודי ה-TOTP שלך ב[אפליקציה נפרדת](../multi-factor-authentication.md#authenticator-apps). + + אחסון אסימוני ה-TOTP שלך באותו מקום כמו הסיסמאות שלך, למרות שהוא נוח, מצמצם את החשבונות לגורם יחיד במקרה שיריב יקבל גישה למנהל הסיסמאות שלך. + + יתר על כן, איננו ממליצים לאחסן קודי שחזור חד-פעמיים במנהל הסיסמאות שלך. יש לאחסן אותם בנפרד, כגון במיכל מוצפן בהתקן אחסון לא מקוון. + +### גיבויים + +עליך לאחסן גיבוי [מוצפן](../encryption.md) של הסיסמאות שלך במספר התקני אחסון או בספק אחסון בענן. 
זה יכול לעזור לך לגשת לסיסמאות שלך אם משהו קורה למכשיר הראשי שלך או לשירות שבו אתה משתמש. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/basics/threat-modeling.md b/i18n/he/basics/threat-modeling.md new file mode 100644 index 00000000..28e76b0a --- /dev/null +++ b/i18n/he/basics/threat-modeling.md 
@@ -0,0 +1,111 @@ +--- +title: "מודל איומים" +icon: 'material/target-account' +--- + +איזון בין אבטחה, פרטיות ושימושיות היא אחת המשימות הראשונות והקשות שתתמודדו איתם במסע הפרטיות שלכם. הכל הוא פשרה: ככל שמשהו בטוח יותר, כך הוא בדרך כלל מגביל או לא נוח יותר, וכו'. לעתים קרובות, אנשים מגלים שהבעיה בכלים שהם רואים מומלצים היא שפשוט קשה מדי להתחיל להשתמש בהם! + +אם תרצה להשתמש ב**רוב** הכלים המאובטחים הזמינים, תצטרך להקריב *הרבה* שימושיות. וגם אז, ==אין דבר שמאובטח תמיד לחלוטין.== יש אבטחה **גבוהה**, אך לעולם לא אבטחה **מלאה**. לכן מודלים של איומים חשובים. + +**אז, מה הם מודל האיומים האלה, בכלל?** + +==מודל איום הוא רשימה של האיומים הסבירים ביותר על מאמצי האבטחה והפרטיות שלך.== מכיוון שאי אפשר להגן על עצמך מפני **כל** תקיפה/תוקף, אתה צריך להתמקד באיומים ה**הסבירים ביותר**. באבטחת מחשבים, איום הוא אירוע שעלול לערער את המאמצים שלך להישאר פרטיים ומאובטחים. + +התמקדות באיומים החשובים לך מצמצמת את החשיבה שלך לגבי ההגנה הדרושה לך, כך שתוכל לבחור את הכלים המתאימים לתפקיד. + +## יצירת מודל האיום שלך + +כדי לזהות מה יכול לקרות לדברים שאתה מעריך ולקבוע ממי אתה צריך להגן עליהם, עליך לענות על חמש השאלות הבאות: + +1. על מה אני רוצה להגן? +2. ממי אני רוצה להגן עליו? +3. עד כמה סביר שאצטרך להגן עליו? +4. כמה נוראות יהיו ההשלכות אם אכשל? +5. כמה צרות אני מוכן לעבור כדי לנסות למנוע השלכות פוטנציאליות? + +### על מה אני רוצה להגן? + +"נכס" הוא משהו שאתה מעריך ורוצה להגן עליו. בהקשר של אבטחה דיגיטלית, נכס הוא בדרך כלל סוג של מידע. לדוגמה, הודעות דוא"ל, רשימות אנשי קשר, הודעות מיידיות, מיקום וקבצים הם כל הנכסים האפשריים. ייתכן שהמכשירים שלך עצמם הם גם נכסים. + +*צור רשימה של הנכסים שלך: נתונים שאתה שומר, היכן הם מוחזקים, למי יש גישה אליהם ומה מונע מאחרים לגשת אליהם.* + +### ממי אני רוצה להגן עליו? + +כדי לענות על שאלה זו, חשוב לזהות מי ירצה למקד אותך או את המידע שלך. =אדם או ישות המהווים איום על הנכסים שלך הוא "יריב ". דוגמאות ליריבים פוטנציאליים הם הבוס שלך, השותף שלך לשעבר, התחרות העסקית שלך, הממשלה שלך, או האקר ברשת ציבורית. 
+ +*ערוך רשימה של היריבים שלך או של אלה שאולי ירצו להשיג את הנכסים שלך. הרשימה עשויה לכלול אנשים פרטיים, סוכנות ממשלתית או תאגידים.* + +תלוי מי הם היריבים שלך, בנסיבות מסוימות, רשימה זו עשויה להיות משהו שאתה רוצה להרוס אחרי שתסיים את התכנון ביטחוני. + +### עד כמה סביר שאצטרך להגן עליו? + +הסיכון הוא הסבירות שאיום מסוים על נכס מסוים יתרחש בפועל. זה הולך יד ביד עם יכולת. בעוד שלספק הטלפון הנייד שלך יש את היכולת לגשת לכל הנתונים שלך, הסיכון שהוא יפרסם את הנתונים הפרטיים שלך באינטרנט כדי לפגוע במוניטין שלך נמוך. + +חשוב להבחין בין מה שעלול לקרות לבין ההסתברות שזה יקרה. לדוגמה, קיים איום שהבניין שלך עלול לקרוס, אבל הסיכון שזה יקרה גדול יותר בסן פרנסיסקו (שבה רעידות אדמה נפוצות) מאשר בשטוקהולם (שבהן לא). + +הערכת סיכונים היא תהליך אישי וסובייקטיבי כאחד. אנשים רבים מוצאים איומים מסוימים בלתי מתקבלים על הדעת, לא משנה את הסבירות שהם יתרחשו, כי עצם הנוכחות של האיום לא שווה את המחיר. במקרים אחרים, אנשים מתעלמים מסיכונים גבוהים כי הם לא רואים את האיום כבעיה. + +*רשום אילו איומים אתה הולך לקחת ברצינות, ואשר עשוי להיות נדיר מדי או מזיק מדי (או קשה מדי להילחם) לדאוג.* + +### כמה נוראות יהיו ההשלכות אם אכשל? + +ישנן דרכים רבות כי יריב יכול לקבל גישה לנתונים שלך. לדוגמה, יריב יכול לקרוא את התקשורת הפרטית שלך כשהוא עובר דרך הרשת, או שהוא יכול למחוק או להשחית את הנתונים שלך. + +המניעים של היריבים שונים מאוד, וכך גם הטקטיקות שלהם. ממשלה המנסה למנוע הפצה של סרטון המציג אלימות משטרתית עשויה להיות מוכנה פשוט למחוק או להפחית את הזמינות של סרטון זה. לעומת זאת, יריב פוליטי עשוי לרצות לקבל גישה לתוכן סודי ולפרסם תוכן זה מבלי שתדע. + +תכנון אבטחה כרוך בהבנה של ההשלכות הרעות שיכולות להיות אם יריב מצליח להשיג גישה לאחד הנכסים שלך. כדי לקבוע את זה, אתה צריך לשקול את היכולת של היריב שלך. לדוגמה, לספק הטלפון הנייד שלך יש גישה לכל רשומות הטלפון שלך. האקר ברשת האלחוטית (Wi - Fi) פתוחה יכול לגשת לתקשורת הלא מוצפנת שלך. לממשלה שלך אולי יש יכולות חזקות יותר. + +*כתוב מה היריב שלך ירצה לעשות עם המידע הפרטי שלך.* + +### כמה צרות אני מוכן לעבור כדי לנסות למנוע השלכות פוטנציאליות? 
+ +אין פתרון מושלם לאבטחה. לא לכולם יש את אותם סדרי עדיפויות, דאגות או גישה למשאבים. הערכת הסיכונים שלך תאפשר לך לתכנן את האסטרטגיה הנכונה עבורך, לאזן בין נוחות, עלות ופרטיות. + +לדוגמה, עורך דין המייצג לקוח במקרה של ביטחון לאומי עשוי להיות מוכן להשקיע מאמצים גדולים יותר כדי להגן על תקשורת לגבי מקרה זה, כגון באמצעות דואר אלקטרוני מוצפן, מאשר אמא ששולחת באופן קבוע מייל לבתה עם סרטוני חתולים מצחיקים. + +*כתוב אילו אפשרויות עומדות לרשותך כדי להקל על האיומים הייחודיים שלך. שימו לב אם יש לכם אילוצים כלכליים, אילוצים טכניים או אילוצים חברתיים.* + +### נסו בעצמכם: הגנה על השייכות שלכם + +שאלות אלה יכולות לחול על מגוון רחב של מצבים, מקוונים ולא מקוונים. כהדגמה כללית של האופן שבו שאלות אלה פועלות, בואו לבנות תוכנית כדי לשמור על הבית שלך ואת הרכוש בטוח. + +**על מה אתה רוצה להגן? (או, *מה יש לך ששווה הגנה?*)** +: + +הנכסים שלכם עשויים לכלול תכשיטים, מוצרי אלקטרוניקה, מסמכים חשובים או תמונות. + +**ממי אתה רוצה להגן עליו?** +: + +היריבים שלכם עשויים לכלול פורצים, שותפים לדירה או אורחים. + +**עד כמה סביר שתצטרך להגן עליו?** +: + +האם יש בשכונה שלך היסטוריה של פריצות? עד כמה השותפים והאורחים שלכם אמינים? מה היכולות של היריבים שלך? מהם הסיכונים שעליכם לקחת בחשבון? + +**כמה נוראות יהיו ההשלכות אם אכשל?** +: + +האם יש לך משהו בבית שלך שאתה לא יכול להחליף? האם יש לך את הזמן או הכסף כדי להחליף את הדברים האלה? יש לכם ביטוח שמכסה סחורה שנגנבה מהבית? + +**כמה צרות אתה מוכן לעבור כדי למנוע את התוצאות האלה?** +: + +אתה מוכן לקנות כספת למסמכים רגישים? אתה יכול להרשות לעצמך לקנות מנעול באיכות גבוהה? האם יש לך זמן לפתוח כספת בבנק המקומי שלך ולשמור את חפצי הערך שלך שם? + +רק לאחר שתשאלו את עצמכם את השאלות האלה תוכלו להעריך באילו אמצעים לנקוט. אם הרכוש שלך בעל ערך, אבל ההסתברות לפריצה נמוכה, אז אולי לא תרצה להשקיע יותר מדי כסף במנעול. אבל, אם ההסתברות לפריצה היא גבוהה, אתה רוצה לקבל את הנעילה הטובה ביותר בשוק ולשקול הוספת מערכת אבטחה. + +הנכסים שלכם עשויים לכלול תכשיטים, מוצרי אלקטרוניקה, מסמכים חשובים או תמונות. 
+ +## קריאה נוספת + +**ממי אתה רוצה להגן עליו?** : + +- [מטרות ואיומים נפוצים :material-arrow-right-drop-circle:](common-threats.md) + +## מקורות + +- [הגנה עצמית במעקב EFF: תוכנית האבטחה שלך](https://ssd.eff.org/en/module/your-security-plan) + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/basics/vpn-overview.md b/i18n/he/basics/vpn-overview.md new file mode 100644 index 00000000..f05b5921 --- /dev/null +++ b/i18n/he/basics/vpn-overview.md 
@@ -0,0 +1,78 @@ +--- +title: סקירה כללית של VPN +icon: material/vpn +--- + +רשתות וירטואליות פרטיות הן דרך להרחיב את הקצה של הרשת שלך ליציאה למקום אחר בעולם. ספק שירותי אינטרנט יכול לראות את זרימת תעבורת האינטרנט הנכנסת ויוצאת ממכשיר סיום הרשת שלך (כלומר מודם). + +פרוטוקולי הצפנה כגון HTTPS נמצאים בשימוש נפוץ באינטרנט, כך שהם אולי לא יוכלו לראות בדיוק את מה שאתה מפרסם או קורא אבל הם יכולים לקבל מושג על [דומיינים שאתה מבקש](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +VPN יכול לעזור מכיוון שהוא יכול להעביר אמון לשרת במקום אחר בעולם. כתוצאה מכך, ספק שירותי האינטרנט רואה רק שאתה מחובר ל-VPN ושום דבר לגבי הפעילות שאתה מעביר אליו. + +## האם כדאי להשתמש ב - VPN? + +**כן**, אלא אם אתה כבר משתמש ב-Tor. VPN עושה שני דברים: מעביר את הסיכונים מספק שירותי האינטרנט שלך לעצמו והסתרת ה-IP שלך משירות של צד שלישי. + +VPNs אינם יכולים להצפין נתונים מחוץ לחיבור בין המכשיר שלך לשרת VPN. ספקי VPN יכולים לראות ולשנות את התעבורה שלך באותו אופן שבו ספק שירותי האינטרנט שלך יכול לראות. ואין דרך לאמת את מדיניות "ללא רישום" של ספק VPN בשום אופן. + +עם זאת, הם מסתירים את ה-IP האמיתי שלך משירות של צד שלישי, בתנאי שאין דליפות IP. הם עוזרים לך להשתלב עם אחרים ולהפחית מעקב מבוסס IP. + +## מתי לא כדאי להשתמש ב - VPN? + +השימוש ב-VPN במקרים שבהם אתה משתמש ב[זהות הידועה](common-threats.md#common-misconceptions) שלך לא סביר להיות שימושי. + +פעולה זו עלולה להפעיל מערכות זיהוי דואר זבל והונאות, כגון אם היית נכנס לאתר האינטרנט של הבנק שלך. + +## מה לגבי הצפנה? + +ההצפנה המוצעת על ידי ספקי VPN נמצאת בין המכשירים שלך לשרתים שלהם. זה מבטיח שהקישור הספציפי הזה מאובטח. זהו שלב עלייה משימוש בפרוקסי לא מוצפנים שבהם יריב ברשת יכול ליירט את התקשורת בין המכשירים שלך לפרוקסי האמורים ולשנות אותם. עם זאת, הצפנה בין האפליקציות או הדפדפנים שלך עם ספקי השירות אינה מטופלת על ידי הצפנה זו. + +על מנת לשמור על פרטיות ומאובטחת מה שאתה עושה באתרים שבהם אתה מבקר, עליך להשתמש ב-HTTPS. זה ישמור על הסיסמאות, אסימוני הפגישה והשאילתות שלך בטוחים מספק ה-VPN. 
שקול להפעיל "HTTPS בכל מקום" בדפדפן שלך כדי למתן התקפות שדרוג לאחור כמו [רצועת SSL](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## האם עלי להשתמש ב-DNS מוצפן עם VPN? + +אלא אם כן ספק ה-VPN שלך מארח את שרתי ה-DNS המוצפנים, **לא**. שימוש ב-DOH/DOT (או כל צורה אחרת של DNS מוצפן) עם שרתי צד שלישי פשוט יוסיף עוד ישויות למתן אמון ו**לא עושה כלום** לשיפור הפרטיות/אבטחתך. ספק ה-VPN שלך עדיין יכול לראות באילו אתרים אתה מבקר בהתבסס על כתובות ה-IP ושיטות אחרות. במקום לסמוך רק על ספק ה-VPN שלך, אתה בוטח כעת גם בספק ה-VPN וגם בספק ה-DNS. + +סיבה נפוצה להמליץ על DNS מוצפן היא שהוא עוזר נגד זיוף DNS. עם זאת, הדפדפן שלך כבר אמור לבדוק [אישורי TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) עם **HTTPS** ולהזהיר אותך לגבי זה. אם אינך משתמש ב**HTTPS**, יריב עדיין יכול פשוט לשנות כל דבר מלבד שאילתות ה-DNS שלך והתוצאה הסופית תהיה מעט שונה. + +מיותר לציין ש**לא כדאי להשתמש ב-DNS מוצפן עם Tor**. זה יפנה את כל בקשות ה-DNS שלך דרך מעגל יחיד ויאפשר לספק ה-DNS המוצפן לעשות לך דה-אנוניזציה. + +## האם עלי להשתמש ב- Tor *וגם*-VPN? + +על ידי שימוש ב-VPN עם Tor, אתה יוצר בעצם צומת כניסה קבוע, לעתים קרובות עם שביל כסף מחובר. זה מספק אפס יתרונות נוספים לך, תוך הגדלת משטח ההתקפה של החיבור שלך באופן דרמטי. אם אתה רוצה להסתיר את השימוש שלך ב-Tor מ-ISP שלך או מהממשלה שלך, ל-Tor יש פתרון מובנה לכך: גשרי Tor. [קרא עוד על גשרי Tor ומדוע אין צורך להשתמש ב-VPN](../advanced/tor-overview.md). + +## מה אם אני צריך אנונימיות? + +רשתות VPN לא יכולות לספק אנונימיות. ספק ה-VPN שלך עדיין יראה את כתובת ה-IP האמיתית שלך, ולעתים קרובות יש לו שובל כסף שניתן לקשר ישירות אליך. אינך יכול להסתמך על מדיניות "ללא רישום" כדי להגן על הנתונים שלך. השתמש [ב Tor](https://www.torproject.org/) במקום. + +## מה לגבי ספקי VPN המספקים צמתי Tor? + +אל תשתמש בתכונה זו. הנקודה בשימוש ב-Tor היא שאינך סומך על ספק ה-VPN שלך. נכון לעכשיו Tor תומך רק בפרוטוקול [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol). 
[UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (בשימוש [WebRTC](https://en.wikipedia.org/wiki/WebRTC) לשיתוף קול ווידאו, פרוטוקול [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) החדש וכו'), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) ומנות אחרות יוסרו. כדי לפצות על כך, ספקי VPN בדרך כלל ינתבו את כל החבילות שאינן TCP דרך שרת ה-VPN שלהם (הקפיצה הראשונה שלך). זה המקרה עם [ProtonVPN](https://protonvpn.com/support/tor-vpn/). בנוסף, בעת שימוש בהגדרת Tor over VPN זו, אין לך שליטה על תכונות Tor חשובות אחרות כגון [כתובת יעד מבודדת](https://www.whonix.org/wiki/Stream_Isolation) (באמצעות מעגל Tor שונה עבור כל דומיין שאתה מבקר בו). + +יש לראות את התכונה כדרך נוחה לגשת לרשת Tor, לא להישאר אנונימית. לאנונימיות נאותה, השתמש בדפדפן Tor, TorSocks או שער Tor. + +## מתי רשתות VPN שימושיות? + +VPN עדיין עשוי להיות שימושי עבורך במגוון תרחישים, כגון: + +1. הסתרת התנועה שלך מ**רק** מספק האינטרנט שלך. +1. הסתרת ההורדות שלך (כגון טורנטים) מ-ISP וארגונים נגד פיראטיות. +1. הסתרת ה-IP שלך מאתרי אינטרנט ושירותים של צד שלישי, מניעת מעקב מבוסס IP. + +במצבים כאלה, או אם יש לך סיבה משכנעת אחרת, ספקי רשתות ה-VPN שציינו לעיל הם אלו שאנו חושבים שהם הכי אמינים. עם זאת, שימוש בספק VPN עדיין אומר שאתה *סומך* על הספק. כמעט בכל תרחיש אחר אתה אמור להשתמש בכלי מאובטח**שמעוצב** כגון Tor. + +## מקורות וקריאה נוספת + +1. [VPN - נרטיב מאוד מעורער](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) מאת דניס שוברט +1. [סקירה כללית של רשת Tor](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["האם אני צריך VPN?"](https://www.doineedavpn.com), כלי שפותח על ידי IVPN כדי לאתגר שיווק VPN אגרסיבי על ידי סיוע לאנשים להחליט אם VPN מתאים להם. 
+ +## מידע שקשור ל VPN + +- [הבעיה עם אתרי סקירת VPN ואתרי פרטיות](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [חקירת אפליקציית VPN בחינם](https://www.top10vpn.com/free-vpn-app-investigation/) +- [בעלי VPN מוסתרים חשפו: 101 מוצרי VPN המנוהלים על ידי 23 חברות בלבד](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [החברה הסינית הזו עומדת בסתר מאחורי 24 אפליקציות פופולריות שמחפשות הרשאות מסוכנות](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/calendar.md b/i18n/he/calendar.md new file mode 100644 index 00000000..c15c423e --- /dev/null +++ b/i18n/he/calendar.md 
@@ -0,0 +1,71 @@ +--- +title: "סנכרון לוח שנה" +icon: material/calendar +--- + +לוחות שנה מכילים חלק מהנתונים הרגישים ביותר שלך; השתמש במוצרים המיישמים E2EE ב - מנוחה כדי למנוע מספק לקרוא אותם. + +## Tutanota + +!!! recommendation + + ![Tutanota לוגו](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota לוגו](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** מציעה לוח שנה בחינם ומוצפן על פני הפלטפורמות הנתמכות שלהם. התכונות כוללות: E2EE אוטומטי של כל הנתונים, תכונות שיתוף, פונקציונליות ייבוא/ייצוא, אימות רב-גורמי ו-[עוד](https://tutanota.com/calendar-app-comparison/). + + מספר לוחות שנה ופונקציונליות שיתוף מורחבת מוגבלים למנויים בתשלום. + + [:octicons-home-16: דף הבית](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** הוא שירות לוח שנה מוצפן הזמין לחברי Proton דרך לקוחות אינטרנט או ניידים. 
התכונות כוללות: E2EE אוטומטי של כל הנתונים, תכונות שיתוף, פונקציונליות ייבוא/ייצוא [ועוד](https://proton.me/support/proton-calendar-guide). אלה בשכבה החינמית מקבלים גישה ללוח שנה בודד, בעוד שמנויים בתשלום יכולים ליצור עד 20 לוחות שנה. פונקציונליות השיתוף המורחבת מוגבלת גם למנויים בתשלום. + + [:octicons-home-16: דף הבית](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +### כישורים מינימליים + +- עליך לסנכרן ולאחסן מידע עם E2EE כדי לוודא שהנתונים אינם גלויים לספק השירות. + +### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. 
+ +- צריך להשתלב עם לוח השנה של מערכת ההפעלה המקומית ואפליקציות ניהול אנשי קשר, אם רלוונטי. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/cloud.md b/i18n/he/cloud.md new file mode 100644 index 00000000..8ca94e80 --- /dev/null +++ b/i18n/he/cloud.md 
@@ -0,0 +1,62 @@ +--- +title: "אחסון בענן" +icon: material/file-cloud +--- + +ספקי אחסון ענן רבים דורשים את האמון המלא שלך בכך שהם לא יסתכלו על הקבצים שלך. החלופות המפורטות להלן מבטלות את הצורך באמון על ידי מתן שליטה על הנתונים שלך או על ידי יישום E2EE. + +אם חלופות אלה אינן מתאימות לצרכים שלך, אנו מציעים לך לבדוק את [תוכנת ההצפנה](encryption.md). + +??? השאלה "מחפשים את NextCloud?" + + NextCloud הוא [עדיין כלי מומלץ](productivity.md) לאחסון עצמי של חבילת ניהול קבצים, אך איננו ממליצים כרגע על ספקי אחסון צד שלישי של Nextcloud, מכיוון שאיננו ממליצים על הפונקציונליות המובנית של Nextcloud ב - E2EE עבור משתמשים ביתיים. + +## Proton Drive + +!!! recommendation + + ![Proton Drive לוגו](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** הוא שירות אחסון קבצים כללי E2EE של ספק הדוא"ל המוצפן הפופולרי [Proton Mail](https://proton.me/mail). + + [:octicons-home-16: דף הבית](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +הלקוחות הניידים של Proton Drive שוחררו בדצמבר 2022 ועדיין אינם קוד פתוח. Proton עיכבה באופן היסטורי את שחרורי קוד המקור שלהם עד לאחר שחרור המוצר הראשוני, [ומתכננת](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) לשחרר את קוד המקור עד סוף 2023. לקוחות שולחן העבודה של Proton Drive עדיין בפיתוח. 
+ +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +### דרישות מינימליות + +- חייב לאכוף הצפנה מקצה לקצה. +- יש להציע תוכנית חינם או תקופת ניסיון לבדיקה. +- צריך לתמוך בתמיכה באימות רב-גורמי TOTP או FIDO2, או כניסות מפתח סיסמה. +- חייב להציע ממשק אינטרנט התומך בפונקציונליות ניהול קבצים בסיסית. +- חייב לאפשר ייצוא קל של כל הקבצים/המסמכים. +- חייב להשתמש בהצפנה סטנדרטית ומבוקרת. + +### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- הלקוחות צריכים להיות בקוד פתוח. +- לקוחות צריכים להיות מבוקרים במלואם על ידי צד שלישי עצמאי. +- צריך להציע ללקוחות מקומיים עבור לינוקס, אנדרואיד, Windows, macOS ו - iOS. + - לקוחות אלה צריכים להשתלב עם כלי מערכת הפעלה מקוריים עבור ספקי אחסון בענן, כגון שילוב אפליקציות קבצים ב- iOS, או פונקציונליות DocumentsProvider באנדרואיד. +- צריך לתמוך בשיתוף קבצים קל עם משתמשים אחרים. +- אמור להציע לפחות תצוגה מקדימה בסיסית של קובץ ופונקציונליות עריכה בממשק האינטרנט. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/data-redaction.md b/i18n/he/data-redaction.md new file mode 100644 index 00000000..898f59af --- /dev/null +++ b/i18n/he/data-redaction.md 
@@ -0,0 +1,145 @@ +--- +title: "הפחתת נתונים ומטא נתונים" +icon: material/tag-remove +--- + +בעת שיתוף קבצים, הקפד להסיר מטא נתונים משויכים. קבצי תמונה כוללים בדרך כלל [נתוני Exif](https://en.wikipedia.org/wiki/Exif). תמונות לפעמים אפילו כוללות קואורדינטות GPS במטא-נתונים של הקובץ. + +## מחשב שולחני + +### MAT2 + +!!! recommendation + + ![MAT2 לוגו](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** היא תוכנה חופשית, המאפשרת להסיר את המטא נתונים מסוגים של תמונות, אודיו, טורנטים ומסמכים. הוא מספק גם כלי שורת פקודה וגם ממשק משתמש גרפי באמצעות [הרחבה עבור Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), מנהל הקבצים המוגדר כברירת מחדל של [GNOME](https://www.gnome.org), ו-[Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), מנהל הקבצים המוגדר כברירת מחדל של [KDE](https://kde.org). + + בלינקוס, קיים כלי גרפי של צד שלישי [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) המופעל על ידי MAT2 והוא [זמין ב-Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: מאגר](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=תיעוד} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## נייד + +### ExifEraser (אנדרואיד) + +!!! recommendation + + ![לוגו של ExifEraser](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** הוא יישום מודרני למחיקת מטא נתונים של תמונות ללא הרשאה עבור אנדרואיד. + + בשלב זה הוא תומך בקבצי JPEG, PNG ו - WebP. 
+ + [:octicons-repo-16: מאגר](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +המטא נתונים שנמחקים תלויים בסוג הקובץ של התמונה: + +* **JPEG**: פרופיל ICC, Exif, משאבי תמונה בפוטושופ ומטא-נתונים של XMP/ExtendedXMP יימחקו אם הם קיימים. +* **PNG**: פרופיל ICC, מטא נתונים של Exif ו - XMP יימחקו אם הם קיימים. +* **WebP**: פרופיל ICC, מטא נתונים של Exif ו - XMP יימחקו אם הם קיימים. + +לאחר עיבוד התמונות, ExifEraser מספק לך דוח מלא על מה בדיוק הוסר מכל תמונה. + +האפליקציה מציעה מספר דרכים למחיקת מטא - נתונים מתמונות. כלומר: + +* באפשרותך לשתף תמונה מיישום אחר עם ExifEraser. +* דרך האפליקציה עצמה, אתה יכול לבחור תמונה אחת, תמונות מרובות בבת אחת, או אפילו ספריה שלמה. +* הוא כולל אפשרות "מצלמה ", המשתמשת באפליקציית המצלמה של מערכת ההפעלה כדי לצלם תמונה, ולאחר מכן מסירה ממנה את המטא נתונים. +* זה מאפשר לך לגרור תמונות מיישום אחר לתוך ExifEraser כאשר שניהם פתוחים במצב מסך מפוצל. +* לבסוף, הוא מאפשר לך להדביק תמונה מהלוח שלך. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho לוגו](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** הוא צופה פשוט ונקי עבור מטא נתונים של תמונות כגון תאריך, שם קובץ, גודל, מודל מצלמה, מהירות צמצם ומיקום. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads "הורדות" + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! 
recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + ** PrivacyBlur** היא אפליקציה חינמית שיכולה לטשטש חלקים רגישים של תמונות לפני שהיא משתפת אותם באינטרנט. + + [:octicons-home-16: דף הבית](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning "אזהרה" + + כדאי **לעולם** לא להשתמש בטשטוש כדי לעצב [טקסט בתמונות](https://bishopfox.com/blog/unredacter-tool-never-pixelation). אם ברצונך לשנות טקסט בתמונה, צייר תיבה מעל הטקסט. לשם כך, אנו מציעים אפליקציות כמו [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## שורת הפקודה + +### ExifTool + +!!! recommendation + + ![ExifTool לוגו](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** הוא ספריית ה-perl המקורית ויישום שורת הפקודה לקריאה, כתיבה ועריכה של מטא מידע (Exif, IPTC, XMP ועוד) במגוון רחב של פורמטים של קבצים (JPEG, TIFF, PNG, PDF, RAW ועוד). + + לעתים קרובות זה מרכיב של יישומי הסרת Exif אחרים ונמצא ברוב מאגרי ההפצה של לינוקס. + + [:octicons-home-16: דף הבית](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=לתרומה } + + ??? 
downloads "הורדות" + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "מחיקת נתונים מספריית קבצים" + + ```bash + exiftool -all= *.סיומת קובץ + ``` + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- יישומים שפותחו עבור מערכות הפעלה בקוד פתוח חייבים להיות קוד פתוח. +- יישומים חייבים להיות חינמיים ולא לכלול מודעות או מגבלות אחרות. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/desktop-browsers.md b/i18n/he/desktop-browsers.md new file mode 100644 index 00000000..8780f32c --- /dev/null +++ b/i18n/he/desktop-browsers.md 
@@ -0,0 +1,262 @@ +--- +title: "דפדפנים שולחניים" +icon: material/laptop +--- + +אלה הדפדפנים והתצורות המומלצים כרגע לגלישה רגילה/לא אנונימית. אם אתה צריך לגלוש באינטרנט באופן אנונימי, אתה צריך להשתמש [Tor](tor.md) במקום. באופן כללי, אנו ממליצים לשמור על הרחבות הדפדפן שלך למינימום; יש להם גישה מורשית בתוך הדפדפן שלך, דורשים ממך לסמוך על המפתח, יכולים לגרום לך [להתבלט](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), ו[להחליש](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) את בידוד האתר. + +## Firefox + +!!! recommendation + + ![לוגו Firefox](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** מספק הגדרות פרטיות חזקות כגון [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), שיכול לעזור לחסום שונים [סוגי מעקב](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-protection-blocks). + + [:octicons-home-16: דף הבית](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=תיעוד} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning "אזהרה" + Firefox כולל [אסימון הורדה](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) ייחודי בהורדות מאתר האינטרנט של מוזילה ומשתמש בטלמטריה ב-Firefox כדי לשלוח את האסימון. 
האסימון **לא** כלול במהדורות מ-[Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### תצורה מומלצת + +דפדפן Tor הוא הדרך היחידה לגלוש באמת באינטרנט באופן אנונימי. כאשר אתה משתמש ב-Firefox, אנו ממליצים לשנות את ההגדרות הבאות כדי להגן על פרטיותך מפני גורמים מסוימים, אך כל הדפדפנים מלבד [דפדפן Tor](tor.md#tor-browser) יהיו ניתנים למעקב על ידי *מישהו* בהקשר זה או אחר. + +ניתן למצוא אפשרויות אלה ב - :material-menu: ← **הגדרות** ← **פרטיות & אבטחה**. + +##### הגנה מוגברת מפני מעקב + +- [x] בחר ** מחמיר** הגנת מעקב מתקדמת + +זה מגן עליך על ידי חסימת מעקבי מדיה חברתית, סקריפטים של טביעת אצבע (שים לב שזה לא מגן עליך מפני *כל* טביעות האצבע), קריפטומינרים, עוגיות מעקב חוצות- אתרים ותוכן מעקב אחר. ETP מגן מפני איומים נפוצים רבים, אך הוא אינו חוסם את כל אפיקי המעקב מכיוון שהוא נועד להשפיע באופן מינימלי עד ללא השפעה על השימושיות באתר. + +##### חיטוי בעת סגירה + +אם אתה רוצה להישאר מחובר לאתרים מסוימים, אתה יכול לאפשר חריגים ב**עוגיות ונתוני אתר** ← **נהל חריגים... ** + +- [x] סמן **מחיקת עוגיות ונתוני אתרים עם סגירת Firefox** + +זה מגן עליך מפני עוגיות מתמשכות, אך אינו מגן עליך מפני עוגיות שנרכשו במהלך כל הפעלת גלישה אחת. כאשר זה מופעל, אפשר לנקות בקלות את קובצי העוגיות של הדפדפן שלך פשוט על ידי הפעלה מחדש של Firefox. אתה יכול להגדיר חריגים על בסיס אתר, אם אתה רוצה להישאר מחובר לאתר מסוים שאתה מבקר בו לעתים קרובות. + +##### הצעות חיפוש + +- [ ] בטל את הסימון **הצגת המלצות חיפוש** + +ייתכן שתכונות הצעות חיפוש לא יהיו זמינות באזור שלך. + +הצעות חיפוש שולחות את כל מה שאתה מקליד בסרגל הכתובות למנוע החיפוש המוגדר כברירת מחדל, ללא קשר אם אתה שולח חיפוש בפועל. השבתת הצעות חיפוש מאפשרת לך לשלוט בצורה מדויקת יותר באילו נתונים אתה שולח לספק מנועי החיפוש שלך. 
+ +##### טלמטריה + +- [ ] בטל את הסימון **לאפשר ל-Firefox לשלוח אל Mozilla מידע טכני ופעולות שבוצעו בדפדפן** +- [ ] בטל את הסימון **לאפשר ל-Firefox להתקין ולהריץ מחקרים** +- [ ] בטל את הסימון **לאפשר ל-Firefox דיווחי קריסות שנשמרו בשמך** + +> Firefox שולח נתונים על הגרסה והשפה של Firefox שלך; תצורת מערכת ההפעלה והחומרה של המכשיר; זיכרון, מידע בסיסי על קריסות ושגיאות; תוצאה של תהליכים אוטומטיים כמו עדכונים, גלישה בטוחה והפעלה אלינו. כאשר Firefox שולח לנו נתונים, כתובת ה-IP שלך נאספת זמנית כחלק מיומני השרת שלנו. + +בנוסף, שירות חשבונות Firefox אוסף [כמה נתונים טכניים](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). אם אתה משתמש בחשבון Firefox אתה יכול לבטל את הסכמתך: + +1. פתח את [הגדרות הפרופיל שלך ב ](https://accounts.firefox.com/settings#data-collection)accounts.firefox.com +2. ביטול סימון **איסוף נתונים ושימוש** > **עזרה בשיפור חשבונות Firefox** + +##### מצב HTTPS בלבד + +- [x] בחר **הפעלת מצב HTTPS בלבד בכל החלונות** + +זה מונע ממך להתחבר ללא כוונה לאתר אינטרנט ב-HTTP בטקסט רגיל. אתרים ללא HTTPS אינם נפוצים כיום, לכן לא אמורה להיות לכך השפעה רבה על הגלישה היומיומית שלך. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) מאפשר לנתוני הגלישה שלך (היסטוריה, סימניות וכו') להיות נגישים בכל המכשירים שלך ומגן עליהם באמצעות E2EE. + +### Arkenfox (מתקדם) + +פרויקט [Arkenfox](https://github.com/arkenfox/user.js) מספק קבוצה של אפשרויות שנשקלו בקפידה עבור Firefox. אם אתה [מחליט](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) להשתמש ב-Arkenfox, [כמה אפשרויות](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) הן קפדניות סובייקטיבית ו/או עלולות לגרום לאתרים מסוימים לא לעבוד כראוי [שאותן תוכל לשנות בקלות](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) כדי להתאים לצרכים שלך. אנו **ממליצים בחום** לקרוא את [הויקי](https://github.com/arkenfox/user.js/wiki) המלא שלהם. Arkenfox גם מאפשר תמיכה ב[מכולות](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users). 
+ +## Brave + +!!! recommendation + + ![Brave לוגו](assets/img/browsers/brave.svg){ align=right } + + **דפדפן Brave** כולל חוסם תוכן מובנה ו [תכונות פרטיות ]( https://brave.com/privacy-features/), רבים מהם מופעלים כברירת מחדל. + + Brave בנוי על פרויקט דפדפן Chromium, כך שהוא אמור להרגיש מוכר ושיהיו לו בעיות תאימות מינימליות לאתר. + + [:octicons-home-16: דף הבית](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="שירות בצל" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="קוד פתוח" } + + ??? downloads annotate "הורדות" + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. אנו ממליצים לא להשתמש בגרסת Flatpak של Brave, מכיוון שהיא מחליפה את ארגז החול של Chromium ב-Flatpak, שהוא פחות יעיל. בנוסף, החבילה אינה מתוחזקת על ידי Brave Software, Inc. + +### תצורה מומלצת + +דפדפן Tor הוא הדרך היחידה לגלוש באמת באינטרנט באופן אנונימי. כאשר אתה משתמש ב-Brave, אנו ממליצים לשנות את ההגדרות הבאות כדי להגן על פרטיותך מפני גורמים מסוימים, אך כל הדפדפנים מלבד [Tor דפדפן](tor.md#tor-browser) יהיו ניתנים למעקב על ידי *מישהו* בהקשר זה או אחר. + +ניתן למצוא אפשרויות אלה ב - :material-menu: ← **הגדרות**. + +##### Shields + +Brave כולל כמה אמצעים נגד טביעת אצבע בתכונת [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) שלו. אנו מציעים להגדיר את האפשרויות האלה [גלובלי](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) בכל הדפים שבהם אתה מבקר. 
+ +ניתן לשדרג לאחור את האפשרויות של Shields על בסיס אתר לפי הצורך, אך כברירת מחדל אנו ממליצים להגדיר את האפשרויות הבאות: + +
+ +- [x] בחר **מנע מאתרים לקחת ממני טביעות אצבע בהתבסס על העדפות השפה שלי** +- [x] בחר **אגרסיבי** תחת חסימת עוקבים ומודעות + + ??? warning "השתמש ברשימות סינון ברירת מחדל" + Brave מאפשר לך לבחור מסנני תוכן נוספים בדף הפנימי `brave://adblock`. אנו ממליצים לא להשתמש בתכונה זו; במקום זאת, שמור על רשימות הסינון המוגדרות כברירת מחדל. שימוש ברשימות נוספות יגרום לך להתבלט ממשתמשי Brave אחרים ועלול גם להגדיל את שטח ההתקפה אם יש ניצול ב-Brave וכלל זדוני יתווסף לאחת הרשימות שבהן אתה משתמש. + +- [x] (אופציונלי) בחר **בלוק סקריפטים** (1) +- [x] בחר **מחמיר, עלול לשבור אתרים** תחת בלוק טביעת אצבע + +
+ +1. אפשרות זו מספקת פונקציונליות דומה למצבי החסימה [המתקדמים של uBlock Origin](https://github.com/gorhill/uBlock/wiki/Blocking-mode) או להרחבה [NoScript](https://noscript.net/). + +##### חסימת מדיה חברתית + +- [ ] בטל את הסימון של כל רכיבי המדיה החברתית + +##### פרטיות ואבטחה + +
+ +- [x] בחר **Disable Non-Proxied UDP** מתחת [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] בטל **שימוש בשירותי Google להעברת הודעות בדחיפה** +- [ ] בטל **אפשר ניתוח מוצרים ששומר על הפרטיות (P3A)** +- [ ] בטל **שליחה אוטומטית של פינג שימוש יומי ל-Brave** +- [x] בחר **השתמש תמיד בחיבורים מאובטחים** בתוך **אבטחה** תפריט +- [ ] בטל **חלון פרטי עם טור** (1) + + !!! חשוב"חיטוי בסגירה" + - [x] בחר**נקה קבצי עוגיות ונתוני אתר בעת סגירת כל החלונות**בתפריט *עוגיות ונתוני אתר אחרים* + + אם ברצונך להישאר מחובר לאתר מסוים שבו אתה מבקר לעתים קרובות, באפשרותך להגדיר חריגים על בסיס לכל אתר תחת *התנהגויות מותאמות אישית* section. + +
+ +1. Brave הוא **לא** עמיד בפני טביעת אצבע כמו דפדפן Tor והרבה פחות אנשים משתמשים אמיץ עם Tor, כך תוכל להתבלט. כאשר [נדרשת אנונימיות חזקה](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) השתמש בדפדפן [Tor](tor.md#tor-browser). + +##### הרחבות + +השבת הרחבות מובנות שאינך משתמש בהן ב**הרחבות** + +- [ ] בטל את הסימון **Hangouts** +- [ ] בטל את הסימון **WebTorrent** + +##### IPFS + +מערכת קבצים בין - כוכבית (באנגלית: InterPlanetary File System, בראשי תיבות: IPF) היא רשת מבוזרת המשמשת לאחסון ושיתוף נתונים במערכת קבצים מבוזרת. אלא אם כן אתה משתמש בתכונה, להשבית אותו. + +- [x] בחר **נכים** בשיטה לפתרון משאבי IPFs + +##### הגדרות נוספות + +מתחת לתפריט *מערכת* + +
+ +- [] בטל את הסימון **המשך להפעיל אפליקציות כאשר Brave סגור** כדי להשבית אפליקציות רקע (1) + +
+ +1. אפשרות זו אינה קיימת בכל הפלטפורמות. + +### סנכרון Brave + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) מאפשר לנתוני הגלישה שלך (היסטוריה, סימניות וכו ') להיות נגישים בכל המכשירים שלך ללא צורך בחשבון ומגן עליהם באמצעות E2EE. + +## מקורות נוספים + +בדרך כלל איננו ממליצים להתקין תוספים כלשהם מכיוון שהם מגדילים את שטח ההתקפה שלך. עם זאת, uBlock Origin עשוי להיות שימושי אם אתה מעריך פונקציונליות חסימת תוכן. + +### uBlock Origin + +!!! recommendation + + ![הלוגו של uBlock Origin](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** הוא חוסם תוכן פופולרי שיכול לעזור לך לחסום מודעות, עוקבים וסקריפטים של טביעות אצבע. + + [:octicons-repo-16: מאגר](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="קוד מקור" } + + ??? הורדות + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +אנו ממליצים לעקוב אחר התיעוד של [היזם](https://github.com/gorhill/uBlock/wiki/Blocking-mode) ולבחור אחד מה"מצבים ". רשימות מסננים נוספות [עלולות להשפיע על הביצועים ולהגדיל את שטח התקיפה](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). 
+ +##### רשימות אחרות + +אלה עוד כמה [רשימות מסנן](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) ייתכן שתרצה לשקול הוספה: + +- [x] בדוק **פרטיות** > **הגנה על מעקב אחר כתובות אתרים של AdGuard** +- להוסיף [למעשה כלי URL מקוצר לגיטימי ](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +### דרישות מינימליות + +- חייבת להיות תוכנת קוד פתוח. +- תומך בעדכונים אוטומטיים. +- מקבל עדכוני מנוע בתוך 0 -1 ימים משחרורו במעלה הזרם. +- זמין ב-Linux, macOS ו-Windows. +- כל שינוי שיידרש כדי להפוך את הדפדפן ליותר מכבד פרטיות לא צריך להשפיע לרעה על חוויית המשתמש. +- חוסם קובצי עוגיות של צד שלישי כברירת מחדל. +- תומך [במחיצת מצב](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) כדי להקטין את המעקב בין אתרים.[^1] + +### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- כולל פונקציונליות מובנית לחסימת תוכן. +- תומך מידור עוגיות ([מכולות מרובות חשבון](https://support.mozilla.org/en-US/kb/containers)). +- תומך באפליקציות אינטרנט פרוגרסיביות. + PWAs מאפשרים לך להתקין אתרים מסוימים כאילו היו אפליקציות מקוריות במחשב שלך. 
זה יכול להיות בעל יתרונות על פני התקנת אפליקציות מבוססות-אלקטרון, מכיוון שאתה נהנה מעדכוני האבטחה הרגילים של הדפדפן שלך. +- לא כולל פונקציונליות הרחבה (bloatware) שאינה משפיעה על פרטיות המשתמש. +- אינו אוסף טלמטריה כברירת מחדל. +- מספק יישום שרת סינכרון בקוד פתוח. +- ברירת המחדל היא [מנוע חיפוש פרטי](search-engines.md). + +### קריטריונים להרחבה + +- אסור לשכפל דפדפן מובנה או פונקציונליות מערכת הפעלה. +- חייב להשפיע ישירות על פרטיות המשתמש, כלומר לא חייב פשוט לספק מידע. + +--8<-- "includes/abbreviations.he.txt" + +[^1]: היישום של Brave מפורט ב [עדכוני פרטיות Brave: חלוקת מצב רשת לפרטיות](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/he/desktop.md b/i18n/he/desktop.md new file mode 100644 index 00000000..23db6cc1 --- /dev/null +++ b/i18n/he/desktop.md 
@@ -0,0 +1,184 @@ +--- +title: "שולחן עבודה/מחשב אישי" +icon: simple/linux +--- + +הפצות לינוקס מומלצות בדרך כלל להגנה על פרטיות וחופש תוכנה. אם אינך משתמש עדיין בלינוקס, להלן כמה הפצות שאנו מציעים לנסות, כמו גם כמה טיפים כלליים לשיפור פרטיות ואבטחה החלים על הפצות לינוקס רבות. + +- [סקירה כללית של לינוקס :material-arrow-right-drop-circle:](os/linux-overview.md) + +## הפצות מסורתיות + +### Fedora Workstation + +!!! recommendation + + ![Fedora לוגו](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **תחנת העבודה של פדורה** היא ההפצה המומלצת שלנו לאנשים חדשים ללינוקס. Fedora בדרך כלל מאמצת טכנולוגיות חדשות יותר לפני הפצות אחרות, למשל [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), ובקרוב [FS-Verity](https://fedoraproject.org/wiki/Changes/FsVerityRPM). טכנולוגיות חדשות אלה מגיעות לעתים קרובות עם שיפורים באבטחה, בפרטיות ובשימושיות באופן כללי. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +לFedora יש מהדורת שחרור מתגלגל-למחצה. בעוד כמה חבילות כמו [GNOME](https://www.gnome.org) מוקפאות עד לשחרור הבא של פדורה, רוב החבילות (כולל הקרנל) מתעדכנות לעתים קרובות לאורך תוחלת החיים של השחרור. כל גרסה של פדורה נתמכת למשך שנה אחת, עם גרסה חדשה ששוחררה כל שישה חודשים. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed לוגו](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** היא הפצת שחרור מתגלגלת יציבה. + + ל-openSUSE Tumblewee יש a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) יש מערכת המשתמשת [Btrfs](https://en.wikipedia.org/wiki/Btrfs) ו [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) כדי להבטיח שניתן יהיה להחזיר תמונות אם תהיה בעיה. 
+ + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed עוקב אחר מודל מהדורה מתגלגל שבו כל עדכון משוחרר כתמונת מצב של ההפצה. בעת שדרוג המערכת, מתבצעת הורדה של תמונת מצב חדשה. כל תמונת מצב מנוהלת באמצעות סדרה של בדיקות אוטומטיות על ידי [openQA](https://openqa.opensuse.org) כדי להבטיח את איכותה. + +### Arch Linux + +!!! recommendation + + ![Arch לוגו](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** הוא הפצה קלה של עשה זאת בעצמך (DIY) שמשמעותה שאתה מקבל רק את מה שאתה מתקין. לקבלת מידע נוסף, עיין ב[FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +ל - Arch Linux יש מחזור שחרור מתגלגל. אין לוח זמנים שחרור קבוע וחבילות מתעדכנות לעתים קרובות מאוד. + +להיות התפלגות DIY, אתה [צפוי להגדיר ולתחזק](os/linux-overview.md#arch-based-distributions) המערכת שלך בעצמך. יש Arch [מתקין רשמי](https://wiki.archlinux.org/title/Archinstall) כדי להפוך את תהליך ההתקנה קצת יותר קל. + +חלק גדול מהחבילות של [ארץ' לינוקס](https://reproducible.archlinux.org) הן [לשחזור](https://reproducible-builds.org). + +## הפצות בלתי ניתנות לשינוי + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue לוגו](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue *** ו -** Fedora Kinoite ** הם גרסאות בלתי ניתנות לשינוי של Fedora עם מיקוד חזק בזרימות עבודה של קונטיינרים. Silverblue מגיע עם [GNOME](https://www.gnome.org/) desktop environment while Kinoite [KDE](https://kde.org/). 
Silverblue ו - Kinoite מצייתות לאותו לוח זמנים של הפצה כמו Fedora Workstation, ומרוויחות מאותם עדכונים מהירים ונשארות קרובות מאוד לזרם. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (ו Kinoite) שונים מ Fedora Workstation כפי שהם מחליפים את [מנהל חבילת DNF](https://fedoraproject.org/wiki/DNF) עם אלטרנטיבה מתקדמת הרבה יותר בשם [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). מנהל החבילות `rpm - ostree` עובד על ידי הורדת תמונת בסיס עבור המערכת, ולאחר מכן שכבת חבילות מעליה ב [git](https://en.wikipedia.org/wiki/Git)- כמו להתחייב עץ. כאשר המערכת מתעדכנת, מורידים תמונת בסיס חדשה ושכבות העל יוחלו על תמונה חדשה זו. + +לאחר השלמת העדכון, תאתחל מחדש את המערכת לפריסה החדשה. `rpm - ostree` שומר שתי פריסות של המערכת, כך שתוכל בקלות לחזור לאחור אם משהו נשבר בפריסה החדשה. יש גם אפשרות להצמיד יותר פריסות לפי הצורך. + +[Flatpak](https://www.flatpak.org) היא שיטת התקנת החבילה העיקרית בהפצות אלה, מכיוון ש-`rpm-ostree` נועדה רק לכיסוי חבילות שאינן יכולות להישאר בתוך מיכל על גבי תמונת הבסיס. + +כחלופה Flatpaks, יש את האפשרות של[Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) כדי ליצור [Podman](https://podman.io) עם ספריית בית משותפת עם מערכת ההפעלה המארח לחקות סביבת פדורה מסורתית, המהווה [תכונה שימושית](https://containertoolbx.org) עבור מפתח הבחנה. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS היא הפצה עצמאית המבוססת על מנהל החבילות של Nix ומתמקדת בשחזור ואמינות. 
+ + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +מנהל החבילות של NixOS שומר כל גרסה של כל חבילה בתיקיה אחרת בחנות **Nix store**. בשל כך אתה יכול לקבל גירסאות שונות של אותה חבילה מותקנת על המערכת שלך. לאחר שתוכן החבילה נכתב לתיקייה, התיקייה נעשית לקריאה בלבד. + +NixOS מספקת גם עדכונים אטומיים; תחילה היא מורידה (או בונה) את החבילות והקבצים עבור דור המערכת החדש ולאחר מכן עוברת אליו. ישנן דרכים שונות לעבור לדור חדש; באפשרותך להורות ל - NixOS להפעיל אותו לאחר אתחול מחדש או לעבור אליו בזמן ריצה. אתה יכול גם *לבדוק* הדור החדש על ידי מעבר אליו בזמן ריצה, אבל לא הגדרת אותו כמו הדור הנוכחי של המערכת. אם משהו בתהליך העדכון נשבר, אתה יכול פשוט לאתחל באופן אוטומטי ולחזור לגירסה עובדת של המערכת שלך. + +Nix מנהל החבילות משתמש בשפה פונקציונלית טהורה - הנקראת גם Nix - כדי להגדיר חבילות. + +[Nixpkgs](https://github.com/nixos/nixpkgs)(המקור העיקרי של חבילות) נמצאים במאגר אחד של GitHub. אתה יכול גם להגדיר חבילות משלך באותה שפה ולאחר מכן בקלות לכלול אותם בתצורה שלך. + +Nix הוא מנהל חבילות מבוסס מקור; אם אין מוכן מראש זמין במטמון הבינארי, ניקס פשוט יבנה את החבילה מהמקור באמצעות ההגדרה שלו. הוא בונה כל חבילה בסביבה *טהורה* בארגז חול, שאינה תלויה ככל האפשר במערכת המארחת, ובכך הופכת את הקבצים הבינאריים לניתנים לשחזור. + +## הפצות ממוקדות אנונימיות + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** מבוסס על [Kicksecure](https://www.whonix.org/wiki/Kicksecure), מזלג ממוקד אבטחה של דביאן. מטרתו לספק פרטיות, אבטחה ואנונימיות באינטרנט. כדאי להשתמש ב - Whonix בשילוב עם [Qubes OS](# qubes- os). 
+ + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix אמור לפעול כמו שתי מכונות וירטואליות: "תחנת עבודה" ו "שער" Tor כל התקשורת מתחנת העבודה חייבת לעבור דרך שער טור. משמעות הדבר היא כי גם אם תחנת העבודה נפגעת על ידי תוכנות זדוניות מסוג כלשהו, כתובת ה - IP האמיתית נשארת מוסתרת. + +חלק מהתכונות כוללות בידוד Tor Stream, אנונימיזציה של [הקשות](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [החלפה מוצפנת](https://github.com/Whonix/swap-file-creator), והקצאת זיכרון מוקשה. + +גירסאות עתידיות של Whonix יכללו ככל הנראה [מדיניות AppArmor מערכת מלאה](https://github.com/Whonix/apparmor-profile-everything) ו [משגר יישום ארגז חול](https://www.whonix.org/wiki/Sandbox-app-launcher) כדי להגביל באופן מלא את כל התהליכים במערכת. + +Whonix הוא הטוב ביותר בשימוש [בשילוב עם Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes - Whonix יש [חסרונות שונים](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) בהשוואה hypervisors אחרים. + +### Tails + +!!! recommendation + + ![Tails לוגו](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** היא מערכת הפעלה חיה המבוססת על דביאן המנתבת את כל התקשורת דרך Tor, שיכולה לאתחל כמעט כל מחשב מ - DVD, מקל USB או התקנת כרטיס SD. הוא משתמש ב - [Tor](tor.md) כדי לשמור על פרטיות ואנונימיות תוך עקיפת הצנזורה, והוא אינו מותיר עקבות של עצמו במחשב שבו הוא נמצא בשימוש לאחר שהוא כבוי. 
+ + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails הוא נהדר עבור זיהוי פלילי נגדי עקב אמנזיה (כלומר שום דבר לא נכתב לדיסק); עם זאת, זו אינה התפלגות קשוחה כמו ווניקס. היא חסרה תכונות אנונימיות ואבטחה רבות שיש ל - Whonix ומתעדכנת בתדירות נמוכה בהרבה (רק אחת לשישה שבועות). מערכת Tails כי הוא נפגע על ידי תוכנות זדוניות עשוי לעקוף את פרוקסי שקוף המאפשר למשתמש להיות deanonymized. + +Tailsכולל[uBlock Origin](desktop-browsers.md#ublock-origin) בדפדפן Tor כברירת מחדל, מה שעשוי להקל על יריבים למשתמשים בזנבות טביעות אצבע. [Whonix](desktop.md#whonix) מכונות וירטואליות עשויות להיות יותר חסינות מפני דליפות, אך הן אינן אמנזיה, כלומר ניתן לשחזר נתונים ממכשיר האחסון שלך. + +על ידי עיצוב, Tails נועד לאפס את עצמו לחלוטין לאחר כל אתחול מחדש. ניתן להגדיר [אחסון קבוע](https://tails.boum.org/doc/first_steps/persistence/index.en.html) מוצפן כדי לאחסן נתונים מסוימים בין אתחולים מחדש. + +## הפצות ממוקדות אבטחה + +### Qubes OS + +!!! recommendation + + ![לוגו של מערכת ההפעלה Qubes ]( assets/img/qubes/qubes_os.svg){ align=right } + + **מערכת ההפעלה Qubes** היא מערכת הפעלה בקוד פתוח שנועדה לספק אבטחה חזקה למחשוב שולחני. Qubes מבוססת על Xen, מערכת החלונות X ולינוקס, ויכולה להריץ את רוב יישומי לינוקס ולהשתמש ברוב מנהלי ההתקן של לינוקס. 
+ + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=תיעוד } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=לתרומה } + +Qubes OS היא מערכת הפעלה מבוססת Xen שנועדה לספק אבטחה חזקה למחשוב שולחני באמצעות מכונות וירטואליות מאובטחות (VMs), הידוע גם בשם *Qubes*. + +מערכת ההפעלה Qubes מאבטחת את המחשב על ידי בידוד תת - מערכות (למשל, רשת, USB וכו ') ויישומים ב - VMs נפרדים. אם חלק אחד של המערכת נפגע, הבידוד הנוסף עשוי להגן על שאר המערכת. לפרטים נוספים ראו Qubes [FAQ](https://www.qubes-os.org/faq/). + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +מערכות ההפעלה המומלצות שלנו: + +- זה חייב להיות קוד פתוח. +- חייבים לקבל עדכוני תוכנה וליבת לינוקס באופן קבוע. +- הפצות לינוקס חייבות לתמוך ב[Wayland](os/linux-overview.md#Wayland). +- חייב לתמוך בהצפנה בדיסק מלא במהלך ההתקנה. 
+- אין להקפיא מהדורות רגילות במשך יותר משנה. [איננו ממליצים](os/linux-overview.md#release-cycle) על מהדורות distro "תמיכה לטווח ארוך" או "יציבה" לשימוש בשולחן העבודה. +- חייב לתמוך במגוון רחב של חומרה. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/dns.md b/i18n/he/dns.md new file mode 100644 index 00000000..355763f5 --- /dev/null +++ b/i18n/he/dns.md @@ -0,0 +1,142 @@ +--- +title: "פותרי DNS" +icon: material/dns +--- + +!!! question "האם להשתמש ב - DNS מוצפן?" + + יש להשתמש ב-DNS מוצפן עם שרתי צד שלישי רק כדי לעקוף [חסימת DNS](https://en.wikipedia.org/wiki/DNS_blocking) בסיסית כאשר אתה יכול להיות בטוח שלא יהיו לכך השלכות. DNS מוצפן לא יעזור לך להסתיר את פעילות הגלישה שלך. + + [למידע נוסף על DNS](advanced/dns-overview.md){ .md-button } + +## ספקים מומלצים + +| ספקי DNS | מדיניות פרטיות | פרוטוקולים | תיעוד לוגים | ECS | סינון | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------ | -------------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH
DoT
DNSCrypt | חלק[^1] | לא | מבוסס על בחירת שרת. רשימת סינון בשימוש ניתן למצוא כאן. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH
DoT | חלק[^2] | לא | מבוסס על בחירת שרת. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH
DoT
DNSCrypt
DoQ
DoH3 | אופציונאלי[^3] | לא | מבוסס על בחירת שרת. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | לא[^4] | לא | מבוסס על בחירת שרת. רשימת סינון בשימוש ניתן למצוא כאן. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH
DoT | אופציונאלי[^5] | אופציונאלי | מבוסס על בחירת שרת. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | חלק[^6] | אופציונאלי | בהתבסס על בחירת השרת, תוכנות זדוניות חוסמות כברירת מחדל. | + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- חייב לתמוך ב [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [מזעור QNAME](advanced/dns-overview.md#what-is-qname-minimization). +- אפשר ל - [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) להיות מנוטרל +- עדיף [Anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) תמיכה או תמיכה היגוי גיאוגרפי + +## תמיכת מערכת הפעלה מקורית + +### אנדרואיד + +אנדרואיד 9 ומעלה תומכת ב-DNS דרך TLS. ניתן למצוא את ההגדרות ב: **הגדרות** → **רשת & אינטרנט** → **פרטי DNS**. + +### מוצרי Apple + +הגרסאות האחרונות של iOS, iPadOS, tvOS ו-macOS, תומכות הן ב-DoT והן ב-DoH. שני הפרוטוקולים נתמכים באופן מקורי באמצעות [פרופילי תצורה](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) או דרך [ממשק API להגדרות DNS](https://developer.apple.com/documentation/networkextension/dns_settings). + +לאחר התקנה של פרופיל תצורה או אפליקציה המשתמשת ב-API של הגדרות DNS, ניתן לבחור את תצורת ה-DNS. אם VPN פעיל, הרזולוציה בתוך מנהרת ה-VPN תשתמש בהגדרות ה-DNS של ה-VPN ולא בהגדרות כלל המערכת שלך. + +#### פרופילים חתומים + +Apple אינה מספקת ממשק מקורי ליצירת פרופילי DNS מוצפנים. 
[יוצר פרופיל DNS מאובטח](https://dns.notjakob.com/tool.html) הוא כלי לא רשמי ליצירת פרופילי DNS מוצפנים משלך, אולם הם לא ייחתמו. פרופילים חתומים מועדפים; החתימה מאמתת את מקור הפרופיל ומסייעת להבטיח את שלמות הפרופילים. תווית "מאומת" ירוקה ניתנת לפרופילי תצורה חתומים. לקבלת מידע נוסף על חתימת קוד, ראה [אודות חתימת קוד](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **פרופילים חתומים** מוצעים על ידי [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), ו [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info "מידע" + + `systemd-resolved`, שהפצות לינוקס רבות משתמשות בו כדי לבצע את חיפושי ה-DNS שלהם, עדיין לא [תומך ב-DoH](https://github.com/systemd/systemd/issues/8639). אם אתה רוצה להשתמש ב-DoH, תצטרך להתקין פרוקסי כמו [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) ו[להגדיר אותו](https://wiki.archlinux.org/title/Dnscrypt-proxy) כדי לקחת את כל שאילתות ה-DNS מפותר המערכת ולהעביר אותן באמצעות HTTPS. + +## פרוקסי DNS מוצפנים + +תוכנת פרוקסי DNS מוצפנת מספקת פרוקסי מקומי שאליו ניתן להעביר את פותר [ה-DNS הלא מוצפן](advanced/dns-overview.md#unencrypted-dns). בדרך כלל הוא משמש בפלטפורמות שאינן תומכות באופן מקורי [ב-DNS מוצפן](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! recommendation + + ![RethinkDNS לוגו](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS לוגו](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** הוא לקוח אנדרואיד בקוד פתוח התומך ב [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) ו-DNS Proxy יחד עם שמירה במטמון של תגובות DNS, רישום מקומי של שאילתות DNS וניתן להשתמש בהם גם בתור חומת אש. 
+ + [:octicons-home-16: דף הבית](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy לוגו](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** הוא פרוקסי DNS עם תמיכה ב-[DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https -doh), ו-[DNS אנונימי](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "תכונת ה-DNS האנונימית עושה [**לא**](advanced/dns-overview.md#why-shouldn't-i-use-encrypted-dns) אנונימית לתעבורת רשת אחרת." + + [:octicons-repo-16: מאגר](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## פתרונות אירוח עצמי + +פתרון DNS שמתארח בעצמו שימושי לאספקת סינון בפלטפורמות מבוקרות, כגון טלוויזיות חכמות והתקני IoT אחרים, מכיוון שאין צורך בתוכנה בצד הלקוח. + +### AdGuard Home + +!!! 
recommendation + + ![AdGuard Home לוגו](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** הוא קוד פתוח [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) שמשתמש ב[סינון DNS](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) כדי לחסום תוכן אינטרנט לא רצוי, כגון פרסומות. + + AdGuard Home כולל ממשק אינטרנט משופשף כדי להציג תובנות ולנהל תוכן חסום. + + [:octicons-home-16: דף הבית](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="קוד מקור" } + +### Pi-hole + +!!! recommendation + + ![Pi-hole לוגו](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** הוא קוד פתוח [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) שמשתמש ב[סינון DNS](https://www.cloudflare.com/learning/access -management/what-is-dns-filtering/) כדי לחסום תוכן אינטרנט לא רצוי, כגון פרסומות. + + Pi-hole מיועד להתארח ב-Raspberry Pi, אך הוא אינו מוגבל לחומרה כזו. התוכנה כוללת ממשק אינטרנט ידידותי כדי להציג תובנות ולנהל תוכן חסום. + + [:octicons-home-16: דף הבית](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=לתרומה } + +--8<-- "includes/abbreviations.he.txt" + +[^1]: AdGuard מאחסן מדדי ביצועים מצטברים של שרתי ה-DNS שלהם, כלומר מספר הבקשות המלאות לשרת מסוים, מספר הבקשות החסומות ומהירות עיבוד הבקשות. הם גם שומרים ומאחסנים את מסד הנתונים של הדומיינים שהתבקשו ב-24 השעות האחרונות. 
"אנחנו צריכים את המידע הזה כדי לזהות ולחסום עוקבים ואיומים חדשים." "אנחנו גם מתעדים כמה פעמים גשש זה או אחר נחסם. אנחנו צריכים את המידע הזה כדי להסיר את הכללים המיושנים מהמסננים שלנו." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare אוספת ומאחסנת רק את נתוני שאילתת ה-DNS המוגבלים שנשלחים לפותר 1.1.1.1. שירות הפותר 1.1.1.1 אינו רושם נתונים אישיים, וחלק הארי של נתוני השאילתות המוגבלים שאינם ניתנים לזיהוי אישי מאוחסן למשך 25 שעות בלבד. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D רק מתעדים עבור פותרי Premium עם פרופילי DNS מותאמים אישית. פותרים חינמיים אינם רושמים נתונים. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: שירות ה-DNS של Mullvad זמין הן למנויים והן ללא מנויים של Mullvad VPN. מדיניות הפרטיות שלהם טוענת במפורש שהם לא רושמים בקשות DNS בשום צורה. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS יכול לספק תובנות ותכונות רישום על בסיס הסכמה. אתה יכול לבחור זמני שמירה ומיקומי אחסון ביומן עבור כל יומן שתבחר לשמור. אם זה לא מתבקש במיוחד, לא נרשמים נתונים. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 אוספת חלק מהנתונים למטרות ניטור ותגובה של איומים. לאחר מכן ניתן לערבב מחדש את הנתונים הללו ולשתף אותם, למשל לצורך מחקר אבטחה. Quad9 אינה אוספת או מתעדת כתובות IP או נתונים אחרים שלדעתם ניתנים לזיהוי אישי. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/he/email-clients.md b/i18n/he/email-clients.md new file mode 100644 index 00000000..5a63a34d --- /dev/null +++ b/i18n/he/email-clients.md 
@@ -0,0 +1,239 @@ +--- +title: "לקוחות אימייל" +icon: material/email-open +--- + +רשימת ההמלצות שלנו מכילה לקוחות אימייל התומכים הן ב[OpenPGP](encryption.md#openpgp) והן באימות חזק כגון [הרשאת פתוחה ](https://en.wikipedia.org/wiki/OAuth)(OAuth). OAuth מאפשר לך להשתמש ב - [אימות רב - גורמי](basics/multi-factor-authentication.md) ולמנוע גניבת חשבון. + +??? warning "אימייל אינו מספק סודיות העברה" + + בעת שימוש בטכנולוגיית הצפנה מקצה לקצה (E2EE) כמו OpenPGP, לאימייל עדיין יהיו [כמה מטא נתונים](email.md#email-metadata-overview) שאינם מוצפנים בכותרת האימייל. + + OpenPGP גם לא תומך ב[סודיות העברה](https://en.wikipedia.org/wiki/Forward_secrecy), כלומר אם המפתח הפרטי שלך או של הנמען ייגנב אי פעם, כל ההודעות הקודמות שהוצפנו איתו ייחשפו: [ כיצד אוכל להגן על המפתחות הפרטיים שלי?](basics/email-security.md) שקול להשתמש באמצעי המספק סודיות קדימה: + + [תקשורת בזמן אמת](real-time-communication.md){ .md-button } + +## חוצה פלטפורמות + +### Thunderbird + +!!! recommendation + + ![Thunderbird לוגו](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** הוא לקוח חינמי, קוד פתוח, חוצה פלטפורמות אימייל, קבוצת דיון, עדכון חדשות וצ'אט (XMPP, IRC, Twitter) שפותח על ידי קהילת Thunderbird, ולפני כן על ידי קרן Mozilla. + + [:octicons-home-16: דף הבית](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="מדינות פרטיות" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=תיעוד} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="קוד מקור" } + + ??? 
downloads "הורדות" + + - [:simple-windows11: ווינדוס](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: לינקוס](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### תצורה מומלצת + +מומלץ לשנות חלק מהגדרות אלה כדי להפוך את Thunderbird לפרטי יותר. + +ניתן למצוא אפשרויות אלה ב - :material-menu: ← **הגדרות** ← **פרטיות & אבטחה**. + +##### תוכן אינטרנט + +- [ ] בטל את הסימון **זכור אתרים וקישורים שביקרתי** +- [ ] בטל את הסימון של **קבל קובצי Cookie מאתרים** + +##### טלמטריה + +- [ ] בטל את הסימון **אפשר ל - Thunderbird לשלוח נתונים טכניים ונתוני אינטראקציה ל - Mozilla** + +#### Thunderbird-user.js (מתקדם) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), היא קבוצה של אפשרויות תצורה שמטרתה להשבית כמה שיותר מתכונות הגלישה באינטרנט בתוך Thunderbird על מנת להקטין את שטח הפנים ולשמור על פרטיות. חלק מהשינויים הם backported מפרויקט [Arkenfox](https://github.com/arkenfox/user.js). + +## ספציפית לפלטפורמה + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail לוגו](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** כלול ב-macOS וניתן להרחיב אותו כך שתהיה לו תמיכה ב-OpenPGP עם [GPG Suite](encryption.md#gpg-suite), אשר מוסיפה את היכולת לשלוח מייל מוצפן PGP. + + [:octicons-home-16: דף הבית](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=תיעוד} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail לוגו](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** הוא לקוח אימייל בתשלום שנועד להפוך את ההצפנה מקצה לקצה לחלקה עם תכונות אבטחה כגון נעילת אפליקציה ביומטרית. 
+ + [:octicons-home-16: דף הבית](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=תיעוד} + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning "אזהרה" + + Canary Mail הוציאה רק לאחרונה לקוח של Windows ואנדרואיד, אם כי אנחנו לא מאמינים שהם יציבים כמו עמיתיהם של iOS ו-Mac. + +Canary Mail הוא קוד סגור. אנו ממליצים על זה בגלל האפשרויות המעטות שיש עבור לקוחות אימייל ב-iOS התומכים ב-PGP E2EE. + +### FairEmail (אנדרואיד) + +!!! recommendation + + ![FairEmail לוגו](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** היא אפליקציית אימייל מינימלית בקוד פתוח, המשתמשת בסטנדרטים פתוחים (IMAP, SMTP, OpenPGP) עם צריכת נתונים וסוללה נמוכה. + + [:octicons-home-16: דף הבית](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution לוגו](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** הוא יישום לניהול מידע אישי המספק פונקציונליות משולבת של דואר, לוחות שנה ופנקס כתובות. 
ל-Evolution יש [תיעוד](https://help.gnome.org/users/evolution/stable/) נרחב שיעזור לך להתחיל. + + [:octicons-home-16: דף הבית](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=תיעוד} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K -9 Mail (אנדרואיד) + +!!! recommendation + + ![K-9 Mail לוגו](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** היא אפליקציית מייל עצמאית התומכת גם בתיבות דואר POP3 וגם IMAP, אך תומכת רק בדואר דואר עבור IMAP. + + בעתיד, K-9 Mail יהיה [המותג הרשמי](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) לקוח Thunderbird עבור אנדרואיד. + + [:octicons-home-16: דף הבית](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning "אזהרה" + + כשמשיבים למישהו ברשימת תפוצה, אפשרות ה"תשובה" עשויה לכלול גם את רשימת התפוצה. למידע נוסף ראה [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! 
recommendation + + ![Kontact לוגו](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** הוא יישום מנהל מידע אישי (PIM) מפרויקט [KDE](https://kde.org). הוא מספק לקוח מייל, פנקס כתובות, מארגן ולקוח RSS. + + [:octicons-home-16: דף הבית](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=תיעוד} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (דפדפן) + +!!! recommendation + + ![Mailvelope לוגו](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** היא תוסף דפדפן המאפשר החלפת מיילים מוצפנים בהתאם לתקן ההצפנה OpenPGP. + + [:octicons-home-16: דף הבית](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt לוגו](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** הוא קורא דואר שורת פקודה בקוד פתוח (או MUA) עבור לינוקס ו-BSD. 
זה מזלג של [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) עם תכונות נוספות. + + NeoMutt הוא לקוח מבוסס טקסט שיש לו עקומת למידה תלולה. עם זאת, זה מאוד להתאמה אישית. + + [:octicons-home-16: דף הבית](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +### כישורים מינימליים + +- יישומים שפותחו עבור מערכות הפעלה בקוד פתוח חייבים להיות קוד פתוח. +- לא יכול לאסוף טלמטריה, או שיש דרך קלה להפוך את כל הטלמטריה ללא זמינה. +- חייב לתמוך בהצפנת הודעות OpenPGP. + +### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- זה צריך להיות קוד פתוח. +- צריך להיות חוצה פלטפורמות. +- אינו אוסף טלמטריה כברירת מחדל. +- צריך לתמוך ב - OpenPGP באופן מקורי, כלומר ללא הרחבות. 
+- יש לתמוך באחסון הודעות דואר אלקטרוני מוצפנות של OpenPGP באופן מקומי.
+
+--8<-- "includes/abbreviations.he.txt"
diff --git a/i18n/he/email.md b/i18n/he/email.md
new file mode 100644
index 00000000..e88b2683
--- /dev/null
+++ b/i18n/he/email.md
@@ -0,0 +1,485 @@ +--- +title: "שירותי אימייל" +icon: material/email +--- + +אימייל הוא למעשה הכרח לשימוש בכל שירות מקוון, אולם איננו ממליצים עליו לשיחות מאדם לאדם. דואר אלקטרוני הוא למעשה הכרח שימוש בכל שירות מקוון, אולם איננו ממליצים עליו לשיחות מאדם לאדם. + +[מסנג'רים (הודעות מיידיות) מומלצות](real-time-communication.md ""){.md-button} + +לכל השאר, אנו ממליצים על מגוון ספקי דוא"ל המבוססים על מודלים עסקיים ברי קיימא ותכונות אבטחה ופרטיות מובנות. + +## ספקי דוא"ל מומלצים + +ספקים אלה תומכים באופן מקורי בהצפנה/פענוח של OpenPGP, ומאפשרים הודעות דוא"ל E2EE שאינן תלויות בספק. לדוגמה, משתמש Proton Mail יכול לשלוח הודעת E2EE למשתמש Mailbox.org, או שאתה יכול לקבל התראות מוצפנות OpenPGP משירותי אינטרנט התומכים בכך. + +!!! warning "אזהרה" + + בעת שימוש בטכנולוגיית E2EE כמו OpenPGP, לדוא"ל עדיין יהיו כמה מטא נתונים שאינם מוצפנים בכותרת האימייל. קרא עוד על [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP גם אינו תומך בסודיות קדימה, מה שאומר שאם המפתח הפרטי שלך או של הנמען ייגנב אי פעם, כל ההודעות הקודמות שהוצפנו באמצעותו ייחשפו. [איך אני מגן על המפתחות הפרטיים שלי?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail לוגו](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** הוא שירות דואר אלקטרוני עם התמקדות בפרטיות, הצפנה, אבטחה וקלות שימוש. הם פועלים מאז **2013**. Proton AG מבוססת בז'נב, שוויץ. חשבונות מתחילים עם 500 MB אחסון עם התוכנית החינמית שלהם. + + [:octicons-home-16: דף הבית](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="קוד מקור" } + + ??? 
downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +לחשבונות חינמיים יש מגבלות מסוימות, כגון חוסר היכולת לחפש גוף טקסט ואי גישה ל[Proton Mail Bridge](https://proton.me/mail/bridge), אשר נדרש כדי השתמש ב[לקוח אימייל שולחן העבודה המומלץ](email-clients.md) (למשל Thunderbird). חשבונות בתשלום כוללים תכונות כגון Proton Mail Bridge, אחסון נוסף ותמיכה בתחומים מותאמים אישית. [מכתב אישור](https://proton.me/blog/security-audit-all-proton-apps) סופק עבור האפליקציות של Proton Mail ב-9 בנובמבר 2021 על ידי [Securitum](https://research.securitum.com). + +אם יש לך תוכנית Proton Unlimited, Business או Visionary, אתה גם מקבל [SimpleLogin](#simplelogin) פרימיום בחינם. + +ל-Proton Mail יש דוחות קריסה פנימיים שהם **לא** חולקים עם צדדים שלישיים. ניתן להשבית אפשרות זו ב: **הגדרות** > **עבור אל הגדרות** > **חשבון** > **אבטחה ופרטיות** > **שלח דוחות קריסה**. + +??? success "דומיינים וכינויים מותאמים אישית" + + מנויי Proton Mail בתשלום יכולים להשתמש בדומיין משלהם עם השירות או בכתובת [catch-all](https://proton.me/support/catch-all). Proton Mail תומך גם ב[כתובת משנה](https://proton.me/support/creating-aliases), וזה שימושי לאנשים שלא רוצים לרכוש דומיין. + +??? success "שיטות תשלום פרטיות" + + Proton Mail [accepts](https://proton.me/support/payment-options) ביטקוין ומזומן בדואר בנוסף לכרטיסי אשראי/חיוב רגילים ותשלומי PayPal. + +??? success "אבטחת חשבון" + + ProtonMail תומך ב - TOTP [אימות דו - שלבי]( https://proton.me/support/two-factor- authentication-2fa) בלבד. 
השימוש במפתח אבטחה U2F עדיין אינו נתמך. ProtonMail מתכננת ליישם את U2F עם השלמת הקוד [Single Sign On (SSO)]( https://reddit.com/comments/cheoy6/comment/feh2lw0/) שלהם. + +??? success "אבטחת מידע" + + ל - Proton Mail יש [הצפנת אפס גישה](https://proton.me/blog/zero-access-encryption) ב - מנוחה עבור המיילים שלך ו - [calendars](https://proton.me/news/protoncalendar-security-model). נתונים המאובטחים באמצעות הצפנת אפס גישה נגישים רק לך. + + מידע מסוים המאוחסן ב-[Proton Contacts](https://proton.me/support/proton-contacts), כגון שמות תצוגה וכתובות דוא"ל, אינו מאובטח באמצעות הצפנת אפס גישה. שדות אנשי קשר התומכים בהצפנת אפס גישה, כגון מספרי טלפון, מסומנים בסמל מנעול. + +??? success "הצפנת אימייל" + + ל-Proton Mail יש [הצפנת OpenPGP משולבת](https://proton.me/support/how-to-use-pgp) בדואר האינטרנט שלהם. אימיילים לחשבונות Proton Mail אחרים מוצפנים באופן אוטומטי, וניתן להפעיל הצפנה לכתובות שאינן פרוטון מייל עם מפתח OpenPGP בקלות בהגדרות החשבון שלך. הם גם מאפשרים לך [להצפין הודעות לכתובות שאינן פרוטון מייל](https://proton.me/support/password-protected-emails) ללא צורך בהרשמה לחשבון Proton Mail או להשתמש בתוכנה כמו OpenPGP. + + Proton Mail תומך גם בגילוי מפתחות ציבוריים באמצעות HTTP מ-[מדריך מפתחות אינטרנט (WKD)](https://wiki.gnupg.org/WKD) שלהם. זה מאפשר לאנשים שאינם משתמשים ב-Proton Mail למצוא בקלות את מפתחות OpenPGP של חשבונות Proton Mail, עבור E2EE חוצה ספקים. + +??? warning "מורשת דיגיטלית" + + Proton Mail אינו מציע תכונה מורשת דיגיטלית. + +??? info "סיום חשבון" + + אם יש לך חשבון בתשלום ו[החשבון לא שולם](https://proton.me/support/delinquency) לאחר 14 יום, לא תוכל לגשת לנתונים שלך. לאחר 30 יום, החשבון שלך יהפוך לבלתי פעיל ולא יקבל דואר נכנס. אתה תמשיך להיות מחויב במהלך תקופה זו. + +??? info "פונקציונליות נוספת" + + Proton Mail מציע חשבון "ללא הגבלה" במחיר של €9.99/חודש, המאפשר גם גישה ל-Proton VPN בנוסף לאספקת מספר חשבונות, דומיינים, כינויים ושטח אחסון של 500GB. + +### Mailbox.org + +!!! 
recommendation + + ![Mailbox.org לוגו](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** הוא שירות דוא"ל עם התמקדות בלהיות מאובטח, ללא פרסומות ומופעל באופן פרטי על ידי 100% אנרגיה ידידותית לסביבה. הם פועלים מאז 2014. Mailbox.org ממוקם בברלין, גרמניה. חשבונות מתחילים בנפח אחסון של 2 ג'יגה-בייט, שניתן לשדרג לפי הצורך. + + [:octicons-home-16: דף הבית](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=תיעוד} + + ??? downloads "הורדות" + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +??? success "דומיינים וכינויים מותאמים אישית" + + Mailbox.org מאפשר לך להשתמש בתחום משלך, והם תומכים בכתובות [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain). Mailbox.org תומך גם ב-[subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), וזה שימושי אם אינך רוצה לרכוש דומיין. + +??? info "שיטות תשלום פרטיות" + + Mailbox.org אינה מקבלת ביטקוין או כל מטבע קריפטוגרפי אחר כתוצאה מכך שמעבד התשלומים שלהם BitPay משעה את פעילותו בגרמניה. עם זאת, הם מקבלים מזומן בדואר, תשלום במזומן לחשבון בנק, העברה בנקאית, כרטיס אשראי, PayPal וכמה מעבדים ספציפיים לגרמנית: paydirekt ו- Sofortüberweisung. + +??? success "אבטחת חשבון" + + Mailbox.org תומך ב-[אימות דו-שלבי](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) עבור דואר האינטרנט שלהם בלבד. אתה יכול להשתמש ב-TOTP או ב [Yubikey](https://en.wikipedia.org/wiki/YubiKey) דרך [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). תקני אינטרנט כגון [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) עדיין אינם נתמכים. + +??? info "אבטחת מידע" + + Mailbox.org מאפשר הצפנה של דואר נכנס באמצעות [תיבת הדואר המוצפנת](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox) שלהם. 
הודעות חדשות שתקבל יוצפנו באופן מיידי באמצעות המפתח הציבורי שלך. + + עם זאת, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), פלטפורמת התוכנה המשמשת Mailbox.org, [אינה תומכת](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) בהצפנה של פנקס הכתובות ולוח השנה שלך. [אפשרות עצמאית](calendar.md) עשויה להתאים יותר למידע זה. + +??? success "הצפנת אימייל" + + יש Mailbox.org [הצפנה משולבת](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard)בדואר האינטרנט שלהם, מה שמפשט את שליחת ההודעות לאנשים עם מפתחות OpenPGP ציבוריים. הם גם מאפשרים [לנמענים מרוחקים לפענח דוא"ל](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) בשרתים של Mailbox.org. תכונה זו שימושית כאשר לנמען המרוחק אין OpenPGP ואין באפשרותו לפענח עותק של הדואר האלקטרוני בתיבת הדואר שלו. + + Mailbox.org תומך גם בגילוי מפתחות ציבוריים באמצעות HTTP מספריית [מפתח האינטרנט (WKD)](https://wiki.gnupg.org/WKD). זה מאפשר לאנשים מחוץ Mailbox.org למצוא את מפתחות OpenPGP של חשבונות Mailbox.org בקלות, עבור E2EE חוצה ספקים. + +??? success "מורשת דיגיטלית" + + Mailbox.org כולל תכונת מורשת דיגיטלית לכל התוכניות. אתה יכול לבחור אם אתה רוצה שכל הנתונים שלך יועברו ליורשים בתנאי שהם חלים ומספקים את הצוואה שלך. לחלופין, ניתן למנות אדם לפי שם וכתובת. + +??? info "סיום חשבון" + + החשבון שלך יוגדר לחשבון משתמש מוגבל כאשר החוזה שלך יסתיים, לאחר [30 יום הוא יימחק באופן בלתי הפיך](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +??? info "פונקציונליות נוספת" + + אתה יכול לגשת לחשבון Mailbox.org שלך באמצעות IMAP / SMTP באמצעות[.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). עם זאת, לא ניתן לגשת לממשק דואר האינטרנט שלהם באמצעות שירות.onion שלהם ואתה עלול להיתקל בשגיאות אישור TLS. + + כל החשבונות מגיעים עם שטח אחסון מוגבל בענן ש[ניתן להצפין](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). 
Mailbox.org מציע גם את הכינוי [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), אשר אוכף את הצפנת TLS על החיבור בין שרתי דואר, אחרת ההודעה לא תישלח כלל. Mailbox.org תומך גם ב-[Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) בנוסף לפרוטוקולי גישה סטנדרטיים כגון IMAP ו-POP3. + +### StartMail + +!!! recommendation + + ![StartMail לוגו](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail לוגו](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + ** StartMail ** הוא שירות דואר אלקטרוני עם דגש על אבטחה ופרטיות באמצעות הצפנת OpenPGP סטנדרטית. StartMail פועלת מאז 2014 וממוקמת בBoulevard 11, Zeist הולנד. החשבון מתחיל עם 10GB. הם מציעים תקופת ניסיון של 30 יום. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=תיעוד} + + ??? downloads "הורדות" + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +??? success "דומיינים וכינויים מותאמים אישית" + + חשבונות אישיים יכולים להשתמש בכינויים [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases). [דומיינים מותאמים אישית](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) זמינים גם כן. + +??? warning "שיטות תשלום פרטיות" + + StartMail מקבלת ויזה, מאסטרקארד, אמריקן אקספרס ו - Paypal. ל - StartMail יש גם [אפשרויות תשלום] אחרות (https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) כגון Bitcoin (כרגע רק עבור חשבונות אישיים) ו - SEPA Direct Debit עבור חשבונות ישנים יותר משנה. + +??? success "אבטחת חשבון" + + StartMail תומך באימות דו-גורמי TOTP [עבור דואר אינטרנט בלבד](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). הם אינם מאפשרים אימות מפתח אבטחה U2F. + +??? 
info "אבטחת מידע" + + ל - StartMail יש [הצפנת אפס גישה במנוחה](https://www.startmail.com/en/whitepaper/#_Toc458527835), באמצעות מערכת "כספת המשתמש" שלהם. כאשר אתה נכנס, הכספת נפתחת, ולאחר מכן הדואר האלקטרוני מועבר לכספת מחוץ לתור, שם הוא מפוענח על-ידי המפתח הפרטי המתאים. + + StartMail תומך בייבוא [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) עם זאת, הם נגישים רק בדואר האינטרנט ולא באמצעות פרוטוקולים כגון [CalDAV](https://en.wikipedia.org/wiki/CalDAV). אנשי קשר גם אינם מאוחסנים באמצעות הצפנת אפס ידע, כך ש[אפשרות עצמאית](calendar.md) עשויה להיות מתאימה יותר. + +??? success "הצפנת אימייל" + + ל-StartMail יש [הצפנה משולבת](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) בדואר האינטרנט שלהם, מה שמפשט את שליחת הודעות מוצפנות עם מפתחות OpenPGP ציבוריים. + +??? warning "מורשת דיגיטלית" + + StartMail אינו מציע תכונה דיגיטלית מדור קודם. + +??? info "סיום חשבון" + + עם פקיעת תוקף החשבון, StartMail ימחק את חשבונך לצמיתות לאחר [6 חודשים בשלושה שלבים](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +??? info "פונקציונליות נוספת" + + StartMail מאפשר פרוקסי של תמונות בתוך הודעות דוא"ל. אם תאפשרו את טעינת התמונה המרוחקת, השולח לא יידע מהי כתובת ה-IP שלכם. + +## עוד ספקים + +ספקים אלה מאחסנים את המיילים שלך עם הצפנת אפס ידע, מה שהופך אותם לאפשרויות נהדרות לשמירה על אבטחת המיילים המאוחסנים שלך. עם זאת, הם אינם תומכים בתקני הצפנה הניתנים להפעלה הדדית עבור תקשורת E2EE בין ספקים. + +### Tutanota + +!!! recommendation + + ![Tutanota לוגו](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** הוא שירות דוא"ל עם דגש על אבטחה ופרטיות באמצעות הצפנה. Tutanota פועלת מאז **2011** ובסיסה בהנובר, גרמניה. חשבונות מתחילים עם שטח אחסון של 1GB עם התוכנית החינמית שלהם. 
+ + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota אינה משתמשת בפרוטוקול [IMAP](https://tutanota.com/faq/#imap) או בשימוש של [לקוחות דואר אלקטרוני של צד שלישי](email-clients.md), וגם לא תוכל להוסיף [חשבונות דואר אלקטרוני חיצוניים](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) לאפליקציית Tutanota. לא [ייבוא דוא"ל](https://github.com/tutao/tutanota/issues/630) או [תיקיות משנה](https://github.com/tutao/tutanota/issues/927) נתמכים כעת, אם כי זה [בשל להיות שונה](https://tutanota.com/blog/posts/kickoff-import). הודעות דוא"ל ניתן לייצא [בנפרד או על ידי בחירה בכמות גדולה](https://tutanota.com/howto#generalMail) לכל תיקייה, דבר שעלול להיות לא נוח אם יש לך תיקיות רבות. + +??? success "דומיינים וכינויים מותאמים אישית" + + חשבונות Tutanota בתשלום יכולים להשתמש עד 5 [aliases](https://tutanota.com/faq#alias) ו [דומיינים מותאמים אישית](https://tutanota.com/faq#custom-domain). Tutanota אינה מאפשרת [כתובות משנה (בתוספת כתובות)](https://tutanota.com/faq#plus), אך באפשרותך להשתמש ב-[catch-all](https://tutanota.com/howto#settings-global) עם דומיין מותאם אישית. 
+ +??? warning "שיטות תשלום פרטיות" + + Tutanota מקבלת רק כרטיסי אשראי PayPal ישירות, אולם ניתן להשתמש בביטקוין ובמונרו לרכישת כרטיסי מתנה באמצעות [partnership](https://tutanota.com/faq/#cryptocurrency) שלהם עם Proxystore. + +??? success "אבטחת חשבון" + + Tutanota תומך ב[אימות דו-גורמי](https://tutanota.com/faq#2fa) עם TOTP או U2F. + +??? success "אבטחת מידע" + + ל-Tutanota יש [הצפנת אפס גישה במנוחה](https://tutanota.com/faq#what-encrypted) עבור הודעות הדוא"ל שלך, [אנשי קשר מפנקס הכתובות](https://tutanota.com/faq#encrypted-address-book), ו [calendars](https://tutanota.com/faq#calendar). משמעות הדבר היא שההודעות ונתונים אחרים המאוחסנים בחשבונך ניתנים לקריאה רק על ידך. + +??? warning "הצפנת אימייל" + + Tutanota [אינו משתמש ב- OpenPGP](https://www.tutanota.com/faq/#pgp). חשבונות Tutanota יכולים לקבל הודעות דוא"ל מוצפנות מחשבונות דוא"ל שאינם Tutanota רק כאשר הם נשלחים באמצעות [תיבת דואר זמנית של Tutanota](https://www.tutanota.com/howto/#encrypted-email-external). + +??? warning "מורשת דיגיטלית" + + Tutanota לא מציעה פיצ'ר מורשת דיגיטלית. + +??? info "סיום חשבון" + + Tutanota [מחק חשבונות לא פעילים בחינם](https://tutanota.com/faq#inactive-accounts) לאחר שישה חודשים. אם ברצונך לשלם, באפשרותך להשתמש שוב בחשבון חינמי שהושבת. + +??? info "פונקציונליות נוספת" + + Tutanota מציעה את הגרסה העסקית של [Tutanota לארגונים ללא כוונת רווח](https://tutanota.com/blog/posts/secure-email-for-non-profit) בחינם או בהנחה כבדה. + + ל-Tutanota יש גם פיצ'ר עסקי שנקרא [חיבור מאובטח](https://tutanota.com/secure-connect/). זה מבטיח שיצירת קשר עם הלקוח לעסק משתמשת ב- E2EE. התכונה עולה 240 אירו לשנה. + +## שירותי כינוי דוא"ל + +שירות כינוי דוא"ל מאפשר לך ליצור בקלות כתובת דוא"ל חדשה עבור כל אתר שאתה נרשם אליו. כינויי הדואר האלקטרוני שאתה יוצר מועברים לאחר מכן לכתובת דוא"ל שתבחר, תוך הסתרת כתובת הדוא"ל "הראשית" שלך וגם זהות ספק הדוא"ל שלך. 
כינוי דוא"ל אמיתי טוב יותר מאשר כתובת פלוס הנפוצה בשימוש ונתמך על ידי ספקים רבים, מה שמאפשר לך ליצור כינויים כמו yourname+[anythinghere]@example.com, מכיוון שאתרים, מפרסמים ורשתות מעקב יכולים להסיר כל דבר לאחר סימן + כדי לדעת את כתובת הדוא"ל האמיתית שלך. + +כינוי דוא"ל יכול לשמש כהגנה למקרה שספק הדוא"ל שלך יפסיק לפעול. בתרחיש זה, באפשרותך לנתב מחדש בקלות את הכינויים שלך לכתובת דואר אלקטרוני חדשה. עם זאת, אתה נותן אמון בשירות הכינוי כדי להמשיך לתפקד. + +שימוש בשירות ייעודי של כינוי דואר אלקטרוני יש גם מספר יתרונות על פני כינוי 'לתפוס-הכל' על תחום מותאם אישית: + +- ניתן להפעיל ולכבות כינויים באופן אישי בעת הצורך, וכך למנוע מאתרי אינטרנט לשלוח לך דוא"ל באופן אקראי. +- התגובות נשלחות מכתובת הכינוי, ומגינות על כתובת הדוא"ל האמיתית שלך. + +תכונות חינמיות בולטות: + +- כינויים הם קבועים וניתן להפעיל אותם שוב אם אתה צריך לקבל משהו כמו איפוס סיסמה. +- הודעות דוא"ל נשלחות לתיבת הדואר המהימנה שלך ולא מאוחסנות על ידי ספק הכינויים. +- שירותי דואר אלקטרוני זמניים בדרך כלל יש תיבות דואר ציבוריות אשר ניתן לגשת על ידי כל מי שמכיר את הכתובת, כינויים פרטיים שלך. + +ההמלצות שלנו לכינוי דוא"ל הן ספקים המאפשרים לך ליצור כינויים בדומיינים שהם שולטים בהם, כמו גם דומיינ(ים) מותאמים אישית משלך תמורת תשלום שנתי צנוע. ניתן גם לארח אותם בעצמך אם אתה רוצה שליטה מקסימלית. עם זאת, שימוש בדומיין מותאם אישית יכול להיות בעל חסרונות הקשורים לפרטיות: אם אתה האדם היחיד המשתמש בדומיין המותאם אישית שלך, ניתן לעקוב בקלות אחר הפעולות שלך באתרי אינטרנט פשוט על ידי הסתכלות על שם הדומיין בכתובת הדוא"ל והתעלמות מכל מה שלפני ה-(@) סימן. + +שימוש בשירות כינויים מחייב לתת אמון הן בספק הדואר האלקטרוני שלך והן בספק הכתובות שלך בהודעות הלא מוצפנות שלך. חלק מהספקים מפחיתים זאת מעט עם הצפנת PGP אוטומטית, שמפחיתה את מספר הצדדים שאתה צריך לסמוך עליהם משניים לאחד על ידי הצפנת הודעות דוא"ל נכנסות לפני שהן נמסרות לספק תיבת הדואר הסופי שלך. + +### AnonAddy + +!!! 
recommendation + + ![AnonAddy לוגו](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy לוגו](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** מאפשרת לך ליצור 20 כינויים של דומיין בדומיין משותף בחינם, או כינויים "סטנדרטיים" ללא הגבלה שהם פחות אנונימיים. + + [:octicons-home-16: דף הבית](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +מספר הכינויים המשותפים (שמסתיימים בדומיין משותף כמו @anonaddy.me) שתוכלו ליצור מוגבל ל-20 בתוכנית החינמית של AnonAddy ול-50 בחבילה החינמית שלהם ב-12 דולר לשנה. אתה יכול ליצור כינויים סטנדרטיים בלתי מוגבלים (שמסתיימים בדומיין כמו @[username].anonaddy.com או דומיין מותאם אישית בתוכניות בתשלום), עם זאת, כאמור, זה יכול להזיק לפרטיות מכיוון שאנשים יכולים לקשור באופן טריוויאלי את הכינויים הסטנדרטיים שלך יחד על סמך שם הדומיין בלבד. כינויים משותפים ללא הגבלה זמינים תמורת $36 לשנה. + +תכונות חינמיות בולטות: + +- [x] 20 כינויים משותפים +- [x] כינויים סטנדרטיים ללא הגבלה +- [ ] אין תגובות יוצאות +- [x] 2 תיבות דואר של נמען +- [x] הצפנת PGP אוטומטית + +### SimpleLogin + +!!! 
recommendation + + ![Simplelogin לוגו](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** הוא שירות חינמי המספק כינויי דוא"ל על מגוון שמות דומיין משותפים, ובאופן אופציונלי מספק תכונות בתשלום כמו כינויים בלתי מוגבלים ודומיינים מותאמים אישית. + + [:octicons-home-16: דף הבית](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin [נרכשה על ידי Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) נכון ל-8 באפריל 2022. אם אתה משתמש ב-Proton Mail עבור תיבת הדואר הראשית שלך, SimpleLogin היא בחירה מצוינת. מכיוון ששני המוצרים נמצאים כעת בבעלות אותה חברה, כעת עליך לסמוך רק על ישות אחת. אנו גם מצפים ש-SimpleLogin תשתלב בצורה הדוקה יותר עם ההיצע של Proton בעתיד. SimpleLogin ממשיכה לתמוך בהעברה לכל ספק דוא"ל שתבחרו. Securitum [ביקרה את SimpleLogin](https://simplelogin.io/blog/security-audit/) בתחילת 2022 וכל הבעיות [טופלו](https://simplelogin.io/audit2022/web.pdf). + +תוכל לקשר את חשבון SimpleLogin שלך בהגדרות עם חשבון Proton שלך. 
אם יש לך את הפרוטון ללא הגבלה, עסקים, או תוכנית חזון, יהיה לך SimpleLogin פרימיום בחינם. + +תכונות חינמיות בולטות: + +- [x] 10 כינויים משותפים +- [x] תשובות ללא הגבלה +- [x] 1 תיבת דואר נמען + +## אימייל לאירוח עצמי + +מנהלי מערכת מתקדמים עשויים לשקול הגדרת שרת דואר אלקטרוני משלהם. שרתי דואר דורשים תשומת לב ותחזוקה שוטפת על מנת לשמור על דברים מאובטחים ועל משלוח דואר אמין. + +### פתרונות תוכנה משולבים + +!!! recommendation + + ![Mailcow לוגו](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** הוא שרת דואר מתקדם יותר המושלם עבור אלה עם קצת יותר ניסיון בלינוקס. יש לו את כל מה שאתה צריך במיכל Docker: שרת דואר עם תמיכה ב- DKIM, ניטור אנטי וירוס וספאם, דואר אינטרנט ו- ActiveSync עם SOGo, וניהול מבוסס אינטרנט עם תמיכה ב- 2FA. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=לתרומה } + +!!! recommendation + + ![Mail-in-a-Box לוגו](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** הוא סקריפט התקנה אוטומטי לפריסת שרת דואר באובונטו. מטרתו היא להקל על אנשים להגדיר שרת דואר משלהם. 
+ + [:octicons-home-16: דף הבית](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="קוד מקור" } + +לגישה ידנית יותר בחרנו את שני המאמרים הבאים: + +- [הגדרת שרת דואר עם OpenSMTPD, Dovecot ו - Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [כיצד להפעיל שרת דואר משלך](https://www.c0ffee.net/blog/mail-server-guide/) (אוגוסט 2017) + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף [לקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה לפני שתבחר ספק דוא"ל, ולערוך מחקר משלך כדי להבטיח שספק הדוא"ל שבחרת הוא הבחירה הנכונה עבורך. + +### טכנולוגיה + +אנו רואים בתכונות אלה חשיבות על מנת לספק שירות בטוח ומיטבי. אתה צריך לשקול אם לספק יש לו את התכונות שאתה צריך. + +**מינימום כדי לעמוד בדרישות:** + +- מצפין נתוני חשבון אימייל במצב מנוחה עם הצפנה ללא גישה. +- יכולת ייצוא כ [Mbox](https://en.wikipedia.org/wiki/Mbox) או .eml בודד עם תקן [RFC5322](https://datatracker.ietf.org/doc/rfc5322/). +- מאפשר למשתמשים להשתמש ב[שם דומיין](https://en.wikipedia.org/wiki/Domain_name) משלהם. שמות דומיין מותאמים אישית חשובים למשתמשים מכיוון שהם מאפשרים להם לתחזק את הסוכנות שלהם מהשירות, אם היא תהפוך לגרועה או תירכש על ידי חברה אחרת שאינה מתעדפת פרטיות. +- פועל על תשתית בבעלות, כלומר לא בנוי על ספקי שירותי דואר אלקטרוני של צד שלישי. + +**המקרה הטוב ביותר:** + +- מצפין את כל נתוני החשבון (אנשי קשר, יומנים וכו') במצב מנוחה עם הצפנה ללא גישה. +- הצפנת דואר אינטרנט משולבת E2EE/PGP מסופקת לנוחיותך. +- תמיכה עבור [WKD](https://wiki.gnupg.org/WKD) כדי לאפשר גילוי משופר של מפתחות OpenPGP ציבוריים באמצעות HTTP. 
משתמשי GnuPG יכולים לקבל מפתח על ידי הקלדה `gpg --locate-key example_user@example.com` +- תמיכה בתיבת דואר זמנית למשתמשים חיצוניים. פעולה זו שימושית כאשר ברצונך לשלוח דוא"ל מוצפן, מבלי לשלוח עותק בפועל לנמען שלך. למיילים אלה יש בדרך כלל תוחלת חיים מוגבלת ולאחר מכן נמחקות אוטומטית. הם גם לא דורשים מהנמען להגדיר שום קריפטוגרפיה כמו OpenPGP. +- זמינות שירותי ספק הדואר האלקטרוני באמצעות [שירות onion](https://en.wikipedia.org/wiki/.onion). +- [תמיכה בתת - כתובת](https://en.wikipedia.org/wiki/Email_address#Subaddressing). +- פונקציונליות של תפוס - הכל או כינוי עבור בעלי דומיינים משלהם. +- שימוש בפרוטוקולי גישה סטנדרטיים למייל כגון IMAP, SMTP או [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). פרוטוקולי גישה סטנדרטיים מבטיחים שלקוחות יכולים להוריד בקלות את כל האימייל שלהם, אם הם רוצים לעבור לספק אחר. + +### פרטיות + +אנו מעדיפים שהספקים המומלצים שלנו יאספו כמה שפחות נתונים. + +**מינימום כדי לעמוד בדרישות:** + +- להגן על כתובת ה - IP של השולח. מסנן אותו כך שלא יוצג בשדה `השולח` header. +- אין צורך במידע המאפשר זיהוי אישי (PII) מלבד שם משתמש וסיסמה. +- מדיניות פרטיות העומדת בדרישות ה - GDPR +- לא מאוחסן בארה"ב עקב [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) שעדיין [ לא עברה רפורמה](https://epic.org/ecpa/). + +**המקרה הטוב ביותר:** + +- מקבל ביטקוין, מזומן וצורות אחרות של מטבעות קריפטוגרפיים ו/או אפשרויות תשלום אנונימיות (כרטיסי מתנה וכו') + +### אבטחה + +שרתי דואר אלקטרוני עוסקים בהרבה מאוד נתונים רגישים. אנו מצפים שהספקים יאמצו שיטות עבודה מומלצות בתעשייה כדי להגן על חבריהם. + +**מינימום כדי לעמוד בדרישות:** + +- הגנה על דואר אינטרנט עם 2FA, כגון TOTP. +- הצפנת אפס גישה, מתבססת על הצפנה במנוחה. לספק אין את מפתחות הפענוח של הנתונים שברשותו. פעולה זו מונעת מעובד שסרח להדליף נתונים שיש לו גישה אליהם או מיריב מרחוק לשחרר נתונים שגנב על ידי השגת גישה בלתי מורשית לשרת. +- תמיכה ב [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). 
+- אין שגיאות TLS או פגיעות בעת פרופיל על ידי כלים כגון [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), או [Qualys SSL Labs](https://www.ssllabs.com/ssltest); זה כולל שגיאות הקשורות לאישור ופרמטרים חלשים של DH, כגון אלה שהובילו ל - [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- העדפת חבילת שרתים (אופציונלית ב-TLSv1.3) עבור חבילות צופן חזקות התומכות בסודיות קדימה ובהצפנה מאומתת. +- [MTA-STS](https://tools.ietf.org/html/rfc8461) בתוקף וגם מדיניות [TLS-RPT](https://tools.ietf.org/html/rfc8460). +- בתוקף [רשומות DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities). +- בתוקף [רשומות SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) ו - [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail). +- שיהיה לך מתאים [DMARC](https://en.wikipedia.org/wiki/DMARC) עבר ומדיניות או שימוש ב [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) לאימות. אם נעשה שימוש באימות DMARC, יש להגדיר את המדיניות ל- `דוחה` או `הסגר`. +- העדפת חבילת שרתים של TLS 1.2 ואילך ותוכנית עבור [הוצאה משימוש של TLSv1.0 ו- TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/). +- [שליחת SMTPS](https://en.wikipedia.org/wiki/SMTPS), בהנחה שנעשה שימוש ב - SMTP. +- תקני אבטחת אתר אינטרנט כגון: + - [אבטחת תעבורה קפדנית של HTTP](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - שלמות [תת - מקור](https://en.wikipedia.org/wiki/Subresource_Integrity) אם מעמיסים דברים מדומיינים חיצוניים. +- חייב לתמוך בהצגה של [כותרות הודעות](https://en.wikipedia.org/wiki/Email#Message_header), מכיוון שזוהי תכונה משפטית חיונית כדי לקבוע אם הודעת דואר אלקטרוני היא ניסיון דיוג. + +**המקרה הטוב ביותר:** + +- תמיכה באימות חומרה, כלומר. U2F ו - [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F ו - WebAuthn מאובטחים יותר כאשר הם משתמשים במפתח פרטי המאוחסן בהתקן חומרה בצד הלקוח כדי לאמת אנשים, בניגוד לסוד משותף המאוחסן בשרת האינטרנט ובצד הלקוח בעת שימוש ב - TOTP. 
יתר על כן, U2F ו- WebAuthn עמידים יותר בפני דיוג מכיוון שתגובת האימות שלהם מבוססת על האימות [שם הדומיין](https://en.wikipedia.org/wiki/Domain_name). +- [אישור רשות ההסמכה של DNS (CAA) רשומת משאבים](https://tools.ietf.org/html/rfc6844) בנוסף לתמיכת DANE. +- יישום של [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), זה שימושי עבור אנשים שמפרסמים לרשימות דיוור [RFC8617](https://tools.ietf.org/html/rfc8617). +- תוכניות לחיפוש באגים ו/או תהליך גילוי - פגיעות מתואם. +- תקני אבטחת אתר אינטרנט כגון: + - [מדיניות אבטחת תוכן (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [‎ Expect - CT ‎](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct) + +### אמון + +לא הייתם סומכים על הכספים שלכם למישהו שיש זהות מזויפת, אז למה לסמוך עליו עם הדוא"ל שלכם? אנו דורשים מהספקים המומלצים שלנו להיות פומביים לגבי הבעלות או המנהיגות שלהם. כמו כן, היינו רוצים לראות דיווחי שקיפות תכופים, במיוחד בכל הנוגע לאופן הטיפול בבקשות ממשלתיות. + +**מינימום כדי לעמוד בדרישות:** + +- מנהיגות ציבורית או בעלות. + +**המקרה הטוב ביותר:** + +- מנהיגות מול הציבור. +- דוחות שקיפות תכופים. + +### שיווק + +עם ספקי הדוא"ל אנו ממליצים לראות שיווק אחראי. + +**מינימום כדי לעמוד בדרישות:** + +- יש לבצע ניתוח של אחסון עצמי (ללא Google Analytics, Adobe Analytics וכו '). האתר של הספק חייב גם לציית ל [DNT (לא לעקוב)](https://en.wikipedia.org/wiki/Do_Not_Track) למי שרוצה לבטל את הסכמתו. + +אסור שיהיה שיווק שהוא חסר אחריות: + +- טענות של "הצפנה בלתי שבירה " יש להשתמש בהצפנה מתוך כוונה שהיא לא תהיה סודית בעתיד כאשר הטכנולוגיה קיימת כדי לפצח אותה. +- ביצוע ערבויות של הגנה על 100% אנונימיות. כשמישהו טוען שמשהו הוא 100% זה אומר שאין ודאות לכישלון. 
אנחנו יודעים שאנשים יכולים בקלות להפוך את עצמם לאיאנונימיים במספר דרכים, למשל.: + +- שימוש חוזר במידע אישי, למשל (חשבונות דוא"ל, שמות בדויים ייחודיים וכו ') שאליו ניגשו ללא תוכנה אנונימיות (Tor, VPN וכו ') +- [טביעת אצבע של דפדפן](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**המקרה הטוב ביותר:** + +- ברור וקל לקריאה. זה כולל דברים כמו, הגדרת 2FA, קליינט דוא"ל, OpenPGP וכו '. + +### פונקציונליות נוספת + +אמנם לא דרישות קפדניות, יש כמה גורמי נוחות או פרטיות אחרים שבדקנו בעת קביעת אילו ספקים להמליץ. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/encryption.md b/i18n/he/encryption.md new file mode 100644 index 00000000..a015024c --- /dev/null +++ b/i18n/he/encryption.md 
@@ -0,0 +1,358 @@ +--- +title: "תוכנת הצפנה" +icon: material/file-lock +--- + +הצפנה של נתונים היא הדרך היחידה לשלוט מי יכול לגשת אליו. אם אינך משתמש כעת בתוכנת הצפנה עבור הדיסק הקשיח, הודעות הדוא"ל או הקבצים שלך, עליך לבחור אפשרות כאן. + +## מרובה-פלטפורמות + +האפשרויות המפורטות כאן הן מרובות פלטפורמות ונהדרות ליצירת גיבויים מוצפנים של הנתונים שלך. + +### Cryptomator (ענן) + +!!! recommendation + + ![Cryptomator לוגו](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** הוא פתרון הצפנה המיועד לשמירה פרטית של קבצים לכל ספק ענן. הוא מאפשר לך ליצור כספות המאוחסנות בכונן וירטואלי, שתוכנן מוצפן ומסונכרן עם ספק אחסון הענן שלך. + + [:octicons-home-16: דף הבית](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator משתמש בהצפנת AES-256 כדי להצפין קבצים ושמות קבצים. Cryptomator אינו יכול להצפין מטא-נתונים כגון חותמות זמן של גישה, שינוי ויצירה, וגם לא את המספר והגודל של קבצים ותיקיות. 
+ +מספר ספריות קריפטוגרפיות של Cryptomator [עברו ביקורת](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) על ידי Cure53. היקף הספריות המבוקרים כולל: [cryptolib](https://github.com/cryptomator/cryptolib), [ cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) ו-[cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). הביקורת לא התרחבה ל[cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), שהיא ספרייה המשמשת את Cryptomator עבור iOS. + +התיעוד של Cryptomator מפרט את [יעד האבטחה](https://docs.cryptomator.org/en/latest/security/security-target/) המיועד, [ארכיטקטורת האבטחה](https://docs.cryptomator.org/en/latest/security/architecture/) ו[שיטות העבודה המומלצות](https://docs.cryptomator.org/en/latest/security/best-practices/) לשימוש ביתר פירוט. + +### Picocrypt (קובץ) + +!!! recommendation + + ![Picocrypt לוגו](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** הוא כלי הצפנה קטן ופשוט המספק הצפנה מודרנית. Picocrypt משתמש בצופן המאובטח XChaCha20 ובפונקציית גזירת מפתח Argon2id כדי לספק רמת אבטחה גבוהה. הוא משתמש במודולי x/crypto הסטנדרטיים של Go עבור תכונות ההצפנה שלו. + + [:octicons-repo-16: מאגר](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (דיסק) + +!!! 
recommendation + + ![VeraCrypt לוגו](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt לוגו](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** הוא כלי תוכנה חופשית קוד פתוח המשמש להצפנה תוך כדי תנועה. זה יכול ליצור דיסק מוצפן וירטואלי בתוך קובץ, להצפין מחיצה או להצפין את כל התקן האחסון עם אימות לפני אתחול. + + [:octicons-home-16: דף הבית](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=תיעוד} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt הוא מזלג של פרויקט TrueCrypt שהופסק. על פי המפתחים שלה, שיפורים באבטחה יושמו וטופלו בעיות שעלו בביקורת הקוד הראשונית של TrueCrypt. + +בעת הצפנה עם VeraCrypt, יש לך אפשרות לבחור מבין [hash פונקציות](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme) שונות. אנו מציעים לך **לבחור** רק [SHA-512](https://en.wikipedia.org/wiki/SHA-512) ולהיצמד ל [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) צופן בלוק. + +Truecrypt [נבדק מספר פעמים](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), וגם VeraCrypt [נבדק בנפרד](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## הצפנת דיסק מלא של מערכת ההפעלה + +מערכות הפעלה מודרניות כוללות [FDE](https://en.wikipedia.org/wiki/Disk_encryption) ויהיה להן [מעבד קריפטו מאובטח](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! 
recommendation + + ![BitLocker לוגו](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** הוא פתרון ההצפנה המלא המצורף ל-Microsoft Windows. הסיבה העיקרית שאנו ממליצים עליה היא בגלל [השימוש ב-TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), היא חברה לזיהוי פלילי, כתבה על כך ב- [הבנת BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=תיעוד} + +BitLocker [ נתמך רק](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) במהדורות Pro, Enterprise ו- Education של Windows. ניתן להפעיל אותו במהדורות ביתיות בתנאי שהן עומדות בדרישות המוקדמות. + +??? example "הפעלת BitLocker ב-Windows Home"" + + כדי להפעיל את BitLocker במהדורות "בית" של Windows, חייבות להיות לך מחיצות מעוצבות עם [טבלת מחיצות GUID](https://en.wikipedia.org/wiki/GUID_Partition_Table) ובעלות TPM ייעודי (v1.2, 2.0+) מודול. + + 1. פתח שורת פקודה ובדוק את תבנית טבלת המחיצות של הכונן באמצעות הפקודה הבאה. אתה אמור לראות את "**GPT**" ברשימה תחת "סגנון מחיצה": + + ``` + powershell Get-Disk + ``` + + 2. הפעל פקודה זו (בשורת פקודה של אדמין) כדי לבדוק את גרסת ה-TPM שלך. אתה אמור לראות את `2.0` או `1.2` לצד `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. גישה ל[אפשרויות הפעלה מתקדמות](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). עליך לאתחל מחדש תוך כדי לחיצה על מקש F8 לפני הפעלת Windows ולהיכנס ל *שורת הפקודה* ב **פתרון בעיות** → **אפשרויות מתקדמות** → **שורת הפקודהPrompt**. + + 4. 
התחבר עם חשבון הניהול שלך והקלד זאת בשורת הפקודה כדי להתחיל בהצפנה: + + ``` + manage-bde -on c: -used + ``` + + 5. סגור את שורת הפקודה והמשך אתחול ל-Windows רגיל. + + 6. פתח שורת פקודה של מנהל מערכת והפעל את הפקודות הבאות: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip "טיפ" + + גיבוי 'BitLocker-Recovery-Key.txt' בשולחן העבודה שלך להתקן אחסון נפרד. אובדן קוד שחזור זה עלול לגרום לאובדן נתונים. + +### FileVault + +!!! recommendation + + ![FileVault לוגו](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** הוא פתרון הצפנת נפח תוך כדי תנועה המובנה ב-macOS. FileVault מומלץ כי זה [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) יכולות אבטחת חומרה הקיימות בשבב אפל סיליקון SoC או T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=תיעוד} + +אנו ממליצים לאחסן מפתח שחזור מקומי במקום מאובטח, בניגוד לשימוש בחשבון iCloud שלך לשחזור. + +### הגדרת מפתח מאוחדת של לינוקס + +!!! recommendation + + ![LUKS לוגו](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** היא שיטת ברירת המחדל של FDE עבור לינוקס. ניתן להשתמש בו כדי להצפין אמצעי אחסון מלאים, מחיצות או ליצור מיכלים מוצפנים. + + [:octicons-home-16: דף הבית](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=תיעוד} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="קוד מקור" } + +??? 
example "יצירה ופתיחה של גורמים מכילים מוצפנים" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### פתיחת קונטיינרים מוצפנים + אנו ממליצים לפתוח מיכלים ואמצעי אחסון עם `udisksctl` כפי שהוא משתמש ב [Polkit](https://en.wikipedia.org/wiki/Polkit). רוב מנהלי הקבצים, כמו אלה הכלולים בסביבות שולחן עבודה פופולריות, יכולים לפתוח קבצים מוצפנים. כלים כמו [udiskie](https://github.com/coldfix/udiskie) יכול לפעול במגש המערכת ולספק ממשק משתמש מועיל. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "זכור לגבות את כותרות עוצמת הקול" + + אנו ממליצים לך תמיד [לגבות את כותרות ה-LUKS שלך](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) במקרה של כשל חלקי בכונן. ניתן לעשות זאת עם: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/קובץ.img + ``` + +## מבוסס-דפדפן + +הצפנה מבוססת דפדפן יכולה להיות שימושית כאשר אתה צריך להצפין קובץ אבל לא יכול להתקין תוכנות או אפליקציות במכשיר שלך. + +### hat.sh + +!!! recommendation + + ![hat.sh לוגו](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh לוגו](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** הוא יישום אינטרנט המספק הצפנת קבצים מאובטחת בצד הלקוח בדפדפן שלך. הוא גם יכול להיות באחסון עצמי והוא שימושי אם אתה צריך להצפין קובץ אבל לא יכול להתקין שום תוכנה במכשיר שלך בגלל מדיניות ארגונית. 
+ + [:octicons-globe-16: אתר](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="קוד מקור" } + :octicons-heart-16:{ .card-link title="ניתן למצוא את שיטות התרומות בתחתית האתר" } + +## שורת הפקודה + +כלים עם ממשקי שורת פקודה שימושיים לשילוב [סקריפטים של מעטפת](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor לוגו](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** הוא כלי הצפנת וחתימה של קבצים חינמי ופתוח העושה שימוש באלגוריתמים קריפטוגרפיים מודרניים ומאובטחים. המטרה היא להיות גרסה טובה יותר של [age](https://github.com/FiloSottile/age) ו [Minisign](https://jedisct1.github.io/minisign/) כדי לספק חלופה פשוטה וקלה יותר ל GPG. + + [:octicons-home-16: דף הבית](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb לוגו](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** הוא מעטפת מעטפת שורת פקודה עבור LUKS. הוא תומך בסטגנוגרפיה באמצעות [כלים של צד שלישי](https://github.com/dyne/Tomb#how-does-it-work). 
+ + [:octicons-home-16: דף הבית](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=לתרומה } + +## OpenPGP + +לעתים יש צורך ב-OpenPGP עבור משימות ספציפיות כמו חתימה דיגיטלית והצפנת דואר אלקטרוני. ל-PGP תכונות רבות והוא [מורכב](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) כפי שהוא קיים זמן רב. עבור משימות כגון חתימה או הצפנה של קבצים, אנו מציעים את האפשרויות לעיל. + +בעת הצפנה באמצעות PGP, יש לך אפשרות להגדיר אפשרויות שונות בקובץ `gpg.conf` שלך. אנו ממליצים להישאר עם האפשרויות הסטנדרטיות המפורטות ב[שאלות הנפוצות של משתמשי GnuPG ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "השתמש בברירות מחדל עתידיות בעת יצירת מפתח" + + כאשר [יוצרים מפתחות](https://www.gnupg.org/gph/en/manual/c14.html) אנו מציעים להשתמש בפקודה `future-default` מכיוון שזו תנחה את GnuPG להשתמש בקריפטוגרפיה מודרנית כגון [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) ו [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard לוגו](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** היא חלופה ברישיון GPL לחבילת PGP של תוכנות הצפנה. GnuPG תואם ל-[RFC 4880](https://tools.ietf.org/html/rfc4880), שהוא מפרט ה-IETF הנוכחי של OpenPGP. פרויקט GnuPG עבד על [טיוטה מעודכנת](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) בניסיון לחדש את OpenPGP. GnuPG הוא חלק מפרויקט התוכנה GNU של קרן התוכנה החופשית וקיבל [מימון] גדול (https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) מממשלת גרמניה. 
+ + [:octicons-home-16: דף הבית](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=תיעוד} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win לוגו](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** היא חבילה עבור Windows מ-[Intevation ו-g10 Code](https://gpg4win.org/impressum.html). הוא כולל [כלים שונים](https://gpg4win.org/about.html) שיכולים לסייע לך בשימוש ב-GPG ב-Microsoft Windows. הפרויקט יזם ובמקור [מומן על ידי](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) המשרד הפדרלי של גרמניה למידע אבטחה (BSI) בשנת 2005. + + [:octicons-home-16: דף הבית](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=תיעוד} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note "הערה" + + אנו מציעים [Canary Mail](email-clients.md#canary-mail) לשימוש ב-PGP עם אימייל במכשירי iOS. + +!!! 
recommendation + + ![GPG Suite לוגו](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** מספקת תמיכה ב-OpenPGP עבור [Apple Mail](email-clients.md#apple-mail) ו-macOS. + + אנו ממליצים להסתכל על [השלבים הראשונים](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup- gpgtools-create-a-new-key-your-first-encrypted-email) ו-[בסיס ידע](https://gpgtools.tenderapp.com/kb) לתמיכה. + + [:octicons-home-16: דף הבית](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain לוגו](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** הוא יישום אנדרואיד של GnuPG. זה נדרש בדרך כלל על ידי לקוחות דואר כגון [K-9 Mail](email-clients.md#k-9-mail) ו- [FairEmail](email-clients.md#fairemail) ואפליקציות Android אחרות כדי לספק תמיכה בהצפנה. Cure53 השלימה [ביקורת אבטחה](https://www.openkeychain.org/openkeychain-3-6) של OpenKeychain 3.6 באוקטובר 2015. פרטים טכניים על הביקורת והפתרונות של OpenKeychain ניתן למצוא [כאן](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: דף הבית](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="קוד מקור" } + :octicons-heart-16:{ .card-link title="ניתן לתרום באפליקציה" } + + ??? 
downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +### כישורים מינימליים + +- אפליקציות הצפנה חוצות פלטפורמות חייבות להיות בקוד פתוח. +- אפליקציות להצפנת קבצים חייבות לתמוך בפענוח ב-Linux, macOS ו-Windows. +- אפליקציות להצפנת דיסק חיצוני חייבות לתמוך בפענוח ב-Linux, macOS ו-Windows. +- אפליקציות להצפנת דיסק פנימי (OS) חייבות להיות חוצות פלטפורמות או מובנות במערכת ההפעלה באופן מקורי. + +### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- אפליקציות הצפנה של מערכת הפעלה (FDE) צריכות להשתמש באבטחת חומרה כגון TPM או Secure Enclave. +- אפליקציות להצפנת קבצים צריכות לקבל תמיכה של צד ראשון או שלישי עבור פלטפורמות ניידות. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/file-sharing.md b/i18n/he/file-sharing.md new file mode 100644 index 00000000..52961865 --- /dev/null +++ b/i18n/he/file-sharing.md 
@@ -0,0 +1,148 @@ +--- +title: "שיתוף וסנכרון קבצים" +icon: material/share-variant +--- + +גלה כיצד לשתף את הקבצים שלך באופן פרטי בין המכשירים שלך, עם החברים והמשפחה שלך, או באופן אנונימי באינטרנט. + +## שיתוף קבצים + +### Send + +!!! recommendation + + ![Send לוגו](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** היא נגזרת של שירות Firefox Send של Mozilla שהופסקה המאפשר לך לשלוח קבצים לאחרים עם קישור. קבצים מוצפנים במכשיר שלך כך שלא ניתן לקרוא אותם על ידי השרת, והם יכולים להיות מוגנים באמצעות סיסמה. המתחזק של שלח Send מארח [מופע ציבורי](https://send.vis.ee/). אפשר להשתמש במועדים ציבוריים אחרים, או לארח לשלוח את עצמכם. + + [:octicons-home-16: דף הבית](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="מופעים ציבוריים"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=לתרומה } + +ניתן להשתמש ב- Send דרך ממשק האינטרנט שלו או דרך [ffsend](https://github.com/timvisee/ffsend) CLI. אם אתה מכיר את שורת הפקודה ושולח קבצים לעתים קרובות, אנו ממליצים להשתמש בלקוח ה-CLI כדי להימנע מהצפנה מבוססת JavaScript. אתה יכול לציין את הדגל `--host` כדי להשתמש בשרת ספציפי: + +```bash +ffsend upload -- host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare לוגו](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** הוא כלי קוד פתוח המאפשר לך לשתף בצורה מאובטחת ואנונימית קובץ בכל גודל. זה עובד על ידי הפעלת שרת אינטרנט נגיש כשירות Tor onion, עם כתובת URL בלתי ניתנת לניחוש שתוכל לשתף עם הנמענים כדי להוריד או לשלוח קבצים. 
+ + [:octicons-home-16: דף הבית](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="שירות בצל" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- אסור לאחסן נתונים מפוענחים בשרת מרוחק. +- חייבת להיות תוכנת קוד פתוח. +- חייב להיות לקוחות עבור Linux, macOS ו-Windows; או בעלי ממשק אינטרנט. + +## FreedomBox + +!!! recommendation + + ![FreedomBox לוגו](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** היא מערכת הפעלה המיועדת להפעלה על [מחשב עם לוח יחיד (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). המטרה היא להקל על הגדרת יישומי שרת שאולי תרצה לארח בעצמך. 
+ + [:octicons-home-16: דף הבית](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=תיעוד} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=לתרומה } + +## סנכרון קבצים + +### Nextcloud (שרת-לקוח) + +!!! recommendation + + ![Nextcloud לוגו](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** היא חבילה של תוכנות שרת-לקוח חינמיות וקוד פתוח ליצירת שירותי אירוח קבצים משלך בשרת פרטי שאתה שולט בו. + + [:octicons-home-16: דף הבית](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger "סַכָּנָה" + + אנו לא ממליצים להשתמש ב-[E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) עבור Nextcloud מכיוון שהיא עלולה להוביל לאובדן נתונים; זה מאוד ניסיוני ולא איכות ייצור. + +### Syncthing (P2P) + +!!! 
recommendation + + ![Syncthing לוגו](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** הוא כלי עזר רציף לסנכרון קבצים עמית לעמית בקוד פתוח. הוא משמש לסנכרון קבצים בין שני מכשירים או יותר ברשת המקומית או באינטרנט. Syncthing אינו משתמש בשרת מרכזי; הוא משתמש ב-[Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) כדי להעביר נתונים בין מכשירים. כל הנתונים מוצפנים באמצעות TLS. + + [:octicons-home-16: דף הבית](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. 
+ +#### דרישות מינימליות + +- חייב לא לדרוש שרת מרוחק/ענן של צד שלישי. +- חייבת להיות תוכנת קוד פתוח. +- חייב להיות לקוחות עבור Linux, macOS ו-Windows; או בעלי ממשק אינטרנט. + +#### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- יש לו לקוחות ניידים עבור iOS ואנדרואיד, שלפחות תומכים בתצוגה מקדימה של מסמכים. +- תומך בגיבוי תמונות מ-iOS ואנדרואיד, ותומך באופן אופציונלי בסנכרון קבצים/תיקיות באנדרואיד. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/frontends.md b/i18n/he/frontends.md new file mode 100644 index 00000000..ab9c0186 --- /dev/null +++ b/i18n/he/frontends.md 
@@ -0,0 +1,268 @@ +--- +title: "חזיתות" +icon: material/flip-to-front +--- + +לפעמים שירותים ינסו לאלץ אותך להירשם לחשבון על ידי חסימת גישה לתוכן עם חלונות קופצים מעצבנים. הם יכולים להישבר גם ללא הפעלת JavaScript. חזיתות אלה יכולות לאפשר לך לעקוף את ההגבלות הללו. + +## קליינטים + +### Librarian + +!!! recommendation + + ![Librarian לוגו](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian לוגו](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** היא חזית חינמית וקוד פתוח עבור [Odysee](https://odysee.com/) (LBRY) שגם היא ניתנת לאירוח עצמי. + + ישנם מספר מופעים ציבוריים, כאשר בחלק מהמקרים יש תמיכה בשירותי בצל [Tor](https://www.torproject.org). + + [:octicons-repo-16: מאגר](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="מופעים ציבוריים"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="קוד מקור" } + +!!! warning "אזהרה" + + Librarian אינו משדר סרטוני פרוקסי כברירת מחדל. סרטונים שנצפו באמצעות Librarian עדיין יבצעו חיבורים ישירים לשרתים של Odysee (למשל `odycdn.com`); עם זאת, מופעים מסוימים עשויים לאפשר שרת proxy אשר יפורט במדיניות הפרטיות של המופע. + +!!! tip "טיפ" + + Librarian שימושי אם אתה רוצה לצפות בתוכן LBRY בנייד ללא טלמטריה חובה ואם אתה רוצה להשבית את JavaScript בדפדפן שלך, כפי שקורה עם [דפדפן Tor](https://www.torproject.org/) באבטחה הבטוחה ביותר רָמָה. + +בעת אירוח עצמי, חשוב כי יש לך אנשים אחרים באמצעות המקרה שלך, כמו גם על מנת שתוכל להשתלב. עליך להיות זהיר עם היכן וכיצד אתה מארח את Librarian, מכיוון שהשימוש של אנשים אחרים יהיה מקושר לאירוח שלך. + +כאשר אתה משתמש במופע Librarian, הקפד לקרוא את מדיניות הפרטיות של אותו מופע ספציפי. מופעי Librarian יכולים להשתנות על ידי בעליהם ולכן עשויים שלא לשקף את מדיניות ברירת המחדל. 
מקרים של Librarian כוללים "תווית תזונה פרטית" כדי לספק סקירה כללית של המדיניות שלהם. במקרים מסוימים יש כתובות .onion Tor אשר עשוי להעניק קצת פרטיות כל עוד שאילתות החיפוש שלך אינן מכילות PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![לוגו של Nitter]( assets/img/frontends/nitter.svg){ align=right } + + **Nitter** הוא ממשק קוד פתוח בחינם עבור [Twitter](https://twitter.com) שגם הוא ניתן לאירוח עצמי. + + ישנם מספר מופעים ציבוריים, כאשר בחלק מהמקרים יש תמיכה בשירותי בצל [Tor](https://www.torproject.org). + + [:octicons-repo-16: מאגר](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="מופעים ציבוריים"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=לתרומה } + +!!! tip "טיפ" + + Nitter שימושי אם ברצונך לדפדף בתוכן של טוויטר ללא צורך בהתחברות ואם ברצונך להשבית את JavaScript בדפדפן שלך, כפי שקורה עם [Tor Browser](https://www.torproject.org/) ברמת האבטחה הבטוחה ביותר. זה גם מאפשר לך [ליצור הזנות RSS עבור טוויטר](news-aggregators.md#twitter). + +בעת אירוח עצמי, חשוב כי יש לך אנשים אחרים באמצעות המקרה שלך, כמו גם על מנת שתוכל להשתלב. אתה צריך להיות זהיר עם איפה ואיך אתה מארח Nitter, כמו השימוש של אנשים אחרים יהיה מקושר אירוח שלך. + +כאשר אתה משתמש במופע של Nitter, הקפד לקרוא את מדיניות הפרטיות של מופע ספציפי זה. ניתן לשנות מופעים של Nitter על ידי בעליהם ולכן ייתכן שלא ישקפו את מדיניות ברירת המחדל. במקרים מסוימים יש כתובות .onion Tor אשר עשוי להעניק קצת פרטיות כל עוד שאילתות החיפוש שלך אינן מכילות PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok לוגו](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** הוא ממשק קוד פתוח לאתר [TikTok](https://www.tiktok.com) שגם הוא ניתן לאירוח עצמי. 
+ + ישנם מספר מופעים ציבוריים, כאשר בחלק מהמקרים יש תמיכה בשירותי בצל [Tor](https://www.torproject.org). + + [:octicons-repo-16: מאגר](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="מופעים ציבוריים"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="קוד מקור" } + +!!! tip "טיפ" + + ProxiTok שימושי אם ברצונך להשבית את JavaScript בדפדפן שלך, כגון [Tor Browser](https://www.torproject.org/) ברמת האבטחה הבטוחה ביותר. + +בעת אירוח עצמי, חשוב כי יש לך אנשים אחרים באמצעות המקרה שלך, כמו גם על מנת שתוכל להשתלב. אתה צריך להיות זהיר עם היכן וכיצד אתה מארח את ProxiTok, מכיוון שהשימוש של אנשים אחרים יהיה מקושר לאירוח שלך. + +כאשר אתה משתמש במופע של ProxiTok, הקפד לקרוא את מדיניות הפרטיות של אותו מופע ספציפי. מופעי ProxiTok ניתנים לשינוי על ידי בעליהם ולכן עשויים שלא לשקף את מדיניות הפרטיות הקשורה אליהם. במקרים מסוימים יש כתובות .onion Tor אשר עשוי להעניק קצת פרטיות כל עוד שאילתות החיפוש שלך אינן מכילות PII. + +## יוטיוב + +### FreeTube + +!!! recommendation + + ![FreeTube לוגו](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** הוא יישום שולחן עבודה חינם וקוד פתוח עבור [יוטיוב](https://youtube.com). בעת שימוש ב- FreeTube, רשימת המנויים ורשימות ההשמעה שלך נשמרות באופן מקומי במכשיר שלך. + + כברירת מחדל, FreeTube חוסמת את כל הפרסומות של יוטיוב. בנוסף, FreeTube משתלבת באופן אופציונלי עם [SponsorBlock](https://sponsor.ajay.app) כדי לעזור לך לדלג על קטעי וידאו ממומנים. 
+ + [:octicons-home-16: דף הבית](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning "אזהרה" + + בעת השימוש ב-FreeTube, ייתכן שכתובת ה-IP שלך עדיין ידועה ליוטיוב, [Invidious](https://instances.invidious.io) או [SponsorBlock](https://sponsor.ajay.app/) בהתאם לתצורה שלך. שקול להשתמש ב-[VPN](vpn.md) או [Tor](https://www.torproject.org) אם [מודל האיום](basics/threat-modeling.md) שלך דורש הסתרת כתובת ה-IP שלך. + +### Yattee + +!!! recommendation + + ![Yattee לוגו](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** הוא נגן וידאו חינמי וקוד פתוח מוכוון פרטיות עבור iOS, tvOS ו-macOS עבור [יוטיוב](https://youtube.com). בעת השימוש ב - Yattee, רשימת המנויים שלך נשמרת באופן מקומי במכשיר שלך. + + תצטרך לבצע כמה [צעדים נוספים](https://gonzoknows.com/posts/Yattee/) לפני שתוכל להשתמש ב-Yattee כדי לצפות ב-YouTube, עקב הגבלות של App Store. 
+ + [:octicons-home-16: דף הבית](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning "אזהרה" + + בעת השימוש ב- Yattee, כתובת ה- IP שלך עשויה עדיין להיות ידועה ליוטיוב, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) או [SponsorBlock](https://sponsor.ajay.app/) בהתאם לתצורה שלך. שקול להשתמש ב-[VPN](vpn.md) או [Tor](https://www.torproject.org) אם [מודל האיום](basics/threat-modeling.md) שלך דורש הסתרת כתובת ה-IP שלך. + +כברירת מחדל, Yattee חוסם את כל הפרסומות ב - YouTube. בנוסף, Yattee משתלב באופן אופציונלי עם [SponsorBlock](https://sponsor.ajay.app) כדי לעזור לך לדלג על קטעי וידאו ממומנים. + +### LibreTube (אנדרואיד) + +!!! recommendation + + ![LibreTube לוגו](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube לוגו](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** היא אפליקציית אנדרואיד בחינם וקוד פתוח עבור [YouTube](https://youtube.com) המשתמשת בממשק ה-API של [Piped](#piped). + + LibreTube מאפשר לך לאחסן את רשימת המנויים והפלייליסטים שלך באופן מקומי במכשיר האנדרואיד שלך, או בחשבון במופע Piped שבחרת, מה שמאפשר לך לגשת אליהם בצורה חלקה גם במכשירים אחרים. 
+ + [:octicons-home-16: דף הבית](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning "אזהרה" + + בעת שימוש ב-LibreTube, כתובת ה-IP שלך תהיה גלויה למופע [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) שתבחר ו/או ל-[SponsorBlock](https://sponsor.ajay.app/) בהתאם לתצורה שלך. שקול להשתמש ב-[VPN](vpn.md) או [Tor](https://www.torproject.org) אם [מודל האיום](basics/threat-modeling.md) שלך דורש הסתרת כתובת ה-IP שלך. + +כברירת מחדל, LibreTube חוסמת את כל פרסומות יוטיוב. בנוסף, Libretube משתמשת ב[SponsorBlock](https://sponsor.ajay.app) כדי לעזור לך לדלג על קטעי וידאו ממומנים. אתה יכול להגדיר באופן מלא את סוגי הפלחים שSponsorBlock ידלג עליהם, או להשבית אותו לחלוטין. יש גם כפתור בנגן הווידאו עצמו כדי להשבית אותו עבור סרטון מסוים אם תרצה בכך. + +### NewPipe (אנדרואיד) + +!!! recommendation annotate + + ![Newpipe לוגו](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** היא אפליקציית אנדרואיד חינמית וקוד פתוח עבור [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), ו-[PeerTube](https://joinpeertube.org/) (1). + + רשימת המנויים והפלייליסטים שלך נשמרים באופן מקומי במכשיר האנדרואיד שלך. 
+ + [:octicons-home-16: דף הבית](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. מופע ברירת המחדל הוא [FramaTube](https://framatube.org/), עם זאת ניתן להוסיף יותר דרך **הגדרות** ← **תוכן** ← **מופעים PeerTube** + +!!! warning "אזהרה" + + בעת שימוש ב-NewPipe, כתובת ה-IP שלך תהיה גלויה לספקי הווידאו שבהם נעשה שימוש. שקול להשתמש ב-[VPN](vpn.md) או [Tor](https://www.torproject.org) אם [מודל האיום](basics/threat-modeling.md) שלך דורש הסתרת כתובת ה-IP שלך. + +### Invidious + +!!! recommendation + + ![Invidious לוגו](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious לוגו](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** הוא ממשק קצה חינמי וקוד פתוח עבור [YouTube](https://youtube.com) שמתארח גם בעצמו. + + ישנם מספר מופעים ציבוריים, כאשר בחלק מהמקרים יש תמיכה בשירותי בצל [Tor](https://www.torproject.org). + + [:octicons-home-16: דף הבית](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="מופעים ציבוריים"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=לתרומה } + +!!! warning "אזהרה" + + כברירת מחדל, Invidious לא מזרימה פרוקסי וידאו. 
סרטונים שנצפו באמצעות Invidious עדיין יבצעו חיבורים ישירים לשרתים של Google (למשל `googlevideo.com`); עם זאת, מופעים מסוימים תומכים ב-proxy של וידאו - פשוט הפעל *סרטוני פרוקסי* בהגדרות של המופעים או הוסף '&local=true' לכתובת האתר. + +!!! tip "טיפ" + + Invidious שימושי אם ברצונך להשבית את JavaScript בדפדפן שלך, כגון [Tor Browser]( https://www.torproject.org/) ברמת האבטחה הבטוחה ביותר. הוא אינו מספק פרטיות בפני עצמו, ואנחנו לא ממליצים להיכנס לחשבונות כלשהם. + +בעת אירוח עצמי, חשוב כי יש לך אנשים אחרים באמצעות המקרה שלך, כמו גם על מנת שתוכל להשתלב. עליכם להיות זהירים לגבי המיקום והאופן שבו אתם מארחים את Invidious, מכיוון שהשימוש של אנשים אחרים יקושר לאירוח שלכם. + +כאשר אתה משתמש ב - Invidious instance, הקפד לקרוא את מדיניות הפרטיות של אותו מופע ספציפי. מקרים לא נעימים יכולים להשתנות על ידי בעליהם, ולכן ייתכן שלא ישקפו את מדיניות הפרטיות המשויכת אליהם. במקרים מסוימים יש כתובות .onion Tor אשר עשוי להעניק קצת פרטיות כל עוד שאילתות החיפוש שלך אינן מכילות PII. + +### Piped + +!!! recommendation + + ![Piped לוגו](assets/img/frontends/piped.svg){ align=right } + + **Piped** הוא חזית קוד פתוח בחינם ל-[YouTube](https://youtube.com) שמתארח גם בעצמו. + + Piped דורש JavaScript כדי לתפקד ויש מספר מופעים ציבוריים. + + [:octicons-repo-16: מאגר](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="מופעים ציבוריים"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=לתרומה } + +!!! tip "טיפ" + + Piped שימושי אם ברצונך להשתמש ב - [SponsorBlock](https://sponsor.ajay.app) מבלי להתקין תוסף או לגשת לתוכן מוגבל לגיל ללא חשבון. הוא אינו מספק פרטיות בפני עצמו, ואנחנו לא ממליצים להיכנס לחשבונות כלשהם. 
+ +בעת אירוח עצמי, חשוב כי יש לך אנשים אחרים באמצעות המקרה שלך, כמו גם על מנת שתוכל להשתלב. עליכם להיות זהירים לגבי המיקום והאופן שבו אתם מארחים Piped, מכיוון שהשימוש של אנשים אחרים יקושר לאירוח שלכם. + +כאשר אתה משתמש ב - Piped instance, הקפד לקרוא את מדיניות הפרטיות של אותו מופע ספציפי. בעליהם יכולים לשנות מופעים מקוטעים ולכן ייתכן שהם לא ישקפו את מדיניות הפרטיות המשויכת אליהם. + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +חזיתות מומלצות... + +- חייבת להיות תוכנת קוד פתוח. +- חייב להיות ניתן לאירוח עצמי. +- חייב לספק את כל הפונקציונליות הבסיסית של האתר הזמינה למשתמשים אנונימיים. + +אנו מתייחסים רק לחזיתות עבור אתרים שהם... + +- לא נגיש בדרך כלל ללא JavaScript. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/index.md b/i18n/he/index.md new file mode 100644 index 00000000..8f4be845 --- /dev/null +++ b/i18n/he/index.md 
@@ -0,0 +1,44 @@ +--- +template: overrides/home.he.html +hide: + - navigation + - toc + - feedback +--- + + +## למה שיהיה אכפת לי? + +##### “אין לי מה להסתיר. למה שאדאג לפרטיות שלי?" + +בדומה לזכות לנישואים בין-גזעיים, זכות בחירה לאישה, חופש הביטוי ורבים אחרים, זכותנו לפרטיות לא תמיד נשמרה. בכמה דיקטטורות, זה עדיין לא. דורות לפנינו נלחמו על זכותנו לפרטיות. ==פרטיות היא זכות אדם, הטבועה בכולנו,== שמגיעה לנו (ללא אפליה). + +אתה לא צריך לבלבל פרטיות עם סודיות. אנחנו יודעים מה קורה בשירותים, אבל אתה עדיין סוגר את הדלת. זה בגלל שאתה רוצה פרטיות, לא סודיות. **לכל** אחד יש על מה להגן. פרטיות היא משהו שהופך אותנו לאנושיים. + +[:material-target-account: איומים נפוצים באינטרנט](basics/common-threats.md ""){.md-button.md-button--primary} + +## מה עליי לעשות? + +##### ראשית, אתה צריך להכין תוכנית + +ניסיון להגן על כל הנתונים שלך מפני כולם כל הזמן הוא לא מעשי, יקר ומתיש. אבל אל תדאג! אבטחה היא תהליך, ועל ידי חשיבה קדימה, אתה יכול להרכיב תוכנית שמתאימה לך. אבטחה אינה עוסקת רק בכלים שבהם אתה משתמש או בתוכנה שאתה מוריד. במקום זאת, זה מתחיל בהבנת האיומים הייחודיים שאתה מתמודד איתם, וכיצד אתה יכול להפחית אותם. + +==תהליך זה של זיהוי איומים והגדרת אמצעי נגד נקרא **מודלים של איומים**==, והוא מהווה את הבסיס לכל תוכנית אבטחה ופרטיות טובה. + +[:material-book-outline: למד עוד על מודל איומים](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## אנחנו זקוקים לך! 
הנה איך להיות מעורב: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="הצטרף לפורום שלנו" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="עקבו אחרינו במסטודון" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="תרום לאתר זה" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="עזור לתרגם את האתר הזה" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="שוחח איתנו במטריקס" } +[:material-information-outline:](about/index.md){ title="למד עוד אודותינו" } +[:material-hand-coin-outline:](about/donate.md){ title="תמכו בפרויקט" } + +חשוב שאתר כמו Privacy Guides יישאר תמיד מעודכן. אנחנו צריכים שהקהל שלנו יפקח עין על עדכוני תוכנה עבור היישומים הרשומים באתר שלנו ויעקוב אחר החדשות האחרונות לגבי ספקים שאנחנו ממליצים עליהם. קשה לעמוד בקצב המהיר של האינטרנט, אבל אנחנו מנסים כמיטב יכולתנו. אם אתה מזהה שגיאה, חושב שספק לא צריך להיות רשום, שם לב שחסר ספק מוסמך, מאמין שתוסף דפדפן הוא כבר לא הבחירה הטובה ביותר, או חשף כל בעיה אחרת, אנא הודע לנו. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/kb-archive.md b/i18n/he/kb-archive.md new file mode 100644 index 00000000..9e276b56 --- /dev/null +++ b/i18n/he/kb-archive.md 
@@ -0,0 +1,18 @@
+---
+title: ארכיון KB
+icon: material/archive
+---
+
+# דפים הועברו לבלוג
+
+כמה דפים שהיו בעבר במאגר הידע שלנו נמצאים כעת בבלוג שלנו:
+
+- [GrapheneOS לעומת CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+- [Signal תצורה והקשחה](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+- [לינוקס - הקשחת המערכת](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
+- [לינוקס - ארגז חול ליישומים](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
+- [מחיקת נתונים מאובטחת](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+- [הסרה משולבת של מטא נתונים](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
+- [מדריך התצורה של iOS](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
+
+--8<-- "includes/abbreviations.he.txt"
diff --git a/i18n/he/meta/brand.md b/i18n/he/meta/brand.md
new file mode 100644
index 00000000..0a896597
--- /dev/null
+++ b/i18n/he/meta/brand.md
@@ -0,0 +1,24 @@
+---
+title: Branding Guidelines
+---
+
+The name of the website is **Privacy Guides** and should **not** be changed to:
+
+- PrivacyGuides
+- Privacy guides
+- PG
+- PG.org
+
+The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**.
+
+Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand)
+
+## Trademark
+
+"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project.
+
+Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions.
+
+--8<-- "includes/abbreviations.he.txt"
diff --git a/i18n/he/meta/git-recommendations.md b/i18n/he/meta/git-recommendations.md
new file mode 100644
index 00000000..f25bb90d
--- /dev/null
+++ b/i18n/he/meta/git-recommendations.md
@@ -0,0 +1,48 @@
+---
+title: Git Recommendations
+---
+
+If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations.
+
+## Enable SSH Key Commit Signing
+
+You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
+
+1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo):
+ ```
+ git config --global commit.gpgsign true
+ git config --global gpg.format ssh
+ git config --global tag.gpgSign true
+ ```
+2. Copy your SSH public key to your clipboard, for example:
+ ```
+ pbcopy < ~/.ssh/id_ed25519.pub
+ # Copies the contents of the id_ed25519.pub file to your clipboard
+ ```
+3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard:
+ ```
+ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'
+ ```
+
+Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key).
+
+## Rebase on Git pull
+
+Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo).
+
+You can set this to be the default behavior:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase from `main` before submitting a PR
+
+If you are working on your own branch, run these commands before submitting a PR:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.he.txt"
diff --git a/i18n/he/meta/uploading-images.md b/i18n/he/meta/uploading-images.md
new file mode 100644
index 00000000..ea51f475
--- /dev/null
+++ b/i18n/he/meta/uploading-images.md
@@ -0,0 +1,91 @@
+---
+title: Uploading Images
+---
+
+Here are a couple of general rules for contributing to Privacy Guides:
+
+## Images
+
+- We **prefer** SVG images, but if those do not exist we can use PNG images
+
+Company logos have canvas size of:
+
+- 128x128px
+- 384x128px
+
+## Optimization
+
+### PNG
+
+Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image:
+
+```bash
+optipng -o7 file.png
+```
+
+### SVG
+
+#### Inkscape
+
+[Scour](https://github.com/scour-project/scour) all SVG images.
+
+In Inkscape:
+
+1. File Save As..
+2. Set type to Optimized SVG (*.svg)
+
+In the **Options** tab:
+
+- **Number of significant digits for coordinates** > **5**
+- [x] Turn on **Shorten color values**
+- [x] Turn on **Convert CSS attributes to XML attributes**
+- [x] Turn on **Collapse groups**
+- [x] Turn on **Create groups for similar attributes**
+- [ ] Turn off **Keep editor data**
+- [ ] Turn off **Keep unreferenced definitions**
+- [x] Turn on **Work around renderer bugs**
+
+In the **SVG Output** tab under **Document options**:
+
+- [ ] Turn off **Remove the XML declaration**
+- [x] Turn on **Remove metadata**
+- [x] Turn on **Remove comments**
+- [x] Turn on **Embeded raster images**
+- [x] Turn on **Enable viewboxing**
+
+In the **SVG Output** under **Pretty-printing**:
+
+- [ ] Turn off **Format output with line-breaks and indentation**
+- **Indentation characters** > Select **Space**
+- **Depth of indentation** > **1**
+- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element**
+
+In the **IDs** tab:
+
+- [x] Turn on **Remove unused IDs**
+- [ ] Turn off **Shorten IDs**
+- **Prefix shortened IDs with** > `leave blank`
+- [x] Turn on **Preserve manually created IDs not ending with digits**
+- **Preserve the following IDs** > `leave blank`
+- **Preserve IDs starting with** > `leave blank`
+
+#### CLI
+
+The same can be achieved with the [Scour](https://github.com/scour-project/scour) command:
+
+```bash
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.he.txt"
diff --git a/i18n/he/meta/writing-style.md b/i18n/he/meta/writing-style.md
new file mode 100644
index 00000000..a0dc4e5d
--- /dev/null
+++ b/i18n/he/meta/writing-style.md
@@ -0,0 +1,89 @@
+---
+title: Writing Style
+---
+
+Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt.
+
+In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below.
+
+## Writing for our audience
+
+Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with.
+
+### Address only what people want to know
+
+People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details.
+
+> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.”
+
+### Address people directly
+
+We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly.
+
+> More than any other single technique, using “you” pulls users into the information and makes it relevant to them.
+>
+> When you use “you” to address users, they are more likely to understand what their responsibility is.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/)
+
+### Avoid "users"
+
+Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for.
+
+## Organizing content
+
+Organization is key. 
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas.
+
+- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages.
+- Mark important ideas with **bold** or *italics*.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
+
+### Begin with a topic sentence
+
+> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details.
+>
+> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
+
+## Choose your words carefully
+
+> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand.
+
+We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. 
+
+> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences:
+>
+> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends.
+>
+> And the original, using stronger, simpler words:
+>
+> > More night jobs would keep youths off the streets.
+
+## Be concise
+
+> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
+
+## Keep text conversational
+
+> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting.
+>
+> Verbs tell your audience what to do. Make sure it’s clear who does what.
+
+### Use active voice
+
+> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.”
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
+
+### Use "must" for requirements
+
+> - “must” for an obligation
+> - “must not” for a prohibition
+> - “may” for a discretionary action
+> - “should” for a recommendation
+
+--8<-- "includes/abbreviations.he.txt"
diff --git a/i18n/he/mobile-browsers.md b/i18n/he/mobile-browsers.md
new file mode 100644
index 00000000..c9661e91
--- /dev/null
+++ b/i18n/he/mobile-browsers.md
@@ -0,0 +1,193 @@
+---
+title: "דפדפני אינטרנט לנייד"
+icon: material/cellphone-information
+---
+
+אלו הם דפדפני האינטרנט הניידים המומלצים כרגע והתצורות שלנו לגלישה רגילה/לא אנונימית באינטרנט. אם אתה צריך לגלוש באינטרנט באופן אנונימי, אתה צריך להשתמש [Tor](tor.md) במקום. באופן כללי, אנו ממליצים לשמור על הרחבות למינימום; יש להם גישה מוסמכת בתוך הדפדפן שלך, דורשים ממך לסמוך על המפתח, יכולים לגרום לך [להיות בולט](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), [ולהחליש](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) את בידוד האתר.
+
+## אנדרואיד
+
+באנדרואיד, פיירפוקס עדיין פחות מאובטח מאלטרנטיבות מבוססות Chromium: המנוע של מוזילה, [GeckoView](https://mozilla.github.io/geckoview/), עדיין לא תמך [בבידוד אתרים](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) או איפשר את [תהליך מבודד](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
+
+### Brave
+
+!!! recommendation
+
+    ![Brave לוגו](assets/img/browsers/brave.svg){ align=right }
+
+    **דפדפן Brave** כולל חוסם תוכן מובנה ו [תכונות פרטיות ]( https://brave.com/privacy-features/), רבים מהם מופעלים כברירת מחדל.
+
+    Brave בנוי על פרויקט דפדפן Chromium, כך שהוא אמור להרגיש מוכר ושיהיו לו בעיות תאימות מינימליות לאתר.
+
+    [:octicons-home-16: דף הבית](https://brave.com/){ .md-button .md-button--primary }
+    [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="שירות בצל" }
+    [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="מדיניות פרטיות" }
+    [:octicons-info-16:](https://support.brave.com/){ .card-link title=תיעוד}
+    [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="קוד פתוח" }
+
+    ??? 
downloads annotate "הורדות"
+
+    - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+    - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+
+#### תצורה מומלצת
+
+דפדפן Tor הוא הדרך היחידה לגלוש באמת באינטרנט באופן אנונימי. כאשר אתה משתמש ב-Brave, אנו ממליצים לשנות את ההגדרות הבאות כדי להגן על פרטיותך מפני גורמים מסוימים, אך כל הדפדפנים מלבד [Tor דפדפן](tor.md#tor-browser) יהיו ניתנים למעקב על ידי *מישהו* בהקשר זה או אחר.
+
+ניתן למצוא אפשרויות אלו ב :material-menu: → **הגדרות** → **Brave Shields & פרטיות**
+
+##### Shields
+
+Brave כולל כמה אמצעים נגד טביעת אצבע בתכונת [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) שלו. אנו מציעים להגדיר את האפשרויות האלה [גלובלי](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) בכל הדפים שבהם אתה מבקר.
+
+##### ברירות מחדל גלובליות של Brave Shield
+
+ניתן לשדרג לאחור את האפשרויות של Shields על בסיס אתר לפי הצורך, אך כברירת מחדל אנו ממליצים להגדיר את האפשרויות הבאות:
+
+
+
+- [x] בחר **אגרסיבי** תחת חסימת עוקבים ומודעות
+
+    ??? warning "השתמש ברשימות סינון ברירת מחדל"
+    Brave מאפשר לך לבחור מסנני תוכן נוספים בדף הפנימי `brave://adblock`. אנו ממליצים לא להשתמש בתכונה זו; במקום זאת, שמור על רשימות הסינון המוגדרות כברירת מחדל. שימוש ברשימות נוספות יגרום לך להתבלט ממשתמשי Brave אחרים ועלול גם להגדיל את שטח ההתקפה אם יש ניצול ב-Brave וכלל זדוני יתווסף לאחת הרשימות שבהן אתה משתמש.
+
+- [x] בחר **שדרג חיבורים ל- HTTPS**
+- [x] (אופציונלי) בחר **חסום סקריפטים** (1)
+- [x] בחר **קפדני, עלול לשבור אתרים** תחת **חסום טביעת אצבע**
+
+
+
+1. אפשרות זו מספקת פונקציונליות דומה למצבי החסימה [המתקדמים של uBlock Origin](https://github.com/gorhill/uBlock/wiki/Blocking-mode) או להרחבה [NoScript](https://noscript.net/).
+
+##### IPFS
+
+- [x] בחר **נקה נתונים ביציאה**
+
+##### חסימת מדיה חברתית
+
+- [ ] בטל את הסימון של כל רכיבי המדיה החברתית
+
+##### הגדרות פרטיות אחרות
+
+
+
+- [x] בחר **השבת UDP שאינו פרוקסי** תחת [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] בטל סימון **אפשר לאתרים לבדוק אם יש לך שיטות תשלום שנשמרו**
+- [ ] בטל סימון **IPFS Gateway** (1)
+- [x] בחר **סגור כרטיסיות ביציאה**
+- [ ] בטל סימון **אפשר ניתוח מוצרים ששומר על הפרטיות (P3A)**
+- [ ] בטל סימון **שלח דוחות אבחון אוטומטיים**
+- [ ] בטל סימון **שליחה אוטומטית של פינג שימוש יומי ל-Brave**
+
+1. מערכת קבצים בין - כוכבית (באנגלית: InterPlanetary File System, בראשי תיבות: IPF) היא רשת מבוזרת המשמשת לאחסון ושיתוף נתונים במערכת קבצים מבוזרת. אלא אם כן אתה משתמש בתכונה, להשבית אותו.
+
+
+
+#### סנכרון Brave
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) מאפשר לנתוני הגלישה שלך (היסטוריה, סימניות וכו ') להיות נגישים בכל המכשירים שלך ללא צורך בחשבון ומגן עליהם באמצעות E2EE.
+
+## iOS
+
+ב-iOS, כל אפליקציה שיכולה לגלוש באינטרנט [מוגבלת](https://developer.apple.com/app-store/review/guidelines) לשימוש ב[מסגרת WebKit](https://developer.apple.com/documentation/webkit), כך שאין סיבה קטנה להשתמש בדפדפן אינטרנט של צד שלישי.
+
+### Safari
+
+!!! recommendation
+
+    ![Safari לוגו](assets/img/browsers/safari.svg){ align=right }
+
+    **Safari** הוא דפדפן ברירת המחדל ב - iOS. הוא כולל [תכונות פרטיות](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) כגון הגנת מעקב חכמה, דוח פרטיות, כרטיסיות גלישה פרטית מבודדות, iCloud Private Relay ושדרוגי HTTPS אוטומטיים.
+
+    [:octicons-home-16: דף הבית](https://www.apple.com/safari/){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="מדיניות פרטיות" }
+    [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=תיעוד}
+
+#### תצורה מומלצת
+
+ניתן למצוא אפשרויות אלה ב - :gear: **הגדרות** ← **Safari** ← **פרטיות ואבטחה**.
+
+##### מניעת מעקב חוצה אתרים
+
+- [x] אפשר **מנע מעקב בין אתרים**
+
+זה מאפשר [הגנת מעקב אינטליגנטי](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp) של WebKit. התכונה מסייעת בהגנה מפני מעקב לא רצוי על ידי שימוש בלמידת מכונה במכשיר כדי לעצור עוקבים. ITP מגן מפני איומים נפוצים רבים, אך הוא אינו חוסם את כל אפיקי המעקב מכיוון שהוא נועד לא להפריע לשימושיות האתר.
+
+##### דוח פרטיות
+
+דוח הפרטיות מספק תמונה של עוקבים חוצי אתרים שכרגע מונעים ממך ליצור פרופיל באתר שבו אתה מבקר. הוא יכול גם להציג דוח שבועי כדי להראות אילו עוקבים נחסמו לאורך זמן.
+
+ניתן לגשת לדוח הפרטיות דרך התפריט 'הגדרות דף '.
+
+##### שמירת הפרטיות של מדידת המודעות
+
+- [ ] השבת **פרטיות שמירה על מדידת מודעות**
+
+מדידת קליקים על מודעה השתמשה באופן מסורתי בטכנולוגיית מעקב הפוגעת בפרטיות המשתמש. [מדידת קליקים פרטית](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) היא תכונה של WebKit ותקן אינטרנט מוצע שמטרתו לאפשר למפרסמים למדוד האפקטיביות של מסעות פרסום באינטרנט מבלי להתפשר על פרטיות המשתמש.
+
+לתכונה יש מעט חששות פרטיות בפני עצמה, כך שבעוד שאתה יכול לבחור להשאיר אותה פועלת, אנו רואים בעובדה שהיא מושבתת אוטומטית בגלישה פרטית כאינדיקטור להשבית התכונה.
+
+##### גלישה פרטית תמיד
+
+פתח את Safari והקש על כפתור הכרטיסיות, הממוקם בפינה השמאלית התחתונה. לאחר מכן, הרחב את רשימת קבוצות הכרטיסיות.
+
+- [x] בחר **פרטי**
+
+מצב הגלישה הפרטית של Safari מציע הגנות פרטיות נוספות. גלישה פרטית משתמשת בהפעלה חדשה [>חולפת](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) עבור כל כרטיסייה, כלומר כרטיסיות מבודדות זו מזו. יש גם יתרונות פרטיות קטנים יותר עם גלישה פרטית, כגון אי שליחת כתובת של דף אינטרנט לאפל בעת שימוש בתכונת התרגום של Safari.
+
+שימו לב שגלישה פרטית אינה שומרת קובצי עוגיות ונתוני אתר, כך שלא ניתן יהיה להישאר מחובר לאתרים. זה עשוי להיות אי נוחות.
+
+##### iCloud Sync
+
+סנכרון של היסטוריית ספארי, קבוצות כרטיסיות, כרטיסיות iCloud וסיסמאות שמורות הם E2EE. עם זאת, כברירת מחדל, סימניות [לא](https://support.apple.com/en-us/HT202303). Apple יכולה לפענח ולגשת אליהם בהתאם ל[מדיניות הפרטיות](https://www.apple.com/legal/privacy/en-ww/) שלהם.
+
+אתה יכול להפעיל את E2EE עבור הסימניות וההורדות של Safari על ידי הפעלת [הגנה על נתונים מתקדמת](https://support.apple.com/en-us/HT212520). עבור אל **שם Apple ID שלך ← iCloud ← הגנת נתונים מתקדמת**.
+
+- [x] הפעל **הגנת נתונים מתקדמת**
+
+אם אתה משתמש ב-iCloud עם הגנת נתונים מתקדמת מושבתת, אנו ממליצים גם לבדוק כדי לוודא שמיקום ההורדה המוגדר כברירת מחדל של Safari מוגדר באופן מקומי במכשיר שלך. ניתן למצוא אפשרות זו ב -:gear: **הגדרות** ← **Safari** ← **כללי** ← **הורדות**.
+
+### AdGuard
+
+!!! 
recommendation
+
+    ![AdGuard לוגו](assets/img/browsers/adguard.svg){ align=right }
+
+    **AdGuard for iOS** הוא תוסף חסימת תוכן בקוד פתוח בחינם עבור Safari המשתמש ב-[Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
+
+    ל-AdGuard for iOS יש כמה תכונות פרימיום; עם זאת, חסימת תוכן ספארי רגילה אינה כרוכה בתשלום.
+
+    [:octicons-home-16: דף הבית](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="מדיניות פרטיות" }
+    [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=תיעוד}
+    [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="קוד מקור" }
+
+    ??? downloads "הורדות"
+
+    - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+רשימות פילטרים נוספות מאטות את הקצב ועשויות להגדיל את משטח ההתקפה שלך, אז יש ליישם רק את מה שאתה צריך.
+
+## קריטריונים
+
+**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך.
+
+!!! example "חלק זה הוא חדש"
+
+    אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך.
+
+### דרישות מינימליות
+
+- חייב לתמוך בעדכונים אוטומטיים.
+- חייב לקבל עדכוני מנוע בתוך 0 -1 ימים משחרורו במעלה הזרם.
+- כל שינוי שיידרש כדי להפוך את הדפדפן ליותר מכבד פרטיות לא צריך להשפיע לרעה על חוויית המשתמש.
+- דפדפני אנדרואיד חייבים להשתמש במנוע ה - Chromium.
+    - למרבה הצער, Mozilla GeckoView עדיין פחות מאובטחת מ-Chromium באנדרואיד.
+    - דפדפני iOS מוגבלים ל-WebKit.
+
+### קריטריונים להרחבה
+
+- אסור לשכפל דפדפן מובנה או פונקציונליות מערכת הפעלה.
+- חייב להשפיע ישירות על פרטיות המשתמש, כלומר לא חייב פשוט לספק מידע.
+
+--8<-- "includes/abbreviations.he.txt"
diff --git a/i18n/he/multi-factor-authentication.md b/i18n/he/multi-factor-authentication.md
new file mode 100644
index 00000000..3dfb9fb8
--- /dev/null
+++ b/i18n/he/multi-factor-authentication.md
@@ -0,0 +1,144 @@
+---
+title: "מאמתים מרובי גורמים"
+icon: 'material/two-factor-authentication'
+---
+
+## מפתחות אבטחה של חומרה
+
+### YubiKey
+
+!!! recommendation
+
+    ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
+
+    **YubiKeys** הם בין מפתחות האבטחה הפופולריים ביותר. לחלק מדגמי YubiKey יש מגוון רחב של תכונות כגון: [גורם שני אוניברסלי (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 ו-WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [אימות זהות אישית (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/),[TOTP ו HOTP](https://developers.yubico.com/OATH).
+
+    אחד היתרונות של YubiKey הוא שמפתח אחד יכול לעשות כמעט הכל (YubiKey 5), שאפשר לצפות ממפתח אבטחת חומרה. אנו ממליצים לך לקחת את [חידון](https://www.yubico.com/quiz/) לפני הרכישה כדי לוודא שאתה עושה את הבחירה הנכונה.
+
+    [:octicons-home-16: דף הבית](https://www.yubico.com){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="מדיניות פרטיות" }
+    [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=תיעוד}
+
+[טבלת ההשוואה](https://www.yubico.com/store/compare/) מציגה את התכונות ואת אופן ההשוואה של YubiKeys. אנו ממליצים בחום לבחור במפתחות מסדרת YubiKey 5.
+
+ניתן לתכנת את [YubiKey מנהל](https://www.yubico.com/support/download/yubikey-manager/) או [YubiKey כלי התאמה אישית](https://www.yubico.com/support/download/yubikey-personalization-tools/). לניהול קודי TOTP, תוכל להשתמש ב - [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). כל הקליינטים של Yubico הם בקוד פתוח.
+
+עבור דגמים התומכים ב - HOTP וב - TOTP, ישנם 2 חריצים בממשק ה - OTP שניתן להשתמש בהם עבור HOTP ו -32 חריצים לאחסון סודות TOTP. סודות אלה מאוחסנים מוצפנים על המפתח ואף פעם לא לחשוף אותם למכשירים הם מחוברים. 
ברגע שזרע (סוד משותף) ניתן למאמת Yubico, הוא ייתן רק את הקודים בני שש הספרות, אך לעולם לא את הזרע. מודל אבטחה זה עוזר להגביל את מה שתוקף יכול לעשות אם הוא מסכן את אחד המכשירים המריצים את המאמת של Yubico והופך את ה - YubiKey לעמיד בפני תוקף פיזי.
+
+!!! warning "אזהרה"
+    הקושחה של YubiKey אינה קוד פתוח ואינה ניתנת לעדכון. אם אתה רוצה תכונות בגרסאות קושחה חדשות יותר, או אם ישנה פגיעות בגרסת הקושחה שבה אתה משתמש, תצטרך לרכוש מפתח חדש.
+
+### Nitrokey / Librem Key
+
+!!! recommendation
+
+    ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
+
+    **ל - Nitrokey** יש מפתח אבטחה המסוגל ל- [FIDO2 ו- WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) בשם **Nitrokey FIDO2**. לתמיכה ב-PGP, עליך לרכוש אחד מהמפתחות האחרים שלהם כגון **Nitrokey Start**, **Nitrokey Pro 2** או **Nitrokey Storage 2**.
+
+    [:octicons-home-16: דף הבית](https://www.nitrokey.com){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="מדיניות פרטיות" }
+    [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=תיעוד}
+
+[טבלת ההשוואה](https://www.nitrokey.com/#comparison) מציגה את התכונות ואת ההשוואה בין דגמי Nitrokey. ל**Nitrokey 3** המופיע ברשימה תהיה ערכת תכונות משולבת.
+
+ניתן להגדיר דגמי Nitrokey באמצעות [Nitrokey app](https://www.nitrokey.com/download).
+
+עבור הדגמים התומכים ב - HOTP וב - TOTP, ישנם 3 חריצים עבור HOTP ו -15 עבור TOTP. Nitrokeys מסוימים יכולים לשמש כמנהל סיסמאות. הם יכולים לאחסן 16 אישורים שונים ולהצפין אותם באמצעות אותה סיסמה כמו ממשק OpenPGP.
+
+!!! warning "אזהרה"
+
+    בעוד ש-Nitrokeys אינם משחררים את סודות ה-HOTP/TOTP למכשיר שאליו הם מחוברים, אחסון ה-HOTP וה-TOTP **לא** מוצפן ופגיע להתקפות פיזיות. אם אתם מחפשים לאחסן HOTP או TOTP סודות אלה, אנו ממליצים בחום להשתמש ב- Yubikey במקום זאת.
+
+!!! warning "אזהרה"
+
+    איפוס ממשק OpenPGP על Nitrokey גם יגרום למסד הנתונים סיסמה [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html).
+
+Nitrokey Pro 2, Nitrokey Storage 2 וה-Nitrokey 3 הקרובים תומכים באימות שלמות המערכת עבור מחשבים ניידים עם הקושחה [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/). [Librem Key](https://puri.sm/products/librem-key/) של Purism הוא NitroKey Pro 2 ממותג מחדש עם קושחה דומה וניתן להשתמש בו גם לאותן מטרות.
+
+הקושחה של Nitrokey היא קוד פתוח, שלא כמו YubiKey. הקושחה בדגמי NitroKey המודרניים (למעט ה**NitroKey Pro 2**) ניתנת לעדכון.
+
+!!! tip "טיפ"
+
+    אפליקציית Nitrokey, על אף שהיא תואמת ל-Librem Keys, דורשת 'libnitrokey' גרסה 3.6 ומעלה כדי לזהות אותם. נכון לעכשיו, החבילה מיושנת ב-Windows, macOS ורוב ההפצות של לינוקס, כך שסביר להניח שתצטרך להרכיב את אפליקציית Nitrokey בעצמך כדי לגרום לה לעבוד עם מפתח Librem. על לינוקס, אתה יכול לקבל גרסה מעודכנת מ [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app).
+
+### קריטריונים
+
+**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך.
+
+!!! example "חלק זה הוא חדש"
+
+    אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך.
+
+#### דרישות מינימליות
+
+- יש להשתמש במודולי אבטחה עמידים לחומרה באיכות גבוהה.
+- חייב לתמוך במפרט FIDO2 העדכני ביותר.
+- אסור לאפשר חילוץ מפתח פרטי.
+- מכשירים שעולים מעל $35 חייבים לתמוך בטיפול ב-OpenPGP וב-S/MIME.
+
+#### המקרה הטוב ביותר
+
+הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. 
ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה.
+
+- אמור להיות זמין בפורמט USB-C.
+- אמור להיות זמין עם NFC.
+- אמור לתמוך באחסון סודי ב-TOTP.
+- אמור לתמוך בעדכוני קושחה מאובטחים.
+
+## אפליקציות מאמתות
+
+יישומי אימות מיישמים תקן אבטחה שאומץ על ידי כוח המשימה להנדסת אינטרנט (IETF) הנקרא **סיסמאות חד פעמיות חד פעמיות מבוססות זמן**, או **TOTP**. זוהי שיטה שבה אתרי אינטרנט משתפים איתך סוד המשמש את אפליקציית האימות שלך כדי ליצור קוד בן שש ספרות (בדרך כלל) בהתבסס על השעה הנוכחית, שאותה אתה מזין בעת הכניסה לאתר כדי לבדוק. בדרך כלל קודים אלה מתחדשים כל 30 שניות, וברגע שנוצר קוד חדש הקוד הישן הופך לחסר תועלת. גם אם האקר מקבל קוד אחד בן שש ספרות, אין דרך להפוך את הקוד כדי לקבל את הסוד המקורי או אחרת להיות מסוגל לחזות מה כל קודים עתידיים עשויים להיות.
+
+אנו ממליצים בחום להשתמש באפליקציות TOTP למכשירים ניידים במקום בחלופות לשולחן העבודה, מכיוון שלאנדרואיד ול-iOS יש אבטחה ובידוד אפליקציות טובים יותר מרוב מערכות ההפעלה השולחניות.
+
+### Aegis Authenticator (אנדרואיד)
+
+!!! recommendation
+
+    ![Aegis לוגו](assets/img/multi-factor-authentication/aegis.png){ align=right }
+
+    **Aegis Authenticator** היא אפליקציה חינמית, מאובטחת וקוד פתוח לניהול אסימוני האימות הדו-שלביים שלך עבור השירותים המקוונים שלך.
+
+    [:octicons-home-16: דף הבית](https://getaegis.app){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="מדיניות פרטיות" }
+    [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=תיעוד}
+    [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="קוד מקור" }
+    [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=לתרומה }
+
+    ??? 
downloads "הורדות"
+
+    - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
+    - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases)
+
+### Raivo OTP (iOS)
+
+!!! recommendation
+
+    ![Raivo OTP לוגו](assets/img/multi-factor-authentication/raivo-otp.png){ align=right }
+
+    **Raivo OTP** הוא קליינט סיסמאות מקורי, קל משקל ומאובטח מבוסס זמן (TOTP) & ומבוסס נגד (HOTP) עבור iOS. Raivo OTP מציע אופציונלי גיבוי iCloud & סנכרון. Raivo OTP זמין גם עבור macOS בצורה של יישום שורת מצב, אולם יישום Mac אינו פועל ללא תלות ביישום iOS.
+
+    [:octicons-home-16: דף הבית](https://raivo-otp.com){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="מדיניות פרטיות" }
+    [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="קוד מקור" }
+    [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=לתרומה }
+
+    ??? downloads "הורדות"
+
+    - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
+
+### קריטריונים
+
+**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך.
+
+!!! example "חלק זה הוא חדש"
+
+    אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך.
+
+- חייבת להיות תוכנת קוד פתוח.
+- אסור לדרוש חיבור לאינטרנט.
+- אסור לסנכרן לשירות סנכרון/גיבוי בענן של צד שלישי.
+    - **אופציונלי** תמיכה בסנכרון E2EE עם כלים מקוריים של מערכת ההפעלה מקובלת, למשל. 
סנכרון מוצפן באמצעות iCloud.
+
+--8<-- "includes/abbreviations.he.txt"
diff --git a/i18n/he/news-aggregators.md b/i18n/he/news-aggregators.md
new file mode 100644
index 00000000..313fc71f
--- /dev/null
+++ b/i18n/he/news-aggregators.md
@@ -0,0 +1,173 @@ +--- +title: "צוברי חדשות" +icon: material/rss +--- + +[צובר חדשות](https://en.wikipedia.org/wiki/News_aggregator) הוא דרך לשמור על קשר עם הבלוגים ואתרי החדשות האהובים עליך. + +## קליינטים צוברי חדשות + +### Akregator + +!!! recommendation + + ![Akregator לוגו](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** הוא קורא ניוז פיד המהווה חלק מפרויקט [KDE](https://kde.org). הוא מגיע עם חיפוש מהיר, פונקציונליות ארכיון מתקדמת ודפדפן פנימי לקריאת חדשות קלה. + + [:octicons-home-16: דף הבית](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=תיעוד} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** הוא קליינט RSS מודרני עבור אנדרואיד שיש לו רבים [features](https://gitlab.com/spacecowboy/Feeder#features) ועובד היטב עם תיקיות של הזנות RSS. הוא תומך ב [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: מאגר](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=לתרומה } + + ??? 
downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader לוגו](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** הוא צובר חדשות מאובטח חוצה פלטפורמות הכולל תכונות פרטיות שימושיות כגון מחיקת קובצי Cookie ביציאה, [מדיניות אבטחת תוכן (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) קפדנית ותמיכה בפרוקסי, כלומר אתה יכול להשתמש בו מעל [Tor](tor.md). + + [:octicons-home-16: דף הבית](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds לוגו](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **Feeds GNOME** הם [RSS](https://en.wikipedia.org/wiki/RSS) ו-[Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) קורא חדשות עבור [GNOME](https://www.gnome.org). יש לו ממשק פשוט והוא די מהיר. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? 
downloads "הורדות" + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux לוגו](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux לוגו](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** הוא צובר חדשות מבוסס אינטרנט שתוכלו לארח בעצמכם. הוא תומך ב [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: דף הבית](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=לתרומה } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire לוגו](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** קורא עדכונים חינמי וקוד פתוח עבור macOS ו-iOS עם התמקדות בעיצוב ותכונות מקוריות. הוא תומך בפורמטי הפיד הטיפוסיים לצד תמיכה מובנית בפיד של טוויטר ו-Reddit. + + [:octicons-home-16: דף הבית](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! 
recommendation + + ![Newsboat לוגו](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** הוא קורא הזנת RSS/Atom עבור קונסולת הטקסט. זהו נגזר מתוחזק באופן פעיל של [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). הוא קל מאוד, ואידיאלי לשימוש מעל [Secure Shell]( https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- חייבת להיות תוכנת קוד פתוח. +- חייב לפעול באופן מקומי, כלומר חייב לא להיות שירות ענן. + +## תמיכה ב- RSS של מדיה חברתית + +חלק משירותי המדיה החברתית תומכים גם ב - RSS, אם כי הוא לא מפורסם לעתים קרובות. + +### Reddit + +Reddit מאפשר לך להירשם ל subreddits באמצעות RSS. + +!!! example "דוגמא" + החלף `subreddit_name` עם subreddit שברצונך להירשם אליו. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +באמצעות כל אחד מ[מופעים](https://github.com/zedeus/nitter/wiki/Instances) של Nitter תוכל להירשם בקלות באמצעות RSS. + +!!! example "דוגמא" + 1. בחר מופע והגדר `nitter_instance`. + 2. 
החלף את `twitter_account` בשם החשבון.
+
+```text
+https://{{ nitter_instance }}/{{ twitter_account }}/rss
+```
+
+### יוטיוב
+
+אתה יכול להירשם לערוצי יוטיוב מבלי להתחבר ולשייך פרטי שימוש לחשבון גוגל שלך.
+
+!!! example "דוגמא"
+
+כדי להירשם לערוץ YouTube עם לקוח RSS, חפש תחילה את [קוד הערוץ](https://support.google.com/youtube/answer/6180214), החלף את '[מזהה ערוץ]' למטה:
+```text
+https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID]
+```
+
+--8<-- "includes/abbreviations.he.txt"
diff --git a/i18n/he/notebooks.md b/i18n/he/notebooks.md
new file mode 100644
index 00000000..4c34472e
--- /dev/null
+++ b/i18n/he/notebooks.md
@@ -0,0 +1,115 @@ +--- +title: "פנקס רשימות" +icon: material/notebook-edit-outline +--- + +עקוב אחר ההערות והיומנים שלך מבלי למסור אותם לצד שלישי. + +אם אתה משתמש כעת באפליקציה כמו Evernote, Google Keep או Microsoft OneNote, אנו מציעים שתבחר כאן חלופה שתומכת ב-E2EE. + +## מבוסס ענן + +### Joplin + +!!! recommendation + + ![Joplin לוגו](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** הוא יישום חינמי, קוד פתוח ומלא תכונות לרישום הערות ומשימות שיכול להתמודד עם מספר רב של הערות סימון מאורגנים במחברות ותגים. הוא מציע E2EE ויכול לסנכרן דרך Nextcloud, Dropbox ועוד. הוא מציע גם ייבוא קל מ-Evernote והערות בטקסט רגיל. + + [:octicons-home-16: דף הבית](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin אינו תומך בהגנה על סיסמה/PIN עבור [יישום עצמו או רשימות ומחברות בודדות](https://github.com/laurent22/joplin/issues/289). 
עם זאת, הנתונים שלך עדיין מוצפנים במעבר ובמיקום הסנכרון באמצעות מפתח הראשי שלך. + +### Standard Notes + +!!! recommendation + + ![Standard Notes לוגו](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** היא אפליקציית הערות פשוטה ופרטית שהופכת את ההערות שלך לקלות וזמינות בכל מקום שבו אתה נמצא. הוא כולל E2EE בכל פלטפורמה, וחוויית שולחן עבודה רבת עוצמה עם ערכות עיצוב ואפשריות עריכה מותאמים אישית. הוא גם עבר [ביקורת עצמאית (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee לוגו](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee לוגו](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** הוא קוד פתוח מבוסס אינטרנט E2EE עורך מסמכים ויישום אחסון תמונות. Cryptee הוא PWA, מה שאומר שהוא עובד בצורה חלקה בכל המכשירים המודרניים מבלי לדרוש אפליקציות מקוריות עבור כל פלטפורמה בהתאמה. 
+ + [:octicons-home-16: דף הבית](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee מציע 100MB של אחסון בחינם, עם אפשרויות בתשלום אם אתה צריך יותר. ההרשמה אינה דורשת דואר אלקטרוני או מידע מזהה אישי אחר. + +## מחברות מקומיות + +### מצב ארגון + +!!! recommendation + + ![Org-mode לוגו](assets/img/notebooks/org-mode.svg){ align=right } + + **מצב ארגוני** הוא [מצב ראשי](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) עבור גנו Emacs. מצב ארגוני מיועד לשמירת הערות, שמירה על רשימות TODO, תכנון פרויקטים ועריכת מסמכים באמצעות מערכת טקסט רגיל מהירה ויעילה. סינכרון אפשרי באמצעות הכלי [file synchronization](file-sharing.md#file-sync). + + [:octicons-home-16: דף הבית](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=תיעוד} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=לתרומה } + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. 
ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך.
+
+- הלקוחות צריכים להיות בקוד פתוח.
+- כל פונקציונליות של סנכרון ענן חייבת להיות E2EE.
+- חייב לתמוך בייצוא מסמכים לפורמט סטנדרטי.
+
+### המקרה הטוב ביותר
+
+- פונקציונליות גיבוי/סנכרון מקומית אמורה לתמוך בהצפנה.
+- פלטפורמות מבוססות ענן צריכות לתמוך בשיתוף מסמכים.
+
+--8<-- "includes/abbreviations.he.txt"
diff --git a/i18n/he/os/android-overview.md b/i18n/he/os/android-overview.md
new file mode 100644
index 00000000..e81644ca
--- /dev/null
+++ b/i18n/he/os/android-overview.md
@@ -0,0 +1,135 @@ +--- +title: סקירה כללית של אנדרואיד +icon: simple/android +--- + +אנדרואיד היא מערכת הפעלה מאובטחת הכוללת [ארגז חול חזק של אפליקציות](https://source.android.com/security/app-sandbox), [אתחול מאומת](https://source.android.com/security/verifiedboot) (AVB) ומערכת בקרת [הרשאות](https://developer.android.com/guide/topics/permissions/overview) חזקה. + +## בחירת הפצת אנדרואיד + +כאשר אתה קונה טלפון אנדרואיד, מערכת ההפעלה המוגדרת כברירת מחדל של המכשיר מגיעה לרוב עם אינטגרציה פולשנית עם אפליקציות ושירותים שאינם חלק מ[פרויקט הקוד הפתוח של אנדרואיד](https://source.android.com/). דוגמה כזו היא שירותי Google Play, שיש לו הרשאות בלתי חוזרות לגשת לקבצים שלך, אחסון אנשי הקשר, יומני שיחות, הודעות SMS, מיקום, מצלמה, מיקרופון, מזהי חומרה וכו'. אפליקציות ושירותים אלו מגדילים את משטח ההתקפה של המכשיר שלך ומהווים מקור לחששות פרטיות שונים עם אנדרואיד. + +ניתן לפתור בעיה זו באמצעות הפצת אנדרואיד מותאמת אישית שאינה מגיעה עם אינטגרציה פולשנית כזו. לרוע המזל, הפצות רבות של אנדרואיד מותאמות אישית מפרות לעתים קרובות את מודל האבטחה של אנדרואיד בכך שאינן תומכות בתכונות אבטחה קריטיות כגון AVB, הגנה לאחור, עדכוני קושחה וכן הלאה. חלק מההפצות מספקות גם רכיבי [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) אשר חושפים שורש באמצעות [ADB](https://developer.android.com/studio/command-line/adb) ודורשים [מדיניות](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux מתירנית יותר כדי להתאים לתכונות ניפוי באגים, וכתוצאה מכך משטח התקפה מוגדל נוסף ומודל אבטחה מוחלש. + +באופן אידיאלי, בעת בחירת הפצת אנדרואיד מותאמת אישית, עליך לוודא שהיא מקיימת את מודל האבטחה של אנדרואיד. לכל הפחות, להפצה צריכה להיות בניית ייצור, תמיכה ב-AVB, הגנה על חזרה, עדכוני קושחה ומערכת הפעלה בזמן, ו-SELinux ב[מצב אכיפה](https://source.android.com/security/selinux/concepts#enforcement_levels). כל הפצות האנדרואיד המומלצות שלנו עומדות בקריטריונים האלה. 
+ +[המלצות מערכת אנדרואיד שלנו :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## הימנע מהשתרשות + +[השרשת](https://en.wikipedia.org/wiki/Rooting_(Android)) טלפונים אנדרואיד יכולים להפחית את האבטחה באופן משמעותי מכיוון שהוא מחליש את [מודל האבטחה של אנדרואיד](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). זה יכול להפחית את הפרטיות אם יש ניצול הנעזר בירידה באבטחה. שיטות השתרשות נפוצות כוללות התעסקות ישירה במחיצת האתחול, מה שהופך את זה לבלתי אפשרי לבצע אתחול מאומת בהצלחה. אפליקציות הדורשות שורש ישנו גם את מחיצת המערכת, כלומר אתחול מאומת יצטרך להישאר מושבת. חשיפת השורש ישירות בממשק המשתמש גם מגדילה את [משטח ההתקפה](https://en.wikipedia.org/wiki/Attack_surface) של המכשיר שלך ועשויה לסייע ב[הסלמה של הרשאות](https://en.wikipedia.org/wiki/Privilege_escalation) פגיעויות ועקיפות מדיניות SELinux. + +חוסמי פרסומות, המשנים את [קובץ המארחים](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) וחומות אש (AFWall+) הדורשות גישת בסיס מתמשכת הם מסוכנים ו אסור להשתמש. הם גם לא הדרך הנכונה לפתור את מטרותיהם המיועדות. לחסימת מודעות אנו מציעים במקום זאת פתרונות חסימת שרת [DNS](../dns.md) או [VPN](../vpn.md) מוצפנים. RethinkDNS, TrackerControl ו-AdAway במצב ללא-שורש יתפסו את חריץ ה-VPN (על ידי שימוש ב-VPN עם לולאה מקומית) וימנעו ממך להשתמש בשירותים לשיפור הפרטיות כגון Orbot או שרת VPN אמיתי. + +AFWall+ פועל על בסיס גישת [סינון חבילות](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) וייתכן שניתן לעקוף אותו במצבים מסוימים. + +אנחנו לא מאמינים שקורבנות האבטחה שנעשו על ידי השתרשות טלפון שווים את יתרונות הפרטיות המפוקפקים של אפליקציות אלה. + +## אתחול מאומת + +[אתחול מאומת](https://source.android.com/security/verifiedboot) הוא חלק חשוב ממודל האבטחה של אנדרואיד. הוא מספק הגנה מפני התקפות [משרתת רעה](https://en.wikipedia.org/wiki/Evil_maid_attack), התמדה של תוכנות זדוניות, ומבטיח שלא ניתן לשדרג לאחור עדכוני אבטחה עם [הגנה לאחור](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). 
+ +אנדרואיד 10 ומעלה עברה מהצפנה בדיסק מלא ל[הצפנה מבוססת קבצים](https://source.android.com/security/encryption/file-based) גמישה יותר. הנתונים שלך מוצפנים באמצעות מפתחות הצפנה ייחודיים, וקבצי מערכת ההפעלה נותרים לא מוצפנים. + +אתחול מאומת מבטיח את שלמות קבצי מערכת ההפעלה, ובכך מונע מיריב בעל גישה פיזית לחבל או להתקין תוכנה זדונית במכשיר. במקרה הבלתי סביר שתוכנות זדוניות מסוגלות לנצל חלקים אחרים של המערכת ולהשיג גישה מוסמכת יותר, אתחול מאומת ימנע ותחזיר שינויים במחיצת המערכת עם אתחול המכשיר מחדש. + +למרבה הצער, יצרני ציוד מקורי מחויבים לתמוך באתחול מאומת רק בהפצת אנדרואיד בברירת מחדל שלהם. רק כמה יצרני OEM כגון גוגל תומכים ברישום מפתח AVB מותאם אישית במכשירים שלהם. בנוסף, חלק מנגזרות AOSP כגון LineageOS או /e/ OS אינן תומכות ב-Verified Boot אפילו בחומרה עם תמיכה ב-Verified Boot עבור מערכות הפעלה של צד שלישי. אנו ממליצים לבדוק אם יש תמיכה **לפני** רכישת מכשיר חדש. נגזרות AOSP שאינן תומכות באתחול מאומת **לא** מומלצות. + +יצרני OEM רבים גם עשו יישום שבור של אתחול מאומת שעליך להיות מודע אליו מעבר לשיווק שלהם. לדוגמה, ה-Fairphone 3 ו-4 אינם מאובטחים כברירת מחדל, מכיוון ש[מטען האתחול של הברירת מחדל סומך על מפתח החתימה הציבורי של ](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11)AVB. זה שובר אתחול מאומת במכשיר Fairphone ברירת מחדל, מכיוון שהמערכת תאתחל מערכות הפעלה חלופיות של אנדרואיד כגון (כגון /e/) [ללא כל אזהרה](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) לגבי שימוש מותאם אישית במערכת ההפעלה. + +## עדכוני קושחה + +עדכוני קושחה הם קריטיים לשמירה על האבטחה ובלעדיהם המכשיר שלך לא יכול להיות מאובטח. ליצרני ציוד מקורי יש הסכמי תמיכה עם השותפים שלהם כדי לספק את רכיבי הקוד הסגור לתקופת תמיכה מוגבלת. אלה מפורטים ב[עלוני האבטחה של אנדרואיד](https://source.android.com/security/bulletin) החודשיים. + +מכיוון שרכיבי הטלפון, כגון טכנולוגיות המעבד והרדיו, מסתמכים על רכיבי קוד סגור, העדכונים חייבים להיות מסופקים על ידי היצרנים המתאימים. לכן, חשוב שתרכוש מכשיר בתוך מחזור תמיכה פעיל. 
[קוואלקום](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) ו[סמסונג](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) תומכות במכשירים שלהן במשך 4 שנים, בעוד שלמוצרים זולים יותר יש לרוב מחזורי תמיכה קצרים יותר. עם ההשקה של [פיקסל 6](https://support.google.com/pixelphone/answer/4457705), גוגל מייצרת כעת את ה-SoC שלהם והם יספקו לפחות 5 שנים של תמיכה. + +מכשירי EOL שאינם נתמכים עוד על ידי יצרן ה-SoC אינם יכולים לקבל עדכוני קושחה מספקי OEM או מפיצי אנדרואיד לאחר השוק. משמעות הדבר היא שבעיות אבטחה במכשירים אלה יישארו ללא תיקון. + +Fairphone, למשל, משווקת את המכשירים שלהם כמקבלים 6 שנות תמיכה. עם זאת, ל-SoC (Qualcomm Snapdragon 750G ב-Fairphone 4) יש תאריך EOL קצר בהרבה. המשמעות היא שעדכוני אבטחת קושחה מ-Qualcomm עבור Fairphone 4 יסתיימו בספטמבר 2023, ללא קשר לשאלה אם Fairphone תמשיך לשחרר עדכוני אבטחה תוכנה. + +## גרסאות אנדרואיד + +חשוב לא להשתמש בגרסת [סוף החיים](https://endoflife.date/android) של אנדרואיד. גרסאות חדשות יותר של אנדרואיד לא רק מקבלות עדכוני אבטחה עבור מערכת ההפעלה אלא גם עדכונים חשובים לשיפור הפרטיות. לדוגמה, [לפני אנדרואיד 10](https://developer.android.com/about/versions/10/privacy/changes), כל אפליקציה עם הרשאת [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) יכלו לגשת למספרים סידוריים רגישים וייחודיים של הטלפון שלך כגון [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), כרטיס ה-SIM שלך[IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), בעוד שכעת הם חייבים להיות אפליקציות מערכת כדי לעשות זאת. אפליקציות מערכת מסופקות רק על ידי הפצת OEM או אנדרואיד. + +## הרשאות אנדרואיד + +[הרשאות ב-אנדרואיד](https://developer.android.com/guide/topics/permissions/overview) מעניקות לך שליטה על האפליקציות המורשות לגשת. 
גוגל מבצעת בקביעות [שיפורים](https://developer.android.com/about/versions/11/privacy/permissions) במערכת ההרשאות בכל גרסה עוקבת. כל האפליקציות שאתה מתקין הן אך ורק [ארגז חול](https://source.android.com/security/app-sandbox), לכן, אין צורך להתקין אפליקציות אנטי וירוס. סמארטפון עם הגרסה העדכנית ביותר של אנדרואיד תמיד יהיה מאובטח יותר מסמארטפון ישן עם אנטי וירוס ששילמת עליו. עדיף לא לשלם על תוכנת אנטי וירוס ולחסוך כסף בקניית סמארטפון חדש כמו גוגל פיקסל. + +אם תרצה להפעיל אפליקציה שאינך בטוח לגביה, שקול להשתמש בפרופיל משתמש או עבודה. + +## גישה למדיה + +לא מעט אפליקציות מאפשרות "לחלוק" איתם קובץ להעלאת מדיה. אם אתה רוצה, למשל, לצייץ תמונה לטוויטר, אל תעניק לטוויטר גישה ל"מדיה ותמונות" שלך, כי אז תהיה לה גישה לכל התמונות שלך. במקום זאת, עבור אל מנהל הקבצים שלך (documentsUI), שמור את התמונה ולאחר מכן שתף אותה עם טוויטר. + +## פרופילי משתמשים + +ניתן למצוא פרופילי משתמש מרובים ב**הגדרות** ← **מערכת** ← **משתמש מרובים** והם הדרך הפשוטה ביותר לבודד באנדרואיד. + +עם פרופילי משתמש, אתה יכול להטיל הגבלות על פרופיל ספציפי, כגון: ביצוע שיחות, שימוש ב-SMS או התקנת אפליקציות במכשיר. כל פרופיל מוצפן באמצעות מפתח הצפנה משלו ואינו יכול לגשת לנתונים של אף פרופיל אחר. אפילו בעל המכשיר לא יכול לראות את הנתונים של פרופילים אחרים מבלי לדעת את הסיסמה שלהם. פרופילי משתמשים מרובים הם שיטה בטוחה יותר לבידוד. + +## פרופיל עבודה + +[פרופילי עבודה](https://support.google.com/work/android/answer/6191949) הם דרך נוספת לבודד אפליקציות בודדות ועשויה להיות נוחה יותר מפרופילי משתמשים נפרדים. + +נדרשת אפליקציית **בקר מכשיר** כגון [Shelter](#recommended-apps) כדי ליצור פרופיל עבודה ללא MDM ארגוני, אלא אם אתה משתמש במערכת הפעלה אנדרואיד מותאמת אישית הכוללת אחת. + +פרופיל העבודה תלוי בבקר התקן כדי לתפקד. תכונות כגון *מעבורת קבצים* ו*חסימת חיפוש אנשי קשר* או כל סוג של תכונות בידוד חייבות להיות מיושמות על ידי הבקר. עליך גם לסמוך באופן מלא על אפליקציית בקר המכשיר, מכיוון שיש לה גישה מלאה לנתונים שלך בתוך פרופיל העבודה. 
+ +שיטה זו בדרך כלל פחות מאובטחת מפרופיל משתמש משני; עם זאת, זה כן מאפשר לך את הנוחות של הפעלת אפליקציות בפרופיל העבודה וגם בפרופיל האישי בו-זמנית. + +## מתג הרג VPN + +אנדרואיד 7 ומעלה תומך ב-VPN Killswitch והוא זמין ללא צורך בהתקנת אפליקציות של צד שלישי. תכונה זו יכולה למנוע דליפות אם ה-VPN מנותק. ניתן למצוא אותו ב:gear: **הגדרות** ← **רשת & אינטרנט** ← **VPN** ← :gear: ← **חסום חיבורים ללא VPN**. + +## חילופי מצבים גלובליים + +למכשירי אנדרואיד מודרניים יש בוררים גלובליים לביטול Bluetooth ושירותי מיקום. אנדרואיד 12 הציגה את המתגים למצלמה ולמיקרופון. כאשר לא בשימוש, אנו ממליצים להשבית תכונות אלה. אפליקציות לא יכולות להשתמש בתכונות מושבתות (גם אם ניתנה להן הרשאה פרטנית) עד להפעלה מחדש. + +## גוגל + +אם אתה משתמש במכשיר עם שירותי Google, בין אם מערכת ההפעלה ברירת מחדל שלך או מערכת הפעלה המארחת בבטחה את שירותי Google Play כמו GrapheneOS, ישנם מספר שינויים נוספים שתוכל לבצע כדי לשפר את הפרטיות שלך. אנו עדיין ממליצים להימנע לחלוטין משירותי Google, או להגביל את שירותי Google Play לפרופיל משתמש/עבודה ספציפי על ידי שילוב של בקר מכשיר כמו *Shelter* עם Google Play Sandboxed של GrapheneOS. + +### תוכנית הגנה מתקדמת + +אם יש לך חשבון Google, אנו מציעים להירשם ל[תוכנית ההגנה המתקדמת](https://landing.google.com/advancedprotection/). הוא זמין ללא עלות לכל מי שיש לו שני מפתחות אבטחה חומרה או יותר עם תמיכה ב[FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online). 
+ +תוכנית ההגנה המתקדמת מספקת ניטור איומים משופר ומאפשרת: + +- אימות דו-גורמי מחמיר יותר; למשל שחייבים להשתמש ב-[FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** ואוסר את השימוש ב- [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) ו [OAuth](https://en.wikipedia.org/wiki/OAuth) +- רק גוגל ואפליקציות צד שלישי מאומתות יכולות לגשת לנתוני החשבון +- סריקה של הודעות דוא"ל נכנסות בחשבונות Gmail עבור ניסיונות [דיוג](https://en.wikipedia.org/wiki/Phishing#Email_phishing) +- [סריקת דפדפן בטוחה](https://www.google.com/chrome/privacy/whitepaper.html#malware) מחמירה יותר עם Google Chrome +- תהליך שחזור מחמיר יותר עבור חשבונות עם אישורים שאבדו + + עבור משתמשים שמשתמשים בשירותי Google Play המועדפים (הנפוצים במערכות הפעלה שמגיעות בברירת מחדל), תוכנית ההגנה המתקדמת מגיעה גם עם [הטבות נוספות](https://support.google.com/accounts/answer/9764949?hl=en) כגון: + +- לא לאפשר התקנת אפליקציות מחוץ לחנות Google Play, חנות האפליקציות של ספק מערכת ההפעלה או דרך [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- סריקת התקן אוטומטית חובה עם [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- אזהרה לגבי יישומים לא מאומתים + +### עדכוני מערכת Google Play + +בעבר, עדכוני אבטחה אנדרואיד היו צריכים להישלח על ידי ספק מערכת ההפעלה. אנדרואיד הפכה מודולרית יותר החל מאנדרואיד 10, וגוגל יכולה לדחוף עדכוני אבטחה עבור **חלק** רכיבי מערכת באמצעות שירותי Play המועדפים. + +אם יש לך מכשיר EOL שנשלח עם אנדרואיד 10 ומעלה ואינך יכול להריץ אף אחת ממערכות ההפעלה המומלצות שלנו במכשיר שלך, סביר להניח שעדיף לך להישאר עם התקנת האנדרואיד של היצרן ציוד המקורי (בניגוד למערכת הפעלה שאינה מופיעה ברשימה כאן כגון LineageOS או /e/ OS). זה יאפשר לך לקבל **כמה**תיקוני אבטחה מגוגל, מבלי להפר את מודל האבטחה של אנדרואיד על ידי שימוש בנגזרת אנדרואיד לא מאובטחת והגדלת משטח ההתקפה שלך. 
אנו עדיין ממליצים לשדרג למכשיר נתמך בהקדם האפשרי. + +### מזהה פרסום + +כל המכשירים עם שירותי Google Play מותקנים באופן אוטומטי מייצרים [>מזהה פרסום](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) המשמש לפרסום ממוקד. השבת תכונה זו כדי להגביל את הנתונים שנאספו עליך. + +בהפצות אנדרואיד עם [Google Play בארגז חול](https://grapheneos.org/usage#sandboxed-google-play), עבור אל :gear: **הגדרות** ← **אפליקציות** → **Google Play בארגז חול** ← **הגדרות גוגל** ← **מודעות**, ותבחר *מחק מזהה פרסום*. + +בהפצות אנדרואיד עם שירותי Google Play מורשים (כגון מערכת הפעלה ברירת מחדל), ההגדרה עשויה להיות באחד מכמה מיקומים. בדיקה + +- :gear: **הגדרות** ← **גוגל** ← **מודעות** +- :gear: **הגדרות** ← **גוגל** ← **מודעות** + +תינתן לך האפשרות למחוק את מזהה הפרסום שלך או *לבטל את הסכמתך למודעות מבוססות עניין*, זה משתנה בין הפצות OEM של אנדרואיד. אם מוצגת האפשרות למחוק את מזהה הפרסום המועדף. אם לא, הקפד לבטל את הסכמתך ולאפס את מזהה הפרסום שלך. + +### SafetyNet ו-Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) וה[ממשק API של Play Integrity](https://developer.android.com/google/play/integrity) משמשים בדרך כלל עבור [אפליקציות בנקאיות](https://grapheneos.org/usage#banking-apps). אפליקציות בנקאות רבות יעבדו מצוין ב-GrapheneOS עם שירותי Play בארגז חול, אולם לחלק מהאפליקציות הלא פיננסיות יש מנגנוני אנטי-שיבוש גולמיים משלהם שעלולים להיכשל. GrapheneOS עובר את בדיקת `basicIntegrity`, אך לא את בדיקת האישור `ctsProfileMatch`. למכשירים עם אנדרואיד 8 ואילך יש תמיכה באישורי חומרה שלא ניתן לעקוף ללא מפתחות דלופים או פגיעויות חמורות. + +לגבי ארנק Google, אנו לא ממליצים על כך בשל [ מדיניות הפרטיות שלהם](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), הקובעת שעליך לבטל את הסכמתך אם אינך רוצה שדירוג האשראי והמידע האישי שלך ישותפו עם שירותי שיווק שותפים. + +--8<-- "includes/abbreviations.he.txt" 
diff --git a/i18n/he/os/linux-overview.md b/i18n/he/os/linux-overview.md
new file mode 100644
index 00000000..a0815905
--- /dev/null
+++ b/i18n/he/os/linux-overview.md
@@ -0,0 +1,143 @@ +--- +title: סקירה כללית של לינוקס +icon: simple/linux +--- + +לעתים קרובות מאמינים שתוכנת [קוד פתוח](https://en.wikipedia.org/wiki/Open-source_software) מאובטחת מטבעה מכיוון שקוד המקור זמין. קיימת ציפייה שאימות קהילה מתרחש באופן קבוע; עם זאת, זה לא תמיד [המקרה](https://seirdy.one/posts/2022/02/02/floss-security/). זה אכן תלוי במספר גורמים, כגון פעילות הפרויקט, חוויית מפתח, רמת הקפדה על [ביקורות קוד](https://en.wikipedia.org/wiki/Code_review), וכן באיזו תדירות ניתנת תשומת לב לחלקים ספציפיים של [בסיס הקוד](https://en.wikipedia.org/wiki/Codebase) שעלולים להישאר ללא נגיעה במשך שנים. + +נכון לעכשיו, ללינוקס שולחני יש כמה תחומים שניתן לשפר טוב יותר בהשוואה לעמיתיהם הקנייניים, למשל.: + +- שרשרת אתחול מאומתת, כמו [אתחול מאובטח](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) של אפל (עם [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)),של אנדרואיד [אתחול מאומת](https://source.android.com/security/verifiedboot), ChromeOS' [אתחול מאומת](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), או Microsoft Windows’s [תהליך האתחול](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) עם [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). תכונות וטכנולוגיות חומרה אלו יכולות לעזור למנוע התעסקות מתמשכת על ידי תוכנות זדוניות או [התקפות עוזרות מרושעות](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- פתרון ארגזי חול חזק כמו זה שנמצא ב- [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), ו- [אנדרואיד](https://source.android.com/security/app-sandbox). 
פתרונות ארגז חול נפוצים של לינוקס כגון [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) ו- [Firejail](https://firejail.wordpress.com/) עדיין יש דרך ארוכה לפניו +- חזק [ניצול ההקלות](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +למרות החסרונות הללו, הפצות לינוקס לשולחן העבודה הן נהדרות אם אתה רוצה: + +- הימנע מטלמטריה שמגיעה לרוב עם מערכות הפעלה קנייניות +- לשמור על [חופש תוכנה](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- יש מערכות ממוקדות פרטיות כגון [Whonix](https://www.whonix.org) או [Tails](https://tails.boum.org/) + +האתר שלנו משתמש בדרך כלל במונח "לינוקס" כדי לתאר הפצות לינוקס לשולחן העבודה. מערכות הפעלה אחרות המשתמשות גם בליבת לינוקס כמו ChromeOS, אנדרואיד ו-Qubes OS אינן נדונות כאן. + +[המלצות לינוקס שלנו :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## בחירת ההפצה שלך + +לא כל ההפצות של לינוקס נוצרו שוות. בעוד שדף ההמלצות שלנו ללינוקס לא נועד להיות מקור סמכותי לגבי ההפצה שבה אתה צריך להשתמש, יש כמה דברים שאתה צריך לזכור כאשר אתה בוחר באיזו הפצה להשתמש. + +### מחזור שחרור + +אנו ממליצים בחום לבחור בהפצות שנשארות קרובות למהדורות התוכנה היציבות במעלה הזרם, המכונה לעתים קרובות הפצות מהדורות מתגלגלות. הסיבה לכך היא שהפצות מחזור שחרור קפוא לרוב אינן מעדכנות גרסאות חבילה ונגררות לפי עדכוני אבטחה. + +עבור הפצות קפואות כגון [Debian](https://www.debian.org/security/faq#handling), מתחזקים חבילות צפויים לבצע אחורה תיקונים כדי לתקן נקודות תורפה במקום להקפיץ את התוכנה ל- "הגרסה הבאה" שפורסמה על ידי המפתח במעלה הזרם. חלק מתיקוני האבטחה [אינם](https://arxiv.org/abs/2105.14565) מקבלים [CVE ](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (במיוחד תוכנה פחות פופולרית) בכלל ולכן אל תכנסו להפצה עם מודל התיקון הזה. כתוצאה מכך תיקוני אבטחה קלים מתעכבים לפעמים עד לגרסה הגדולה הבאה. + +אנחנו לא מאמינים שהחזקת חבילות והחלת תיקוני ביניים הם רעיון טוב, מכיוון שהוא שונה מהדרך שבה המפתח התכוון שהתוכנה תעבוד. 
ל [Richard Brown](https://rootco.de/aboutme/) יש מצגת על נושא זה: + +
+ +
+ +### עדכונים מסורתיים לעומת עדכונים אטומיים + +באופן מסורתי, הפצות לינוקס מתעדכנות על ידי עדכון רציף של החבילות הרצויות. עדכונים מסורתיים כמו אלה המשמשים בהפצות מבוססות פדורה, Arch Linux ודביאן יכולים להיות פחות אמינים אם מתרחשת שגיאה בזמן העדכון. + +הפצות עדכון אטומי מיישמות עדכונים במלואם או לא בכלל. בדרך כלל, מערכות עדכון עסקאות הן גם אטומיות. + +מערכת עדכון עסקה יוצרת תמונת מצב שנעשתה לפני ואחרי החלת עדכון. אם עדכון נכשל בכל עת (אולי בגלל הפסקת חשמל), ניתן להחזיר את העדכון בקלות ל"מצב התקין האחרון הידוע." + +שיטת העדכון Atomic משמשת להפצות בלתי ניתנות לשינוי כמו Silverblue, Tumbleweed ו-NixOS ויכולה להשיג אמינות עם מודל זה. [Adam Šamalík](https://twitter.com/adsamalik) סיפק מצגת על האופן שבו `rpm-ostree` עובד עם Silverblue: + +
+ +
+ +### הפצות "ממוקדות אבטחה" + +לעתים קרובות קיים בלבול מסוים בין הפצות "ממוקדות אבטחה" והפצות "לבדיקת חדירות". חיפוש מהיר של "הפצת לינוקס המאובטחת ביותר" יביא לרוב תוצאות כמו Kali Linux, Black Arch ו- Parrot OS. הפצות אלו הן הפצות בדיקות חדירה פוגעניות המאגדות כלים לבדיקת מערכות אחרות. הם אינם כוללים "אבטחה נוספת" או הקלות הגנתיות המיועדות לשימוש קבוע. + +### הפצות מבוססות Arch + +הפצות מבוססות Arch אינן מומלצות לחדשים ב-Linux, (ללא קשר להפצה) מכיוון שהן דורשות [תחזוקת מערכת](https://wiki.archlinux.org/title/System_maintenance) רגילה. ל- Arch אין מנגנון עדכון הפצה עבור אפשרויות התוכנה הבסיסיות. כתוצאה מכך, עליך להישאר מודע למגמות הנוכחיות ולאמץ טכנולוגיות מכיוון שהן מחליפות שיטות ישנות בעצמך. + +עבור מערכת מאובטחת, מצפים ממך גם שיהיה לך מספיק ידע בלינוקס כדי להגדיר כראוי אבטחה עבור המערכת שלהם, כגון אימוץ מערכת [בקרת כניסה חובה](https://en.wikipedia.org/wiki/Mandatory_access_control), הגדרת רשימות שחורות של [מודול ליבה](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) רשימות שחורות, הקשחת פרמטרי אתחול, מניפולציה של [סיסקטל](https://en.wikipedia.org/wiki/Sysctl) פרמטרים, ולדעת אילו רכיבים הם צריכים כמו [Polkit](https://en.wikipedia.org/wiki/Polkit). + +כל מי שמשתמש ב[Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **חייב** להיות נוח בביקורת PKGBUILDs שהם מתקינים משירות זה. חבילות AUR הן תוכן המיוצר בקהילה ואינן נבדקות בשום צורה, ולכן הן פגיעות להתקפות שרשרת אספקת תוכנה, [מה שקרה למעשה](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). יש להשתמש תמיד במשורה ב-AUR ולעיתים קרובות יש הרבה עצות רעות בדפים שונים שמפנים אנשים להשתמש באופן עיוור ב [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) ללא אזהרה מספקת. אזהרות דומות חלות על שימוש בארכיון חבילות אישיות של צד שלישי (PPA) בהפצות מבוססות דביאן או בפרויקטים קהילתיים (COPR) בפדורה. + +אם אתה מנוסה עם לינוקס וברצונך להשתמש בהפצה מבוססת Arch, אנו ממליצים רק על Arch Linux הראשי, לא על אף אחת מהנגזרות שלו. 
אנו ממליצים נגד שתי נגזרות Arch אלה באופן ספציפי: + +- **Manjaro**: הפצה זו מעכבת חבילות למשך שבועיים כדי לוודא שהשינויים שלהן לא יישברו, לא כדי לוודא שהמעלה הזרם יציב. כאשר נעשה שימוש בחבילות AUR, הן בנויות לרוב על פי [ספריות](https://en.wikipedia.org/wiki/Library_(computing)) העדכניות ביותר מהמאגרים של Arch. +- **Garuda**: הם משתמשים ב[Chaotic-AUR](https://aur.chaotic.cx/) אשר מרכיב באופן אוטומטי ועיוור חבילות מה- AUR. אין תהליך אימות כדי לוודא שחבילות AUR אינן סובלות מהתקפות שרשרת האספקה. + +### Kicksecure + +למרות שאנו ממליצים בחום לא להשתמש בהפצות מיושנות כמו דביאן, יש מערכת הפעלה מבוססת דביאן שהוקשה להיות בטוחה הרבה יותר מהפצות לינוקס טיפוסיות: [Kicksecure ](https://www.kicksecure.com/). Kicksecure, במונחים פשוטים מדי, היא קבוצה של סקריפטים, תצורות וחבילות שמצמצמות באופן משמעותי את משטח ההתקפה של דביאן. זה מכסה הרבה המלצות לפרטיות והקשחה כברירת מחדל. + +### הפצות ליבה של לינוקס ו-"Libre" + +אנו ממליצים בחום **נגד** להשתמש בליבת Linux-libre, שכן היא [מסירה הגבלות אבטחה](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) ו[מדכא אזהרות ליבה](https://news.ycombinator.com/item?id=29674846) על מיקרוקוד פגיע מסיבות אידיאולוגיות. + +## המלצות כלליות + +### הצפנת כונן + +לרוב ההפצות של לינוקס יש אפשרות בתוך תוכנית ההתקנה שלה להפעלת [LUKS](../encryption.md#linux-unified-key-setup) FDE. אם אפשרות זו לא מוגדרת בזמן ההתקנה, תצטרך לגבות את הנתונים שלך ולהתקין מחדש, מכיוון שההצפנה מוחלת לאחר [חלוקת דיסקים ](https://en.wikipedia.org/wiki/Disk_partitioning), אבל לפני ש[מערכות הקבצים](https://en.wikipedia.org/wiki/File_system) מתעצבות. 
אנו מציעים גם למחוק בצורה מאובטחת את מכשיר האחסון שלך: + +- [מחיקת נתונים מאובטחת :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### החלף + +שקול להשתמש ב-[ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) או [החלפה מוצפנת](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) במקום החלפה לא מוצפנת כדי למנוע בעיות אבטחה פוטנציאליות עם דחיפה של נתונים רגישים ל[מרחב החלפה](https://en.wikipedia.org/wiki/Memory_paging). הפצות מבוססות פדורה [משתמשות ב-ZRAM כברירת מחדל](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +אנו ממליצים להשתמש בסביבת שולחן עבודה התומכת בפרוטוקול התצוגה [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) כפי שפותח [תוך מחשבה](https://lwn.net/Articles/589147/) על אבטחה. קודמו, [X11](https://en.wikipedia.org/wiki/X_Window_System), אינו תומך בבידוד GUI, מה שמאפשר לכל החלונות [רשום מסך, רישום והכנס קלט בחלונות אחרים](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), מה שהופך כל ניסיון לארגז חול לחסר תועלת. אמנם יש אפשרויות לעשות X11 מקונן כגון [Xpra](https://en.wikipedia.org/wiki/Xpra) או [Xephyr](https://en.wikipedia.org/wiki/Xephyr), לעתים קרובות הם מגיעים עם השלכות ביצועים שליליות ואינם נוחים להגדרה ואינם עדיפים על פני Wayland. + +למרבה המזל, סביבות נפוצות כגון [GNOME](https://www.gnome.org), [KDE](https://kde.org) וה- למנהל החלונות [Sway](https://swaywm.org) יש תמיכה ב-Wayland. חלק מההפצות כמו Fedora ו- Tumbleweed משתמשות בו כברירת מחדל, וחלק אחרות עשויות לעשות זאת בעתיד מכיוון ש-X11 נמצא ב[מצב תחזוקה קשה](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). אם אתה משתמש באחת מהסביבות האלה זה קל כמו לבחור את הפגישה "Wayland" במנהל התצוגה של שולחן העבודה ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). 
+ +אנו ממליצים **נגד** להשתמש בסביבות שולחן עבודה או במנהלי חלונות שאין להם תמיכה ב-Wayland, כגון Cinnamon (ברירת מחדל ב-Linux Mint), Pantheon (ברירת מחדל במערכת ההפעלה היסודית), MATE, Xfce, ו-i3. + +### קושחה קניינית (עדכוני מיקרוקוד) + +הפצות לינוקס כגון אלו שהן [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) או DIY (Arch Linux) אינן מגיעות עם עדכוני [microcode](https://en.wikipedia.org/wiki/Microcode) שלעתים קרובות מתקנים נקודות תורפה. כמה דוגמאות בולטות לפגיעויות אלה כוללות [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), ועוד [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +אנו **ממליצים בחום** להתקין את עדכוני המיקרוקוד, מכיוון שהמעבד שלך כבר מריץ את המיקרוקוד הקנייני מהמפעל. לפדורה ול-openSUSE יש את עדכוני המיקרוקוד כברירת מחדל. + +### עדכונים + +רוב ההפצות של לינוקס יתקינו עדכונים אוטומטית או יזכירו לך לעשות זאת. חשוב לשמור על מערכת ההפעלה שלך מעודכנת כדי שהתוכנה שלך תתוקן כאשר מתגלה פגיעות. + +חלק מההפצות (במיוחד אלו המיועדות למשתמשים מתקדמים) הן יותר חשופות ומצפות ממך לעשות דברים בעצמך (למשל Arch או Debian). אלה ידרשו להפעיל את "מנהל החבילות" (`apt`, `pacman`, `dnf` וכו') באופן ידני על מנת לקבל עדכוני אבטחה חשובים. + +בנוסף, הפצות מסוימות לא יוריד עדכוני קושחה באופן אוטומטי. לשם כך תצטרך להתקין את [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## תיקוני פרטיות + +### כתובת MAC אקראית + +הפצות רבות של לינוקס לשולחן העבודה (Fedora, openSUSE וכו') יגיעו עם [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), כדי להגדיר הגדרות Ethernet ו-Wi-Fi. 
+ +אפשר [לבצע באקראי](https://fedoramagazine.org/randomize-mac-address-nm/) את [כתובת MAC](https://en.wikipedia.org/wiki/MAC_address) בעת שימוש ב-NetworkManager. זה מספק קצת יותר פרטיות ברשתות Wi-Fi מכיוון שהוא מקשה על מעקב אחר מכשירים ספציפיים ברשת שאליה אתה מחובר. זה [**לא**](https://papers.mathyvanhoef.com/wisec2016.pdf) הופך אותך לאנונימי. + +אנו ממליצים לשנות את ההגדרה ל-**אקראי** במקום** יציב**, כפי שהוצע ב[מאמר](https://fedoramagazine.org/randomize-mac-address-nm/). + +אם אתה משתמש ב [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), יהיה עליך להגדיר [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) אשר יאפשר [RFC 7844 (פרופילי אנונימיות עבור לקוחות DHCP)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +אין הרבה נקודות בביצוע אקראי של כתובת ה-MAC עבור חיבורי Ethernet, שכן מנהל מערכת יכול למצוא אותך על ידי התבוננות ביציאה שבה אתה משתמש ב-[מתג רשת](https://en.wikipedia.org/wiki/Network_switch). הקצאה אקראית של כתובות Wi-Fi MAC תלויה בתמיכה מהקושחה של ה-Wi-Fi. + +### מזהים אחרים + +ישנם מזהי מערכת נוספים שתרצו להיזהר מהם. עליך להקדיש לכך מחשבה כדי לראות אם הוא חל על [מצב האיום ](../basics/threat-modeling.md)שלך: + +- **שמות מארח:** שם המארח של המערכת שלך משותף עם הרשתות שאליהן אתה מתחבר. עליך להימנע מלכלול מונחים מזהים כמו השם או מערכת ההפעלה שלך בשם המארח שלך, במקום להיצמד למונחים גנריים או מחרוזות אקראיות. +- **שמות משתמש:** באופן דומה, שם המשתמש שלך משמש במגוון דרכים במערכת שלך. שקול להשתמש במונחים גנריים כמו "משתמש" ולא בשמך האמיתי. +- **מזהה מכונה:** במהלך ההתקנה נוצר מזהה מכונה ייחודי ומאוחסן במכשיר שלך. שקול [להגדיר אותו למזהה גנרי](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). 
+
+### ספירת מערכת
+
+פרויקט Fedora [סופר](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) כמה מערכות ייחודיות ניגשים למראות שלו באמצעות [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) משתנה במקום מזהה ייחודי. פדורה עושה זאת כדי לקבוע עומס והספקת שרתים טובים יותר עבור עדכונים במידת הצורך.
+
+[אפשרות](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) זו כבויה כעת כברירת מחדל. אנו ממליצים להוסיף את `countme=false` ל-`/etc/dnf/dnf.conf` למקרה שהוא יופעל בעתיד. במערכות המשתמשות ב-`rpm-ostree` כגון Silverblue, אפשרות ה-countme מושבתת על ידי מיסוך של [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) טיימר.
+
+openSUSE משתמשת גם ב[מזהה ייחודי](https://en.opensuse.org/openSUSE:Statistics) כדי לספור מערכות, אותן ניתן להשבית על ידי מחיקת הקובץ `/var/lib/zypp/AnonymousUniqueId`.
+
+--8<-- "includes/abbreviations.he.txt"
diff --git a/i18n/he/os/qubes-overview.md b/i18n/he/os/qubes-overview.md
new file mode 100644
index 00000000..1f3464e1
--- /dev/null
+++ b/i18n/he/os/qubes-overview.md
@@ -0,0 +1,56 @@ +--- +title: "סקירה כללית של Qubes" +icon: simple/qubesos +--- + +[**Qubes OS**](../desktop.md#qubes-os) היא מערכת הפעלה המשתמשת ב [Xen](https://en.wikipedia.org/wiki/Xen) היפרוויזר לספק אבטחה חזקה עבור מחשוב שולחני באמצעות מכונות וירטואליות מבודדות. כל VM נקרא *Qube* ואתה יכול להקצות לכל Qube רמת אמון על סמך מטרתו. מכיוון שמערכת ההפעלה Qubes מספקת אבטחה על ידי שימוש בבידוד, ומתירה רק פעולות על בסיס כל מקרה, זה ההפך מ[ספירת רעות](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## איך עובדת מערכת ההפעלה של Qubes? + +Qubes משתמשת ב[מידור](https://www.qubes-os.org/intro/) כדי לשמור על אבטחת המערכת. Qubes נוצרים מתבניות, ברירת המחדל היא עבור Fedora, Debian ו-[Whonix](../desktop.md#whonix). מערכת ההפעלה Qubes מאפשרת לך גם ליצור מכונות וירטואליות לשימוש [חד פעמי](https://www.qubes-os.org/doc/how-to-use-disposables/). + +![ארכיטקטורת Qubes](../assets/img/qubes/qubes-trust-level-architecture.png) +
ארכיטקטורת Qubes, קרדיט: מהי הקדמה למערכת ההפעלה של Qubes
+ +לכל אפליקציה של Qubes יש [גבול צבעוני](https://www.qubes-os.org/screenshots/) שיכול לעזור לך לעקוב אחר המכונה הוירטואלית שבה היא פועלת. אתה יכול, למשל, להשתמש בצבע ספציפי עבור הדפדפן הבנקאי שלך, תוך שימוש בצבע אחר עבור דפדפן כללי שאינו מהימן. + +![גבול צבוע](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
גבולות החלונות של Qubes, קרדיט: צילומי מסך של Qubes
+ +## מדוע עלי להשתמש ב-Qubes? + +מערכת ההפעלה של Qubes שימושית אם [מודל האיום](../basics/threat-modeling.md) שלך דורש מידור ואבטחה חזקות, כגון אם אתה חושב שתפתח קבצים לא מהימנים ממקורות לא מהימנים. סיבה טיפוסית לשימוש ב-Qubes OS היא פתיחת מסמכים ממקורות לא ידועים. + +מערכת ההפעלה Qubes משתמשת ב-[Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (כלומר, "AdminVM") לשליטה ב-VM אורחים או Qubes אחרים במערכת ההפעלה המארח. VMs אחרים מציגים חלונות יישומים בודדים בתוך סביבת שולחן העבודה של Dom0. זה מאפשר לך לצבוע חלונות על סמך רמות אמון ולהפעיל יישומים שיכולים לקיים אינטראקציה זה עם זה עם שליטה פרטנית מאוד. + +### העתקה והדבקה של טקסט + +אתה יכול [להעתיק ולהדביק טקסט](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) באמצעות `qvm-copy -to-vm` או ההוראות שלהלן: + +1. הקש על **Ctrl+C** כדי לומר ל-VM שאתה נמצא בו שאתה רוצה להעתיק משהו. +2. הקש על **Ctrl+Shift+C** כדי לומר ל-VM להפוך את המאגר הזה לזמין ללוח הגלובלי. +3. הקש על **Ctrl+Shift+V** ב-VM היעד כדי להפוך את הלוח הגלובלי לזמין. +4. הקש על **Ctrl+V** ב-VM היעד כדי להדביק את התוכן במאגר. + +### החלפת קבצים + +כדי להעתיק ולהדביק קבצים וספריות (תיקיות) מ-VM אחד לאחר, אתה יכול להשתמש באפשרות **העתק ל-AppVM אחר...** או **עבור ל-AppVM אחר...**. ההבדל הוא שהאפשרות ה**העבר** תמחק את הקובץ המקורי. כל אחת מהאפשרויות תגן על הלוח שלך מפני דליפה לכל Qubes אחר. זה מאובטח יותר מהעברת קבצים עם רווח אוויר מכיוון שמחשב עם רווח אוויר עדיין ייאלץ לנתח מחיצות או מערכות קבצים. זה לא נדרש עם מערכת ההעתקה inter-qube. + +??? info "ל-AppVMs או qubes אין מערכות קבצים משלהם" + + אתה יכול [להעתיק ולהעביר קבצים](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) בין Qubes. כאשר עושים זאת השינויים לא מתבצעים באופן מיידי וניתן לבטל אותם בקלות במקרה של תאונה. + +### אינטראקציות בין-VM + +[מסגרת qrexec](https://www.qubes-os.org/doc/qrexec/) היא חלק מרכזי ב-Qubes המאפשר תקשורת מכונה וירטואלית בין דומיינים. 
הוא בנוי על גבי ספריית Xen *vchan*, המאפשרת [בידוד באמצעות מדיניות](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/).
+
+## מקורות נוספים
+
+למידע נוסף, אנו ממליצים לך לעיין בדפי התיעוד הנרחבים של Qubes OS הממוקמים ב[אתר האינטרנט של Qubes OS](https://www.qubes-os.org/doc/). ניתן להוריד עותקים לא מקוונים מ[מאגר התיעוד](https://github.com/QubesOS/qubes-doc) של Qubes OS.
+
+- Open Technology Fund: [*ללא ספק מערכת ההפעלה המאובטחת בעולם*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/)
+- J. Rutkowska: [*מידור תוכנה לעומת הפרדה פיזית*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf)
+- J. Rutkowska: [*חלוקת החיים הדיגיטליים שלי לתחומי אבטחה*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html)
+- Qubes OS: [*מאמרים קשורים*](https://www.qubes-os.org/news/categories/#articles)
+
+--8<-- "includes/abbreviations.he.txt"
diff --git a/i18n/he/passwords.md b/i18n/he/passwords.md
new file mode 100644
index 00000000..a28dc688
--- /dev/null
+++ b/i18n/he/passwords.md
@@ -0,0 +1,230 @@ +--- +title: "מנהלי סיסמאות" +icon: material/form-textbox-password +--- + +מנהלי סיסמאות מאפשרים לך לאחסן ולנהל בצורה מאובטחת סיסמאות ואישורים אחרים עם שימוש בסיסמת אב. + +[מבוא לסיסמאות :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info "מידע" + + מנהלי סיסמאות מובנים בתוכנות כמו דפדפנים ומערכות הפעלה אינם טובים לפעמים כמו תוכנות ייעודיות למנהל סיסמאות. היתרון של מנהל סיסמאות מובנה הוא אינטגרציה טובה עם התוכנה, אך לרוב זה יכול להיות פשוט מאוד וחסר תכונות פרטיות ואבטחה שיש להצעות עצמאיות. + + לדוגמה, מנהל הסיסמאות ב-Microsoft Edge אינו מציע E2EE כלל. למנהל הסיסמאות של Google יש E2EE [אופציונלי](https://support.google.com/accounts/answer/11350823), ו-[של Apple](https://support.apple.com/en-us/HT202303) מציע E2EE על ידי ברירת מחדל. + +## מבוסס ענן + +מנהלי סיסמאות אלו מסנכרנים את הסיסמאות שלך עם שרת ענן לצורך נגישות קלה מכל המכשירים שלך ובטיחות מפני אובדן מכשירים. + +### Bitwarden + +!!! recommendation + + ![Bitwarden לוגו](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** הוא מנהל סיסמאות חינמי ובקוד פתוח. מטרתו היא לפתור בעיות ניהול סיסמאות עבור יחידים, צוותים וארגונים עסקיים. Bitwarden הוא בין הפתרונות הטובים והבטוחים ביותר לאחסון כל פרטי ההתחברות והסיסמאות שלך תוך שמירה נוחה על סנכרון בין כל המכשירים שלך. + + [:octicons-home-16: דף הבית](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="קוד מקור" } + + ??? 
downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden כולל גם [Bitwarden Send](https://bitwarden.com/products/send/), המאפשר לך לשתף טקסט וקבצים בצורה מאובטחת עם [הצפנה מקצה לקצה](https://bitwarden.com/help/send-encryption). ניתן לדרוש [סיסמה](https://bitwarden.com/help/send-privacy/#send-passwords) יחד עם קישור השליחה. Bitwarden Send כולל גם תכונות [מחיקה אוטומטית](https://bitwarden.com/help/send-lifespan). + +אתה צריך [תוכנית פרימיום](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) כדי להיות מסוגל לשתף קבצים. התוכנית החינמית מאפשרת שיתוף טקסט בלבד. + +הקוד בצד השרת של Bitwarden הוא [קוד-פתוח](https://github.com/bitwarden/server), כך שאם אינכם רוצים להשתמש בענן Bitwarden, תוכלו לארח בקלות שרת סינכרון Bitwarden משלכם. + +**Vaultwarden** הוא יישום חלופי של שרת הסנכרון של Bitwarden שנכתב ב-Rust ותואם ללקוחות רשמיים של Bitwarden, מושלם לפריסה באירוח עצמי שבו הפעלת השירות הרשמי עתיר המשאבים עשויה להיות לא אידיאלית. אם אתם מחפשים לארח את Bitwarden באופן עצמאי בשרת שלכם, קרוב לוודאי שתרצו להשתמש ב-Vaultwarden על פני קוד השרת הרשמי של Bitwarden. 
+ +[:octicons-repo-16: Vaultwarden מאגר](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=תיעוד} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="קוד מקור" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=לתרומה } + +### 1Password + +!!! recommendation + + ![1Password לוגו](assets/img/password-management/1password.svg){ align=right } + + **1Password** הוא מנהל סיסמאות עם דגש חזק על אבטחה וקלות שימוש, המאפשר לך לאחסן סיסמאות, כרטיסי אשראי, רישיונות תוכנה וכל מידע רגיש אחר בכספת דיגיטלית מאובטחת. הכספת שלכם מתארחת בשרתים של 1Password תמורת [תשלום חודשי](https://1password.com/sign-up/). 1Password [מבוקרת](https://support.1password.com/security-assessments/) על בסיס קבוע ומספקת תמיכת לקוחות יוצאת דופן. 1Password הוא מקור סגור; עם זאת, האבטחה של המוצר מתועדת ביסודיות ב[מסמך האבטחה הלבן](https://1passwordstatic.com/files/security/1password-white-paper.pdf) שלהם. + + [:octicons-home-16: דף הבית](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=תיעוד} + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +באופן מסורתי, **1Password** הציעה את חוויית המשתמש הטובה ביותר של מנהל סיסמאות לאנשים המשתמשים ב-macOS ו-iOS; עם זאת, הוא השיג כעת שוויון תכונה בכל הפלטפורמות. הוא מתהדר בתכונות רבות המיועדות למשפחות ולאנשים פחות טכניים, כמו גם בפונקציונליות מתקדמת. 
+ +כספת 1Password שלך מאובטחת גם עם סיסמת האב שלך וגם עם מפתח אבטחה אקראי בן 34 תווים כדי להצפין את הנתונים שלך בשרתים שלהם. מפתח אבטחה זה מוסיף שכבת הגנה לנתונים שלך מכיוון שהנתונים שלך מאובטחים באנטרופיה גבוהה ללא קשר לסיסמת המאסטר שלך. פתרונות רבים אחרים של מנהל סיסמאות תלויים לחלוטין בחוזקה של סיסמת המאסטר שלך כדי לאבטח את הנתונים שלך. + +יתרון אחד שיש ל-1Password על פני Bitwarden הוא התמיכה המדרגה הראשונה שלה עבור לקוחות מקומיים. בעוד Bitwarden מסירה מטלות רבות, במיוחד תכונות ניהול חשבונות, לממשק הכספת האינטרנטית שלה, 1Password הופכת כמעט כל תכונה לזמינה בתוך הלקוחות המקוריים שלה לנייד או למחשב שולחני. ללקוחות של 1Password יש גם ממשק משתמש אינטואיטיבי יותר, מה שמקל עליהם את השימוש והניווט. + +### Psono + +!!! recommendation + + ![Psono לוגו](assets/img/password-management/psono.svg){ align=right } + + **Psono** הוא מנהל סיסמאות חינמי ובקוד פתוח מגרמניה, עם התמקדות בניהול סיסמאות לצוותים. Psono תומכת בשיתוף מאובטח של סיסמאות, קבצים, סימניות ודואר אלקטרוני. כל הסודות מוגנים באמצעות סיסמת מאסטר. + + [:octicons-home-16: דף הבית](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="מדיניות-פרטיות" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=תיעוד} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono מספקת תיעוד נרחב עבור המוצר שלהם. 
לקוח האינטרנט של Psono יכול להתארח בעצמו; לחלופין, אתה יכול לבחור את מהדורת הקהילה המלאה או את המהדורה הארגונית עם תכונות נוספות. + +### קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +#### דרישות מינימליות + +- חייב להשתמש ב-E2EE חזק, מבוסס תקנים/מודרני. +- חייב להיות מתועד ביסודיות נוהלי הצפנה ואבטחה. +- חייב להיות ביקורת שפורסמה מצד שלישי מכובד ובלתי תלוי. +- כל טלמטריה לא חיונית חייבת להיות אופציונלית. +- אסור לאסוף יותר PII ממה שנדרש למטרות חיוב. + +#### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- יש להצטרף לטלמטריה (מושבת כברירת מחדל) או לא לאסוף כלל. +- צריך להיות קוד פתוח וניתן לאירוח עצמי סביר. + +## אחסון מקומי + +אפשרויות אלה מאפשרות לך לנהל מסד נתונים של סיסמאות מוצפנות באופן מקומי. + +### KeePassXC + +!!! recommendation + + ![KeePassXC לוגו](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** הוא מזלג קהילתי של KeePassX, יציאה מקורית בין פלטפורמות של KeePass Password Safe, במטרה להרחיב ולשפר אותה עם תכונות חדשות ותיקוני באגים כדי לספק גישה עשירה בתכונות, חוצת פלטפורמות ומודרנית פתוחה- מנהל סיסמאות מקור. 
+ + [:octicons-home-16: דף הבית](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC מאחסן את נתוני הייצוא שלו כקובצי [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). המשמעות עשויה להיות אובדן נתונים אם אתה מייבא קובץ זה למנהל סיסמאות אחר. אנו ממליצים לך לבדוק כל רשומה באופן ידני. + +### KeePassDX (אנדרואיד) + +!!! recommendation + + ![KeePassDX לוגו](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** הוא מנהל סיסמאות קל משקל לאנדרואיד, מאפשר עריכת נתונים מוצפנים בקובץ בודד בפורמט KeePass ויכול למלא את הטפסים בצורה מאובטחת. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) מאפשר ביטול נעילה של תוכן קוסמטי ותכונות פרוטוקול לא סטנדרטיות, אך חשוב מכך, זה עוזר ומעודד התפתחות. 
+ + [:octicons-home-16: דף הבית](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="קוד מקור } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![לוגו Strongbox](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** הוא מנהל סיסמאות מקורי בקוד פתוח עבור iOS ו-macOS. תמיכה בפורמטים של KeePass ו- Password Safe, ניתן להשתמש ב-Strongbox במקביל למנהלי סיסמאות אחרים, כמו KeePassXC, בפלטפורמות שאינן של אפל. על ידי שימוש ב[מודל freemium](https://strongboxsafe.com/pricing/), Strongbox מציעה את רוב התכונות תחת השכבה החינמית שלה עם [תכונות](https://strongboxsafe.com/comparison/) יותר מוכוונות נוחות - כגון כאימות ביומטרי - נעול מאחורי מנוי או רישיון תמידי. + + [:octicons-home-16: דף הבית](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +בנוסף, קיימת גרסה לא מקוונת בלבד המוצעת: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). גרסה זו מופשטת בניסיון לצמצם את שטח התקיפה. 
+
+### שורת הפקודה
+
+מוצרים אלה הם מנהלי סיסמאות מינימליים שניתן להשתמש בהם בתוך יישומי סקריפטים.
+
+#### gopass
+
+!!! recommendation
+
+ ![לוגו gopass](assets/img/password-management/gopass.svg){ align=right }
+
+ **gopass** הוא מנהל סיסמאות עבור שורת הפקודה הכתובה ב-Go. זה עובד על כל מערכות ההפעלה העיקריות של שולחן העבודה והשרת (Linux, macOS, BSD, Windows).
+
+ [:octicons-home-16: דף הבית](https://www.gopass.pw){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=תיעוד}
+ [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="קוד מקור" }
+ [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=לתרומה }
+
+ ??? downloads "הורדות"
+
+ - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows)
+ - [:simple-apple: macOS](https://www.gopass.pw/#install-macos)
+ - [:simple-linux: Linux](https://www.gopass.pw/#install-linux)
+ - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd)
+
+### קריטריונים
+
+**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך.
+
+!!! example "חלק זה הוא חדש"
+
+ אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך.
+
+- חייב להיות חוצה פלטפורמות.
+
+--8<-- "includes/abbreviations.he.txt"
diff --git a/i18n/he/productivity.md b/i18n/he/productivity.md
new file mode 100644
index 00000000..bcde91ed
--- /dev/null
+++ b/i18n/he/productivity.md
@@ -0,0 +1,156 @@ +--- +title: "כלי פרודוקטיביות" +icon: material/file-sign +--- + +רוב חבילות המשרד המקוונות אינן תומכות ב-E2EE, כלומר לספק הענן יש גישה לכל מה שאתה עושה. מדיניות הפרטיות עשויה להגן על זכויותיך באופן חוקי, אך היא אינה מספקת אילוצי גישה טכניים. + +## פלטפורמות שיתוף פעולה + +### Nextcloud + +!!! recommendation + + ![Nextcloud לוגו](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** היא חבילה של תוכנות שרת-לקוח חינמיות וקוד פתוח ליצירת שירותי אירוח קבצים משלך בשרת פרטי שאתה שולט בו. + + [:octicons-home-16: דף הבית](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger "סַכָּנָה" + + אנו לא ממליצים להשתמש ב-[E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) עבור Nextcloud מכיוון שהיא עלולה להוביל לאובדן נתונים; זה מאוד ניסיוני ולא איכות ייצור. מסיבה זו, איננו ממליצים על ספקי NextCloud של צד שלישי. + +### CryptPad + +!!! recommendation + + ![CryptPad לוגו](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** הוא אלטרנטיבה פרטית-עיצובית לכלי משרד פופולריים. 
כל התוכן בשירות אינטרנט זה מוצפן מקצה לקצה וניתן לשתף אותו עם משתמשים אחרים בקלות. + + [:octicons-home-16: דף הבית](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=לתרומה } + +### קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +באופן כללי, אנו מגדירים פלטפורמות שיתוף פעולה כחבילות מן המניין שיכולות לשמש באופן סביר כתחליף לפלטפורמות שיתוף פעולה כמו Google Drive. + +- קוד פתוח. +- הופך קבצים לנגישים דרך WebDAV אלא אם זה בלתי אפשרי בגלל E2EE. +- יש לו לקוחות סנכרון עבור לינוקס, macOS ו-Windows. +- תומך בעריכת מסמכים וגיליון אלקטרוני. +- תומך בשיתוף פעולה מסמכים בזמן אמת. +- תומך בייצוא מסמכים לפורמטים סטנדרטיים של מסמכים (למשל ODF). + +#### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- צריך לאחסן קבצים במערכת קבצים קונבנציונלית. 
+- צריך לתמוך בתמיכה באימות רב-גורמי TOTP או FIDO2, או כניסות מפתח סיסמה. + +## חבילות אופיס + +### LibreOffice + +!!! recommendation + + ![לוגו LibreOffice](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** היא חבילת משרדים חינמית וקוד פתוח עם פונקציונליות נרחבת. + + [:octicons-home-16: דף הבית](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=תיעוד} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![לוגו OnlyOffice](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** היא חבילת משרדים חינמית מבוססת ענן וקוד פתוח עם פונקציונליות נרחבת, כולל אינטגרציה עם Nextcloud. 
+ + [:octicons-home-16: דף הבית](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +באופן כללי, אנו מגדירים חבילות משרדיות כיישומים שיכולים לשמש באופן סביר כתחליף ל-Microsoft Word עבור רוב הצרכים. + +- חייב להיות חוצה פלטפורמות. 
+- חייבת להיות תוכנת קוד פתוח. +- חייב לתפקד במצב לא מקוון. +- חייב לתמוך בעריכת מסמכים, גיליונות אלקטרוניים ומצגות שקופיות. +- יש לייצא קבצים לפורמטים סטנדרטיים של מסמכים. + +## שירותי הדבקה + +### PrivateBin + +!!! recommendation + + ![לוגו PrivateBin](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** הוא מינימליסטי, קוד פתוח מקוון Pastebin שבו לשרת יש אפס ידע על נתונים מודבקים. הנתונים מוצפנים/מפוענים בדפדפן באמצעות 256 סיביות AES. זוהי הגרסה המשופרת של ZeroBin. יש [רשימת מופעים](https://privatebin.info/directory/). + + [:octicons-home-16: דף הבית](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="מופעים ציבוריים"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="קוד מקור" } + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/real-time-communication.md b/i18n/he/real-time-communication.md new file mode 100644 index 00000000..ce4d7cb6 --- /dev/null +++ b/i18n/he/real-time-communication.md 
@@ -0,0 +1,195 @@ +--- +title: "תקשורת בזמן אמת" +icon: material/chat-processing +--- + +אלו ההמלצות שלנו לתקשורת מוצפנת בזמן אמת. + +[סוגי רשתות תקשורת :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## מסנג'רים מוצפנים + +מסנג'רים אלה נהדרים לאבטחת התקשורת הרגישה שלך. + +### Signal + +!!! recommendation + + ![Signal לוגו](assets/img/messengers/signal.svg){ align=right } + + **Signal** היא אפליקציה לנייד שפותחה על ידי סיגנל מסנג'ר LLC. האפליקציה מספקת הודעות מיידיות, כמו גם שיחות קוליות ושיחות וידאו. + + כל התקשורת היא E2EE. רשימות אנשי קשר מוצפנות באמצעות קוד ה - PIN שלך ולשרת אין גישה אליהן. גם פרופילים אישיים מוצפנים ומשותפים רק עם אנשי קשר שאיתם אתה משוחח בצ'אט. + + [:octicons-home-16: דף הבית](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal תומך ב[קבוצות פרטיות](https://signal.org/blog/signal-private-group-system/). לשרת אין תיעוד של חברות בקבוצה, כותרות קבוצות, אווטרים של קבוצות או תכונות קבוצה. לSignal יש מטא נתונים מינימליים כאשר [שולח חתום](https://signal.org/blog/sealed-sender/) מופעל. כתובת השולח מוצפנת יחד עם גוף ההודעה, ורק כתובת הנמען גלויה לשרת. 
'שולח אטום' זמין רק עבור אנשים ברשימת אנשי הקשר שלך, אך ניתן להפוך אותו לזמין עבור כל הנמענים עם סיכון מוגבר לקבלת דואר זבל. סיגנל דורש את מספר הטלפון שלך כמזהה אישי. + +הפרוטוקול היה מבוקר [באופן עצמאי](https://eprint.iacr.org/2016/1013.pdf) בשנת 2016. ניתן למצוא את המפרט של פרוטוקול סיגנל בתיעוד [](https://signal.org/docs/)שלהם. + +יש לנו כמה טיפים נוספים להגדרה והקשחה של התקנת הSignal שלך: + +[תצורת סיגנל והקשחה :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![לוגו Simplex](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat הוא מסנג'ר מיידי מבוזר ואינו תלוי במזהים ייחודיים כגון מספרי טלפון או שמות משתמש. משתמשי SimpleX Chat יכולים לסרוק קוד QR או ללחוץ על קישור הזמנה כדי להשתתף בשיחות קבוצתיות. + + [:octicons-home-16: דף הבית](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [נבדק](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) על ידי Trail of Bits באוקטובר 2022. + +נכון לעכשיו SimpleX Chat מספק לקוח רק עבור אנדרואיד ו-iOS. פונקציונליות בסיסית של צ'אט קבוצתי, הודעות ישירות, עריכת הודעות וסימון נתמכים. שיחות שמע ווידאו E2EE נתמכות גם כן. + +ניתן לייצא את הנתונים שלך ולייבא אותם למכשיר אחר, מכיוון שאין שרתים מרכזיים שבהם הם מגובים. + +### Briar + +!!! 
recommendation + + ![לוגו של Briar](assets/img/messengers/briar.svg){ align=right } + + **Briar** הוא מסנג'ר מיידי מוצפן ש[מתחבר](https://briarproject.org/how-it-works/) ללקוחות אחרים המשתמשים ברשת Tor. Briar יכול גם להתחבר באמצעות Wi-Fi או Bluetooth כאשר הוא נמצא בקרבה מקומית. מצב הרשת המקומי של Briar יכול להיות שימושי כאשר זמינות האינטרנט היא בעיה. + + [:octicons-home-16: דף הבית](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=תיעוד} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="אפשרויות התרומה מפורטות בתחתית דף הבית" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +כדי להוסיף איש קשר ב Briar, שניכם חייבים להוסיף אחד את השני קודם. באפשרותך להחליף `קישורים ` או לסרוק את קוד ה - QR של איש הקשר אם הוא נמצא בקרבת מקום. + +תוכנת הקליינט נבדקה באופן עצמאי [](https://briarproject.org/news/2017-beta-released-security-audit/), ופרוטוקול הניתוב האנונימי משתמש ברשת Tor שנבדקה אף היא. + +ל Briar יש מפרט ש[פורסם במלואו](https://code.briarproject.org/briar/briar-spec). + +Briar תומך בסודיות קדימה מושלמת על ידי שימוש ב-[Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) ו [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) פרוטוקול. + +## אפשרויות נוספות + +!!! 
warning "אזהרה" + + למסנג'רים האלה אין [סודיות קדימה](https://en.wikipedia.org/wiki/Forward_secrecy) מושלם (PFS), ולמרות שהם ממלאים צרכים מסוימים שהמלצות קודמות שלנו אולי לא, אנחנו לא ממליצים עליהם לאורך זמן- מונחים או תקשורת רגישה. כל פשרה מרכזית בין מקבלי ההודעות תשפיע על הסודיות של **כל** התקשורת העבר. + +### Element + +!!! recommendation + + ![לוגו אלמנט](assets/img/messengers/element.svg){ align=right } + + **Element** הוא לקוח הייחוס עבור פרוטוקול [Matrix](https://matrix.org/docs/guides/introduction), [תקן פתוח](https://matrix.org/docs/spec) עבור תקשורת מבוזרת מאובטחת בזמן אמת. + + הודעות וקבצים המשותפים בחדרים פרטיים (אלו הדורשים הזמנה) הם כברירת מחדל E2EE וכך גם שיחות קול ווידאו אחד לאחד. + + [:octicons-home-16: דף הבית](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://element.io/help){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +תמונות פרופיל, תגובות וכינויים אינם מוצפנים. + +שיחות קוליות ושיחות וידאו קבוצתיות [אינן](https://github.com/vector-im/element-web/issues/12878) E2EE, ומשתמשות ב- Jitsi, אך זה צפוי להשתנות עם[ איתות VoIP קבוצתי מקורי](https://github.com/matrix-org/matrix-doc/pull/3401). שיחות קבוצתיות כוללות [שיחות ללא אימות](https://github.com/vector-im/element-web/issues/13074) כרגע, כלומר, כל משתתפים יכולים גם להצטרף לשיחות. 
אנו ממליצים שלא להשתמש בתכונה זו לפגישות פרטיות. + +פרוטוקול Matrix עצמו [תומך תיאורטית ב-PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), עם זאת, זה [לא נתמך כרגע ב-Element](https://github.com/vector-im/element-web/issues/7101) בגלל שהוא שובר היבטים מסוימים של חוויית המשתמש, כגון גיבויי מפתח והיסטוריית הודעות משותפת. + +הפרוטוקול היה מבוקר [באופן עצמאי](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) בשנת 2016. את המפרט לפרוטוקול מטריקס ניתן למצוא [בתיעוד שלהם](https://spec.matrix.org/latest/). מחגר ההצפנה [Olm](https://matrix.org/docs/projects/other/olm) המשמש את Matrix הוא יישום של [אלגוריתם ה-Double Ratchet](https://signal.org/docs/specifications/doubleratchet/) של Signal. + +### Session + +!!! recommendation + + ![לוגו Session](assets/img/messengers/session.svg){ align=right } + + **Session** הוא מסנג'ר מבוזר עם התמקדות בתקשורת פרטית, מאובטחת ואנונימית. Session מציע תמיכה בהודעות ישירות, צ'אטים קבוצתיים ושיחות קוליות. + + Session משתמש ב-[Oxen Service Node Network](https://oxen.io/) המבוזר כדי לאחסן ולנתב הודעות. כל הודעה מוצפנת מנותבת דרך שלושה צמתים ברשת Oxen Service Node Network, מה שהופך את זה למעשה לבלתי אפשרי עבור הצמתים לאסוף מידע משמעותי על המשתמשים ברשת. + + [:octicons-home-16: דף הבית](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="מדיניות-פרטיות" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="קוד מקור } + + ??? 
downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session מאפשרת E2EE בצ'אטים אחד על אחד או קבוצות סגורות המאפשרות עד 100 חברים. לקבוצות פתוחות אין הגבלה על מספר החברים, אך הן פתוחות על פי עיצוב. + +Session [לא](https://getsession.org/blog/session-protocol-technical-information) תומך ב-PFS, כלומר כאשר מערכת הצפנה משנה באופן אוטומטי ותדיר את המפתחות שבה היא משתמשת להצפנה ולפענח מידע, כך שאם המפתח האחרון נפגע הוא חושף חלק קטן יותר של מידע רגיש. + +Oxen ביקשה ביקורת בלתי תלויה למפגש במרץ 2020. הביקורת [הסתיימה](https://getsession.org/session-code-audit) באפריל 2021, "רמת האבטחה הכללית של האפליקציה הזו טובה והופכת אותה לשמישה לפרטיות אנשים." + +להפעלה יש [נייר לבן](https://arxiv.org/pdf/2002.04609.pdf) המתאר את התכונות הטכניות של האפליקציה והפרוטוקול. + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- חייבים להיות לקוחות קוד פתוח. +- חייב להשתמש ב- E2EE עבור הודעות פרטיות כברירת מחדל. 
+- חייב לתמוך ב- E2EE עבור כל ההודעות. +- חייב להיות נבדק באופן עצמאי. + +### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- צריך להיות סודיות קדימה מושלמת. +- צריכים להיות שרתי קוד פתוח. +- צריך להיות מבוזר, כלומר מאוחד או P2P. +- אמור להשתמש ב- E2EE עבור כל ההודעות כברירת מחדל. +- צריך לתמוך בלינוקס, macOS, ווינדוס, אנדרואיד ו-iOS. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/router.md b/i18n/he/router.md new file mode 100644 index 00000000..17fe452b --- /dev/null +++ b/i18n/he/router.md 
@@ -0,0 +1,51 @@ +--- +title: "קושחת הנתב" +icon: material/router-wireless +--- + +להלן מספר מערכות הפעלה חלופיות, שניתן להשתמש בהן בנתבים, נקודות גישה ל-Wi-Fi וכו'. + +## OpenWrt + +!!! recommendation + + ![לוגו OpenWrt](assets/img/router/openwrt.svg#only-light){ align=right } + ![לוגו OpenWrt](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** היא מערכת הפעלה מבוססת לינוקס; הוא משמש בעיקר במכשירים משובצים לניתוב תעבורת רשת. זה כולל util-linux, uClibc ו-BusyBox. כל הרכיבים עברו אופטימיזציה עבור נתבים ביתיים. + + [:octicons-home-16: דף הבית](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=לתרומה } + +אתה יכול לעיין ב[טבלת החומרה](https://openwrt.org/toh/start) של OpenWrt כדי לבדוק אם המכשיר שלך נתמך. + +## OPNsense + +!!! recommendation + + ![OPNsense לוגו](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** היא חומת אש ופלטפורמת ניתוב מבוססת קוד פתוח, מבוססת FreeBSD, המשלבת תכונות מתקדמות רבות כגון עיצוב תעבורה, איזון עומסים ויכולות VPN, עם תכונות רבות נוספות הזמינות בצורה של תוספים. OPNsense נפוץ כחומת אש היקפית, נתב, נקודת גישה אלחוטית, שרת DHCP, שרת DNS ונקודת קצה VPN. + + [:octicons-home-16: דף הבית](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=לתרומה } + +OPNsense פותחה במקור כמזלג של [pfSense](https://en.wikipedia.org/wiki/PfSense), ושני הפרויקטים ידועים לפי הפצות חומת אש חינמיות ואמינות המציעות ציוד דומה נמצא רק בחומות אש מסחריות יקרות. 
הושק בשנת 2015, מפתחי OPNsense [ציטטו](https://docs.opnsense.org/history/thefork.html) מספר בעיות אבטחה ואיכות ב-pfSense שלדעתם היו נחוצות חלק מהפרויקט, כמו גם חששות לגבי רכישת הרוב של Netgate של pfSense והכיוון העתידי של פרויקט pfSense. + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- חייב להיות קוד פתוח. +- חייב לקבל עדכונים שוטפים. +- חייב לתמוך במגוון רחב של חומרה. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/search-engines.md b/i18n/he/search-engines.md new file mode 100644 index 00000000..fca5b8f0 --- /dev/null +++ b/i18n/he/search-engines.md 
@@ -0,0 +1,109 @@ +--- +title: "מנועי חיפוש" +icon: material/search-web +--- + +השתמש במנוע חיפוש שאינו בונה פרופיל פרסום על סמך החיפושים שלך. + +ההמלצות כאן מבוססות על היתרונות של מדיניות הפרטיות של כל שירות. אין **ערובה לכך** שמדיניות פרטיות זו תכובד. + +מומלץ להשתמש ב - [VPN](vpn.md) או [Tor](https://www.torproject.org/) אם מודל האיום דורש הסתרת כתובת ה - IP שלכם מספק החיפוש. + +## חיפוש Brave + +!!! recommendation + + ![Brave Search לוגו](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** פותח על ידי Brave ומגיש תוצאות בעיקר מאינדקס עצמאי משלו. האינדקס מותאם לחיפוש Google ולכן עשוי לספק תוצאות מדויקות יותר מבחינה הקשרית בהשוואה לחלופות אחרות. + + Brave Search כולל תכונות ייחודיות כגון דיונים, המדגישים תוצאות הממוקדות בשיחה - כגון הודעות בפורום. + + אנו ממליצים להשבית את [מדדי שימוש אנונימיים](https://search.brave.com/help/usage-metrics) מכיוון שהוא מופעל כברירת מחדל וניתן להשבית אותו בהגדרות. + + [:octicons-home-16: דף הבית](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=תיעוד} + +Brave Search מבוסס בארצות הברית. [מדיניות הפרטיות](https://search.brave.com/help/privacy-policy) שלהם קובעת שהם אוספים מדדי שימוש מצטברים, הכוללים את מערכת ההפעלה והדפדפן שבשימוש, אולם לא נאסף מידע המאפשר זיהוי אישי. כתובות IP מעובדות באופן זמני, אך אינן נשמרות. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo לוגו](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** היא אחת האפשרויות היותר מיינסטרים במנועי חיפוש פרטיים. 
תכונות החיפוש הבולטות של DuckDuckGo כוללות [bangs](https://duckduckgo.com/bang) והרבה [תשובות מיידיות](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). מנוע החיפוש מסתמך על Bing API מסחרי כדי להגיש את רוב התוצאות, אך הוא משתמש במספר [מקורות אחרים](https://help.duckduckgo.com/results/sources/) לתשובות מיידיות ולתוצאות אחרות שאינן ראשוניות. + + DuckDuckGo הוא מנוע החיפוש המוגדר כברירת מחדל עבור דפדפן Tor והוא אחת האפשרויות הבודדות הזמינות בדפדפן הספארי של אפל. + + [:octicons-home-16: דף הבית](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=תיעוד} + +DuckDuckGo מבוססת בארצות הברית. [מדיניות הפרטיות](https://duckduckgo.com/privacy) שלהם קובעת **שהם** שומרים את החיפושים שלך למטרות שיפור מוצרים, אך לא את כתובת ה-IP שלך או כל מידע מזהה אישי אחר. + +DuckDuckGo מציעה שתי [גרסאות אחרות](https://help.duckduckgo.com/features/non-javascript/) של מנוע החיפוש שלהם, שתיהן אינן דורשות JavaScript. עם זאת, גרסאות אלו חסרות תכונות. ניתן להשתמש בגרסאות אלה גם יחד עם [Tor כתובת בצל](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) על-ידי צירוף [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) או [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) עבור הגרסה המתאימה. + +## SearXNG + +!!! recommendation + + ![SearXNG לוגו](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** הוא מנוע חיפוש מטה-חיפוש, מתארח בעצמו, קוד-פתוח, אוסף את התוצאות של מנועי חיפוש אחרים מבלי לאחסן מידע בעצמו. זהו מזלג מתוחזק פעיל של [SearX](https://github.com/searx/searx). 
+ + [:octicons-home-16: דף הבית](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="מופעים ציבוריים"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="קוד מקור" } + +SearXNG הוא פרוקסי בינך לבין מנועי החיפוש שמהם הוא צובר. שאילתות החיפוש שלך עדיין יישלחו למנועי החיפוש שמהם SearXNG מקבל את תוצאותיו. + +בעת אירוח עצמי, חשוב שאנשים אחרים ישתמשו במקרה שלך כדי שהשאילתות ישתלבו. עליכם להיזהר היכן וכיצד אתם מארחים את SearXNG, מכיוון שאנשים שמחפשים תוכן לא חוקי בהפצה שלכם עלולים למשוך תשומת לב לא רצויה מהרשויות. + +כאשר אתה משתמש בהפצה של SearXNG, הקפד לקרוא את מדיניות הפרטיות שלהם. מאחר שמופעי SearXNG עשויים להשתנות על ידי בעליהם, הם לא בהכרח משקפים את מדיניות הפרטיות שלהם. חלק מהמקרים מופעלים כשירות Tor מוסתר, אשר עשוי להעניק פרטיות מסוימת כל עוד שאילתות החיפוש שלך אינן מכילות PII. + +## Startpage + +!!! recommendation + + ![Startpage לוגו](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage לוגו](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** הוא מנוע חיפוש פרטי הידוע בכך שהוא משרת את תוצאות החיפוש של גוגל. אחת התכונות הייחודיות של Startpage היא [תצוגה אנונימית](https://www.startpage.com/en/anonymous-view/), שמשקיעה מאמצים בסטנדרטיזציה של פעילות המשתמשים כדי להקשות על זיהוי ייחודי. התכונה יכולה להיות שימושית להסתרת [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) מאפייני הרשת והדפדפן. שלא כמו שהשם מרמז, אין להסתמך על התכונה לאנונימיות. אם אתה מחפש אנונימיות, השתמש במקום זאת ב [Tor Browser]( tor.md#tor - browser). 
+ + [:octicons-home-16: דף הבית](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=תיעוד} + +!!! warning "אזהרה" + + Startpage מגביל באופן קבוע את גישת השירות לכתובות IP מסוימות, כגון כתובות IP שמורות ל-VPN או Tor. [DuckDuckGo](#duckduckgo) ו-[Brave Search](#brave-search) הן אפשרויות ידידותיות יותר אם מודל האיום שלך דורש הסתרת כתובת ה-IP שלך מספק החיפוש. + +Startpage מבוסס בהולנד. לפי [מדיניות הפרטיות](https://www.startpage.com/en/privacy-policy/) שלהם, הם רושמים פרטים כגון: מערכת הפעלה, סוג הדפדפן והשפה. הם לא רושמים את כתובת ה-IP שלך, שאילתות חיפוש או מידע אישי מזהה אחר. + +בעלת המניות הרוב של Startpage היא System1 שהיא חברת adtech. אנחנו לא מאמינים שזו בעיה מכיוון שיש להם [מדיניות פרטיות](https://system1.com/terms/privacy-policy) נפרדת באופן מובהק. צוות Privacy Guides פנה אל Startpage [בשנת 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) כדי לפתור את כל החששות מההשקעה הגדולה של System1 בשירות. היינו מרוצים מהתשובות שקיבלנו. + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. 
+ +### דרישות מינימליות + +- אסור לאסוף מידע המאפשר זיהוי אישי בהתאם למדיניות הפרטיות שלהם. +- אסור לאפשר למשתמשים ליצור חשבון אצלם. + +### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- צריך להיות מבוסס על תוכנת קוד פתוח. +- אין לחסום את כתובות ה - IP של צומת היציאה של Tor. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/tools.md b/i18n/he/tools.md new file mode 100644 index 00000000..10a1a55c --- /dev/null +++ b/i18n/he/tools.md @@ -0,0 +1,442 @@ +--- +title: "כלי פרטיות" +icon: material/tools +hide: + - toc +--- + +אם אתם מחפשים פתרון ספציפי למשהו, אלו הם כלי החומרה והתוכנה שאנו ממליצים עליהם במגוון קטגוריות. כלי הפרטיות המומלצים שלנו נבחרים בעיקר על סמך תכונות אבטחה, עם דגש נוסף על כלים מבוזרים וקוד פתוח. הם ישימים למגוון מודלים של איומים, החל מהגנה מפני תוכניות מעקב המוני גלובליות והימנעות מחברות טכנולוגיה גדולות ועד למיתון התקפות, אבל רק אתה יכול לקבוע מה יעבוד הכי טוב עבור הצרכים שלך. + +אם אתה רוצה עזרה בזיהוי כלי הפרטיות והתוכניות החלופיות הטובות ביותר לצרכים שלך, התחל דיון ב[פורום](https://discuss.privacyguides.net/) או בקהילת ה- [Matrix](https://matrix.to/#/#privacyguides:matrix.org) שלנו! + +לפרטים נוספים על כל פרויקט, מדוע הם נבחרו וטיפים או טריקים נוספים שאנו ממליצים עליו, לחץ על הקישור "למד עוד" בכל חלק, או לחץ על ההמלצה עצמה כדי לעבור לאותו חלק ספציפי של העמוד. + +## רשת טור (Tor Network) + +
+
+- ![Tor Browser לוגו](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser)
+- ![Orbot לוגו](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot)
+- ![Snowflake לוגו](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake לוגו](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1)
+
+
+
+1. Snowflake אינו מגביר את הפרטיות, אולם הוא מאפשר לך לתרום בקלות לרשת Tor ולעזור לאנשים ברשתות מצונזרות להשיג פרטיות טובה יותר.
+
+[למד עוד :material-arrow-right-drop-circle:](tor.md)
+
+## דפדפני אינטרנט שולחניים
+
+
+
+- ![Firefox לוגו](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox)
+- ![Brave לוגו](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](desktop-browsers.md)
+
+### מקורות נוספים
+
+
+
+- ![uBlock Origin לוגו](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources)
+
+## דפדפני אינטרנט לנייד
+
+
+
+- ![Brave לוגו](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave)
+- ![Safari לוגו](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](mobile-browsers.md)
+
+### מקורות נוספים
+
+
+
+- ![AdGuard לוגו](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](mobile-browsers.md#adguard)
+
+## מערכות הפעלה
+
+### נייד
+
+
+
+- ![GrapheneOS לוגו](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS לוגו](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos)
+- ![DivestOS לוגו](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](android.md)
+
+#### אפליקציות אנדרואיד
+
+
+
+- ![Aurora Store לוגו](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store)
+- ![Shelter לוגו](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter)
+- ![Auditor לוגו](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor)
+- ![Secure Camera לוגו](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera לוגו](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera)
+- ![Secure PDF Viewer לוגו](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS לוגו](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](android.md#general-apps)
+
+### שולחן עבודה/מחשב אישי
+
+
+
+- ![Qubes OS לוגו](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os)
+- ![Fedora לוגו](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation)
+- ![openSUSE Tumbleweed לוגו](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed)
+- ![Arch לוגו](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux)
+- ![Fedora Silverblue לוגו](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue)
+- ![nixOS לוגו](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos)
+- ![Whonix לוגו](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix)
+- ![Tails לוגו](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](desktop.md)
+
+### קושחת הנתב
+
+
+
+- ![OpenWrt לוגו](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt)
+- ![OPNsense לוגו](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](router.md)
+
+## ספקי שירות
+
+### אחסון בענן
+
+
+
+- ![Proton Drive לוגו](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](cloud.md)
+
+### DNS
+
+#### ספקי DNS
+
+אנו ממליצים [](dns.md#recommended-providers) מספר שרתי DNS מוצפנים על בסיס מגוון רחב של קריטריונים, כגון [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) ו [Quad9](https://quad9.net/) בין היתר. אנו ממליצים לך לקרוא את הדפים שלנו על DNS לפני בחירת ספק. במקרים רבים, שימוש בספק DNS חלופי אינו מומלץ.
+
+[למד עוד :material-arrow-right-drop-circle:](dns.md)
+
+#### פרוקסי DNS מוצפנים
+
+
+
+- ![RethinkDNS לוגו](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns)
+- ![dnscrypt-proxy לוגו](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies)
+
+#### פתרונות אירוח עצמי
+
+
+
+- ![AdGuard Home לוגו](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home)
+- ![Pi-hole לוגו](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions)
+
+### אימייל
+
+
+
+- ![Proton Mail לוגו](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail)
+- ![Mailbox.org לוגו](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg)
+- ![StartMail לוגו](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail)
+- ![Tutanota לוגו](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](email.md)
+
+#### שירותי כינוי דוא"ל
+
+
+
+- ![AnonAddy לוגו](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy לוגו](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy)
+- ![SimpleLogin לוגו](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](email.md#email-aliasing-services)
+
+#### אימייל לאירוח עצמי
+
+
+
+- ![mailcow לוגו](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email)
+- ![Mail-in-a-Box לוגו](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](email.md#self-hosting-email)
+
+### מנועי חיפוש
+
+
+
+- ![Brave Search לוגו](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search)
+- ![DuckDuckGo לוגו](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo)
+- ![SearXNG לוגו](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng)
+- ![Startpage לוגו](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](search-engines.md)
+
+### ספקי VPN
+
+??? danger סכנה "רשתות VPN לא מספקות אנונימיות"
+
+ שימוש ב-VPN **לא** ישמור על הרגלי הגלישה שלך אנונימיים, וגם לא יוסיף אבטחה לתעבורה לא מאובטחת (HTTP).
+
+ אם אתם מחפשים **אנונימיות**, כדאי להשתמש בדפדפן Tor **במקום** ב-VPN.
+
+ אם אתה מחפש **אבטחה** נוספת, עליך תמיד לוודא שאתה מתחבר לאתרים באמצעות HTTPS. VPN אינו תחליף לשיטות אבטחה טובות.
+
+ [למד עוד :material-arrow-right-drop-circle:](vpn.md)
+
+
+
+- ![Proton VPN לוגו](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn)
+- ![IVPN לוגו](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn)
+- ![Mullvad לוגו](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](vpn.md)
+
+## תוכנה
+
+### סנכרון לוח שנה
+
+
+
+- ![Tutanota לוגו של](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota)
+- ![Proton Calendar לוגו של](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](calendar.md)
+
+### הפחתת נתונים ומטא נתונים
+
+
+
+- ![MAT2 לוגו](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2)
+- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android)
+- ![Metapho לוגו](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios)
+- ![PrivacyBlur לוגו](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur)
+- ![ExifTool לוגו](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](data-redaction.md)
+
+### לקוחות אימייל
+
+
+
+- ![Thunderbird לוגו](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird)
+- ![Apple Mail לוגו](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos)
+- ![Canary Mail לוגו](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios)
+- ![FairEmail לוגו](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android)
+- ![GNOME Evolution לוגו](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome)
+- ![K-9 Mail לוגו](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android)
+- ![Kontact לוגו](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde)
+- ![Mailvelope לוגו](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser)
+- ![NeoMutt לוגו](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](email-clients.md)
+
+### תוכנת הצפנה
+
+??? info מידע "הצפנת דיסק של מערכת הפעלה"
+
+ להצפנת כונן מערכת ההפעלה שלך, אנו ממליצים בדרך כלל להשתמש בכל כלי הצפנה שמערכת ההפעלה שלך מספקת, אם זה **BitLocker** בווינדוס, **FileVault** ב macOS, או **LUKS** בלינוקס. כלים אלה כלולים במערכת ההפעלה ומשתמשים בדרך כלל ברכיבי הצפנת חומרה כגון TPM שתוכנות הצפנה אחרות בדיסק מלא כמו VeraCrypt אינן עושות. VeraCrypt עדיין מתאים לדיסקים שאינם פועלים במערכת כגון כוננים חיצוניים, במיוחד כוננים שניתן לגשת אליהם ממספר מערכות הפעלה.
+
+ [למד עוד :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde)
+
+
+
+- ![Cryptomator לוגו](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud)
+- ![Picocrypt לוגו](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file)
+- ![VeraCrypt לוגו](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt לוגו](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk)
+- ![Hat.sh לוגו](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh לוגו](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh)
+- ![Kryptor לוגו](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor)
+- ![Tomb לוגו](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](encryption.md)
+
+#### לקוחות OpenPGP
+
+
+
+- ![GnuPG לוגו](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard)
+- ![GPG4Win לוגו](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win)
+- ![GPG Suite לוגו](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite)
+- ![OpenKeychain לוגו](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](encryption.md#openpgp)
+
+### שיתוף וסנכרון קבצים
+
+
+
+- ![Send לוגו](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send)
+- ![OnionShare לוגו](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare)
+- ![FreedomBox לוגו](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox)
+- ![Nextcloud לוגו](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud)
+- ![Syncthing לוגו](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](file-sharing.md)
+
+### חזיתות
+
+
+
+- ![Librarian לוגו](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian)
+- ![Nitter לוגו](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter)
+- ![FreeTube לוגו](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube)
+- ![Yattee לוגו](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee)
+- ![NewPipe לוגו](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android)
+- ![Invidious לוגו](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious)
+- ![Piped לוגו](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](frontends.md)
+
+### כלי אימות רב-גורמי
+
+
+
+- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey)
+- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key)
+- ![Aegis לוגו](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator)
+- ![Raivo OTP לוגו](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](multi-factor-authentication.md)
+
+### צוברי חדשות
+
+
+
+- ![Akregator לוגו](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator)
+- ![Feeder לוגו](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder)
+- ![Fluent Reader לוגו](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader)
+- ![GNOME Feeds לוגו](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds)
+- ![Miniflux לוגו](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux)
+- ![NetNewsWire לוגו](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire)
+- ![Newsboat לוגו](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](news-aggregators.md)
+
+### פנקס רשימות
+
+
+
+- ![Joplin לוגו](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin)
+- ![Standard Notes לוגו](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes)
+- ![Cryptee לוגו](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee)
+- ![Org-mode לוגו](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](notebooks.md)
+
+### מנהלי סיסמאות
+
+
+
+- ![Bitwarden לוגו](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden)
+- ![1Password לוגו](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password)
+- ![Psono לוגו](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono)
+- ![KeePassXC לוגו](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc)
+- ![KeePassDX לוגו](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android)
+- ![Strongbox לוגו](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos)
+- ![gopass לוגו](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](passwords.md)
+
+### כלי פרודוקטיביות
+
+
+
+- ![Nextcloud לוגו](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud)
+- ![LibreOffice לוגו](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice)
+- ![OnlyOffice לוגו](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice)
+- ![CryptPad לוגו](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad)
+- ![PrivateBin לוגו](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](productivity.md)
+
+### תקשורת בזמן אמת
+
+
+
+- ![Signal לוגו](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal)
+- ![Briar לוגו](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar)
+- ![SimpleX Chat לוגו](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat)
+- ![Element לוגו](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element)
+- ![Session לוגו](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session)
+
+
+
+[למד עוד :material-arrow-right-drop-circle:](real-time-communication.md)
+
+### לקוחות הזרמת וידאו
+
+
+
+- ![LBRY לוגו](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry)
+
+
+ +[למד עוד :material-arrow-right-drop-circle:](video-streaming.md) + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/tor.md b/i18n/he/tor.md new file mode 100644 index 00000000..6ab55678 --- /dev/null +++ b/i18n/he/tor.md @@ -0,0 +1,124 @@ +--- +title: "רשת טור (Tor Network)" +icon: simple/torproject +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +הרשת **Tor** היא קבוצה של שרתים המופעלים בהתנדבות המאפשרת לך להתחבר בחינם ולשפר את הפרטיות והאבטחה שלך באינטרנט. אנשים וארגונים יכולים גם לשתף מידע על גבי רשת Tor עם ".onion hidden services" מבלי לפגוע בפרטיותם. מכיוון שקשה לחסום ולעקוב אחר תעבורת Tor, Tor הוא כלי יעיל לעקוף צנזורה. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=דף הבית } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="שירות בצל" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=תיעוד} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="קוד מקור" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=לתרומה } + +Tor פועלת על ידי ניתוב תעבורת האינטרנט שלך דרך אותם שרתים המופעלים על ידי מתנדבים, במקום ליצור חיבור ישיר לאתר שבו אתה מנסה לבקר. זה מטשטש מהיכן מגיעה התעבורה, ואף שרת בנתיב החיבור לא מסוגל לראות את הנתיב המלא של המקום ממנו מגיעה התנועה והולכת, כלומר אפילו השרתים שבהם אתה משתמש כדי להתחבר לא יכולים לשבור את האנונימיות שלך. + +
+ ![נתיב Tor ](assets/img/how-tor-works/tor-path.svg#only-light) + ![נתיב Tor](assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
מסלול מעגל Tor - צמתים בנתיב יכולים לראות רק את השרתים שאליהם הם מחוברים ישירות, למשל הצומת "כניסה" המוצג יכול לראות את כתובת ה-IP שלך, ואת הכתובת של הצומת "האמצעי", אבל אין לו דרך לראות איזה האתר שאתה מבקר בו.
+
+ +- [מידע נוסף על אופן הפעולה של Tor :material-arrow-right-drop-circle:](advanced/tor-overview.md) + +## התחברות ל - Tor + +ישנן מגוון דרכים שלך להתחבר לרשת Tor מהמכשיר, הנפוץ ביותר הוא דפדפן **Tor**, נגזרת של Firefox המיועד לגלישה אנונימית למחשבים שולחניים ואנדרואיד. בנוסף לאפליקציות המפורטות למטה, יש גם מערכות הפעלה שתוכננו במיוחד להתחבר לרשת Tor כגון [Whonix](desktop.md#whonix) ב-[Qubes OS](desktop.md#qubes-os), המספקות אבטחה והגנות גבוהות עוד יותר מאשר דפדפן Tor הרגיל. + +### דפדפן Tor + +!!! recommendation + + ![Tor Browser לוגו](assets/img/browsers/tor.svg){ align=right } + + **דפדפן Tor** הוא הבחירה אם אתה זקוק לאנונימיות, מכיוון שהוא מספק לך גישה לרשת Tor ולגשרים, והוא כולל הגדרות ברירת מחדל והרחבות המוגדרות אוטומטית לפי רמות האבטחה המוגדרות כברירת מחדל: *סטנדרטי*, *בטוח יותר * ו*הבטוח ביותר*. + + [:octicons-home-16: דף הבית](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="שירות בצל" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=תיעוד } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger "סַכָּנָה" + + אתה צריך **לעולם לא** להתקין הרחבות נוספות בדפדפן Tor או לערוך את הגדרות `about:config`, כולל אלו שאנו מציעים עבור Firefox. 
הרחבות דפדפן והגדרות לא סטנדרטיות גורמים לך להתבלט על פני אחרים ברשת Tor, ובכך להקל על [טביעת אצבע](https://support.torproject.org/glossary/browser-fingerprinting) של הדפדפן שלך. + +דפדפן Tor נועד למנוע טביעת אצבע, או לזהות אותך על סמך תצורת הדפדפן שלך. לכן, זה הכרחי כי אתה עושה **לא** לשנות את הדפדפן מעבר ברירת המחדל [רמות אבטחה](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot לוגו](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** הוא Tor VPN בחינם לסמארטפונים שמנתב תעבורה מכל אפליקציה במכשיר שלך דרך רשת Tor. + + [:octicons-home-16: דף הבית](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +להתנגדות נגד התקפות ניתוח תעבורה, שקול להפעיל את *בודד את כתובת היעד* ב :material-menu: ← **הגדרות** ← **חיבוריות**. זה ישתמש במעגל Tor שונה לחלוטין (צמתי ממסר אמצעי וצמתי יציאה שונים) עבור כל תחום שאליו אתה מתחבר. + +!!! טיפ "טיפים עבור אנדרואיד" + + Orbot יכול לבצע שרת proxy של אפליקציות בודדות אם הם תומכים ב-SOCKS או HTTP proxy. זה יכול גם לספק את כל חיבורי הרשת שלך באמצעות [VpnService](https://developer.android.com/reference/android/net/VpnService) וניתן להשתמש בו עם מתג ה-VPN ב-:gear: **הגדרות** → * *רשת & אינטרנט** → **VPN** → :gear: → **חסום חיבורים ללא VPN**. 
+ + Orbot מיושן לעתים קרובות ב[מאגר F-Droid](https://guardianproject.info/fdroid) ו- [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), אז שקול להוריד ישירות מ[מאגר GitHub](https://github.com/guardianproject/orbot/releases) במקום זאת. + + כל הגרסאות חתומות באמצעות אותה חתימה ולכן הן צריכות להיות תואמות זו לזו. + +## ממסרים וגשרים + +### Snowflake + +!!! recommendation + + ![Snowflake לוגו](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake לוגו](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** מאפשר לך לתרום רוחב פס לפרויקט Tor על ידי הפעלת "Snowflake proxy" בתוך הדפדפן שלך. + + אנשים שמצונזרים יכולים להשתמש בפרוקסי של Snowflake כדי להתחבר לרשת Tor. Snowflake היא דרך מצוינת לתרום לרשת גם אם אין לך את הידע הטכני להפעיל ממסר Tor או גשר. + + [:octicons-home-16: דף הבית](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=תיעוד} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "מוטבע Snowflake" + + אתה יכול להפעיל את Snowflake בדפדפן שלך על ידי לחיצה על המתג למטה ו== השארת דף זה פתוח==. אתה יכול גם להתקין את Snowflake כתוסף לדפדפן כדי להפעיל אותו תמיד כשהדפדפן שלך פתוח, אולם הוספת הרחבות של צד שלישי יכולה להגדיל את משטח ההתקפה שלך. + +
+ אם ההטמעה לא מופיעה עבורך, ודא שאינך חוסם את המסגרת של צד שלישי מ- `torproject.org`. לחלופין, בקר ב[דף זה](https://snowflake.torproject.org/embed.html). + +Snowflake אינו מגדיל את פרטיותך בשום צורה, ואינו משמש לחיבור לרשת Tor בתוך הדפדפן האישי שלך. עם זאת, אם חיבור האינטרנט שלך אינו מצונזר, עליך לשקול להפעיל אותו כדי לעזור לאנשים ברשתות מצונזרות להשיג פרטיות טובה יותר בעצמם. אין צורך לדאוג לאילו אתרים אנשים ניגשים דרך ה-proxy שלך - כתובת ה-IP הגלויה של הגלישה שלהם תתאים לצומת היציאה של Tor, לא שלך. + +הפעלת פרוקסי של Snowflake היא בסיכון נמוך, אפילו יותר מהפעלת ממסר Tor או גשר שהם כבר מאמצים לא מסוכנים במיוחד. עם זאת, היא עדיין עושה תעבורת פרוקסי דרך הרשת שלך, מה שיכול להשפיע במובנים מסוימים, במיוחד אם הרשת שלך מוגבלת ברוחב הפס. ודא שאתה מבין [איך Snowflake עובד](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) לפני שתחליט אם להפעיל פרוקסי. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/video-streaming.md b/i18n/he/video-streaming.md new file mode 100644 index 00000000..a1eb4e43 --- /dev/null +++ b/i18n/he/video-streaming.md 
@@ -0,0 +1,52 @@ +--- +title: "הזרמת וידאו" +icon: material/video-wireless +--- + +האיום העיקרי בעת שימוש בפלטפורמת הזרמת וידאו הוא שהרגלי הסטרימינג ורשימות המנויים שלך יוכלו לשמש אותך כדי ליצור פרופיל. עליך לשלב את הכלים האלה עם [VPN](vpn.md) או [Tor](https://www.torproject.org/) כדי להקשות על פרופיל השימוש שלך. + +## קליינטים + +!!! recommendation + + ![LBRY לוגו](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** היא רשת שיתוף וידאו מבוזרת. הוא משתמש ברשת דמוית [BitTorrent](https://wikipedia.org/wiki/BitTorrent) כדי לאחסן את תוכן הווידאו, וב-[blockchain](https://wikipedia.org/wiki/Blockchain) כדי לאחסן את האינדקסים עבור הסרטונים האלה. היתרון העיקרי של עיצוב זה הוא התנגדות לצנזורה. + + **לקוח שולחן העבודה של LBRY** עוזר לך להזרים סרטונים מרשת LBRY ומאחסן את רשימת המנויים שלך בארנק LBRY משלך. + + [:octicons-home-16: דף הבית](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note "הערה" + + מומלץ רק **לקוח שולחני LBRY**, שכן לאתר [Odysee](https://odysee.com) וללקוחות LBRY ב-F-Droid, ב-Play Store וב-App Store יש סנכרון וטלמטריה חובה. + +!!! warning "אזהרה" + + בזמן צפייה ואירוח בסרטונים, כתובת ה-IP שלך גלויה לרשת LBRY. שקול להשתמש ב-[VPN](vpn.md) או [Tor](https://www.torproject.org) אם [מודל האיום](basics/threat-modeling.md) שלך דורש הסתרת כתובת ה-IP שלך. + +אנו ממליצים **נגד** סנכרון הארנק שלך עם LBRY Inc., מכיוון שסנכרון ארנקים מוצפנים עדיין אינו נתמך. 
אם אתה מסנכרן את הארנק שלך עם LBRY Inc., אתה צריך לסמוך עליהם שלא יסתכלו ברשימת המנויים שלך, קרנות [LBC](https://lbry.com/faq/earn-credits), או להשתלט על הערוץ שלך. + +ניתן להשבית *שמירת נתוני אירוח כדי לעזור לרשת LBRY* באפשרות :gear: **הגדרות** ← **הגדרות מתקדמות**, כדי להימנע מחשיפת כתובת ה-IP והסרטונים שצפיתם בעת השימוש ב-LBRY למשך תקופה ממושכת. + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- חייב לא לדרוש חשבון מרוכז כדי לצפות בסרטונים. + - אימות מבוזר, כגון באמצעות מפתח פרטי של ארנק נייד מקובל. + +--8<-- "includes/abbreviations.he.txt" diff --git a/i18n/he/vpn.md b/i18n/he/vpn.md new file mode 100644 index 00000000..6beefa1c --- /dev/null +++ b/i18n/he/vpn.md 
@@ -0,0 +1,323 @@ +--- +title: "שירותי VPN" +icon: material/vpn +--- + +מצא מפעיל VPN ללא רישום שאינו מתכוון למכור או לקרוא את תעבורת האינטרנט שלך. + +??? danger סכנה "רשתות VPN לא מספקות אנונימיות" + + שימוש ב-VPN **לא** ישמור על הרגלי הגלישה שלך אנונימיים, וגם לא יוסיף אבטחה לתעבורה לא מאובטחת (HTTP). + + אם אתם מחפשים **אנונימיות**, כדאי להשתמש בדפדפן Tor **במקום** ב-VPN. + + אם אתה מחפש **אבטחה** נוספת, עליך תמיד לוודא שאתה מתחבר לאתרים באמצעות HTTPS. VPN אינו תחליף לשיטות אבטחה טובות. + + [הורד את Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & שאלות נפוצות](advanced/tor-overview.md){ .md-button } + +??? question שאלה "מתי VPNs שימושיים?" + + אם אתה מחפש **פרטיות** נוספת מ-ISP שלך, ברשת Wi-Fi ציבורית, או תוך כדי טורנט קבצים, VPN עשוי להיות הפתרון עבורך כל עוד אתה מבין את הסיכונים הכרוכים בכך. + + [מידע נוסף ](basics/vpn-overview.md){ .md-button } + +## ספקים מומלצים + +!!! סיכום "קריטריונים" + + הספקים המומלצים שלנו משתמשים בהצפנה, מקבלים Monero, תומכים ב-WireGuard & OpenVPN, ויש להם מדיניות ללא רישום. קרא את [רשימת הקריטריונים המלאה](#our-criteria) שלנו למידע נוסף. + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN לוגו](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** הוא מתחרה חזק בתחום ה-VPN, והם פועלים מאז 2016. Proton AG מבוססת בשוויץ ומציעה רמה מוגבלת בחינם, כמו גם אפשרות פרימיום מומלצת יותר. + + [:octicons-home-16: דף הבית](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="קוד מקור" } + + ??? 
downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +??? check annotate ב 67 מדינות + + ל-Proton VPN יש [שרתים ב-67 מדינות](https://protonvpn.com/vpn-servers) (1). בחירת ספק VPN עם שרת הקרוב אליך תפחית את זמן האחזור של תעבורת הרשת שאתה שולח. הסיבה לכך היא מסלול קצר יותר (פחות דילוגים) ליעד. + + אנחנו גם חושבים שעדיף לאבטחת המפתחות הפרטיים של ספק ה-VPN אם הם משתמשים ב[שרתים ייעודיים](https://en.wikipedia.org/wiki/Dedicated_hosting_service), במקום פתרונות משותפים זולים יותר (עם לקוחות אחרים) כגון [ שרתים פרטיים וירטואליים](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. נבדק אחרון: 2022-09-16 + +??? success הצלחה "מבוקר באופן עצמאי" + + החל מינואר 2020, Proton VPN עבר ביקורת בלתי תלויה על ידי SEC Consult. SEC Consult מצא כמה נקודות תורפה בסיכון בינוני ונמוך ביישומי Windows, Android ו-iOS של Proton VPN, שכולן תוקנו כראוי על ידי Proton VPN לפני פרסום הדוחות. אף אחת מהבעיות שזוהו לא הייתה מספקת לתוקף גישה מרחוק למכשיר או לתעבורה שלך. אתה יכול להציג דוחות בודדים עבור כל פלטפורמה בכתובת [protonvpn.com](https://protonvpn.com/blog/open-source/). באפריל 2022 Proton VPN עבר [ביקורת נוספת](https://protonvpn.com/blog/no-logs-audit/) והדוח הופק על ידי Securitum](https://protonvpn.com/blog/wp- content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). [מכתב אישור](https://proton.me/blog/security-audit-all-proton-apps) סופק עבור האפליקציות של Proton VPN ב-9 בנובמבר 2021 על ידי [Securitum](https://research.securitum. com). + +??? success הצלחה "לקוחות קוד פתוח" + + Proton VPN מספק את קוד המקור עבור לקוחות שולחניים וניידים שלהם ב[ארגון GitHub](https://github.com/ProtonVPN). 
+ +??? success הצלחה "מקבל מזומן" + + Proton VPN, בנוסף לקבל כרטיסי אשראי/חיוב ו-PayPal, מקבל ביטקוין ו-**מזומן/מטבע מקומי** כאמצעי תשלום אנונימיים. + +??? success "תמיכה ב-WireGuard" + + Proton VPN תומך בעיקר בפרוטוקול WireGuard®. [WireGuard](https://www.wireguard.com) הוא פרוטוקול חדש יותר שמשתמש ב[cryptography](https://www.wireguard.com/protocol/) חדישה. בנוסף, WireGuard שואפת להיות פשוטה וביצועית יותר. + + Proton VPN [ממליץ](https://protonvpn.com/blog/wireguard/) משתמש ב - WireGuard בשירות שלהם. באפליקציות Windows, macOS, iOS, Android, ChromeOS ו-Android TV של Proton VPN, WireGuard הוא פרוטוקול ברירת המחדל; עם זאת, [תמיכה](https://protonvpn.com/support/how-to-change-vpn-protocols/) עבור הפרוטוקול אינו קיים באפליקציית הלינוקס שלהם. + +??? warning "העברת יציאות מרחוק" + + נכון לעכשיו, Proton VPN תומך רק בהעברה מרחוק של [port forwarding](https://protonvpn.com/support/port-forwarding/) ב - Windows, דבר שעשוי להשפיע על יישומים מסוימים. במיוחד יישומי Peer - to - peer כמו לקוחות Torrent. + +??? check "קליינטים ניידים" + + בנוסף לאספקת קבצי תצורה סטנדרטיים של OpenVPN, ל-Proton VPN יש לקוחות ניידים עבור [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases)מה שמאפשר חיבורים קלים לשרתים שלהם. + +??? info "פונקציונליות נוספת" + + תוכנות Proton VPN תומכים באימות דו - שלבי בכל הפלטפורמות מלבד Linux כרגע. ל - Proton VPN יש שרתים ומרכזי נתונים משלו בשוויץ, איסלנד ושוודיה. הם מציעים חסימת מודעות ודומיינים ידועים של תוכנות זדוניות שחוסמים באמצעות שירות ה - DNS שלהם. בנוסף, Proton VPN מציע גם שרתי "Tor" המאפשרים לך להתחבר בקלות לאתרי בצל, אבל אנחנו עדיין ממליצים בחום להשתמש [בדפדפן Tor הרשמי]( https://www.torproject.org/) למטרה זו. + +!!! 
danger "תכונת Killswitch שבורה במחשבי מקינטוש מבוססי אינטל" + + קריסות מערכת [עלולות להתרחש](https://protonvpn.com/support/macos-t2-chip-kill-switch/) במחשבי מקינטוש מבוססי אינטל בעת שימוש במתג השבתה של VPN. אם אתם זקוקים לתכונה זו, ואתם משתמשים ב - Mac עם ערכת שבבים של Intel, כדאי לכם לשקול להשתמש בשירות VPN אחר. + +### IVPN + +!!! recommendation + + ![לוגו IVPN](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** הוא עוד ספק VPN פרימיום, והם פועלים מאז 2009. IVPN מבוסס בגיברלטר. + + [:octicons-home-16: דף הבית](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +??? success annotate הערת הצלחה 35 מדינות + + ל-IVPN יש [שרתים ב-35 מדינות](https://www.ivpn.net/server-locations) (1). בחירת ספק VPN עם שרת הקרוב אליך תפחית את זמן האחזור של תעבורת הרשת שאתה שולח. הסיבה לכך היא מסלול קצר יותר (פחות דילוגים) ליעד. + + אנחנו גם חושבים שעדיף לאבטחת המפתחות הפרטיים של ספק ה-VPN אם הם משתמשים ב[שרתים ייעודיים](https://en.wikipedia.org/wiki/Dedicated_hosting_service), במקום פתרונות משותפים זולים יותר (עם לקוחות אחרים) כגון [ שרתים פרטיים וירטואליים](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. נבדק אחרון: 2022-09-16 + +??? success הצלחה "מבוקר באופן עצמאי" + + IVPN עבר ביקורת [ביקורת אי-תיעוד מ-Cure53](https://cure53.de/audit-report_ivpn.pdf) שהסתיימה בהסכמה עם תביעת האי - רישום של IVPN. 
IVPN גם השלים [דוח pentest מקיף Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) בינואר 2020. IVPN גם אמר שהם מתכננים לקבל [דוחות שנתיים]( https://www.ivpn.net/blog/independent-security-audit-concluded) בעתיד. בדיקה נוספת נערכה [באפריל 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) והופק על ידי Cure53 [באתר האינטרנט שלהם]( https://cure53.de/pentest-report_IVPN_2022.pdf). + +??? success הצלחה "לקוחות קוד פתוח" + + החל מפברואר 2020 [יישומי IVPN הם כעת קוד פתוח](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). ניתן לקבל את קוד המקור מ[GitHub organization](https://github.com/ivpn). + +??? success "מקבל מזומן ומונרו" + + בנוסף לקבלת כרטיסי אשראי/חיוב ו-PayPal, IVPN מקבל ביטקוין, **Monero** ו**מזומן/מטבע מקומי** (בתוכניות שנתיות) כאמצעי תשלום אנונימיים. + +??? success "תמיכה ב-WireGuard" + + IVPN תומך בפרוטוקול WireGuard®. [WireGuard](https://www.wireguard.com) הוא פרוטוקול חדש יותר שמשתמש ב[cryptography](https://www.wireguard.com/protocol/) חדישה. בנוסף, WireGuard שואפת להיות פשוטה וביצועית יותר. + + IVPN [recommends](https://www.ivpn.net/wireguard/) משתמש ב-WireGuard עם השירות שלהם, וככזה, הפרוטוקול הוא ברירת המחדל בכל האפליקציות של IVPN. IVPN מציע גם מחולל תצורת WireGuard לשימוש עם WireGuard הרשמי [apps](https://www.wireguard.com/install/). + +??? success "העברת יציאות מרחוק" + + מרחוק [העברת יציאות](https://en.wikipedia.org/wiki/Port_forwarding) אפשרית עם תוכנית Pro. העברת יציאות [ניתן להפעיל](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) דרך אזור הלקוח. העברת פורט זמינה רק ב - IVPN בעת שימוש בפרוטוקולי WireGuard או OpenVPN והיא [מושבתת בשרתים בארה"ב]( https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +??? 
check "קליינטים ניידים" + + בנוסף לאספקת קבצי תצורה סטנדרטיים של OpenVPN, ל-IVPN יש לקוחות ניידים עבור [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), ו [GitHub](https://github.com/ivpn/android-app/releases) המאפשרים חיבורים קלים לשרתים שלהם. + +??? info "פונקציונליות נוספת" + + תוכונת IVPN תומכים באימות דו - שלבי (הלקוחות של Mullvad לא תומכים). IVPN מספק גם פונקציונליות של "[AntiTracker](https://www.ivpn.net/antitracker)", שחוסמת רשתות פרסום ועוקבים מרמת הרשת. + +### Mullvad + +!!! recommendation + + ![לוגו Mullvad](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** הוא VPN מהיר וזול עם התמקדות רצינית בשקיפות ואבטחה. הם פועלים מאז **2009**. Mullvad מבוסס בשוודיה ואין לו ניסיון חינם. + + [:octicons-home-16: דף הבית](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="שירותי בצל" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +??? success annotate "41 מדינות" + + ל-Mullvad יש [שרתים ב-41 מדינות](https://mullvad.net/servers/) (1). בחירת ספק VPN עם שרת הקרוב אליך תפחית את זמן האחזור של תעבורת הרשת שאתה שולח. 
הסיבה לכך היא מסלול קצר יותר (פחות דילוגים) ליעד. + + אנחנו גם חושבים שעדיף לאבטחת המפתחות הפרטיים של ספק ה-VPN אם הם משתמשים ב[שרתים ייעודיים](https://en.wikipedia.org/wiki/Dedicated_hosting_service), במקום פתרונות משותפים זולים יותר (עם לקוחות אחרים) כגון [ שרתים פרטיים וירטואליים](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. נבדק לאחרונה: 2022 -09 -16 + +??? success הצלחה "מבוקר באופן עצמאי" + + לקוחות ה-VPN של Mullvad עברו ביקורת על ידי Cure53 ו-Assured AB בדוח בדיקה [פורסם בכתובת cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). חוקרי האבטחה הגיעו למסקנה: + + > Cure53 ו-Assured AB מרוצים מתוצאות הביקורת והתוכנה משאירה רושם חיובי כללי. עם מסירות אבטחה של הצוות הפנימי במתחם ה-VPN של Mullvad, לבודקים אין ספק לגבי הפרויקט בדרך הנכונה מבחינה אבטחה. + + בשנת 2020 [הוכרזה] ביקורת שנייה (https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) ו[דוח הביקורת הסופי](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) הפך זמין באתר האינטרנט של Cure53: + + > התוצאות של פרויקט מאי-יוני 2020 המתמקד במתחם Mullvad הן חיוביות למדי. [...] המערכת האקולוגית הכוללת של היישום המשמשת את Mullvad משאירה רושם קול ומובנה. המבנה הכללי של היישום מקל על גלגול תיקונים ותיקונים באופן מובנה. יותר מכל, הממצאים שנצפו על ידי Cure53 מדגימים את החשיבות של ביקורת מתמדת והערכה מחדש של וקטורי הדליפה הנוכחיים, על מנת להבטיח תמיד את פרטיותם של משתמשי הקצה. עם זאת, Mullvad עושה עבודה נהדרת בהגנה על משתמש הקצה מפני דליפות PII נפוצות וסיכונים הקשורים לפרטיות. + + בשנת 2021 [הוכרזה] ביקורת תשתית [https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacyleaks-found-cure53s-infrastructure-audit/] ו [דוח הביקורת הסופי](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) הפך לזמין באתר האינטרנט של Cure53. 
דוח נוסף הוזמן [ביוני 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +??? success הצלחה "לקוחות קוד פתוח" + + Mullvad מספקת את קוד המקור עבור הלקוחות שלהם בשולחן העבודה ובנייד בארגון שלהם [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +??? success "מקבל מזומן ומונרו" + + Mullvad, בנוסף לקבל כרטיסי אשראי/חיוב ו-PayPal, מקבל ביטקוין, ביטקוין מזומן, **Monero** ו**מזומן/מטבע מקומי** כאמצעי תשלום אנונימיים. הם גם מקבלים סוויש והעברות בנקאיות. + +??? success "תמיכה ב-WireGuard" + + Mullvad תומך בפרוטוקול WireGuard®. [WireGuard](https://www.wireguard.com) הוא פרוטוקול חדש יותר שמשתמש ב[cryptography](https://www.wireguard.com/protocol/) חדישה. בנוסף, WireGuard שואפת להיות פשוטה וביצועית יותר. + + Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) משתמש ב WireGuard בשירות שלהם. זהו פרוטוקול ברירת המחדל או הפרוטוקול היחיד באפליקציות Android, iOS, macOS ו - Linux של Mullvad, אך ב - Windows עליך [להפעיל ידנית](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad גם מציע גנרטור תצורה WireGuard לשימוש עם הרשמי [apps](https://www.wireguard.com/install/)./install/). + +??? check "תמיכת IPv6" + + Mullvad תומך בעתיד של הרשתות [IPv6](https://en.wikipedia.org/wiki/IPv6). הרשת שלהם מאפשרת לך [לגשת לשירותים המתארחים ב - IPv6]( https://mullvad.net/en/blog/2014/9/15/ipv6-support/) בניגוד לספקים אחרים שחוסמים חיבורי IPv6. + +??? success "העברת יציאות מרחוק" + + [העברת יציאות] (https://en.wikipedia.org/wiki/Port_forwarding) מרחוק מותרת לאנשים המבצעים תשלומים חד-פעמיים, אך אינה מותרת עבור חשבונות עם אמצעי תשלום חוזר/מבוסס מנוי. זה כדי למנוע מ - Mullvad להיות מסוגל לזהות אותך בהתבסס על השימוש שלך בפורט ופרטי המנוי המאוחסנים. 
ראה [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) לקבלת מידע נוסף. + +??? check "קליינטים ניידים" + + Mullvad פרסם את [App Store]( https://apps.apple.com/app/mullvad-vpn/id1488466513) ואת [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) לקוחות, שניהם תומכים בממשק קל לשימוש במקום לדרוש ממך להגדיר באופן ידני את חיבור WireGuard שלך. קליינט של אנדרואיד מפורסם גם ב [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +??? info "פונקציונליות נוספת" + + Mullvad מאוד שקוף לגבי אילו צמתים הם [בעלים או שוכרים](https://mullvad.net/en/servers/). הם משתמשים ב-[ShadowSocks](https://shadowsocks.org/) בתצורת ShadowSocks + OpenVPN שלהם, מה שהופך אותם לעמידים יותר בפני חומות אש כאשר [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) מנסה כדי לחסום VPNs. לכאורה, [סין צריכה להשתמש בשיטה אחרת כדי לחסום שרתי ShadowSocks](https://github.com/net4people/bbs/issues/22). האתר של Mullvad נגיש גם דרך Tor בכתובת [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvad.mac7kwad.cn). + +## קריטריונים + +!!! danger "סַכָּנָה" + + חשוב לציין ששימוש בספק VPN לא יהפוך אתכם לאנונימיים, אבל הוא ייתן לכם פרטיות טובה יותר במצבים מסוימים. VPN הוא לא כלי לפעילויות בלתי חוקיות. אל תסמכו על מדיניות "ללא תיעוד ". + +**לידיעתך, איננו קשורים לאף אחד מהספקים שאנו ממליצים עליהם. זה מאפשר לנו לספק המלצות אובייקטיביות לחלוטין.** פיתחנו קבוצה ברורה של דרישות עבור כל ספק VPN שרוצה להיות מומלץ, כולל הצפנה חזקה, ביקורות אבטחה עצמאיות, טכנולוגיה מודרנית, ועוד. מומלץ להכיר את הרשימה לפני שבוחרים ספק אימייל, ולבצע מחקר משלך כדי לוודא שספק האימייל שבחרתם הוא הבחירה הנכונה עבורכם. + +### טכנולוגיה + +אנו דורשים מכל ספקי ה - VPN המומלצים שלנו לספק קבצי תצורה של OpenVPN לשימוש בכל לקוח. **אם** VPN מספק קליינט מותאם אישית משלו, אנו זקוקים ל-killswitch כדי לחסום דליפות נתוני רשת כאשר הוא מנותק. 
+ +**מינימום כדי לעמוד בדרישות:** + +- תמיכה בפרוטוקולים חזקים כגון WireGuard & OpenVPN. +- Killswitch מובנה בקליינטים. +- תמיכה Multihop. Multihopping חשוב לשמור על נתונים פרטיים במקרה של פשרה צומת אחת. +- אם לקוחות VPN מסופקים, הם צריכים להיות [קוד פתוח](https://en.wikipedia.org/wiki/Open_source), כמו תוכנת ה - VPN שהם בדרך כלל בנו לתוכם. אנחנו מאמינים שזמינות של [קוד מקור](https://en.wikipedia.org/wiki/Source_code) מספקת שקיפות רבה יותר לגבי מה שהמכשיר שלך עושה בפועל. + +**המקרה הטוב ביותר:** + +- תמיכה ב - WireGuard וב - OpenVPN. +- Killswitch עם אפשרויות להגדרה גבוהה (הפעלה/השבתה ברשתות מסוימות, על אתחול, וכו ') +- קליינטים VPN קלים לשימוש +- תומך [IPv6](https://en.wikipedia.org/wiki/IPv6). אנו מצפים כי שרתים יאפשרו חיבורים נכנסים באמצעות IPv6 ויאפשרו לך לגשת לשירותים המתארחים בכתובות IPv6. +- היכולת של [העברת יציאות מרחוק](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) מסייעת ביצירת חיבורים בעת שימוש בתוכנת שיתוף קבצים P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer))או בעת אירוח שרת (לדוגמה, Mumble). + +### פרטיות + +אנו מעדיפים שהספקים המומלצים שלנו יאספו כמה שפחות נתונים. לא לאסוף מידע אישי על רישום, וקבלת צורות אנונימיות של תשלום נדרשים. + +**מינימום כדי לעמוד בדרישות:** + +- Monero או אפשרות תשלום במזומן. +- אין צורך במידע אישי כדי להירשם: רק שם משתמש, סיסמה ודוא"ל לכל היותר. + +**המקרה הטוב ביותר:** + +- מקבל Monero, מזומן וצורות אחרות של מטבעות קריפטוגרפיים ו/או אפשרויות תשלום אנונימיות (כרטיסי מתנה וכו') +- לא התקבל מידע אישי (שם משתמש שנוצר באופן אוטומטי, אין צורך בדוא"ל וכו') + +### אבטחה + +VPN הוא חסר טעם אם הוא אפילו לא יכול לספק אבטחה מספקת. אנו דורשים מכל הספקים המומלצים שלנו לציית לתקני האבטחה הנוכחיים לחיבורי OpenVPN שלהם. באופן אידיאלי, הם ישתמשו ביותר תוכניות הצפנה עתידיות כברירת מחדל. כמו כן, אנו דורשים מצד שלישי עצמאי לבדוק את האבטחה של הספק, באופן אידיאלי באופן מקיף מאוד ועל בסיס חוזר ונשנה (שנתי). 
+ +**מינימום כדי לעמוד בדרישות:** + +- ערכות הצפנה חזקות: OpenVPN עם אימות SHA -256; RSA -2048 או לחיצת יד טובה יותר; AES -256 - GCM או הצפנת נתונים AES -256 - CBC. +- סודיות קדימה מושלמת (PFS). +- פירסם ביקורות אבטחה מחברת צד שלישי מכובדת. + +**המקרה הטוב ביותר:** + +- הצפנה חזקה ביותר: RSA -4096. +- סודיות קדימה מושלמת (PFS). +- ביקורות אבטחה מקיפות שפורסמו מחברת צד שלישי בעלת מוניטין. +- תוכניות לחיפוש באגים ו/או תהליך גילוי - פגיעות מתואם. + +### אמון + +לא היית סומך על הכספים שלך למישהו עם זהות מזויפת, אז למה לסמוך עליהם עם נתוני האינטרנט שלך? אנו דורשים מהספקים המומלצים שלנו להיות פומביים לגבי הבעלות או המנהיגות שלהם. כמו כן, היינו רוצים לראות דיווחי שקיפות תכופים, במיוחד בכל הנוגע לאופן הטיפול בבקשות ממשלתיות. + +**מינימום כדי לעמוד בדרישות:** + +- מנהיגות ציבורית או בעלות. + +**המקרה הטוב ביותר:** + +- מנהיגות מול הציבור. +- דוחות שקיפות תכופים. + +### שיווק + +עם ספקי ה - VPN אנו ממליצים לראות שיווק אחראי. + +**מינימום כדי לעמוד בדרישות:** + +- חייבים לבצע ניתוח מידע באיחסון עצמי (כלומר, ללא Google Analytics). האתר של הספק חייב גם לציית ל [DNT (לא לעקוב)](https://en.wikipedia.org/wiki/Do_Not_Track) למי שרוצה לבטל את הסכמתו. + +אסור שיהיה שיווק שהוא חסר אחריות: + +- ביצוע ערבויות של הגנה על 100% אנונימיות. כשמישהו טוען שמשהו הוא 100% זה אומר שאין ודאות לכישלון. אנחנו יודעים שאנשים יכולים בקלות להפוך את עצמם לאיאנונימיים במספר דרכים, למשל.: + - שימוש חוזר במידע אישי, למשל (חשבונות דוא"ל, שמות בדויים ייחודיים וכו ') שאליו ניגשו ללא תוכנה אנונימיות (Tor, VPN וכו ') + - [טביעת אצבע של דפדפן](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- טוענים ש - VPN במעגל אחד הוא "אנונימי יותר" מאשר Tor, שהוא מעגל של שלושה כשות או יותר שמשתנה באופן קבוע. +- השתמשו בשפה אחראית: כלומר, זה בסדר לומר ש-VPN "מנותק" או "לא מחובר", אולם לטעון שמישהו "חשוף", "פגיע" או "נפרץ" הוא שימוש מיותר בשפה מדאיגה שעשויה להיות שגויה. לדוגמה, ייתכן שהאדם הזה פשוט משתמש בשירות של ספק VPN אחר או משתמש ב - Tor. 
+
+**המקרה הטוב ביותר:**
+
+שיווק אחראי כי הוא גם חינוכי ושימושי לצרכן יכול לכלול:
+
+- השוואה מדויקת למועד שבו יש להשתמש ב-[Tor](tor.md) במקום זאת.
+- זמינות אתר האינטרנט של ספק ה - VPN מעל [Onion Service](https://en.wikipedia.org/wiki/.onion)
+
+### פונקציונליות נוספת
+
+אמנם לא דרישות קפדניות, אך ישנם כמה גורמים שבדקנו בעת קביעה על אילו ספקים להמליץ. אלה כוללים פונקציונליות של חסימת מודעות/חסימת מעקב, כנריות, חיבורי מולטי-הופ, תמיכת לקוחות מצוינת, מספר החיבורים המותרים בו זמנית וכו'.
+
+--8<-- "includes/abbreviations.he.txt"
diff --git a/i18n/hi/404.md b/i18n/hi/404.md
new file mode 100644
index 00000000..ea8d0fb0
--- /dev/null
+++ b/i18n/hi/404.md
@@ -0,0 +1,17 @@
+---
+hide:
+ - feedback
+---
+
+# 404 - Not Found
+
+We couldn't find the page you were looking for! Maybe you were looking for one of these?
+
+- [Introduction to Threat Modeling](basics/threat-modeling.md)
+- [Recommended DNS Providers](dns.md)
+- [Best Desktop Web Browsers](desktop-browsers.md)
+- [Best VPN Providers](vpn.md)
+- [Privacy Guides Forum](https://discuss.privacyguides.net)
+- [Our Blog](https://blog.privacyguides.org)
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/CODE_OF_CONDUCT.md b/i18n/hi/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..88a0e910
--- /dev/null
+++ b/i18n/hi/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@
+# Community Code of Conduct
+
+**We pledge** to make our community a harassment-free experience for everyone.
+
+**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others.
+
+**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment.
+
+## Community Standards
+
+What we expect from members of our communities:
+
+1. **Don't spread misinformation**
+
+ We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence.
+
+1. **Don't abuse our willingness to help**
+
+ Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/).
+
+1.
**Behave in a positive and constructive manner**
+
+ Examples of behavior that contributes to a positive environment for our community include:
+
+ - Demonstrating empathy and kindness toward other people
+ - Being respectful of differing opinions, viewpoints, and experiences
+ - Giving and gracefully accepting constructive feedback
+ - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+ - Focusing on what is best not just for us as individuals, but for the overall community
+
+### Unacceptable Behavior
+
+The following behaviors are considered harassment and are unacceptable within our community:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Scope
+
+Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities.
+
+We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion.
+
+### Contact
+
+If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system.
+
+If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
diff --git a/i18n/hi/about/criteria.md b/i18n/hi/about/criteria.md
new file mode 100644
index 00000000..878a68e5
--- /dev/null
+++ b/i18n/hi/about/criteria.md
@@ -0,0 +1,42 @@
+---
+title: General Criteria
+---
+
+!!! example "Work in Progress"
+
+ The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24)
+
+Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion.
+
+## Financial Disclosure
+
+We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors.
+
+## General Guidelines
+
+We apply these priorities when considering new recommendations:
+
+- **Secure**: Tools should follow security best-practices wherever applicable.
+- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives.
+- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in.
+- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases.
+- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required.
+- **Documented**: Tools should have clear and extensive documentation for use.
+
+## Developer Self-Submissions
+
+We have these requirements in regard to developers which wish to submit their project or software for consideration.
+
+- Must disclose affiliation, i.e. your position within the project being submitted.
+
+- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc.
+ - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit.
+
+- Must explain what the project brings to the table in regard to privacy.
+ - Does it solve any new problem?
+ - Why should anyone use it over the alternatives?
+
+- Must state what the exact threat model is with their project.
+ - It should be clear to potential users what the project can provide, and what it cannot.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/about/donate.md b/i18n/hi/about/donate.md
new file mode 100644
index 00000000..00078478
--- /dev/null
+++ b/i18n/hi/about/donate.md
@@ -0,0 +1,52 @@
+---
+title: Supporting Us
+---
+
+
+It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides).
+
+If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers.
+
+[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary}
+
+Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you.
+
+If you already make use of GitHub sponsorships, you can also sponsor our organization there.
+
+[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button}
+
+## Backers
+
+A special thanks to all those who support our mission! :heart:
+
+*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.*
+
+
+
+## How We Use Donations
+
+Privacy Guides is a **non-profit** organization.
We use donations for a variety of purposes, including:
+
+**Domain Registrations**
+:
+
+We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration.
+
+**Web Hosting**
+:
+
+Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic.
+
+**Online Services**
+:
+
+We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.).
+
+**Product Purchases**
+:
+
+We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md).
+
+We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org).
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/about/index.md b/i18n/hi/about/index.md
new file mode 100644
index 00000000..e62a6246
--- /dev/null
+++ b/i18n/hi/about/index.md
@@ -0,0 +1,63 @@ +--- +title: "About Privacy Guides" +--- + +**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. + +[:material-hand-coin-outline: Support the project](donate.md ""){.md-button.md-button--primary} + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? 
person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub! + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax deductible in the United States. + +## Site License + +*The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):* + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. 
You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! + +--8<-- "includes/abbreviations.hi.txt" diff --git a/i18n/hi/about/notices.md b/i18n/hi/about/notices.md new file mode 100644 index 00000000..ba8c57dc --- /dev/null +++ b/i18n/hi/about/notices.md 
@@ -0,0 +1,45 @@ +--- +title: "Notices and Disclaimers" +hide: + - toc +--- + +## Legal Disclaimer + +Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship. + +Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licenses + +Unless otherwise noted, all content on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). 
+ +This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). + +Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE). + +This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. 
*When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.* + +When you contribute to this repository you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Acceptable Use + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. + +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Excessive Automated Scans +* Denial of Service Attacks +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--8<-- "includes/abbreviations.hi.txt" diff --git a/i18n/hi/about/privacy-policy.md b/i18n/hi/about/privacy-policy.md new file mode 100644 index 00000000..50f13af3 --- /dev/null +++ b/i18n/hi/about/privacy-policy.md 
@@ -0,0 +1,63 @@ +--- +title: "Privacy Policy" +--- + +Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). + +## Data We Collect From Visitors + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- No personal information is collected +- No information such as cookies are stored in the browser +- No information is shared with, sent to or sold to third-parties +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- No information is monetized + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Data We Collect From Account Holders + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. 
+ +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. 
In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. + +--8<-- "includes/abbreviations.hi.txt" diff --git a/i18n/hi/about/privacytools.md b/i18n/hi/about/privacytools.md new file mode 100644 index 00000000..629182c5 --- /dev/null +++ b/i18n/hi/about/privacytools.md 
@@ -0,0 +1,120 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. 
The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. 
+ +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. 
This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. 
If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. 
+ +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. 
BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. 
+ +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. 
+ +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. 
+ +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) + +--8<-- "includes/abbreviations.hi.txt" diff --git a/i18n/hi/about/services.md b/i18n/hi/about/services.md new file mode 100644 index 00000000..47b16537 --- /dev/null +++ b/i18n/hi/about/services.md 
@@ -0,0 +1,40 @@
+# Privacy Guides Services
+
+We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below.
+
+[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary}
+
+## Discourse
+
+- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net)
+- Availability: Public
+- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse)
+
+## Gitea
+
+- Domain: [code.privacyguides.dev](https://code.privacyguides.dev)
+- Availability: Invite-Only
+ Access may be granted upon request to any team working on *Privacy Guides*-related development or content.
+- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea)
+
+## Matrix
+
+- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org)
+- Availability: Invite-Only
+ Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence.
+- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy)
+
+## SearXNG
+
+- Domain: [search.privacyguides.net](https://search.privacyguides.net)
+- Availability: Public
+- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker)
+
+## Invidious
+
+- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net)
+- Availability: Semi-Public
+ We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time.
+- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious)
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/about/statistics.md b/i18n/hi/about/statistics.md
new file mode 100644
index 00000000..57fc3201
--- /dev/null
+++ b/i18n/hi/about/statistics.md
@@ -0,0 +1,63 @@
+---
+title: Traffic Statistics
+---
+
+## Website Statistics
+
+
+
Stats powered by Plausible Analytics
+
+
+
+
+## Blog Statistics
+
+
+
Stats powered by Plausible Analytics
+
+
+
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/advanced/communication-network-types.md b/i18n/hi/advanced/communication-network-types.md
new file mode 100644
index 00000000..ee4dba11
--- /dev/null
+++ b/i18n/hi/advanced/communication-network-types.md
@@ -0,0 +1,104 @@
+---
+title: "Types of Communication Networks"
+icon: 'material/transit-connection-variant'
+---
+
+There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use.
+
+[Recommended Instant Messengers](../real-time-communication.md ""){.md-button}
+
+## Centralized Networks
+
+![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left }
+
+Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization.
+
+Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate.
+
+**Advantages:**
+
+- New features and changes can be implemented more quickly.
+- Easier to get started with and to find contacts.
+- Most mature and stable features ecosystems, as they are easier to program in a centralized software.
+- Privacy issues may be reduced when you trust a server that you're self-hosting.
+
+**Disadvantages:**
+
+- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like:
+- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage.
+- Poor or no documentation for third-party developers.
+- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on.
+- Self-hosting requires effort and knowledge of how to set up a service.
+
+## Federated Networks
+
+![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left }
+
+Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network.
+
+When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server).
+
+**Advantages:**
+
+- Allows for greater control over your own data when running your own server.
+- Allows you to choose whom to trust your data with by choosing between multiple "public" servers.
+- Often allows for third-party clients which can provide a more native, customized, or accessible experience.
+- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member).
+
+**Disadvantages:**
+
+- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network.
+- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion.
+- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used).
+- Federated servers generally require trusting your server's administrator.
They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used.
+- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers.
+
+## Peer-to-Peer Networks
+
+![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left }
+
+P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server.
+
+Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol).
+
+Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient.
+
+P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting.
+
+**Advantages:**
+
+- Minimal information is exposed to third-parties.
+- Modern P2P platforms implement E2EE by default.
There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models.
+
+**Disadvantages:**
+
+- Reduced feature set:
+- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online.
+- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online.
+- Some common messenger features may not be implemented or incompletely, such as message deletion.
+- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention.
+
+## Anonymous Routing
+
+![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left }
+
+A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three.
+
+There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can.
Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers."
+
+Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit.
+
+**Advantages:**
+
+- Minimal to no information is exposed to other parties.
+- Messages can be relayed in a decentralized manner even if one of the parties is offline.
+
+**Disadvantages:**
+
+- Slow message propagation.
+- Often limited to fewer media types, mostly text, since the network is slow.
+- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline.
+- More complex to get started, as the creation and secured backup of a cryptographic private key is required.
+- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/advanced/dns-overview.md b/i18n/hi/advanced/dns-overview.md
new file mode 100644
index 00000000..f8bee757
--- /dev/null
+++ b/i18n/hi/advanced/dns-overview.md
@@ -0,0 +1,307 @@
+---
+title: "DNS Overview"
+icon: material/dns
+---
+
+The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers.
+
+## What is DNS?
+
+When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned.
+
+DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol).
+
+Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP.
+
+Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns).
+
+### Unencrypted DNS
+
+1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow.
This command records packets that meet the rules specified:
+
+ ```bash
+ tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8
+ ```
+
+2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS.
+
+ === "Linux, macOS"
+
+ ```
+ dig +noall +answer privacyguides.org @1.1.1.1
+ dig +noall +answer privacyguides.org @8.8.8.8
+ ```
+ === "Windows"
+
+ ```
+ nslookup privacyguides.org 1.1.1.1
+ nslookup privacyguides.org 8.8.8.8
+ ```
+
+3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results:
+
+ === "Wireshark"
+
+ ```
+ wireshark -r /tmp/dns.pcap
+ ```
+
+ === "tshark"
+
+ ```
+ tshark -r /tmp/dns.pcap
+ ```
+
+If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer.
+
+| No.
| Time | Source | Destination | Protocol | Length | Info |
+| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- |
+| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT |
+| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT |
+| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT |
+| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT |
+
+An observer could modify any of these packets.
+
+## What is "encrypted DNS"?
+
+Encrypted DNS can refer to one of a number of protocols, the most common ones being:
+
+### DNSCrypt
+
+[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh).
+
+### DNS over TLS (DoT)
+
+[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237.
Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls.
+
+### DNS over HTTPS (DoH)
+
+[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83.
+
+Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies).
+
+## What can an outside party see?
+
+In this example we will record what happens when we make a DoH request:
+
+1. First, start `tshark`:
+
+ ```bash
+ tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1"
+ ```
+
+2. Second, make a request with `curl`:
+
+ ```bash
+ curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org
+ ```
+
+3. After making the request, we can stop the packet capture with CTRL + C.
+
+4. Analyse the results in Wireshark:
+
+ ```bash
+ wireshark -r /tmp/dns_doh.pcap
+ ```
+
+We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection.
When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned.
+
+## Why **shouldn't** I use encrypted DNS?
+
+In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity.
+
+When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS:
+
+### IP Address
+
+The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides.
+
+This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet.
+
+### Server Name Indication (SNI)
+
+Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection.
+
+1. Start capturing again with `tshark`.
We've added a filter with our IP address so you don't capture many packets:
+
+ ```bash
+ tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105
+ ```
+
+2. Then we visit [https://privacyguides.org](https://privacyguides.org).
+
+3. After visiting the website, we want to stop the packet capture with CTRL + C.
+
+4. Next we want to analyze the results:
+
+ ```bash
+ wireshark -r /tmp/pg.pcap
+ ```
+
+ We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello".
+
+5. Expand the triangle ▸ next to each field:
+
+ ```text
+ ▸ Transport Layer Security
+ ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello
+ ▸ Handshake Protocol: Client Hello
+ ▸ Extension: server_name (len=22)
+ ▸ Server Name Indication extension
+ ```
+
+6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value:
+
+ ```bash
+ tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name
+ ```
+
+This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak.
+
+Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so.
Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted.
+
+### Online Certificate Status Protocol (OCSP)
+
+Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted.
+
+The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status.
+
+We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command.
+
+1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file:
+
+ ```bash
+ openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 |
+ sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert
+ ```
+
+2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate.
+
+ ```bash
+ openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 |
+ sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert
+ ```
+
+3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1.
We can use `sed` again to delete until the first instance of END:
+
+ ```bash
+ sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \
+ /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert
+ ```
+
+4. Get the OCSP responder for the server certificate:
+
+ ```bash
+ openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert
+ ```
+
+ Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use:
+
+ ```bash
+ openssl x509 -text -noout -in /tmp/pg_server.cert
+ ```
+
+5. Start the packet capture:
+
+ ```bash
+ tshark -w /tmp/pg_ocsp.pcap -f "tcp port http"
+ ```
+
+6. Make the OCSP request:
+
+ ```bash
+ openssl ocsp -issuer /tmp/intermediate_chain.cert \
+ -cert /tmp/pg_server.cert \
+ -text \
+ -url http://r3.o.lencr.org
+ ```
+
+7. Open the capture:
+
+ ```bash
+ wireshark -r /tmp/pg_ocsp.pcap
+ ```
+
+ There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field:
+
+ ```bash
+ ▸ Online Certificate Status Protocol
+ ▸ tbsRequest
+ ▸ requestList: 1 item
+ ▸ Request
+ ▸ reqCert
+ serialNumber
+ ```
+
+ For the "Response" we can also see the "serial number":
+
+ ```bash
+ ▸ Online Certificate Status Protocol
+ ▸ responseBytes
+ ▸ BasicOCSPResponse
+ ▸ tbsResponseData
+ ▸ responses: 1 item
+ ▸ SingleResponse
+ ▸ certID
+ serialNumber
+ ```
+
+8. Or use `tshark` to filter the packets for the Serial Number:
+
+ ```bash
+ tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber
+ ```
+
+If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers.
It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number.
+
+## Should I use encrypted DNS?
+
+We made this flow chart to describe when you *should* use encrypted DNS:
+
+``` mermaid
+graph TB
+ Start[Start] --> anonymous{Trying to be
anonymous?}
+ anonymous--> | Yes | tor(Use Tor)
+ anonymous --> | No | censorship{Avoiding
censorship?}
+ censorship --> | Yes | vpnOrTor(Use
VPN or Tor)
+ censorship --> | No | privacy{Want privacy
from ISP?}
+ privacy --> | Yes | vpnOrTor
+ privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?}
+ obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party)
+ obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?}
+ ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP)
+ ispDNS --> | No | nothing(Do nothing)
+```
+
+Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering.
+
+[List of recommended DNS servers](../dns.md ""){.md-button}
+
+## What is DNSSEC?
+
+[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests.
+
+In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted.
+
+The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with.
+
+DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver.
+
+Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/).
+
+## What is QNAME minimization?
+
+A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server).
+
+Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
+
+## What is EDNS Client Subnet (ECS)?
+
+The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query.
+
+It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps.
+
+This feature does come at a privacy cost, as it tells the DNS server some information about the client's location.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/advanced/tor-overview.md b/i18n/hi/advanced/tor-overview.md
new file mode 100644
index 00000000..391dcf44
--- /dev/null
+++ b/i18n/hi/advanced/tor-overview.md
@@ -0,0 +1,81 @@
+---
+title: "Tor Overview"
+icon: 'simple/torproject'
+---
+
+Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications.
+
+## Path Building
+
+Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays).
+
+Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function:
+
+### The Entry Node
+
+The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to.
+
+Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1]
+
+### The Middle Node
+
+The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to.
+
+For each new circuit, the middle node is randomly selected out of all available Tor nodes.
+
+### The Exit Node
+
+The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to.
+
+The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2]
+
+
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+
+## Encryption
+
+Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order.
+
+Once Tor has built a circuit, data transmission is done as follows:
+
+1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node.
+
+2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node.
+
+3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address.
+
+Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back.
+
+
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+
+Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address.
+
+## Caveats
+
+Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect:
+
+- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity.
+- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible.
+
+If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting.
+
+- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser)
+
+## Additional Resources
+
+- [Tor Browser User Manual](https://tb-manual.torproject.org)
+- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube)
+- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube)
+
+--8<-- "includes/abbreviations.hi.txt"
+
+[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack.
The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/hi/android.md b/i18n/hi/android.md
new file mode 100644
index 00000000..c7b2365e
--- /dev/null
+++ b/i18n/hi/android.md
@@ -0,0 +1,353 @@
+---
+title: "Android"
+icon: 'simple/android'
+---
+
+![Android logo](assets/img/android/android.svg){ align=right }
+
+The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features.
+
+[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage }
+[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation}
+[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" }
+
+These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android:
+
+- [General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md)
+- [Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+
+## AOSP Derivatives
+
+We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems.
+
+!!! note
+
+ End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software.
+
+### GrapheneOS
+
+!!! 
recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! 
recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). 
All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. 
For other apps, our recommended methods of obtaining them still apply.
+
+!!! warning
+
+ DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative.
+
+ Not all of the supported devices have verified boot, and some perform it better than others.
+
+## Android Devices
+
+When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible.
+
+Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution.
+
+Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner.
+
+A few more tips regarding Android devices and operating system compatibility:
+
+- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer.
+- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with.
+- In short, if a device or Android distribution is not listed here, there is probably a good reason.
Check out our [forum](https://discuss.privacyguides.net/) to find details!
+
+### Google Pixel
+
+Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element.
+
+!!! recommendation
+
+ ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right }
+
+ **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems.
+
+ Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer.
+
+ [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary }
+
+Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface.
+
+Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones.
+
+The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web).
If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company.
+
+A few more tips for purchasing a Google Pixel:
+
+- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock.
+- Consider price beating options and specials offered at physical stores.
+- Look at online community bargain sites in your country. These can alert you to good sales.
+- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day.
+
+## General Apps
+
+We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality.
+
+### Shelter
+
+!!! recommendation
+
+ ![Shelter logo](assets/img/android/shelter.svg){ align=right }
+
+ **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device.
+
+ Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)).
+
+ [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute }
+
+ ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! 
recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! 
recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). 
If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to.
+
+### Aurora Store
+
+The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store.
+
+!!! recommendation
+
+ ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right }
+
+ **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps.
+
+ [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases)
+
+Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device.
+
+### Manually with RSS Notifications
+
+For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases.
+
+![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark)
+
+#### GitHub
+
+On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL:
+
+`https://github.com/GrapheneOS/Camera/releases.atom`
+
+#### GitLab
+
+On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL:
+
+`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom`
+
+#### Verifying APK Fingerprints
+
+If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools).
+
+1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/).
+
+2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools).
+
+3. Extract the downloaded archive:
+
+ ```bash
+ unzip commandlinetools-*.zip
+ cd cmdline-tools
+ ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3"
+ ```
+
+4. Run the signature verification command:
+
+ ```bash
+ ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk
+ ```
+
+5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website.
+
+ ```bash
+ Signer #1 certificate DN: CN=GrapheneOS
+ Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59
+ Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c
+ Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3
+ ```
+
+### F-Droid
+
+![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px }
+
+==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages.
+
+Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust.
+
+Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository.
While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.
+
+That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method.
+
+!!! note
+
+ In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here.
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Operating Systems
+
+- Must be open-source software.
+- Must support bootloader locking with custom AVB key support.
+- Must receive major Android updates within 0-1 months of release.
+- Must receive Android feature updates (minor version) within 0-14 days of release.
+- Must receive regular security patches within 0-5 days of release.
+- Must **not** be "rooted" out of the box.
+- Must **not** enable Google Play Services by default.
+- Must **not** require system modification to support Google Play Services.
+
+### Devices
+
+- Must support at least one of our recommended custom operating systems.
+- Must be currently sold new in stores.
+- Must receive a minimum of 5 years of security updates.
+- Must have dedicated secure element hardware.
+
+### Applications
+
+- Applications on this page must not be applicable to any other software category on the site.
+- General applications should extend or replace core system functionality.
+- Applications should receive regular updates and maintenance.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/assets/img/account-deletion/exposed_passwords.png b/i18n/hi/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/hi/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/hi/assets/img/android/rss-apk-dark.png b/i18n/hi/assets/img/android/rss-apk-dark.png
new file mode 100644
index 00000000..974869a4
Binary files /dev/null and b/i18n/hi/assets/img/android/rss-apk-dark.png differ
diff --git a/i18n/hi/assets/img/android/rss-apk-light.png b/i18n/hi/assets/img/android/rss-apk-light.png
new file mode 100644
index 00000000..21d6ef03
Binary files /dev/null and b/i18n/hi/assets/img/android/rss-apk-light.png differ
diff --git a/i18n/hi/assets/img/android/rss-changes-dark.png b/i18n/hi/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/hi/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/hi/assets/img/android/rss-changes-light.png b/i18n/hi/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/hi/assets/img/android/rss-changes-light.png differ diff --git a/i18n/hi/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/hi/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/hi/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/hi/assets/img/how-tor-works/tor-encryption.svg b/i18n/hi/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/hi/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/hi/assets/img/how-tor-works/tor-path-dark.svg b/i18n/hi/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/hi/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/hi/assets/img/how-tor-works/tor-path.svg b/i18n/hi/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/hi/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/hi/assets/img/multi-factor-authentication/fido.png b/i18n/hi/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/hi/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/hi/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/hi/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/hi/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/hi/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/hi/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/hi/assets/img/qubes/qubes-trust-level-architecture.png differ 
diff --git a/i18n/hi/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/hi/assets/img/qubes/r4.0-xfce-three-domains-at-work.png
new file mode 100644
index 00000000..d7138149
Binary files /dev/null and b/i18n/hi/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ
diff --git a/i18n/hi/basics/account-creation.md b/i18n/hi/basics/account-creation.md
new file mode 100644
index 00000000..1c3411fd
--- /dev/null
+++ b/i18n/hi/basics/account-creation.md
@@ -0,0 +1,82 @@
+---
+title: "Account Creation"
+icon: 'material/account-plus'
+---
+
+Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line.
+
+There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer.
+
+It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.
+
+## Terms of Service & Privacy Policy
+
+The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for.
+ +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. 
This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. 
Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md).
+
+All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak.
+
+### Phone number
+
+We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted.
+
+You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts.
+
+In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number!
+
+### Username and password
+
+Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/basics/account-deletion.md b/i18n/hi/basics/account-deletion.md
new file mode 100644
index 00000000..c56e5fd7
--- /dev/null
+++ b/i18n/hi/basics/account-deletion.md
@@ -0,0 +1,63 @@
+---
+title: "Account Deletion"
+icon: 'material/account-remove'
+---
+
+Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence.
+
+## Finding Old Accounts
+
+### Password Manager
+
+If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/).
+
+
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png)
+
+
+Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336).
+
+Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about:
+
+- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
+- macOS [Passwords](https://support.apple.com/en-us/HT211145)
+- iOS [Passwords](https://support.apple.com/en-us/HT211146)
+- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
+
+### Email
+
+If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts.
+
+## Deleting Old Accounts
+
+### Log In
+
+In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page.
It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts.
+
+When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account.
+
+### GDPR (EEA residents only)
+
+Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
+
+### Overwriting Account information
+
+In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information.
+
+For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.
+
+### Delete
+
+You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
+
+For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this).
+
+If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
+
+Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services.
+
+## Avoid New Accounts
+
+As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/basics/common-misconceptions.md b/i18n/hi/basics/common-misconceptions.md
new file mode 100644
index 00000000..2063c099
--- /dev/null
+++ b/i18n/hi/basics/common-misconceptions.md
@@ -0,0 +1,61 @@
+---
+title: "Common Misconceptions"
+icon: 'material/robot-confused'
+---
+
+## "Open-source software is always secure" or "Proprietary software is more secure"
+
+These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis.
+
+Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1]
+
+On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
+
+To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use.
+
+## "Shifting trust can increase privacy"
+
+We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that:
+
+1. 
You must exercise caution when choosing a provider to shift trust to.
+2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data.
+
+## "Privacy-focused solutions are inherently trustworthy"
+
+Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider.
+
+The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all.
+
+## "Complicated is better"
+
+We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?"
+
+Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips:
+
+1. 
==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. 
This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +--8<-- "includes/abbreviations.hi.txt" + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/hi/basics/common-threats.md b/i18n/hi/basics/common-threats.md new file mode 100644 index 00000000..63a0da87 --- /dev/null +++ b/i18n/hi/basics/common-threats.md 
@@ -0,0 +1,149 @@
+---
+title: "Common Threats"
+icon: 'material/eye-outline'
+---
+
+Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat.
+
+- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically.
+- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically.
+- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
+- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
+- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities.
+- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
+- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public.
+- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online.
+
+Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices.
+
+## Anonymity vs. Privacy
+
+:material-incognito: Anonymity
+
+Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity.
+
+Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far.
+
+## Security and Privacy
+
+:material-bug-outline: Passive Attacks
+
+Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private.
The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.)
+
+When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited.
+
+To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control.
+
+!!! tip
+
+ Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources.
+
+ Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os).
+
+:material-target-account: Targeted Attacks
+
+Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies.
+
+!!! tip
+
+ By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this.
+
+If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user.
+
+## Privacy From Service Providers
+
+:material-server-network: Service Providers
+
+We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere.
Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them.
+
+The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord.
+
+Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party.
+
+!!! note "Note on Web-based Encryption"
+
+ In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering).
+
+ On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt.
+
+ Therefore, you should use native applications over web clients whenever possible.
+
+Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all.
+
+## Mass Surveillance Programs
+
+:material-eye-outline: Mass Surveillance
+
+Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative.
+
+!!! abstract "Atlas of Surveillance"
+
+ If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/).
+
+ In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net.
+
+Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others.
+
+!!! 
quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
+
+ In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline.
+
+Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2]
+
+Online, you can be tracked via a variety of methods:
+
+- Your IP address
+- Browser cookies
+- The data you submit to websites
+- Your browser or device fingerprint
+- Payment method correlation
+
+\[This list isn't exhaustive].
+
+If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information.
+
+:material-account-cash: Surveillance Capitalism
+
+> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3]
+
+For many people, tracking and surveillance by private corporations is a growing concern.
Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4]
+
+Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you.
+
+## Limiting Public Information
+
+:material-account-search: Public Exposure
+
+The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy.
+
+- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md)
+
+On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission.
+
+If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity.
This makes your real information indistinguishable from the false information.
+
+## Avoiding Censorship
+
+:material-close-outline: Censorship
+
+Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5]
+
+Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.
+
+People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.
+
+!!! tip
+
+ While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic.
+
+ You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place.
Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
+
+You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.
+
+--8<-- "includes/abbreviations.hi.txt"
+
+[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance).
+[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques.
+[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights).
diff --git a/i18n/hi/basics/email-security.md b/i18n/hi/basics/email-security.md
new file mode 100644
index 00000000..e8486545
--- /dev/null
+++ b/i18n/hi/basics/email-security.md
@@ -0,0 +1,42 @@
+---
+title: Email Security
+icon: material/email
+---
+
+Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed.
+
+As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others.
+
+## Email Encryption Overview
+
+The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
+
+There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible.
+
+### What Email Clients Support E2EE?
+
+Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication.
+
+### How Do I Protect My Private Keys?
+
+A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
+
+It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.
+
+## Email Metadata Overview
+
+Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
+
+Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent.
+
+### Who Can View Email Metadata?
+
+Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages.
+
+### Why Can't Metadata be E2EE?
+
+Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/basics/multi-factor-authentication.md b/i18n/hi/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..cb0fd3d5
--- /dev/null
+++ b/i18n/hi/basics/multi-factor-authentication.md
@@ -0,0 +1,166 @@
+---
+title: "Multi-Factor Authentication"
+icon: 'material/two-factor-authentication'
+---
+
+**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app.
+
+Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone.
+
+MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO.
+
+## MFA Method Comparison
+
+### SMS or Email MFA
+
+Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account.
+
+### Push Notifications
+
+Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first.
+
+We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices.
+
+The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app.
+
+### Time-based One-time Password (TOTP)
+
+TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password.
+
+The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes.
+
+If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app.
+
+Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks.
If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+
+
+
+FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods.
+
+Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy.
+
+Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys.
+
+If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA.
+
+## General Recommendations
+
+We have these general recommendations:
+
+### Which Method Should I Use?
+
+When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account.
+
+### Backups
+
+You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one.
+
+When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)).
+
+### Initial Set Up
+
+When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well.
+
+### Email and SMS
+
+If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method.
+
+If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam).
+
+[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button}
+
+## More Places to Set Up MFA
+
+Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well.
+
+### Windows
+
+Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer.
+
+### macOS
+
+macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer.
+
+Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS.
+
+After your smartcard/security key is set up, we recommend running this command in the Terminal:
+
+```text
+sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
+```
+
+The command will prevent an adversary from bypassing MFA when the computer boots.
+
+### Linux
+
+!!! warning
+
+ If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide.
+
+The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS.
+
+### Qubes OS
+
+Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS.
+
+### SSH
+
+#### Hardware Security Keys
+
+SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up.
+
+#### Time-based One-time Password (TOTP)
+
+SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ.
+
+### KeePass (and KeePassXC)
+
+KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/basics/passwords-overview.md b/i18n/hi/basics/passwords-overview.md
new file mode 100644
index 00000000..7eeecf90
--- /dev/null
+++ b/i18n/hi/basics/passwords-overview.md
@@ -0,0 +1,112 @@
+---
+title: "Introduction to Passwords"
+icon: 'material/form-textbox-password'
+---
+
+Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced.
+
+## Best Practices
+
+### Use unique passwords for every service
+
+Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it.
+
+This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords.
+
+### Use randomly generated passwords
+
+==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices.
+
+All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use.
+
+### Rotating Passwords
+
+You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it.
+
+When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage.
+
+!!! tip "Checking for data breaches"
+
+ If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md).
+
+## Creating strong passwords
+
+### Passwords
+
+A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters.
+
+If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases).
+
+### Diceware Passphrases
+
+Diceware is a method for creating passphrases which are easy to remember, but hard to guess.
+
+Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password.
+
+An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`.
+
+To generate a diceware passphrase using real dice, follow these steps:
+
+!!! note
+
+ These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy.
+
+1. Roll a six-sided die five times, noting down the number after each roll.
+
+2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`.
+
+3. You will find the word `encrypt`. Write that word down.
+
+4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space.
+
+!!! warning "Important"
+
+ You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random.
+
+If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords.
+
+We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English.
+
+??? note "Explanation of entropy and strength of diceware passphrases"
+
+ To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example.
+
+ One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$.
+
+ Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$).
+
+ The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$.
+
+ Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases.
+
+ On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true:
+
+ - Your adversary knows that you used the diceware method.
+ - Your adversary knows the specific wordlist that you used.
+ - Your adversary knows how many words your passphrase contains.
+
+To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong.
+
+## Storing Passwords
+
+### Password Managers
+
+The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them.
+
+There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words.
+
+[List of recommended password managers](../passwords.md ""){.md-button}
+
+!!! warning "Don't place your passwords and TOTP tokens inside the same password manager"
+
+ When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+
+ Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
+
+ Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device.
+
+### Backups
+
+You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/basics/threat-modeling.md b/i18n/hi/basics/threat-modeling.md
new file mode 100644
index 00000000..12e4631c
--- /dev/null
+++ b/i18n/hi/basics/threat-modeling.md
@@ -0,0 +1,111 @@
+---
+title: "Threat Modeling"
+icon: 'material/target-account'
+---
+
+Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using!
+
+If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important.
+
+**So, what are these threat models, anyway?**
+
+==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure.
+
+Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.
+
+## Creating Your Threat Model
+
+To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions:
+
+1. What do I want to protect?
+2. Who do I want to protect it from?
+3. How likely is it that I will need to protect it?
+4. How bad are the consequences if I fail?
+5. How much trouble am I willing to go through to try to prevent potential consequences?
+
+### What do I want to protect?
+
+An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets.
+
+*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.*
+
+### Who do I want to protect it from?
+
+To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.
+
+*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.*
+
+Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning.
+
+### How likely is it that I will need to protect it?
+
+==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.
+
+It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).
+
+Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.
+
+*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.*
+
+### How bad are the consequences if I fail?
+
+There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.
+
+==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.
+
+Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.
+
+*Write down what your adversary might want to do with your private data.*
+
+### How much trouble am I willing to go through to try to prevent potential consequences?
+
+==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy.
+
+For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.
+
+*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.*
+
+### Try it yourself: Protecting Your Belongings
+
+These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe.
+
+**What do you want to protect? (Or, *what do you have that is worth protecting?*)**
+:
+
+Your assets might include jewelry, electronics, important documents, or photos.
+
+**Who do you want to protect it from?**
+:
+
+Your adversaries might include burglars, roommates, or guests.
+
+**How likely is it that you will need to protect it?**
+:
+
+Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider?
+
+**How bad are the consequences if you fail?**
+:
+
+Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home?
+
+**How much trouble are you willing to go through to prevent these consequences?**
+:
+
+Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there?
+
+Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system.
+
+Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face.
+
+## Further Reading
+
+For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations.
+
+- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md)
+
+## Sources
+
+- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan)
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/basics/vpn-overview.md b/i18n/hi/basics/vpn-overview.md
new file mode 100644
index 00000000..cc8a6dc0
--- /dev/null
+++ b/i18n/hi/basics/vpn-overview.md
@@ -0,0 +1,78 @@
+---
+title: VPN Overview
+icon: material/vpn
+---
+
+Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem).
+
+Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns).
+
+A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it.
+
+## Should I use a VPN?
+
+**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service.
+
+VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way.
+
+However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.
+
+## When shouldn't I use a VPN?
+
+Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful.
+
+Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website.
+
+## What about encryption?
+
+Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption.
+
+In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf).
+
+## Should I use encrypted DNS with a VPN?
+
+Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider.
+
+A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different.
+
+Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you.
+
+## Should I use Tor *and* a VPN?
+
+By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md).
+
+## What if I need anonymity?
+
+VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead.
+
+## What about VPN providers that provide Tor nodes?
+
+Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit).
+
+The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway.
+
+## When are VPNs useful?
+
+A VPN may still be useful to you in a variety of scenarios, such as:
+
+1. Hiding your traffic from **only** your Internet Service Provider.
+1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
+1. Hiding your IP from third-party websites and services, preventing IP based tracking.
+
+For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
+
+## Sources and Further Reading
+
+1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
+1. [Tor Network Overview](../advanced/tor-overview.md)
+1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides)
+1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them.
+
+## Related VPN Information
+
+- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/)
+- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
+- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
+- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/calendar.md b/i18n/hi/calendar.md
new file mode 100644
index 00000000..cbbbf3ef
--- /dev/null
+++ b/i18n/hi/calendar.md
@@ -0,0 +1,71 @@ +--- +title: "Calendar Sync" +icon: material/calendar +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! 
recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. + +--8<-- "includes/abbreviations.hi.txt" diff --git a/i18n/hi/cloud.md b/i18n/hi/cloud.md new file mode 100644 index 00000000..4c7bdf33 --- /dev/null +++ b/i18n/hi/cloud.md 
@@ -0,0 +1,62 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by either putting you in control of your data or by implementing E2EE. + +If these alternatives do not fit your needs, we suggest you look into [Encryption Software](encryption.md). + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is an E2EE general file storage service by the popular encrypted email provider [Proton Mail](https://proton.me/mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +Proton Drive's mobile clients were released in December 2022 and are not yet open-source. Proton has historically delayed their source code releases until after initial product releases, and [plans to](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) release the source code by the end of 2023. Proton Drive desktop clients are still in development. 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. 
+- Should offer at least basic file preview and editing functionality on the web interface. + +--8<-- "includes/abbreviations.hi.txt" diff --git a/i18n/hi/data-redaction.md b/i18n/hi/data-redaction.md new file mode 100644 index 00000000..6e399daa --- /dev/null +++ b/i18n/hi/data-redaction.md 
@@ -0,0 +1,146 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. 
+ + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. 
+ + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. 
+ + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. + +--8<-- "includes/abbreviations.hi.txt" diff --git a/i18n/hi/desktop-browsers.md b/i18n/hi/desktop-browsers.md new file mode 100644 index 00000000..8e09bd84 --- /dev/null +++ b/i18n/hi/desktop-browsers.md 
@@ -0,0 +1,263 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping your browser extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! 
warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. 
+ +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. 
If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. 
+ +### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### IPFS + +InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +- [x] Select **Disabled** on Method to resolve IPFS resources + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). 
+ +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +--8<-- "includes/abbreviations.hi.txt" + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/hi/desktop.md b/i18n/hi/desktop.md new file mode 100644 index 00000000..5aa6085c --- /dev/null +++ b/i18n/hi/desktop.md 
@@ -0,0 +1,184 @@
+---
+title: "Desktop/PC"
+icon: simple/linux
+---
+
+Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions.
+
+- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md)
+
+## Traditional Distributions
+
+### Fedora Workstation
+
+!!! recommendation
+
+ ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right }
+
+ **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general.
+
+ [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
+
+### openSUSE Tumbleweed
+
+!!! recommendation
+
+ ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
+
+ **openSUSE Tumbleweed** is a stable rolling release distribution.
+
+ openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.
+
+ [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute }
+
+Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality.
+
+### Arch Linux
+
+!!! recommendation
+
+ ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right }
+
+ **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).
+
+ [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute }
+
+Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.
+
+Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
+
+A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org).
+
+## Immutable Distributions
+
+### Fedora Silverblue
+
+!!! recommendation
+
+ ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right }
+
+ **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.
+
+ [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.
+
+After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed.
+
+[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image.
+
+As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer.
+
+### NixOS
+
+!!! recommendation
+
+ ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right }
+
+ NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.
+
+ [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute }
+
+NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.
+
+NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.
+
+Nix the package manager uses a purely functional language - which is also called Nix - to define packages.
+
+[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository.
You can also define your own packages in the same language and then easily include them in your config.
+
+Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible.
+
+## Anonymity-Focused Distributions
+
+### Whonix
+
+!!! recommendation
+
+ ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right }
+
+ **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os).
+
+ [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute }
+
+Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.
+
+Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator.
+
+Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
+
+Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors.
+
+### Tails
+
+!!! recommendation
+
+ ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right }
+
+ **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off.
+
+ [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute }
+
+Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized.
+
+Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users.
[Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device.
+
+By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots.
+
+## Security-focused Distributions
+
+### Qubes OS
+
+!!! recommendation
+
+ ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right }
+
+ **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers.
+
+ [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary }
+ [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute }
+
+Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*.
+
+The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/).
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Our recommended operating systems:
+
+- Must be open-source.
+- Must receive regular software and Linux kernel updates.
+- Linux distributions must support [Wayland](os/linux-overview.md#Wayland).
+- Must support full-disk encryption during installation.
+- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/dns.md b/i18n/hi/dns.md
new file mode 100644
index 00000000..af197583
--- /dev/null
+++ b/i18n/hi/dns.md
@@ -0,0 +1,142 @@ +--- +title: "DNS Resolvers" +icon: material/dns +--- + +!!! question "Should I use encrypted DNS?" + + Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + + [Learn more about DNS](advanced/dns-overview.md){ .md-button } + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. |
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec).
+- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization).
+- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled.
+- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support.
+
+## Native Operating System Support
+
+### Android
+
+Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**.
+
+### Apple Devices
+
+The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings).
+
+After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings.
+
+#### Signed Profiles
+
+Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/).
+
+!!! info
+
+ `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS.
+
+## Encrypted DNS Proxies
+
+Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns).
+
+### RethinkDNS
+
+!!!
recommendation
+
+ ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right }
+ ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right }
+
+ **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
+
+ [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns)
+ - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases)
+
+### dnscrypt-proxy
+
+!!! recommendation
+
+ ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right }
+
+ **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
+
+ !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
+
+ [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows)
+ - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS)
+ - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux)
+
+## Self-hosted Solutions
+
+A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed.
+
+### AdGuard Home
+
+!!! recommendation
+
+ ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right }
+
+ **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ AdGuard Home features a polished web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" }
+
+### Pi-hole
+
+!!!
recommendation
+
+ ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right }
+
+ **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute }
+
+--8<-- "includes/abbreviations.hi.txt"
+
+[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html)
+[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours.
[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/)
+[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy)
+[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/)
+[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy)
+[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/)
diff --git a/i18n/hi/email-clients.md b/i18n/hi/email-clients.md
new file mode 100644
index 00000000..f8fa806a
--- /dev/null
+++ b/i18n/hi/email-clients.md
@@ -0,0 +1,239 @@ +--- +title: "Email Clients" +icon: material/email-open +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! 
recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. 
+ + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! 
recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. + +--8<-- "includes/abbreviations.hi.txt" diff --git a/i18n/hi/email.md b/i18n/hi/email.md new file mode 100644 index 00000000..f889db93 --- /dev/null +++ b/i18n/hi/email.md 
@@ -0,0 +1,485 @@ +--- +title: "Email Services" +icon: material/email +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +??? 
success "Custom Domains and Aliases" + + Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +??? success "Private Payment Methods" + + Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments. + +??? success "Account Security" + + Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code. + +??? success "Data Security" + + Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + + Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +??? success "Email Encryption" + + Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. 
+ + Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + +??? warning "Digital Legacy" + + Proton Mail doesn't offer a digital legacy feature. + +??? info "Account Termination" + + If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +??? info "Additional Functionality" + + Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +??? success "Custom Domains and Aliases" + + Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. 
Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +??? info "Private Payment Methods" + + Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +??? success "Account Security" + + Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +??? info "Data Security" + + Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + + However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +??? success "Email Encryption" + + Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. 
This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + + Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +??? success "Digital Legacy" + + Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +??? info "Account Termination" + + Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +??? info "Additional Functionality" + + You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + + All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +### StartMail + +!!! 
recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +??? success "Custom Domains and Aliases" + + Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +??? warning "Private Payment Methods" + + StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +??? success "Account Security" + + StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +??? info "Data Security" + + StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. 
When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + + StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +??? success "Email Encryption" + + StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. + +??? warning "Digital Legacy" + + StartMail does not offer a digital legacy feature. + +??? info "Account Termination" + + On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +??? info "Additional Functionality" + + StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +??? success "Custom Domains and Aliases" + + Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). 
Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +??? warning "Private Payment Methods" + + Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +??? success "Account Security" + + Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +??? success "Data Security" + + Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +??? warning "Email Encryption" + + Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +??? warning "Digital Legacy" + + Tutanota doesn't offer a digital legacy feature. + +??? info "Account Termination" + + Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +??? info "Additional Functionality" + + Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + + Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. 
+ +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign.
+
+Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider.
+
+### AnonAddy
+
+!!! recommendation
+
+ ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right }
+ ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right }
+
+ **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous.
+
+ [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app)
+ - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe)
+
+The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan.
You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.
+
+Notable free features:
+
+- [x] 20 Shared Aliases
+- [x] Unlimited Standard Aliases
+- [ ] No Outgoing Replies
+- [x] 2 Recipient Mailboxes
+- [x] Automatic PGP Encryption
+
+### SimpleLogin
+
+!!! recommendation
+
+ ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right }
+
+ **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains.
+
+ [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858)
+ - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff)
+ - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017)
+
+SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf).
+
+You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free.
+
+Notable free features:
+
+- [x] 10 Shared Aliases
+- [x] Unlimited Replies
+- [x] 1 Recipient Mailbox
+
+## Self-Hosting Email
+
+Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable.
+
+### Combined software solutions
+
+!!!
recommendation
+
+ ![Mailcow logo](assets/img/email/mailcow.svg){ align=right }
+
+ **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support.
+
+ [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute }
+
+!!! recommendation
+
+ ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right }
+
+ **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server.
+
+ [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" }
+
+For a more manual approach we've picked out these two articles:
+
+- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019)
+- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017)
+
+## Criteria
+
+**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more.
We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you.
+
+### Technology
+
+We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require.
+
+**Minimum to Qualify:**
+
+- Encrypts email account data at rest with zero-access encryption.
+- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard.
+- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy.
+- Operates on owned infrastructure, i.e. not built upon third-party email service providers.
+
+**Best Case:**
+
+- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption.
+- Integrated webmail E2EE/PGP encryption provided as a convenience.
+- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com`
+- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
+- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
+- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
+- Catch-all or alias functionality for those who own their own domains.
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible.
+
+**Minimum to Qualify:**
+
+- Protect sender's IP address. Filter it from showing in the `Received` header field.
+- Don't require personally identifiable information (PII) besides a username and a password.
+- Privacy policy that meets the requirements defined by the GDPR
+- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/).
+
+**Best Case:**
+
+- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
+
+### Security
+
+Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members.
+
+**Minimum to Qualify:**
+
+- Protection of webmail with 2FA, such as TOTP.
+- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
+- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
+- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption.
+- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
+- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
+- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
+- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
+- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/).
+- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
+- Website security standards such as:
+ - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+ - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
+- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt.
+
+**Best Case:**
+
+- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name).
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support.
+- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+- Website security standards such as:
+ - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
+ - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the email providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+
+- Reusing personal information e.g.
(email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc)
+- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+
+**Best Case:**
+
+- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
+
+### Additional Functionality
+
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/encryption.md b/i18n/hi/encryption.md
new file mode 100644
index 00000000..95f38ae1
--- /dev/null
+++ b/i18n/hi/encryption.md
@@ -0,0 +1,357 @@
+---
+title: "Encryption Software"
+icon: material/file-lock
+---
+
+Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here.
+
+## Multi-platform
+
+The options listed here are multi-platform and great for creating encrypted backups of your data.
+
+### Cryptomator (Cloud)
+
+!!! recommendation
+
+ ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right }
+
+ **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider.
+
+ [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:simple-android: Android](https://cryptomator.org/android)
+ - [:simple-windows11: Windows](https://cryptomator.org/downloads)
+ - [:simple-apple: macOS](https://cryptomator.org/downloads)
+ - [:simple-linux: Linux](https://cryptomator.org/downloads)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+
+Cryptomator uses AES-256 encryption to encrypt both files and filenames.
Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders.
+
+Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS.
+
+Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail.
+
+### Picocrypt (File)
+
+!!! recommendation
+
+ ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right }
+
+ **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features.
+
+ [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases)
+
+### VeraCrypt (Disk)
+
+!!! recommendation
+
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
+
+ **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication.
+
+ [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
+
+VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.
+
+When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher.
+
+Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
+
+## OS Full Disk Encryption
+
+Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor).
+
+### BitLocker
+
+!!! recommendation
+
+ ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right }
+
+ **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).
+
+ [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation}
+
+BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
+
+??? example "Enabling BitLocker on Windows Home"
+
+ To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module.
+
+ 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style":
+
+ ```
+ powershell Get-Disk
+ ```
+
+ 2.
Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`:
+
+ ```
+ powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm
+ ```
+
+ 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**.
+
+ 4. Login with your admin account and type this in the command prompt to start encryption:
+
+ ```
+ manage-bde -on c: -used
+ ```
+
+ 5. Close the command prompt and continue booting to regular Windows.
+
+ 6. Open an admin command prompt and run the following commands:
+
+ ```
+ manage-bde c: -protectors -add -rp -tpm
+ manage-bde -protectors -enable c:
+ manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
+ ```
+
+ !!! tip
+
+ Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data.
+
+### FileVault
+
+!!! recommendation
+
+ ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right }
+
+ **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip.
+
+ [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation}
+
+We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery.
+
+### Linux Unified Key Setup
+
+!!!
recommendation
+
+ ![LUKS logo](assets/img/encryption-software/luks.png){ align=right }
+
+ **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.
+
+ [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" }
+
+??? example "Creating and opening encrypted containers"
+
+ ```
+ dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
+ sudo cryptsetup luksFormat /path-to-file
+ ```
+
+
+ #### Opening encrypted containers
+ We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface.
+ ```
+ udisksctl loop-setup -f /path-to-file
+ udisksctl unlock -b /dev/loop0
+ ```
+
+!!! note "Remember to back up volume headers"
+
+ We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with:
+
+ ```
+ cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
+ ```
+
+## Browser-based
+
+Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device.
+
+### hat.sh
+
+!!!
recommendation
+
+ ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right }
+ ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
+
+ **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies.
+
+ [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" }
+
+## Command-line
+
+Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script).
+
+### Kryptor
+
+!!! recommendation
+
+ ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right }
+
+ **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG.
+
+ [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-windows11: Windows](https://www.kryptor.co.uk)
+ - [:simple-apple: macOS](https://www.kryptor.co.uk)
+ - [:simple-linux: Linux](https://www.kryptor.co.uk)
+
+### Tomb
+
+!!! recommendation
+
+ ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right }
+
+ **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work).
+
+ [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute }
+
+## OpenPGP
+
+OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.
+
+When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
+
+!!! tip "Use future defaults when generating a key"
+
+ When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/):
+
+ ```bash
+ gpg --quick-gen-key alice@example.com future-default
+ ```
+
+### GNU Privacy Guard
+
+!!!
recommendation
+
+ ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right }
+
+ **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government.
+
+ [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+ - [:simple-apple: macOS](https://gpgtools.org)
+ - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary)
+
+### GPG4win
+
+!!! recommendation
+
+ ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right }
+
+ **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005.
+
+ [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+
+### GPG Suite
+
+!!! note
+
+ We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices.
+
+!!! recommendation
+
+ ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right }
+
+ **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS.
+
+ We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support.
+
+ [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-apple: macOS](https://gpgtools.org)
+
+### OpenKeychain
+
+!!! recommendation
+
+ ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right }
+
+ **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support.
Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).
+
+ [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Cross-platform encryption apps must be open-source.
+- File encryption apps must support decryption on Linux, macOS, and Windows.
+- External disk encryption apps must support decryption on Linux, macOS, and Windows.
+- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave.
+- File encryption apps should have first- or third-party support for mobile platforms.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/file-sharing.md b/i18n/hi/file-sharing.md
new file mode 100644
index 00000000..eda8ee23
--- /dev/null
+++ b/i18n/hi/file-sharing.md
@@ -0,0 +1,148 @@
+---
+title: "File Sharing and Sync"
+icon: material/share-variant
+---
+
+Discover how to privately share your files between your devices, with your friends and family, or anonymously online.
+
+## File Sharing
+
+### Send
+
+!!! recommendation
+
+ ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right }
+
+ **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself.
+
+ [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute }
+
+Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server:
+
+```bash
+ffsend upload --host https://send.vis.ee/ FILE
+```
+
+### OnionShare
+
+!!! recommendation
+
+ ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right }
+
+ **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files.
+
+ [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://onionshare.org/#download)
+ - [:simple-apple: macOS](https://onionshare.org/#download)
+ - [:simple-linux: Linux](https://onionshare.org/#download)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must not store decrypted data on a remote server.
+- Must be open-source software.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+## FreedomBox
+
+!!! recommendation
+
+ ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right }
+
+ **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer).
The purpose is to make it easy to set up server applications that you might want to self-host.
+
+ [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation}
+ [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute }
+
+## File Sync
+
+### Nextcloud (Client-Server)
+
+!!! recommendation
+
+ ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right }
+
+ **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control.
+
+ [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!! 
danger
+
+ We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality.
+
+### Syncthing (P2P)
+
+!!! recommendation
+
+ ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right }
+
+ **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS.
+
+ [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid)
+ - [:simple-windows11: Windows](https://syncthing.net/downloads/)
+ - [:simple-apple: macOS](https://syncthing.net/downloads/)
+ - [:simple-linux: Linux](https://syncthing.net/downloads/)
+ - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/)
+ - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/)
+ - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must not require a third-party remote/cloud server.
+- Must be open-source software.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Has mobile clients for iOS and Android, which at least support document previews.
+- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/frontends.md b/i18n/hi/frontends.md
new file mode 100644
index 00000000..ba452c96
--- /dev/null
+++ b/i18n/hi/frontends.md
@@ -0,0 +1,268 @@
+---
+title: "Frontends"
+icon: material/flip-to-front
+---
+
+Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions.
+
+## LBRY
+
+### Librarian
+
+!!! recommendation
+
+ ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right }
+ ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right }
+
+ **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" }
+
+!!! warning
+
+ Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy.
+
+!!! tip
+
+ Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting.
+
+When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## Twitter
+
+### Nitter
+
+!!! recommendation
+
+ ![Nitter logo](assets/img/frontends/nitter.svg){ align=right }
+
+ **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute }
+
+!!! tip
+
+ Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter).
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting.
+
+When you are using a Nitter instance, make sure to read the privacy policy of that specific instance.
Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## TikTok
+
+### ProxiTok
+
+!!! recommendation
+
+ ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right }
+
+ **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" }
+
+!!! tip
+
+ ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting.
+
+When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## YouTube
+
+### FreeTube
+
+!!! recommendation
+
+ ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right }
+
+ **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com).
When using FreeTube, your subscription list and playlists are saved locally on your device.
+
+ By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments.
+
+ [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://freetubeapp.io/#download)
+ - [:simple-apple: macOS](https://freetubeapp.io/#download)
+ - [:simple-linux: Linux](https://freetubeapp.io/#download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube)
+
+!!! warning
+
+ When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+### Yattee
+
+!!! recommendation
+
+ ![Yattee logo](assets/img/frontends/yattee.svg){ align=right }
+
+ **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device.
+
+ You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions.
+
+ [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629)
+ - [:simple-github: GitHub](https://github.com/yattee/yattee/releases)
+
+!!! warning
+
+ When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments.
+
+### LibreTube (Android)
+
+!!! recommendation
+
+ ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right }
+ ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right }
+
+ **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API.
+
+ LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well.
+
+ [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases)
+
+!!! warning
+
+ When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired.
+
+### NewPipe (Android)
+
+!!! recommendation annotate
+
+ ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right }
+
+ **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1).
+
+ Your subscription list and playlists are saved locally on your Android device.
+
+ [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases)
+
+1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances**
+
+!!! Warning
+
+ When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+### Invidious
+
+!!! recommendation
+
+ ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right }
+ ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right }
+
+ **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute }
+
+!!! warning
+
+ Invidious does not proxy video streams by default.
Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL.
+
+!!! tip
+
+ Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting.
+
+When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+### Piped
+
+!!! recommendation
+
+ ![Piped logo](assets/img/frontends/piped.svg){ align=right }
+
+ **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable.
+
+ Piped requires JavaScript in order to function and there are a number of public instances.
+
+ [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute }
+
+!!! 
tip
+
+ Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting.
+
+When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Recommended frontends...
+
+- Must be open-source software.
+- Must be self-hostable.
+- Must provide all basic website functionality available to anonymous users.
+
+We only consider frontends for websites which are...
+
+- Not normally accessible without JavaScript.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/index.md b/i18n/hi/index.md
new file mode 100644
index 00000000..98f3b7a6
--- /dev/null
+++ b/i18n/hi/index.md
@@ -0,0 +1,44 @@
+---
+template: overrides/home.hi.html
+hide:
+ - navigation
+ - toc
+ - feedback
+---
+
+
+## Why should I care?
+
+##### “I have nothing to hide. Why should I care about my privacy?”
+
+Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination).
+
+You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human.
+
+[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary}
+
+## What should I do?
+
+##### First, you need to make a plan
+
+Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them.
+
+==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
+
+[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary}
+
+---
+
+## We need you!
Here's how to get involved:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" }
+[:material-information-outline:](about/index.md){ title="Learn more about us" }
+[:material-hand-coin-outline:](about/donate.md){ title="Support the project" }
+
+It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/kb-archive.md b/i18n/hi/kb-archive.md
new file mode 100644
index 00000000..bd5240aa
--- /dev/null
+++ b/i18n/hi/kb-archive.md
@@ -0,0 +1,18 @@
+---
+title: KB Archive
+icon: material/archive
+---
+
+# Pages Moved to Blog
+
+Some pages that used to be in our knowledge base can now be found on our blog:
+
+- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
+- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
+- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
+- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/meta/brand.md b/i18n/hi/meta/brand.md
new file mode 100644
index 00000000..c69aebc0
--- /dev/null
+++ b/i18n/hi/meta/brand.md
@@ -0,0 +1,24 @@
+---
+title: Branding Guidelines
+---
+
+The name of the website is **Privacy Guides** and should **not** be changed to:
+
+
+- PrivacyGuides
+- Privacy guides
+- PG
+- PG.org
+
+
+The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**.
+
+Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand)
+
+## Trademark
+
+"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project.
+
+Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/meta/git-recommendations.md b/i18n/hi/meta/git-recommendations.md
new file mode 100644
index 00000000..29f47699
--- /dev/null
+++ b/i18n/hi/meta/git-recommendations.md
@@ -0,0 +1,48 @@
+---
+title: Git Recommendations
+---
+
+If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations.
+
+## Enable SSH Key Commit Signing
+
+You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
+
+1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo):
+ ```
+ git config --global commit.gpgsign true
+ git config --global gpg.format ssh
+ git config --global tag.gpgSign true
+ ```
+2. Copy your SSH public key to your clipboard, for example:
+ ```
+ pbcopy < ~/.ssh/id_ed25519.pub
+ # Copies the contents of the id_ed25519.pub file to your clipboard
+ ```
+3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard:
+ ```
+ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'
+ ```
+
+Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key).
+
+## Rebase on Git pull
+
+Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo).
+
+You can set this to be the default behavior:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase from `main` before submitting a PR
+
+If you are working on your own branch, run these commands before submitting a PR:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/meta/uploading-images.md b/i18n/hi/meta/uploading-images.md
new file mode 100644
index 00000000..993aeddc
--- /dev/null
+++ b/i18n/hi/meta/uploading-images.md
@@ -0,0 +1,91 @@
+---
+title: Uploading Images
+---
+
+Here are a couple of general rules for contributing to Privacy Guides:
+
+## Images
+
+- We **prefer** SVG images, but if those do not exist we can use PNG images
+
+Company logos have canvas size of:
+
+- 128x128px
+- 384x128px
+
+## Optimization
+
+### PNG
+
+Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image:
+
+```bash
+optipng -o7 file.png
+```
+
+### SVG
+
+#### Inkscape
+
+[Scour](https://github.com/scour-project/scour) all SVG images.
+
+In Inkscape:
+
+1. File Save As..
+2. Set type to Optimized SVG (*.svg)
+
+In the **Options** tab:
+
+- **Number of significant digits for coordinates** > **5**
+- [x] Turn on **Shorten color values**
+- [x] Turn on **Convert CSS attributes to XML attributes**
+- [x] Turn on **Collapse groups**
+- [x] Turn on **Create groups for similar attributes**
+- [ ] Turn off **Keep editor data**
+- [ ] Turn off **Keep unreferenced definitions**
+- [x] Turn on **Work around renderer bugs**
+
+In the **SVG Output** tab under **Document options**:
+
+- [ ] Turn off **Remove the XML declaration**
+- [x] Turn on **Remove metadata**
+- [x] Turn on **Remove comments**
+- [x] Turn on **Embeded raster images**
+- [x] Turn on **Enable viewboxing**
+
+In the **SVG Output** under **Pretty-printing**:
+
+- [ ] Turn off **Format output with line-breaks and indentation**
+- **Indentation characters** > Select **Space**
+- **Depth of indentation** > **1**
+- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element**
+
+In the **IDs** tab:
+
+- [x] Turn on **Remove unused IDs**
+- [ ] Turn off **Shorten IDs**
+- **Prefix shortened IDs with** > `leave blank`
+- [x] Turn on **Preserve manually created IDs not ending with digits**
+- **Preserve the following IDs** > `leave blank`
+- **Preserve IDs starting with** > `leave blank`
+
+#### CLI
+
+The same can be achieved with the [Scour](https://github.com/scour-project/scour) command:
+
+```bash
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/meta/writing-style.md b/i18n/hi/meta/writing-style.md
new file mode 100644
index 00000000..9d1a71dc
--- /dev/null
+++ b/i18n/hi/meta/writing-style.md
@@ -0,0 +1,89 @@
+---
+title: Writing Style
+---
+
+Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt.
+
+In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below.
+
+## Writing for our audience
+
+Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with.
+
+### Address only what people want to know
+
+People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details.
+
+> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.”
+
+### Address people directly
+
+We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly.
+
+> More than any other single technique, using “you” pulls users into the information and makes it relevant to them.
+>
+> When you use “you” to address users, they are more likely to understand what their responsibility is.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/)
+
+### Avoid "users"
+
+Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for.
+
+## Organizing content
+
+Organization is key.
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas.
+
+- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages.
+- Mark important ideas with **bold** or *italics*.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
+
+### Begin with a topic sentence
+
+> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details.
+>
+> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
+
+## Choose your words carefully
+
+> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand.
+
+We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly.
+
+> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences:
+>
+> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends.
+>
+> And the original, using stronger, simpler words:
+>
+> > More night jobs would keep youths off the streets.
+
+## Be concise
+
+> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
+
+## Keep text conversational
+
+> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting.
+>
+> Verbs tell your audience what to do. Make sure it’s clear who does what.
+
+### Use active voice
+
+> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.”
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
+
+### Use "must" for requirements
+
+> - “must” for an obligation
+> - “must not” for a prohibition
+> - “may” for a discretionary action
+> - “should” for a recommendation
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/mobile-browsers.md b/i18n/hi/mobile-browsers.md
new file mode 100644
index 00000000..372e6861
--- /dev/null
+++ b/i18n/hi/mobile-browsers.md
@@ -0,0 +1,193 @@
+---
+title: "Mobile Browsers"
+icon: material/cellphone-information
+---
+
+These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Android
+
+On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
+
+### Brave
+
+!!! recommendation
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ???
downloads annotate
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+
+#### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy**
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+##### Brave shields global defaults
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+
+- [x] Select **Aggressive** under Block trackers & ads
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] Select **Upgrade connections to HTTPS**
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under **Block fingerprinting**
+
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Clear browsing data
+
+- [x] Select **Clear data on exit**
+
+##### Social Media Blocking
+
+- [ ] Uncheck all social media components
+
+##### Other privacy settings
+
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Allow sites to check if you have payment methods saved**
+- [ ] Uncheck **IPFS Gateway** (1)
+- [x] Select **Close tabs on exit**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+
+1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+
+
+#### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## iOS
+
+On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser.
+
+### Safari
+
+!!! recommendation
+
+ ![Safari logo](assets/img/browsers/safari.svg){ align=right }
+
+ **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
+
+ [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation}
+
+#### Recommended Configuration
+
+These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.
+
+##### Cross-Site Tracking Prevention
+
+- [x] Enable **Prevent Cross-Site Tracking**
+
+This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
+
+##### Privacy Report
+
+Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
+
+Privacy Report is accessible via the Page Settings menu.
+
+##### Privacy Preserving Ad Measurement
+
+- [ ] Disable **Privacy Preserving Ad Measurement**
+
+Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
+
+The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
+
+##### Always-on Private Browsing
+
+Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
+
+- [x] Select **Private**
+
+Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
+
+Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
+
+##### iCloud Sync
+
+Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303).
Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
+
+You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**.
+
+- [x] Turn On **Advanced Data Protection**
+
+If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
+
+### AdGuard
+
+!!! recommendation
+
+ ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right }
+
+ **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
+
+ AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge.
+
+ [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations.
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must support automatic updates.
+- Must receive engine updates in 0-1 days from upstream release.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Android browsers must use the Chromium engine.
+ - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android.
+ - iOS browsers are limited to WebKit.
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/multi-factor-authentication.md b/i18n/hi/multi-factor-authentication.md
new file mode 100644
index 00000000..0ca3889a
--- /dev/null
+++ b/i18n/hi/multi-factor-authentication.md
@@ -0,0 +1,144 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. 
+ +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey / Librem Key + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. 
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + + The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +!!! tip + + The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. 
+ +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. + +--8<-- "includes/abbreviations.hi.txt" diff --git a/i18n/hi/news-aggregators.md b/i18n/hi/news-aggregators.md new file mode 100644 index 00000000..cb274afb --- /dev/null +++ b/i18n/hi/news-aggregators.md 
@@ -0,0 +1,173 @@ +--- +title: "News Aggregators" +icon: material/rss +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favourite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! 
recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. 
+ + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` + +--8<-- "includes/abbreviations.hi.txt" diff --git a/i18n/hi/notebooks.md b/i18n/hi/notebooks.md new file mode 100644 index 00000000..66dee30b --- /dev/null +++ b/i18n/hi/notebooks.md 
@@ -0,0 +1,115 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. 
+ + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. + +--8<-- "includes/abbreviations.hi.txt" diff --git a/i18n/hi/os/android-overview.md b/i18n/hi/os/android-overview.md new file mode 100644 index 00000000..2c160eb4 --- /dev/null +++ b/i18n/hi/os/android-overview.md 
@@ -0,0 +1,135 @@
+---
+title: Android Overview
+icon: simple/android
+---
+
+Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system.
+
+## Choosing an Android Distribution
+
+When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android.
+
+This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model.
+
+Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria.
+
+[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button}
+
+## Avoid Rooting
+
+[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses.
+
+Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.
+
+AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations.
+
+We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps.
+
+## Verified Boot
+
+[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
+
+Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted.
+
+Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device.
+
+Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended.
+
+Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage.
+
+## Firmware Updates
+
+Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin).
+
+As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support.
+
+EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed.
+
+Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates.
+
+## Android Versions
+
+It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
+
+## Android Permissions
+
+[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel.
+
+Should you want to run an app that you're unsure about, consider using a user or work profile.
+
+## Media Access
+
+Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter.
+
+## User Profiles
+
+Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android.
+
+With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation.
+
+## Work Profile
+
+[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles.
+
+A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one.
+
+The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile.
+
+This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously.
+
+## VPN Killswitch
+
+Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+## Global Toggles
+
+Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled.
+
+## Google
+
+If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play.
+
+### Advanced Protection Program
+
+If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support.
+
+The Advanced Protection Program provides enhanced threat monitoring and enables:
+
+- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth)
+- Only Google and verified third-party apps can access account data
+- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
+- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
+- Stricter recovery process for accounts with lost credentials
+
+ If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as:
+
+- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)
+- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
+- Warning you about unverified applications
+
+### Google Play System Updates
+
+In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services.
+
+If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible.
+
+### Advertising ID
+
+All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you.
+
+On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*.
+
+On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check
+
+- :gear: **Settings** → **Google** → **Ads**
+- :gear: **Settings** → **Privacy** → **Ads**
+
+You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID.
+
+### SafetyNet and Play Integrity API
+
+[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities.
+
+As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/os/linux-overview.md b/i18n/hi/os/linux-overview.md
new file mode 100644
index 00000000..f9fd41ec
--- /dev/null
+++ b/i18n/hi/os/linux-overview.md
@@ -0,0 +1,143 @@
+---
+title: Linux Overview
+icon: simple/linux
+---
+
+It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years.
+
+At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.:
+
+- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack)
+- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go
+- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations)
+
+Despite these drawbacks, desktop Linux distributions are great if you want to:
+
+- Avoid telemetry that often comes with proprietary operating systems
+- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms)
+- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/)
+
+Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here.
+
+[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button}
+
+## Choosing your distribution
+
+Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use.
+
+### Release cycle
+
+We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
+
+For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.
+
+We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this:
+
+
+
+### Traditional vs Atomic updates
+
+Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating.
+
+Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic.
+
+A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state."
+
+The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue:
+
+
+
+### “Security-focused” distributions
+
+There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use.
+
+### Arch-based distributions
+
+Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.
+
+For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit).
+
+Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.
+
+If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically:
+
+- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories.
+- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks.
+
+### Kicksecure
+
+While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.
+
+### Linux-libre kernel and “Libre” distributions
+
+We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons.
+
+## General Recommendations
+
+### Drive Encryption
+
+Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
+
+- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+
+### Swap
+
+Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM).
+
+### Wayland
+
+We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland.
+
+Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
+
+We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
+
+### Proprietary Firmware (Microcode Updates)
+
+Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html).
+
+We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default.
+
+### Updates
+
+Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found.
+
+Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates.
+
+Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd).
+
+## Privacy Tweaks
+
+### MAC Address Randomization
+
+Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings.
+
+It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous.
+
+We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/).
+
+If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=).
+
+There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware.
+
+### Other Identifiers
+
+There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md):
+
+- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings.
+- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
+- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id).
+
+### System Counting
+
+The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary.
+
+This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer.
+
+openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/os/qubes-overview.md b/i18n/hi/os/qubes-overview.md
new file mode 100644
index 00000000..03ead5d1
--- /dev/null
+++ b/i18n/hi/os/qubes-overview.md
@@ -0,0 +1,56 @@
+---
+title: "Qubes Overview"
+icon: simple/qubesos
+---
+
+[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/).
+
+## How does Qubes OS work?
+
+Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines.
+
+![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png)
+
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. 
+ +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) + +--8<-- "includes/abbreviations.hi.txt" diff --git a/i18n/hi/passwords.md b/i18n/hi/passwords.md new file mode 100644 index 00000000..60b444a1 --- /dev/null +++ b/i18n/hi/passwords.md 
@@ -0,0 +1,230 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. 
If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. 
+ + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! 
recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). 
+ + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. + +--8<-- "includes/abbreviations.hi.txt" diff --git a/i18n/hi/productivity.md b/i18n/hi/productivity.md new file mode 100644 index 00000000..9ceadc58 --- /dev/null +++ b/i18n/hi/productivity.md 
@@ -0,0 +1,156 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! 
recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. 
+- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! 
recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. 
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } + +--8<-- "includes/abbreviations.hi.txt" diff --git a/i18n/hi/real-time-communication.md b/i18n/hi/real-time-communication.md new file mode 100644 index 00000000..0173ca22 --- /dev/null +++ b/i18n/hi/real-time-communication.md 
@@ -0,0 +1,195 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. 
Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. 
+ + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. 
The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. 
+ +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. + +--8<-- "includes/abbreviations.hi.txt" diff --git a/i18n/hi/router.md b/i18n/hi/router.md new file mode 100644 index 00000000..83ec4b44 --- /dev/null +++ b/i18n/hi/router.md 
@@ -0,0 +1,51 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +--- + +Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. 
+ + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute } + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. + +--8<-- "includes/abbreviations.hi.txt" 
diff --git a/i18n/hi/search-engines.md b/i18n/hi/search-engines.md new file mode 100644 index 00000000..9c28c3d2 --- /dev/null +++ b/i18n/hi/search-engines.md 
@@ -0,0 +1,109 @@ +--- +title: "Search Engines" +icon: material/search-web +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! 
recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! 
recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. 
The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. + +--8<-- "includes/abbreviations.hi.txt" diff --git a/i18n/hi/tools.md b/i18n/hi/tools.md new file mode 100644 index 00000000..14260007 --- /dev/null +++ b/i18n/hi/tools.md 
@@ -0,0 +1,443 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+
+[Learn more :material-arrow-right-drop-circle:](router.md)
+
+## Service Providers
+
+### Cloud Storage
+
+
+
+- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](cloud.md)
+
+### DNS
+
+#### DNS Providers
+
+We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended.
+
+[Learn more :material-arrow-right-drop-circle:](dns.md)
+
+#### Encrypted DNS Proxies
+
+
+
+- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns)
+- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies)
+
+#### Self-hosted Solutions
+
+
+
+- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home)
+- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions)
+
+### Email
+
+
+
+- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail)
+- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg)
+- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail)
+- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md)
+
+#### Email Aliasing Services
+
+
+
+- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy)
+- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services)
+
+#### Self-Hosting Email
+
+
+
+- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email)
+- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email)
+
+### Search Engines
+
+
+
+- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search)
+- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo)
+- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng)
+- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](search-engines.md)
+
+### VPN Providers
+
+??? danger "VPNs do not provide anonymity"
+
+ Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.
+
+ If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
+
+ If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
+
+ [Learn more :material-arrow-right-drop-circle:](vpn.md)
+
+
+
+- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn)
+- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn)
+- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](vpn.md)
+
+## Software
+
+### Calendar Sync
+
+
+
+- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota)
+- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](calendar.md)
+
+### Data and Metadata Redaction
+
+
+
+- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2)
+- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android)
+- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios)
+- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur)
+- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](data-redaction.md)
+
+### Email Clients
+
+
+
+- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird)
+- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos)
+- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios)
+- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android)
+- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome)
+- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android)
+- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde)
+- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser)
+- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email-clients.md)
+
+### Encryption Software
+
+??? info "Operating System Disk Encryption"
+
+ For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems.
+
+ [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde)
+
+
+
+- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud)
+- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file)
+- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk)
+- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh)
+- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor)
+- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](encryption.md)
+
+#### OpenPGP Clients
+
+
+
+- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard)
+- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win)
+- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite)
+- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp)
+
+### File Sharing and Sync
+
+
+
+- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send)
+- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare)
+- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox)
+- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud)
+- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](file-sharing.md)
+
+### Frontends
+
+
+
+- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian)
+- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter)
+- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube)
+- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee)
+- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android)
+- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android)
+- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious)
+- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](frontends.md)
+
+### Multi-Factor Authentication Tools
+
+
+
+- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey)
+- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key)
+- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator)
+- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md)
+
+### News Aggregators
+
+
+
+- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator)
+- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder)
+- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader)
+- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds)
+- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux)
+- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire)
+- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](news-aggregators.md)
+
+### Notebooks
+
+
+
+- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin)
+- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes)
+- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee)
+- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](notebooks.md)
+
+### Password Managers
+
+
+
+- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden)
+- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password)
+- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono)
+- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc)
+- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android)
+- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos)
+- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](passwords.md)
+
+### Productivity Tools
+
+
+
+- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud)
+- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice)
+- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice)
+- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad)
+- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](productivity.md)
+
+### Real-Time Communication
+
+
+
+- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal)
+- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar)
+- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat)
+- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element)
+- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
+
+### Video Streaming Clients
+
+
+
+- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](video-streaming.md)
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/tor.md b/i18n/hi/tor.md
new file mode 100644
index 00000000..f7433836
--- /dev/null
+++ b/i18n/hi/tor.md
@@ -0,0 +1,124 @@
+---
+title: "Tor Network"
+icon: simple/torproject
+---
+
+![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right }
+
+The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool.
+
+[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage }
+[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation}
+[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity.
+
+
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+
+- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md)
+
+## Connecting to Tor
+
+There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser.
+
+### Tor Browser
+
+!!! recommendation
+
+ ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right }
+
+ **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*.
+
+ [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
+ - [:simple-android: Android](https://www.torproject.org/download/#android)
+ - [:simple-windows11: Windows](https://www.torproject.org/download/)
+ - [:simple-apple: macOS](https://www.torproject.org/download/)
+ - [:simple-linux: Linux](https://www.torproject.org/download/)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor)
+
+!!! danger
+
+ You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
+
+The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/).
+
+### Orbot
+
+!!! recommendation
+
+ ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right }
+
+ **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network.
+
+ [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599)
+ - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases)
+
+For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to.
+
+!!! tip "Tips for Android"
+
+ Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+ Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead.
+
+ All versions are signed using the same signature so they should be compatible with each other.
+
+## Relays and Bridges
+
+### Snowflake
+
+!!! recommendation
+
+ ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right }
+ ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right }
+
+ **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser.
+
+ People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge.
+
+ [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie)
+ - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy")
+
+??? tip "Embedded Snowflake"
+
+ You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface.
+
+
+
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html).
+
+Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours.
+
+Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/video-streaming.md b/i18n/hi/video-streaming.md
new file mode 100644
index 00000000..e6979347
--- /dev/null
+++ b/i18n/hi/video-streaming.md
@@ -0,0 +1,52 @@
+---
+title: "Video Streaming"
+icon: material/video-wireless
+---
+
+The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage.
+
+## LBRY
+
+!!! recommendation
+
+ ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right }
+
+ **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance.
+
+ **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet.
+
+ [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://lbry.com/windows)
+ - [:simple-apple: macOS](https://lbry.com/osx)
+ - [:simple-linux: Linux](https://lbry.com/linux)
+
+!!! note
+
+ Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry.
+
+!!! warning
+
+ While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel.
+
+You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must not require a centralized account to view videos.
+ - Decentralized authentication, such as via a mobile wallet's private key is acceptable.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hi/vpn.md b/i18n/hi/vpn.md
new file mode 100644
index 00000000..cc88b748
--- /dev/null
+++ b/i18n/hi/vpn.md
@@ -0,0 +1,323 @@ +--- +title: "VPN Services" +icon: material/vpn +--- + +Find a no-logging VPN operator who isn’t out to sell or read your web traffic. + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +??? question "When are VPNs useful?" + + If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. + + [More Info](basics/vpn-overview.md){ .md-button } + +## Recommended Providers + +!!! abstract "Criteria" + + Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#our-criteria) for more information. + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +??? success annotate "67 Countries" + + Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). 
A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +??? success "Open-Source Clients" + + Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +??? success "Accepts Cash" + + Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment. + +??? success "WireGuard Support" + + Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +??? warning "Remote Port Forwarding" + + Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +??? 
info "Additional Functionality" + + Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +!!! danger "Killswitch feature is broken on Intel-based Macs" + + System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +??? success annotate "35 Countries" + + IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1). 
Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +??? success "Open-Source Clients" + + As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +??? success "Accepts Cash and Monero" + + In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +??? success "WireGuard Support" + + IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. 
+ + IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +??? info "Additional Functionality" + + IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. 
+ + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +??? success annotate "41 Countries" + + Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2023-01-19 + +??? success "Independently Audited" + + Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). 
The security researchers concluded: + + > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + + In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + + > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + + In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +??? success "Open-Source Clients" + + Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +??? 
success "Accepts Cash and Monero" + + Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +??? success "WireGuard Support" + + Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "IPv6 Support" + + Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +??? 
success "Mobile Clients" + + Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +??? info "Additional Functionality" + + Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. 
+
+### Technology
+
+We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected.
+
+**Minimum to Qualify:**
+
+- Support for strong protocols such as WireGuard & OpenVPN.
+- Killswitch built in to clients.
+- Multihop support. Multihopping is important to keep data private in case of a single node compromise.
+- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing.
+
+**Best Case:**
+
+- WireGuard and OpenVPN support.
+- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.)
+- Easy-to-use VPN clients
+- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses.
+- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble).
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required.
+
+**Minimum to Qualify:**
+
+- Monero or cash payment option.
+- No personal information required to register: Only username, password, and email at most.
+
+**Best Case:**
+
+- Accepts Monero, cash, and other forms of anonymous payment options (gift cards, etc.)
+- No personal information accepted (autogenerated username, no email required, etc.)
+
+### Security
+
+A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis.
+
+**Minimum to Qualify:**
+
+- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
+- Perfect Forward Secrecy (PFS).
+- Published security audits from a reputable third-party firm.
+
+**Best Case:**
+
+- Strongest Encryption: RSA-4096.
+- Perfect Forward Secrecy (PFS).
+- Comprehensive published security audits from a reputable third-party firm.
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the VPN providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure.
We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+ - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.)
+ - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes.
+- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor.
+
+**Best Case:**
+
+Responsible marketing that is both educational and useful to the consumer could include:
+
+- An accurate comparison to when [Tor](tor.md) should be used instead.
+- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion)
+
+### Additional Functionality
+
+While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc.
+
+--8<-- "includes/abbreviations.hi.txt"
diff --git a/i18n/hu/404.md b/i18n/hu/404.md
new file mode 100644
index 00000000..5897ccbe
--- /dev/null
+++ b/i18n/hu/404.md
@@ -0,0 +1,17 @@
+---
+hide:
+ - feedback
+---
+
+# 404 - Nem Található
+
+Nem található az oldal, amit kerestél! Lehet, hogy ezek közül kerested valamelyiket?
+
+- [Bevezető a Védelmi Modellezésbe](basics/threat-modeling.md)
+- [Ajánlott DNS Szolgáltatók](dns.md)
+- [Legjobb Asztali Böngészők](desktop-browsers.md)
+- [Legjobb VPN Szolgáltatók](vpn.md)
+- [Privacy Guides Fórum](https://discuss.privacyguides.net)
+- [Blogunk](https://blog.privacyguides.org)
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/CODE_OF_CONDUCT.md b/i18n/hu/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..88a0e910
--- /dev/null
+++ b/i18n/hu/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@
+# Community Code of Conduct
+
+**We pledge** to make our community a harassment-free experience for everyone.
+
+**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others.
+
+**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment.
+
+## Community Standards
+
+What we expect from members of our communities:
+
+1. **Don't spread misinformation**
+
+ We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence.
+
+1. **Don't abuse our willingness to help**
+
+ Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/).
+
+1.
**Behave in a positive and constructive manner**
+
+ Examples of behavior that contributes to a positive environment for our community include:
+
+ - Demonstrating empathy and kindness toward other people
+ - Being respectful of differing opinions, viewpoints, and experiences
+ - Giving and gracefully accepting constructive feedback
+ - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+ - Focusing on what is best not just for us as individuals, but for the overall community
+
+### Unacceptable Behavior
+
+The following behaviors are considered harassment and are unacceptable within our community:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Scope
+
+Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities.
+
+We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion.
+
+### Contact
+
+If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system.
+
+If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
diff --git a/i18n/hu/about/criteria.md b/i18n/hu/about/criteria.md
new file mode 100644
index 00000000..ef564b29
--- /dev/null
+++ b/i18n/hu/about/criteria.md
@@ -0,0 +1,42 @@
+---
+title: Általános Követelmények
+---
+
+!!! example "Folyamatban lévő munka"
+
+ Az alábbi oldal egy folyamatban lévő munka, és jelenleg nem tükrözi ajánlásaink teljes körű kritériumait. Korábbi beszélgetés erről a témáról: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24)
+
+Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion.
+
+## Financial Disclosure
+
+We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors.
+
+## General Guidelines
+
+We apply these priorities when considering new recommendations:
+
+- **Secure**: Tools should follow security best-practices wherever applicable.
+- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives.
+- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in.
+- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases.
+- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required.
+- **Documented**: Tools should have clear and extensive documentation for use.
+
+## Developer Self-Submissions
+
+We have these requirements in regard to developers which wish to submit their project or software for consideration.
+
+- Must disclose affiliation, i.e. your position within the project being submitted.
+
+- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc.
+ - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit.
+
+- Must explain what the project brings to the table in regard to privacy.
+ - Does it solve any new problem?
+ - Why should anyone use it over the alternatives?
+
+- Must state what the exact threat model is with their project.
+ - It should be clear to potential users what the project can provide, and what it cannot.
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/about/donate.md b/i18n/hu/about/donate.md
new file mode 100644
index 00000000..91185eda
--- /dev/null
+++ b/i18n/hu/about/donate.md
@@ -0,0 +1,52 @@ +--- +title: Támogass Minket +--- + + +Nagyon sok [emberre](https://github.com/privacyguides/privacyguides.org/graphs/contributors) és [munkára](https://github.com/privacyguides/privacyguides.org/pulse/monthly) van szükség ahhoz, hogy a Privacy Guides-t frissen tartsuk és hogy terjesszük a szót az adatvédelemről és tömeges megfigyelésről. Ha tetszik, amit csinálunk, fontold meg, hogy részt veszel az [oldal szerkesztésében](https://github.com/privacyguides/privacyguides.org), vagy [hozzájárulsz fordításokkal](https://crowdin.com/project/privacyguides). + +Ha anyagilag szeretnél támogatni minket, a számunkra legkényelmesebb módszer az Open Collective-en keresztül történő hozzájárulás, amelyet a pénzügyi házigazdánk működtet. Az Open Collective elfogadja a hitelkártyával/betéti kártyával, PayPal és banki átutalással történő fizetéseket. + +[Adományozás az OpenCollective.com-on](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +A közvetlenül nekünk adott adományok Open Collective-en általában adólevonásra jogosultak az Egyesült Államokban, mivel a pénzügyi házigazdánk (az Open Collective Foundation) egy bejegyzett 501(c)3 szervezet. Az adományozás után egy számlát fogsz kapni az Open Collective Fundation-től. A Privacy Guides nem nyújt pénzügyi tanácsadást, ezzel kapcsolatban fordulj adótanácsadódhoz, hogy megtudd, ez vonatkozik-e rád. + +Ha már használod a GitHub szponzorálási lehetőséget, akkor ott is támogathatod szervezetünket. + +[Szponzorálj minket GitHub-on](https://github.com/sponsors/privacyguides ""){.md-button} + +## Támogatók + +Egy különleges köszönet mindazoknak akik támogatják a küldetésünket! :heart: + +*Megjegyzés: Ez a rész közvetlenül az Open Collective-ról tölt be egy widgetet. 
Ez a rész nem tükrözi a Open Collective-en kívüli adományokat, és nincs befolyásunk az ebben a részben szereplő konkrét adományozókra.* + + + +## Hogyan Használjuk Fel az Adományokat + +A Privacy Guides egy **nonprofit** szervezet. Az adományokat különböző célokra használjuk fel, többek között: + +**Domain Regisztrációk** +: + +Van néhány domain nevünk, mint például `privacyguides.org`, amelyek regisztrációjának fenntartása évente körülbelül 10 dollárba kerül. + +**Web Üzemeltetés** +: + +A weboldalra érkező forgalom több száz gigabájtnyi adatot használ havonta, és számos szolgáltatót használunk, hogy lépést tartsunk ezzel a forgalommal. + +**Online Szolgáltatások** +: + +[Internetes szolgáltatásokat](https://privacyguides.net) üzemeltetünk a különböző adatvédelmi termékek teszteléséhez és bemutatásához amiket kedvelünk és [ajánlunk](../tools.md). Ezek közül néhányat nyilvánosan elérhetővé teszünk a közösségünk számára (SearXNG, Tor, stb.), néhányat pedig a csapatunk tagjai számára biztosítunk (e-mail, stb.). + +**Termékvásárlások** +: + +Alkalmanként vásárolunk termékeket és szolgáltatásokat az [ajánlott eszközeink](../tools.md) tesztelése céljából. + +Még mindig dolgozunk a pénzügyi házigazdánkkal (az Open Collective Foundation-nel), hogy fogadni tudjunk kriptovaluta adományokat, jelenleg a könyvelés sok kisebb tranzakció esetében kivitelezhetetlen, de ez a jövőben valószínűleg változni fog. Addig is, ha szeretnél egy nagyobb összegű (> $100) kriptovaluta adományt tenni, kérjük, írj a [jonah@privacyguides.org](mailto:jonah@privacyguides.org) címre. + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/about/index.md b/i18n/hu/about/index.md new file mode 100644 index 00000000..7a67544a --- /dev/null +++ b/i18n/hu/about/index.md 
@@ -0,0 +1,63 @@ +--- +title: "A Privacy Guides-ról" +--- + +A **Privacy Guides** egy szociálisan motivált weboldal, amely az adatbiztonságról és az adatvédelemről nyújt tájékoztatást. Mi egy non-profit csoport vagyunk, ameit teljes egészében önkéntes [csapattagok](https://discuss.privacyguides.net/g/team) és közreműködők működtetnek. + +[:material-hand-coin-outline: A projekt támogatása](donate.md ""){.md-button.md-button--primary} + +## Csapatunk + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Honlap](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Honlap](https://freddy.omg.lol) + +??? 
person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Honlap](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Továbbá, [többen is](https://github.com/privacyguides/privacyguides.org/graphs/contributors) hozzá járultak a projekthez. Akár te is, nyílt forráskódúak vagyunk a GitHub-on! + +Csapatunk tagjai felülvizsgálják a weboldalon végrehajtott összes változtatást, és olyan adminisztratív feladatokat látnak el, mint a webes üzemeltetés és a pénzügyek, azonban személyesen nem profitálnak a weboldalon tett hozzájárulásokból. Pénzügyi adatainkat átláthatóan az Open Collective Foundation 501(c)(3) szervezi az [opencollective.com/privacyguides](https://opencollective.com/privacyguides) címen. A Privacy Guides-nak adott adományok általában jogosultak adólevonásra az Egyesült Államokban. + +## Webhelylicensz + +*A következő a [licensz](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE) ember által olvasható (de azt nem helyettesítő) összefoglalója:* + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Eltérő megjegyzés hiányában a weboldal eredeti tartalma a [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE) alatt érhető el. 
Ez azt jelenti, hogy te szabadon másolhatod és terjesztheted az anyagot bármilyen médiumban vagy formátumban, bármilyen célból, akár kereskedelmi céllal is; feltéve, hogy megfelelően hivatkozol a `Privacy Guides (www.privacyguides.org)` címre, és biztosítasz egy linket a licenszhez. Te **nem** használhatod a Privacy Guides márkajelzéseit saját projektedben ennek a projektnek a kifejezett jóváhagyása nélkül. Ha a weboldal tartalmát remixeled, átalakítod, vagy arra építesz, a módosított anyagot nem terjesztheted. + +Ez a licensz azért van érvényben, hogy megakadályozzuk, hogy az emberek megfelelő elismerés nélkül osszák meg, és hogy megakadályozzuk, hogy az emberek úgy módosítsák a munkánkat, hogy azt az emberek félrevezetésére használják. Ha úgy találod, hogy a licensz feltételei túlságosan korlátozóak a projekthez, amelyen dolgozol, kérjük, fordulj hozzánk a `jonah@privacyguides.org` címen. Örömmel biztosítunk alternatív licenszelési lehetőségeket jó szándékú projektek számára adatvédelmi térben! + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/about/notices.md b/i18n/hu/about/notices.md new file mode 100644 index 00000000..16c90c84 --- /dev/null +++ b/i18n/hu/about/notices.md 
@@ -0,0 +1,45 @@ +--- +title: "Közlemények és Nyilatkozatok" +hide: + - toc +--- + +## Jogi Nyilatkozat + +A Privacy Guides nem jogi iroda. Mint ilyen, a Privacy Guides weboldal és közreműködői nem nyújtanak jogi tanácsadást. A weboldalunkon és az útmutatóinkban található anyagok és ajánlások nem minősülnek jogi tanácsadásnak, és a weboldalhoz való hozzájárulás, valamint a Privacy Guides, vagy más közreműködőkkel való kommunikáció a weboldalunkról sem hoz létre ügyvéd-ügyfél kapcsolatot. + +A weboldal működtetése, mint minden emberi vállalkozás, bizonytalansággal és kompromisszumokkal jár. Reméljük, hogy ez a weboldal segít, de hibákat tartalmazhat, és nem tud minden helyzetet figyelembe venni. Ha bármilyen kérdésed van a szituációddal kapcsolatban, bátorítunk, hogy végezz saját kutatásokat, keress fel más szakértőket, és vegyél részt a Privacy Guides közösségével folytatott beszélgetésekben. Ha bármilyen jogi kérdésed van, konzultálj saját jogi tanácsadóddal, mielőtt továbblépnél. + +A Privacy Guides egy nyílt forráskódú projekt, amelyhez olyan licencek alapján lehet hozzá járulni, amelyek a weboldal és a közreműködők védelme érdekében egyértelművé teszik, hogy a Privacy Guides projekt és a weboldal garancia nélkül és úgy van kínálva "ahogy van", és kizárják a felelősséget a weboldal vagy a benne található ajánlások használatából eredő károkért. A Privacy Guides nem garantálja és nem vállal semmilyen felelősséget a weboldalon található anyagok pontosságát, valószínűsíthető eredményét vagy megbízhatóságát illetően, vagy egyéb módon a weboldalon található ilyen anyagokkal kapcsolatban, illetve az ezen a weboldalon hivatkozott bármely harmadik fél weboldalán. + +A Privacy Guides továbbá nem garantálja, hogy ez a weboldal folyamatosan vagy egyáltalán elérhető lesz. 
+ +## Licenszek + +Eltérő megjegyzés hiányában a weboldalon található minden tartalom a [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE)feltételei szerint érhető el. + +Ez nem vonatkozik az ebbe a repositoryba beágyazott, harmadik féltől származó kódra, illetve azokra a kódokra, amelyeknél a helyettesítő licensz másként van feltüntetve. Az alábbi példák figyelemre méltóak, de ez a lista nem feltétlenül teljes: + +* A [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) az [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt) licensz alatt áll. + +A közlemény egyes részeit a GitHub-on található [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) dokumentumból lett átvéve. Az a forrás és ez az oldal maga a [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE) alatt van kiadva. + +Ez azt jelenti, hogy az ebben a repositoryban található, ember által olvasható tartalmat felhasználhatod saját projektedhez, a Creative Commons Attribution-NoDerivatives 4.0 International Public License szövegben foglalt feltételei szerint. Te **nem** használhatod a Privacy Guides márkajelzéseit saját projektedben ennek a projektnek a kifejezett jóváhagyása nélkül. Te **nem** használhatod a Privacy Guides márkajelzéseit saját projektedben ennek a projektnek a kifejezett jóváhagyása nélkül. A Privacy Guides márkavédjegyei közé tartozik a "Privacy Guides" szóvédjegy és a pajzs logó. + +Úgy véljük, hogy az `assets`-ekben található logók és egyéb, harmadik féltől származó képek vagy közkincsek, vagy **fair use** alatt állnak. 
Dióhéjban, a jogi [fair use elmélet](https://www.copyright.gov/fair-use/more-info.html) lehetővé teszi a szerzői joggal védett képek felhasználását a téma azonosítása érdekében nyilvános komment céljából. Ezek a logók és egyéb képek azonban egy vagy több joghatóságban továbbra is védjegyekre vonatkozó törvények hatálya alá tartozhatnak. Mielőtt felhasználnád ezt a tartalmat, kérjük, győződj meg arról, hogy a védjegyet a védjegyegy tulajdonló entitás, vagy szervezet azonosítására használják, illetve hogy az általad tervezett felhasználás körülményei között alkalmazandó törvények értelmében jogosult vagy-e annak használatára. *A weboldal tartalmának másolásakor kizárólag te vagy felelős azért, hogy ne sértsd meg más védjegyét vagy szerzői jogát.* + +Amikor hozzájárulsz ehhez a repositoryhoz, akkor ezt a fenti licenszek alapján teszed, és te egy örökkévaló, világméretű, nem kizárólagos, átruházható, jogdíjmentes, visszavonhatatlan licenszt nyújtasz a Privacy Guidesnak, amely jogot biztosít arra, hogy allicencenszelje az ilyen jogokat allicenszek több szintjén keresztül, hogy a projektünk részeként reprodukálja, módosítsa, megjelenítse, bemutassa, előadja és terjessze a hozzájárulásodat. + +## Elfogadható Használat + +Nem használhatod ezt a weboldalt semmilyen módon, amely kárt okoz vagy okozhat a weboldalban, vagy a Privacy Guides elérhetőségének vagy hozzáférhetőségének károsodását okozhatja, vagy bármilyen módon, amely jogellenes, illegális, csalárd, káros, vagy bármilyen jogellenes, illegális, csalárd vagy káros céllal vagy tevékenységgel összefüggésben. + +Kifejezett írásbeli hozzájárulás nélkül nem végezhetsz semmilyen szisztematikus vagy automatizált adatgyűjtési tevékenységet ezen a weboldalon vagy azzal kapcsolatban, beleértve: + +* Túlzott autómatikus szkennek +* Denial of Service támadások +* Scrapelés +* Adatbányászat +* 'Framelés' (IFramek) + +--8<-- "includes/abbreviations.hu.txt" 
diff --git a/i18n/hu/about/privacy-policy.md b/i18n/hu/about/privacy-policy.md new file mode 100644 index 00000000..8a308c41 --- /dev/null +++ b/i18n/hu/about/privacy-policy.md 
@@ -0,0 +1,63 @@ +--- +title: "Privacy Policy" +--- + +A Privacy Guides egy közösségi projekt, amelyet számos aktív önkéntes közreműködő működtet. A csapattagok nyilvános listája [megtalálható a GitHub-on](https://github.com/orgs/privacyguides/people). + +## Látogatókról Gyűjtött Adatok + +Fontos számunkra weboldalunk látogatóinak magánélete, ezért nem követünk egyetlen önálló személyt sem. Mint a honlapunk látogatója: + +- Semmilyen személyes információt nem gyűjtünk +- Semmilyen sütihez hasonló információ nincs tárolva a böngészőben +- Semmilyen információt nem osztunk meg, küldünk el, vagy adunk el harmadik feleknek +- Semmilyen információt nem osztunk meg hirdetőcégekkel +- Semmilyen információt nem bányászunk és gyűjtünk be személyes és viselkedési trendek megállapításához +- Semmilyen információt nem értékesítünk + +Az általunk gyűjtött adatokat a [statisztikák](statistics.md) oldalon tekintheted meg. + +A [Plausible Analytics](https://plausible.io) egy saját üzemeltetésű telepítését futtatjuk, hogy statisztikai célokra egyes anonim használati adatokat gyűjtsünk. A cél a weboldalunk forgalmának általános trendjeinek nyomon követése, nem pedig egyéni látogatók nyomon követése. Minden adat kizárólag csak összesített. Semmilyen személyes adatot nem gyűjtünk. + +Az összegyűjtött adatok közé tartoznak a hivatkozási források, a legnépszerűbb oldalak, a látogatás időtartama, a látogatás során használt eszközökről származó információk (eszköztípus, operációs rendszer, ország és böngésző) és még sok más. Itt tudhatsz meg többet arról, hogyan működik a Plausible, és hogyan gyűjt információkat az magánélet tiszteletben tartásával [](https://plausible.io/data-policy). + +## Fióktulajdonosokról Gyűjtött Adatok + +Egyes általunk kínált weboldalon és szolgáltatáson számos funkcióhoz fiókra lehet szükség. Egy fórumplatformon például a témákhoz való posztoláshoz és hozzászóláshoz fiókra lehet szükség. 
+ +A legtöbb fiókhoz való regisztrációhoz egy nevet, felhasználónevet, e-mail címet és jelszót kell megadnod. Amennyiben egy weboldal az említett adatoknál több információt igényel, az egyértelműen jelezve lesz, és külön adatvédelmi nyilatkozatban lesz feltüntetve. + +A fiókadataidat arra használjuk, hogy azonosítsunk a weboldalon, és hogy jellemző oldalakat, például a profiloldaladat létrehozzuk. A fiókadataidat arra is felhasználjuk, hogy nyilvános profilt tegyünk közzé számodra a szolgáltatásainkban. + +Az email címedet a következőkre használjuk: + +- Értesítünk a weboldalakon vagy szolgáltatásokban megjelenő bejegyzésekről és egyéb tevékenységekről. +- Visszaállítjuk a jelszavadat, és segítünk megőrizni fiókod biztonságát. +- Felvesszük veled a kapcsolatot a fiókoddal összefüggő különleges körülményekkel kapcsolatban. +- Felvesszük veled a kapcsolatot jogi kérésekkel, például DMCA tiltási kérelmekkel kapcsolatban. + +Egyes weboldalakon és szolgáltatásokon további információt adhatsz meg fiókodhoz, például egy rövid életrajzot, avatart, a tartózkodási helyedet vagy a születésnapodat. Ezeket az információkat mindenki számára elérhetővé tesszük, aki hozzáférhet az adott weboldalhoz vagy szolgáltatáshoz. Ezek az információk nem szükségesek egyik szolgáltatásaink igénybevételéhez sem, és bármikor törölhetők. + +Fiókadataidat mindaddig tárolni fogjuk, amíg fiókod nyitva van. A fiók bezárása után a fiókadatok egy részét vagy egészét biztonsági mentések vagy archívumok formájában legfeljebb 90 napig megőrizhetjük. + +## Kapcsolatfelvétel + +A Privacy Guides csapata általában nem fér hozzá személyes adatokhoz, kivéve a moderációs panelek által biztosított korlátozott hozzáférést. A személyes adataiddal kapcsolatos kérdéseket a következő címre kell küldeni: + +```text +Jonah Aragon +Szolgáltatás Adminisztrátor +jonah@privacyguides.org +``` + +Minden más megkereséssel kapcsolatban csapatunk bármelyik tagjával kapcsolatba léphetsz. 
+ +GDPR alá eső általános panaszok esetében a helyi adatvédelmi felügyeleti szervhez nyújthatsz be panaszt. Franciaországban ez a Commission Nationale de l'Informatique et des Libertés (Nemzeti Informatikai és Szabadságügyi Bizottság) ami foglalkozik és kezeli a panaszokat. Ők egy [panaszlevél sablont](https://www.cnil.fr/en/plaintes) is biztosítanak felhasználásra. + +## A Jelen Szabályzatról + +A nyilatkozat bármely új verzióját [itt fogjuk közzétenni](privacy-policy.md). Előfordulhat, hogy a dokumentum jövőbeli verzióinál megváltoztatjuk a változások bejelentésének módját. Időközben bármikor frissíthetjük elérhetőségeinket anélkül, hogy a változást bejelentenénk. A legfrissebb elérhetőségekért kérjük, hivatkozz bármikor az [Adatvédelmi tájékoztatóra](privacy-policy.md). + +Az oldal teljes [előzménye](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) a GitHub-on található meg. + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/about/privacytools.md b/i18n/hu/about/privacytools.md new file mode 100644 index 00000000..3a543f2b --- /dev/null +++ b/i18n/hu/about/privacytools.md 
@@ -0,0 +1,120 @@ +--- +title: "PrivacyTools GYIK" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. 
The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. 
+ +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. 
This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. 
If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. 
+ +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. 
BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. 
+ +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. 
+ +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. 
+ +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/about/services.md b/i18n/hu/about/services.md new file mode 100644 index 00000000..ef8e061b --- /dev/null +++ b/i18n/hu/about/services.md 
@@ -0,0 +1,40 @@ +# Privacy Guides Szolgáltatások + +Számos webes szolgáltatást futtatunk, hogy teszteljünk funkciókat és népszerűsítsünk menő decentralizált, föderált és/vagy nyílt forráskódú projekteket. E szolgáltatások közül számos elérhető a nyilvánosság számára, és az alábbiakban részletesen ismertetjük őket. + +[:material-comment-alert: Probléma bejelentése](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Elérhetőség: Nyilvános +- Forrás: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Elérhetőség: Csak Meghívóval + A *Privacy Guides*-hoz kapcsolódó fejlesztéseken vagy tartalmakon dolgozó bármely csapat számára kérésre engedélyezhető a hozzáférés. +- Forrás: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Elérhetőség: Csak Meghívóval + A hozzáférés kérésre megadható a Privacy Guides csapatának tagjainak, Mátrix-moderátoroknak, harmadik feles Matrix közösség adminisztrátoroknak, Matrix-botok üzemeltetőinek és más olyan személyeknek, akiknek megbízható Matrix-jelenlétre van szükségük. +- Forrás: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Elérhetőség: Nyilvános +- Forrás: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Elérhetőség: Félig Nyilvános + Az Invidioust elsősorban beágyazott YouTube-videók szolgáltatásához üzemeltetjük a webhelyünkön, ez az instance általános célú használatra nem szolgál, és bármikor korlátozható. 
+- Forrás: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/about/statistics.md b/i18n/hu/about/statistics.md new file mode 100644 index 00000000..6ecfd148 --- /dev/null +++ b/i18n/hu/about/statistics.md @@ -0,0 +1,63 @@ +--- +title: Forgalom Statisztikák +--- + +## Weboldal Statisztikák + + +
Plausible Analytics által működtetett statisztikák
+ + + + +## Blog Statisztikák + + +
Plausible Analytics által működtetett statisztikák
+ + + + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/advanced/communication-network-types.md b/i18n/hu/advanced/communication-network-types.md new file mode 100644 index 00000000..0b376b8d --- /dev/null +++ b/i18n/hu/advanced/communication-network-types.md 
@@ -0,0 +1,104 @@ +--- +title: "Kommunikációs Hálózatok Típusai" +icon: 'material/transit-connection-variant' +--- + +Emberek közötti üzenetek továbbítására többféle hálózati architektúra használható. Ezek a hálózatok különböző magánéleti garanciákat nyújthatnak, ezért érdemes figyelembe venned a [védelmk modelledet](../basics/threat-modeling.md), amikor eldöntöd, hogy melyik alkalmazást fogod használni. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## Központosított Hálózatok + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +A központosított üzenetküldők azok, ahol minden résztvevő ugyanazon a szerveren vagy szerverhálózaton tartózkodik, amelyet ugyanaz a szervezet irányít. + +Néhány saját működtetésű üzenetküldő lehetővé teszi, hogy saját szervert hozz létre. Az üzemeltetés saját magad álltal további adatvédelmi garanciákat nyújthat, például használati naplók hiánya, vagy korlátozott hozzáférés metaadatokhoz (arra vonatkozó adatok, hogy ki kivel beszél). A saját üzemeltetésű, központosított üzenetküldők el vannak különítve, és a kommunikációhoz mindenkinek ugyanazon a szerveren kell lennie. + +**Előnyök:** + +- Új funkciók és módosítások gyorsabban megvalósíthatók. +- Könnyebb elkzedeni a használatot és megtalálni a kapcsolatokat. +- A környezetek a legérettebb és legstabilabb funkciókkal rendelkeznek, mivel ezeket könnyebb egy központi szoftverben programozni. +- Az adatvédelmi problémák csökkenhetnek, ha egy olyan szerverben kell megbíznod, amit te magad üzemeltetsz. + +**Hátrányok:** + +- Tartalmazhat [korlátozott ellenőrzést vagy hozzáférést](https://drewdevault.com/2018/08/08/Signal.html). Ez olyan dolgokat foglalhat magában, mint: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. 
Gyakran a Felhasználási Feltételekben van meghatározva. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Föderált Hálózatok + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Előnyök:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Hátrányok:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. 
+- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Hálózatok + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. 
However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Előnyök:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Hátrányok:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anoním Forgalomirányítás + +![Anoním forgalomirányítási diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. 
The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Előnyök:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Hátrányok:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/advanced/dns-overview.md b/i18n/hu/advanced/dns-overview.md new file mode 100644 index 00000000..37445488 --- /dev/null +++ b/i18n/hu/advanced/dns-overview.md 
@@ -0,0 +1,307 @@ +--- +title: "DNS Overview" +icon: material/dns +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. 
This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. 
| Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. 
Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. 
When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. 
We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. 
Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. 
We can use `sed` again to delete until the first instance of END:
+
+ ```bash
+ sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \
+ /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert
+ ```
+
+4. Get the OCSP responder for the server certificate:
+
+ ```bash
+ openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert
+ ```
+
+ Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use:
+
+ ```bash
+ openssl x509 -text -noout -in /tmp/pg_server.cert
+ ```
+
+5. Start the packet capture:
+
+ ```bash
+ tshark -w /tmp/pg_ocsp.pcap -f "tcp port http"
+ ```
+
+6. Make the OCSP request:
+
+ ```bash
+ openssl ocsp -issuer /tmp/intermediate_chain.cert \
+ -cert /tmp/pg_server.cert \
+ -text \
+ -url http://r3.o.lencr.org
+ ```
+
+7. Open the capture:
+
+ ```bash
+ wireshark -r /tmp/pg_ocsp.pcap
+ ```
+
+ There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field:
+
+ ```bash
+ ▸ Online Certificate Status Protocol
+ ▸ tbsRequest
+ ▸ requestList: 1 item
+ ▸ Request
+ ▸ reqCert
+ serialNumber
+ ```
+
+ For the "Response" we can also see the "serial number":
+
+ ```bash
+ ▸ Online Certificate Status Protocol
+ ▸ responseBytes
+ ▸ BasicOCSPResponse
+ ▸ tbsResponseData
+ ▸ responses: 1 item
+ ▸ SingleResponse
+ ▸ certID
+ serialNumber
+ ```
+
+8. Or use `tshark` to filter the packets for the Serial Number:
+
+ ```bash
+ tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber
+ ```
+
+If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers.
It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number.
+
+## Should I use encrypted DNS?
+
+We made this flow chart to describe when you *should* use encrypted DNS:
+
+``` mermaid
+graph TB
+ Start[Start] --> anonymous{Trying to be
anonymous?}
+ anonymous--> | Yes | tor(Use Tor)
+ anonymous --> | No | censorship{Avoiding
censorship?}
+ censorship --> | Yes | vpnOrTor(Use
VPN or Tor)
+ censorship --> | No | privacy{Want privacy
from ISP?}
+ privacy --> | Yes | vpnOrTor
+ privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?}
+ obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party)
+ obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?}
+ ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP)
+ ispDNS --> | No | nothing(Do nothing)
+```
+
+Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering.
+
+[List of recommended DNS servers](../dns.md ""){.md-button}
+
+## What is DNSSEC?
+
+[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests.
+
+In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted.
+
+The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with.
+
+DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver.
+
+Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/).
+
+## What is QNAME minimization?
+
+A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server).
+
+Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
+
+## What is EDNS Client Subnet (ECS)?
+
+The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query.
+
+It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps.
+
+This feature does come at a privacy cost, as it tells the DNS server some information about the client's location.
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/advanced/tor-overview.md b/i18n/hu/advanced/tor-overview.md
new file mode 100644
index 00000000..2e5d990e
--- /dev/null
+++ b/i18n/hu/advanced/tor-overview.md
@@ -0,0 +1,81 @@
+---
+title: "Tor Overview"
+icon: 'simple/torproject'
+---
+
+Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications.
+
+## Útvonalépítés
+
+Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays).
+
+Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function:
+
+### The Entry Node
+
+The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to.
+
+Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1]
+
+### The Middle Node
+
+The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to.
+
+For each new circuit, the middle node is randomly selected out of all available Tor nodes.
+
+### The Exit Node
+
+The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to.
+
+The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2]
+
+
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+
Tor circuit pathway
+
+
+## Encryption
+
+Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order.
+
+Once Tor has built a circuit, data transmission is done as follows:
+
+1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node.
+
+2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node.
+
+3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address.
+
+Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back.
+
+
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light)
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark)
+
Sending and receiving data through the Tor Network
+
+
+Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address.
+
+## Caveats
+
+Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect:
+
+- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity.
+- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible.
+
+If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting.
+
+- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser)
+
+## Android
+
+- [Tor Browser User Manual](https://tb-manual.torproject.org)
+- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube)
+- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube)
+
+--8<-- "includes/abbreviations.hu.txt"
+
+[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack.
The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/hu/android.md b/i18n/hu/android.md
new file mode 100644
index 00000000..cacaf736
--- /dev/null
+++ b/i18n/hu/android.md
@@ -0,0 +1,353 @@ +--- +title: "Android" +icon: 'simple/android' +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +- [General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md) +- [Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! 
recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! 
recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). 
All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. 
For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. 
Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). 
If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! 
recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! 
recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). 
If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. 
+ +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. 
+
+ ```bash
+ Signer #1 certificate DN: CN=GrapheneOS
+ Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59
+ Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c
+ Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3
+ ```
+
+### F-Droid
+
+![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px }
+
+==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages.
+
+Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust.
+
+Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository.
While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.
+
+That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method.
+
+!!! note
+
+ In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it.
+
+## Követelmények
+
+**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra.
+
+!!! example "Ez a szakasz új"
+
+ Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat.
Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Operációs Rendszerek
+
+- Must be open-source software.
+- Must support bootloader locking with custom AVB key support.
+- Must receive major Android updates within 0-1 months of release.
+- Must receive Android feature updates (minor version) within 0-14 days of release.
+- Must receive regular security patches within 0-5 days of release.
+- Must **not** be "rooted" out of the box.
+- Must **not** enable Google Play Services by default.
+- Must **not** require system modification to support Google Play Services.
+
+### Devices
+
+- Must support at least one of our recommended custom operating systems.
+- Must be currently sold new in stores.
+- Must receive a minimum of 5 years of security updates.
+- Must have dedicated secure element hardware.
+
+### Applications
+
+- Applications on this page must not be applicable to any other software category on the site.
+- General applications should extend or replace core system functionality.
+- Applications should receive regular updates and maintenance.
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/assets/img/account-deletion/exposed_passwords.png b/i18n/hu/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/hu/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/hu/assets/img/android/rss-apk-dark.png b/i18n/hu/assets/img/android/rss-apk-dark.png
new file mode 100644
index 00000000..974869a4
Binary files /dev/null and b/i18n/hu/assets/img/android/rss-apk-dark.png differ
diff --git a/i18n/hu/assets/img/android/rss-apk-light.png b/i18n/hu/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/hu/assets/img/android/rss-apk-light.png differ diff --git a/i18n/hu/assets/img/android/rss-changes-dark.png b/i18n/hu/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/hu/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/hu/assets/img/android/rss-changes-light.png b/i18n/hu/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/hu/assets/img/android/rss-changes-light.png differ diff --git a/i18n/hu/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/hu/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/hu/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/hu/assets/img/how-tor-works/tor-encryption.svg b/i18n/hu/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/hu/assets/img/how-tor-works/tor-encryption.svg 
@@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/hu/assets/img/how-tor-works/tor-path-dark.svg b/i18n/hu/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/hu/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/hu/assets/img/how-tor-works/tor-path.svg b/i18n/hu/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/hu/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/hu/assets/img/multi-factor-authentication/fido.png b/i18n/hu/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/hu/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/hu/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/hu/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/hu/assets/img/multi-factor-authentication/yubico-otp.png differ 
diff --git a/i18n/hu/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/hu/assets/img/qubes/qubes-trust-level-architecture.png
new file mode 100644
index 00000000..cde3771e
Binary files /dev/null and b/i18n/hu/assets/img/qubes/qubes-trust-level-architecture.png differ
diff --git a/i18n/hu/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/hu/assets/img/qubes/r4.0-xfce-three-domains-at-work.png
new file mode 100644
index 00000000..d7138149
Binary files /dev/null and b/i18n/hu/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ
diff --git a/i18n/hu/basics/account-creation.md b/i18n/hu/basics/account-creation.md
new file mode 100644
index 00000000..8a1bfe60
--- /dev/null
+++ b/i18n/hu/basics/account-creation.md
@@ -0,0 +1,82 @@
+---
+title: "Account Creation"
+icon: 'material/account-plus'
+---
+
+Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line.
+
+There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer.
+
+It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.
+
+## Terms of Service & Privacy Policy
+
+The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for.
+
+The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect.
+
+We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start.
+
+Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy.
+
+## Authentication methods
+
+There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks.
+
+### Email and password
+
+The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords.
+
+!!! tip
+
+ You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key.
+
+You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts.
+
+[Recommended password managers](../passwords.md ""){.md-button}
+
+#### Email aliases
+
+If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address.
This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to.
+
+Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked.
+
+[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button}
+
+### Single sign-on
+
+!!! note
+
+ We are discussing Single sign-on for personal use, not enterprise users.
+
+Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO.
+
+When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account.
+
+The main advantages are:
+
+- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials.
+- **Ease of use**: multiple accounts are managed by a single login.
+
+But there are disadvantages:
+
+- **Privacy**: a SSO provider will know the services you use.
+- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected.
+
+SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others.
Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md).
+
+All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak.
+
+### Phone number
+
+We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted.
+
+You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts.
+
+In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number!
+
+### Username and password
+
+Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password.
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/basics/account-deletion.md b/i18n/hu/basics/account-deletion.md
new file mode 100644
index 00000000..a5526014
--- /dev/null
+++ b/i18n/hu/basics/account-deletion.md
@@ -0,0 +1,63 @@
+---
+title: "Fiókok törlése"
+icon: 'material/account-remove'
+---
+
+Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence.
+
+## Finding Old Accounts
+
+### Password Manager
+
+If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/).
+
+
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png)
+
+
+Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336).
+
+Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about:
+
+- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
+- macOS [Passwords](https://support.apple.com/en-us/HT211145)
+- iOS [Passwords](https://support.apple.com/en-us/HT211146)
+- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
+
+### Email
+
+If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts.
+
+## Deleting Old Accounts
+
+### Log In
+
+In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page.
It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts.
+
+When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account.
+
+### GDPR (EEA residents only)
+
+Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
+
+### Overwriting Account information
+
+In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information.
+
+For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.
+
+### Delete
+
+You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
+
+For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this).
+
+If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
+
+Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services.
+
+## Avoid New Accounts
+
+As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/basics/common-misconceptions.md b/i18n/hu/basics/common-misconceptions.md
new file mode 100644
index 00000000..43826ee5
--- /dev/null
+++ b/i18n/hu/basics/common-misconceptions.md
@@ -0,0 +1,61 @@
+---
+title: "Common Misconceptions"
+icon: 'material/robot-confused'
+---
+
+## "Open-source software is always secure" or "Proprietary software is more secure"
+
+These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis.
+
+Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1]
+
+On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
+
+To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use.
+
+## "Shifting trust can increase privacy"
+
+We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that:
+
+1. 
You must exercise caution when choosing a provider to shift trust to.
+2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data.
+
+## "Privacy-focused solutions are inherently trustworthy"
+
+Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider.
+
+The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all.
+
+## "Complicated is better"
+
+We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?"
+
+Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips:
+
+1. 
==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions.
+2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember.
+3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight.
+
+So, how might this look?
+
+One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to.
+
+1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses.
+
+ We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means.
+
+ !!! tip
+
+ When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private.
+
+2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know.
This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc.
+
+ You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.
+
+3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly.
+
+ Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.)
+
+--8<-- "includes/abbreviations.hu.txt"
+
+[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident).
diff --git a/i18n/hu/basics/common-threats.md b/i18n/hu/basics/common-threats.md
new file mode 100644
index 00000000..708ae517
--- /dev/null
+++ b/i18n/hu/basics/common-threats.md
@@ -0,0 +1,149 @@
+---
+title: "Gyakori veszélyek"
+icon: 'material/eye-outline'
+---
+
+Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat.
+
+- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically.
+- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically.
+- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
+- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
+- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities.
+- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
+- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public.
+- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online.
+
+Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices.
+
+## Anonymity vs. Privacy
+
+:material-incognito: Anonymity
+
+Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity.
+
+Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far.
+
+## Security and Privacy
+
+:material-bug-outline: Passive Attacks
+
+Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.)
+
+When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited.
+
+To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control.
+
+!!! tip
+
+ Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources.
+
+ Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os).
+
+:material-target-account: Targeted Attacks
+
+Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies.
+
+!!! tip
+
+ By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this.
+
+If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user.
+
+## Privacy From Service Providers
+
+:material-server-network: Service Providers
+
+We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them.
+
+The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord.
+
+Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party.
+
+!!! note "Note on Web-based Encryption"
+
+ In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering).
+
+ On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt.
+
+ Therefore, you should use native applications over web clients whenever possible.
+
+Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all.
+
+## Mass Surveillance Programs
+
+:material-eye-outline: Mass Surveillance
+
+Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative.
+
+!!! abstract "Atlas of Surveillance"
+
+ If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/).
+
+ In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net.
+
+Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others.
+
+!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
+
+ In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline.
+
+Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2]
+
+Online, you can be tracked via a variety of methods:
+
+- Your IP address
+- Browser cookies
+- The data you submit to websites
+- Your browser or device fingerprint
+- Payment method correlation
+
+\[This list isn't exhaustive].
+
+If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information.
+
+:material-account-cash: Surveillance Capitalism
+
+> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3]
+
+For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4]
+
+Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you.
+
+## Limiting Public Information
+
+:material-account-search: Public Exposure
+
+The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy.
+
+- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md)
+
+On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission.
+
+If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information.
+
+## Avoiding Censorship
+
+:material-close-outline: Censorship
+
+Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5]
+
+Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.
+
+People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.
+
+!!! tip
+
+ While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic.
+
+ You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
+
+You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.
+
+--8<-- "includes/abbreviations.hu.txt"
+
+[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance).
+[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques.
+[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights).
diff --git a/i18n/hu/basics/email-security.md b/i18n/hu/basics/email-security.md
new file mode 100644
index 00000000..77db867d
--- /dev/null
+++ b/i18n/hu/basics/email-security.md
@@ -0,0 +1,42 @@
+---
+title: Email Security
+icon: material/email
+---
+
+Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed.
+
+As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others.
+
+## Email Encryption Overview
+
+The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
+
+There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible.
+
+### What Email Clients Support E2EE?
+
+Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication.
+
+### How Do I Protect My Private Keys?
+
+A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
+
+It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.
+
+## Email Metadata Overview
+
+Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
+
+Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent.
+
+### Who Can View Email Metadata?
+
+Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages.
+
+### Why Can't Metadata be E2EE?
+
+Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc.
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/basics/multi-factor-authentication.md b/i18n/hu/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..16f8844a
--- /dev/null
+++ b/i18n/hu/basics/multi-factor-authentication.md
@@ -0,0 +1,166 @@
+---
+title: "Multi-Factor Authentication"
+icon: 'material/two-factor-authentication'
+---
+
+**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app.
+
+Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone.
+
+MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO.
+
+## MFA Method Comparison
+
+### SMS or Email MFA
+
+Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account.
+
+### Push Notifications
+
+Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first.
+
+We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices.
+
+The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app.
+
+### Time-based One-time Password (TOTP)
+
+TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password.
+
+The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes.
+
+If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app.
+
+Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds).
+
+An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
+
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+
+### Hardware security keys
+
+The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory.
+
+These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones.
+
+#### Yubico OTP
+
+Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server.
+
+When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field.
+
+The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
+ 
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+
+There are some benefits and disadvantages to using Yubico OTP when compared to TOTP.
+
+The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance.
+
+If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key.
+
+#### FIDO (Fast IDentity Online)
+
+[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn).
+
+U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on.
+
+WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication.
+ 
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+
+When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal.
+
+This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards.
+ 
+
+
+
+FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods.
+
+Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy.
+
+Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys.
+
+If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA.
+
+## General Recommendations
+
+We have these general recommendations:
+
+### Which Method Should I Use?
+
+When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account.
+
+### Backups
+
+You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one.
+
+When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)).
+
+### Initial Set Up
+
+When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well.
+
+### Email and SMS
+
+If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method.
+
+If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam).
+
+[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button}
+
+## More Places to Set Up MFA
+
+Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well.
+
+### Windows
+
+Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer.
+
+### macOS
+
+macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer.
+
+Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS.
+
+After your smartcard/security key is set up, we recommend running this command in the Terminal:
+
+```text
+sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
+```
+
+The command will prevent an adversary from bypassing MFA when the computer boots.
+
+### Linux
+
+!!! warning
+
+ If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide.
+
+The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS.
+
+### Qubes OS
+
+Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS.
+
+### SSH
+
+#### Hardware Security Keys
+
+SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up.
+
+#### Time-based One-time Password (TOTP)
+
+SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ.
+
+### KeePass (and KeePassXC)
+
+KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/basics/passwords-overview.md b/i18n/hu/basics/passwords-overview.md
new file mode 100644
index 00000000..8c7a57cb
--- /dev/null
+++ b/i18n/hu/basics/passwords-overview.md
@@ -0,0 +1,112 @@
+---
+title: "Introduction to Passwords"
+icon: 'material/form-textbox-password'
+---
+
+Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced.
+
+## Best Practices
+
+### Use unique passwords for every service
+
+Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it.
+
+This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords.
+
+### Use randomly generated passwords
+
+==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices.
+
+All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use.
+
+### Rotating Passwords
+
+You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it.
+
+When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage.
+
+!!! tip "Checking for data breaches"
+
+ If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md).
+
+## Creating strong passwords
+
+### Passwords
+
+A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters.
+
+If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases).
+
+### Diceware Passphrases
+
+Diceware is a method for creating passphrases which are easy to remember, but hard to guess.
+
+Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password.
+
+An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`.
+
+To generate a diceware passphrase using real dice, follow these steps:
+
+!!! 
note
+
+ These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy.
+
+1. Roll a six-sided die five times, noting down the number after each roll.
+
+2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`.
+
+3. You will find the word `encrypt`. Write that word down.
+
+4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space.
+
+!!! warning "Important"
+
+ You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random.
+
+If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords.
+
+We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English.
+
+??? note "Explanation of entropy and strength of diceware passphrases"
+
+ To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example.
+
+ One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$.
+
+ Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$).
+
+ The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$.
+
+ Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases.
+
+ On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true:
+
+ - Your adversary knows that you used the diceware method.
+ - Your adversary knows the specific wordlist that you used.
+ - Your adversary knows how many words your passphrase contains.
+
+To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong.
+
+## Storing Passwords
+
+### Jelszókezelők
+
+The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them.
+
+There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words.
+
+[List of recommended password managers](../passwords.md ""){.md-button}
+
+!!! warning "Don't place your passwords and TOTP tokens inside the same password manager"
+
+ When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+
+ Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
+
+ Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device.
+
+### Backups
+
+You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using.
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/basics/threat-modeling.md b/i18n/hu/basics/threat-modeling.md
new file mode 100644
index 00000000..3e2e5a94
--- /dev/null
+++ b/i18n/hu/basics/threat-modeling.md
@@ -0,0 +1,111 @@
+---
+title: "Threat Modeling"
+icon: 'material/target-account'
+---
+
+Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using!
+
+If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important.
+
+**So, what are these threat models, anyway?**
+
+==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure.
+
+Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.
+
+## Creating Your Threat Model
+
+To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions:
+
+1. What do I want to protect?
+2. Who do I want to protect it from?
+3. How likely is it that I will need to protect it?
+4. How bad are the consequences if I fail?
+5. How much trouble am I willing to go through to try to prevent potential consequences?
+
+### What do I want to protect?
+
+An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. 
Your devices themselves may also be assets.
+
+*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.*
+
+### Who do I want to protect it from?
+
+To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.
+
+*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.*
+
+Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning.
+
+### How likely is it that I will need to protect it?
+
+==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.
+
+It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).
+
+Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.
+
+*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.*
+
+### How bad are the consequences if I fail?
+
+There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.
+
+==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.
+
+Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.
+
+*Write down what your adversary might want to do with your private data.*
+
+### How much trouble am I willing to go through to try to prevent potential consequences?
+
+==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy.
+
+For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.
+
+*Write down what options you have available to you to help mitigate your unique threats. 
Note if you have any financial constraints, technical constraints, or social constraints.*
+
+### Try it yourself: Protecting Your Belongings
+
+These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe.
+
+**What do you want to protect? (Or, *what do you have that is worth protecting?*)**
+:
+
+Your assets might include jewelry, electronics, important documents, or photos.
+
+**Who do you want to protect it from?**
+:
+
+Your adversaries might include burglars, roommates, or guests.
+
+**How likely is it that you will need to protect it?**
+:
+
+Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider?
+
+**How bad are the consequences if you fail?**
+:
+
+Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home?
+
+**How much trouble are you willing to go through to prevent these consequences?**
+:
+
+Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there?
+
+Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system.
+
+Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face.
+
+## Further Reading
+
+For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations.
+
+- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md)
+
+## Sources
+
+- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan)
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/basics/vpn-overview.md b/i18n/hu/basics/vpn-overview.md
new file mode 100644
index 00000000..774af759
--- /dev/null
+++ b/i18n/hu/basics/vpn-overview.md
@@ -0,0 +1,78 @@
+---
+title: VPN Overview
+icon: material/vpn
+---
+
+Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem).
+
+Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns).
+
+A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it.
+
+## Should I use a VPN?
+
+**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service.
+
+VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way.
+
+However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.
+
+## When shouldn't I use a VPN?
+
+Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful.
+
+Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website.
+
+## What about encryption?
+
+Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. 
However, encryption between your apps or browsers with the service providers are not handled by this encryption.
+
+In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf).
+
+## Should I use encrypted DNS with a VPN?
+
+Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider.
+
+A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different.
+
+Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you.
+
+## Should I use Tor *and* a VPN?
+
+By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. 
If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md).
+
+## What if I need anonymity?
+
+VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead.
+
+## What about VPN providers that provide Tor nodes?
+
+Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit).
+
+The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway.
+
+## When are VPNs useful?
+
+A VPN may still be useful to you in a variety of scenarios, such as:
+
+1. Hiding your traffic from **only** your Internet Service Provider.
+1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
+1. 
Hiding your IP from third-party websites and services, preventing IP based tracking.
+
+For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
+
+## Sources and Further Reading
+
+1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
+1. [Tor Network Overview](../advanced/tor-overview.md)
+1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides)
+1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them.
+
+## Related VPN Information
+
+- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/)
+- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
+- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
+- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/calendar.md b/i18n/hu/calendar.md
new file mode 100644
index 00000000..013dee67
--- /dev/null
+++ b/i18n/hu/calendar.md
@@ -0,0 +1,71 @@ +--- +title: "Naptár Szinkronizálás" +icon: material/calendar +--- + +A naptárak a legérzékenyebb adataidat tartalmazzák; használj at rest E2EE-t megvalósító termékeket, hogy megakadályozd, hogy a szolgáltató elolvassa ezeket. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **A **Tutanota** ingyenes és titkosított naptárat kínál a támogatott platformjain keresztül. A funkciók közé tartoznak: az összes adat automatikus E2EE-je, megosztási funkciók, import/export funkciók, multifaktoros hitelesítés és még [sok más](https://tutanota.com/calendar-app-comparison/). + + A több naptár és kiterjesztett megosztási funkciók csak a fizetett előfizetőknek elérhető. + + [:octicons-home-16: Honlap](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Adatvédelmi Nyilatkozat" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentáció} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Közreműködés } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! 
recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + A **Proton Calendar** egy titkosított naptárszolgáltatás, amely a Proton-tagok számára webes vagy mobilklienseken keresztül érhető el. A funkciók közé tartoznak: az összes adat automatikus E2EE-je, megosztási funkciók, import/export funkciók és még [sok más](https://proton.me/support/proton-calendar-guide). Az ingyenes előfizetéssel rendelkezők egyetlen naptárhoz kapnak hozzáférést, míg a fizetett előfizetők akár 20 naptárat is létrehozhatnak. Kiterjesztett megosztási funkciók szintén csak a fizetett előfizetőknek elérhető. + + [:octicons-home-16: Honlap](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Adatvédelmi Nyilatkozat" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Forráskód" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. 
Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimális Fenttartások + +- Szinkronizálnia és tárolnia kell információkat E2EE-vel, hogy biztosítva legyen az, hogy az adatok nem láthatóak a szolgáltató számára. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Adott esetben integrálódnia kell az operációs rendszer natív naptár- és névjegykezelő alkalmazásaival. + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/cloud.md b/i18n/hu/cloud.md new file mode 100644 index 00000000..d02393d4 --- /dev/null +++ b/i18n/hu/cloud.md 
@@ -0,0 +1,62 @@ +--- +title: "Felhőtárhely" +icon: material/file-cloud +--- + +Sok felhőalapú tárhelyszolgáltatónak elvárása a teljes bizalmad abban, hogy nem fogják megnézni a fájljaidat. Az lent felsorolt alternatívák kiküszöbölik a bizalom szükségességét azáltal, hogy a te kezedbe helyezik az adataid fölötti kontrollt, vagy E2E titkosítást valósítanak meg. + +Ha ezek az alternatívák nem felelnek meg az igényeidnek, javasoljuk, hogy tekintsd meg a [Titkosítási Szoftverek](encryption.md) részt. + +??? question "A Nextcloud-ot keresed?" + + A Nextcloud [továbbra is egy ajánlott eszköz](productivity.md) egy fájlkezelő csomag saját üzemeltetéséhez, azonban jelenleg nem ajánljuk a harmadik féltől származó Nextcloud tárolási szolgáltatóit, mivel a Nextcloud beépített E2EE funkcióit nem ajánljuk otthoni felhasználóknak. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + A **Proton Drive** egy E2EE általános fájltároló szolgáltatás a népszerű titkosított e-mail szolgáltatótól a [Proton Mail](https://proton.me/mail)-től. + + [:octicons-home-16: Honlap](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Adatvédelmi Nyilatkozat" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Forráskód" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +A Proton Drive mobil kliensei 2022 decemberében jelentek meg, és még nem nyílt forráskódúak. 
Proton szokás szerint a forráskód közzétételét a termék első kiadásának utánra halasztja, és [a terveik szerint](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) 2023 végére teszi közzé a forráskódot. A Proton Drive asztali kliensek még fejlesztés alatt állnak. + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Végponttól végpontig terjedő titkosítást kell érvényesítenie. +- Ingyenes csomagot vagy próbaidőszakot kell kínálnia a teszteléshez. +- Támogatnia kell TOTP vagy FIDO2 többfaktoros hitelesítés használatát, vagy Passkey bejelentkezéseket. +- Olyan webes felületet kell kínálnia, amely támogat alapvető fájlkezelési funkciókat. +- Lehetővé kell tennie az összes fájl/dokumentum egyszerű exportálását. +- Szabványos, felülvizsgált titkosítást kell használnia. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- A klienseknek nyílt forráskódúnak kell lenniük. +- A klienseket teljes egészükben független harmadik félnek kell felülvizsgálnia. +- Natív klienseket kell kínálnia Linux, Android, Windows, macOS és iOS rendszerekre. + - Ezeknek a klienseknek integrálódniuk kell natív operációs rendszer eszközökkel, amik felhőtárhely szolgáltatóknak lettek létrehozva, például a Files alkalmazás integrációjával iOS-en, vagy a DocumentsProvider funkcióval Androidon. +- Támogatnia kell az egyszerű fájlmegosztást más felhasználókkal. +- Legalább alapvető fájlelőnézeti és szerkesztési funkciókat kell kínálnia a webes felületen. + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/data-redaction.md b/i18n/hu/data-redaction.md new file mode 100644 index 00000000..cee5392b --- /dev/null +++ b/i18n/hu/data-redaction.md 
@@ -0,0 +1,146 @@
+---
+title: "Adat és Metaadat Eltávolítás"
+icon: material/tag-remove
+---
+
+When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata.
+
+## Desktop
+
+### MAT2
+
+!!! recommendation
+
+ ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right }
+
+ **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org).
+
+ On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner).
+
+ [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation}
+ [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://pypi.org/project/mat2)
+ - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew)
+ - [:simple-linux: Linux](https://pypi.org/project/mat2)
+ - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface)
+
+## Mobil
+
+### ExifEraser (Android)
+
+!!! recommendation
+
+ ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right }
+
+ **ExifEraser** is a modern, permissionless image metadata erasing application for Android.
+
+ It currently supports JPEG, PNG and WebP files.
+
+ [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser)
+ - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser)
+ - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases)
+
+The metadata that is erased depends on the image's file type:
+
+* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists.
+* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+
+After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image.
+
+The app offers multiple ways to erase metadata from images. Namely:
+
+* You can share an image from another application with ExifEraser.
+* Through the app itself, you can select a single image, multiple images at once, or even an entire directory.
+* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it.
+* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode.
+* Lastly, it allows you to paste an image from your clipboard.
+
+### Metapho (iOS)
+
+!!! recommendation
+
+ ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right }
+
+ **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location.
+
+ [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352)
+
+### PrivacyBlur
+
+!!! recommendation
+
+ ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right }
+
+ **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online.
+
+ [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106)
+
+!!! warning
+
+ You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid).
+
+## Command-line
+
+### ExifTool
+
+!!! recommendation
+
+ ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right }
+
+ **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more).
+
+ It's often a component of other Exif removal applications and is in most Linux distribution repositories.
+
+ [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://exiftool.org)
+ - [:simple-apple: macOS](https://exiftool.org)
+ - [:simple-linux: Linux](https://exiftool.org)
+
+!!! example "Deleting data from a directory of files"
+
+ ```bash
+ exiftool -all= *.file_extension
+ ```
+
+## Követelmények
+
+**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra.
+
+!!! example "Ez a szakasz új"
+
+ Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Apps developed for open-source operating systems must be open-source.
+- Apps must be free and should not include ads or other limitations.
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/desktop-browsers.md b/i18n/hu/desktop-browsers.md
new file mode 100644
index 00000000..af3b392f
--- /dev/null
+++ b/i18n/hu/desktop-browsers.md
@@ -0,0 +1,263 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping your browser extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! 
warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. 
+ +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. 
If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. 
+ +### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### IPFS + +InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +- [x] Select **Disabled** on Method to resolve IPFS resources + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Android + +We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). 
+ +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Bővítmény Követelmények + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +--8<-- "includes/abbreviations.hu.txt" + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/hu/desktop.md b/i18n/hu/desktop.md new file mode 100644 index 00000000..b69e48aa --- /dev/null +++ b/i18n/hu/desktop.md 
@@ -0,0 +1,184 @@
+---
+title: "Asztal/PC"
+icon: simple/linux
+---
+
+Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions.
+
+- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md)
+
+## Traditional Distributions
+
+### Fedora Workstation
+
+!!! recommendation
+
+ ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right }
+
+ **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general.
+
+ [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
+
+### openSUSE Tumbleweed
+
+!!! recommendation
+
+ ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
+
+ **openSUSE Tumbleweed** is a stable rolling release distribution.
+
+ openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.
+
+ [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute }
+
+Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality.
+
+### Arch Linux
+
+!!! recommendation
+
+ ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right }
+
+ **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).
+
+ [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute }
+
+Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.
+
+Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
+
+A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org).
+
+## Immutable Distributions
+
+### Fedora Silverblue
+
+!!! recommendation
+
+ ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right }
+
+ **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.
+
+ [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.
+
+After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed.
+
+[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image.
+
+As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer.
+
+### NixOS
+
+!!! recommendation
+
+ ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right }
+
+ NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.
+
+ [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute }
+
+NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.
+
+NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.
+
+Nix the package manager uses a purely functional language - which is also called Nix - to define packages.
+
+[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository.
You can also define your own packages in the same language and then easily include them in your config.
+
+Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible.
+
+## Anonymity-Focused Distributions
+
+### Whonix
+
+!!! recommendation
+
+ ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right }
+
+ **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os).
+
+ [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute }
+
+Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.
+
+Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator.
+
+Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
+
+Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors.
+
+### Tails
+
+!!! recommendation
+
+ ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right }
+
+ **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off.
+
+ [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute }
+
+Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized.
+
+Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users.
[Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device.
+
+By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots.
+
+## Security-focused Distributions
+
+### Qubes OS
+
+!!! recommendation
+
+ ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right }
+
+ A **Qubes OS** egy nyílt forráskódú operációs rendszer, amelyet úgy terveztek, hogy erős biztonságot nyújtson asztali számítógépek számára. Qubes a Xen-en, az X Window System-en és a Linuxon alapul, képes a legtöbb Linux alkalmazás futtatására és a legtöbb Linux illesztőprogram használatára.
+
+ [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary }
+ [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute }
+
+Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*.
+
+The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/).
+
+## Követelmények
+
+**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra.
+
+!!! example "Ez a szakasz új"
+
+ Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Our recommended operating systems:
+
+- Must be open-source.
+- Must receive regular software and Linux kernel updates.
+- Linux distributions must support [Wayland](os/linux-overview.md#Wayland).
+- Must support full-disk encryption during installation.
+- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/dns.md b/i18n/hu/dns.md
new file mode 100644
index 00000000..ec4045b2
--- /dev/null
+++ b/i18n/hu/dns.md
@@ -0,0 +1,142 @@
+---
+title: "DNS Resolvers"
+icon: material/dns
+---
+
+!!! question "Should I use encrypted DNS?"
+
+ Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity.
+
+ [Learn more about DNS](advanced/dns-overview.md){ .md-button }
+
+## Recommended Providers
+
+| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering |
+| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
+| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) |
+| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. |
+| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. |
+| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) |
+| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. |
+| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. |
+
+## Követelmények
+
+**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra.
+
+!!! example "Ez a szakasz új"
+
+ Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec).
+- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization).
+- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled.
+- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support.
+
+## Native Operating System Support
+
+### Android
+
+Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**.
+
+### Apple Devices
+
+The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings).
+
+After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings.
+
+#### Signed Profiles
+
+Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/).
+
+!!! info
+
+ `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS.
+
+## Encrypted DNS Proxies
+
+Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns).
+
+### RethinkDNS
+
+!!!
recommendation
+
+ ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right }
+ ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right }
+
+ **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
+
+ [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns)
+ - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases)
+
+### dnscrypt-proxy
+
+!!! recommendation
+
+ ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right }
+
+ **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
+
+ !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
+
+ [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows)
+ - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS)
+ - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux)
+
+## Self-hosted Solutions
+
+A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed.
+
+### AdGuard Home
+
+!!! recommendation
+
+ ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right }
+
+ **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ AdGuard Home features a polished web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" }
+
+### Pi-hole
+
+!!!
recommendation
+
+ ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right }
+
+ **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute }
+
+--8<-- "includes/abbreviations.hu.txt"
+
+[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html)
+[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours.
[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/)
+[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy)
+[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/)
+[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy)
+[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/)
diff --git a/i18n/hu/email-clients.md b/i18n/hu/email-clients.md
new file mode 100644
index 00000000..e0a6c560
--- /dev/null
+++ b/i18n/hu/email-clients.md
@@ -0,0 +1,239 @@
+---
+title: "Email kliensek"
+icon: material/email-open
+---
+
+Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft.
+
+??? warning "Email does not provide forward secrecy"
+
+ When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email.
+
+ OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy:
+
+ [Real-time Communication](real-time-communication.md){ .md-button }
+
+## Cross-Platform
+
+### Thunderbird
+
+!!! recommendation
+
+ ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right }
+
+ **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation.
+
+ [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation}
+ [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" }
+
+ ???
downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! 
recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. 
+ + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! 
recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? 
downloads
+
+ - [:simple-apple: macOS](https://neomutt.org/distro)
+ - [:simple-linux: Linux](https://neomutt.org/distro)
+
+## Követelmények
+
+**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra.
+
+!!! example "Ez a szakasz új"
+
+ Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimális Fenttartások
+
+- Apps developed for open-source operating systems must be open-source.
+- Must not collect telemetry, or have an easy way to disable all telemetry.
+- Must support OpenPGP message encryption.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be open-source.
+- Should be cross-platform.
+- Should not collect any telemetry by default.
+- Should support OpenPGP natively, i.e. without extensions.
+- Should support storing OpenPGP encrypted emails locally.
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/email.md b/i18n/hu/email.md
new file mode 100644
index 00000000..fbdaee26
--- /dev/null
+++ b/i18n/hu/email.md
@@ -0,0 +1,485 @@
+---
+title: "Email Services"
+icon: material/email
+---
+
+Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy.
+
+[Recommended Instant Messengers](real-time-communication.md ""){.md-button}
+
+For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features.
+
+## OpenPGP Compatible Services
+
+These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
+
+!!! warning
+
+ When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview).
+
+ OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
+
+### Proton Mail
+
+!!! recommendation
+
+ ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right }
+
+ **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan.
+ + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +??? 
success "Custom Domains and Aliases" + + Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +??? success "Private Payment Methods" + + Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments. + +??? success "Account Security" + + Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code. + +??? success "Data Security" + + Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + + Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +??? success "Email Encryption" + + Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. 
+ + Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + +??? warning "Digital Legacy" + + Proton Mail doesn't offer a digital legacy feature. + +??? info "Account Termination" + + If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +??? info "Additional Functionality" + + Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +??? success "Custom Domains and Aliases" + + Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. 
Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +??? info "Private Payment Methods" + + Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +??? success "Account Security" + + Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +??? info "Data Security" + + Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + + However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +??? success "Email Encryption" + + Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. 
This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + + Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +??? success "Digital Legacy" + + Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +??? info "Account Termination" + + Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +??? info "Additional Functionality" + + You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + + All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +### StartMail + +!!! 
recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +??? success "Custom Domains and Aliases" + + Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +??? warning "Private Payment Methods" + + StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +??? success "Account Security" + + StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +??? info "Data Security" + + StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. 
When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + + StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +??? success "Email Encryption" + + StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. + +??? warning "Digital Legacy" + + StartMail does not offer a digital legacy feature. + +??? info "Account Termination" + + On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +??? info "Additional Functionality" + + StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +??? success "Custom Domains and Aliases" + + Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). 
Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +??? warning "Private Payment Methods" + + Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +??? success "Account Security" + + Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +??? success "Data Security" + + Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +??? warning "Email Encryption" + + Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +??? warning "Digital Legacy" + + Tutanota doesn't offer a digital legacy feature. + +??? info "Account Termination" + + Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +??? info "Additional Functionality" + + Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + + Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. 
+ +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. 
You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! 
recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Követelmények + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. 
We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. 
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). 
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). 
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. 
(email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc)
+- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+
+**Best Case:**
+
+- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
+
+### Additional Functionality
+
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/encryption.md b/i18n/hu/encryption.md
new file mode 100644
index 00000000..c3b7a8a9
--- /dev/null
+++ b/i18n/hu/encryption.md
@@ -0,0 +1,357 @@
+---
+title: "Titkosító Szoftverek"
+icon: material/file-lock
+---
+
+Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here.
+
+## Multi-platform
+
+The options listed here are multi-platform and great for creating encrypted backups of your data.
+
+### Cryptomator (Cloud)
+
+!!! recommendation
+
+ ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right }
+
+ **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider.
+
+ [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:simple-android: Android](https://cryptomator.org/android)
+ - [:simple-windows11: Windows](https://cryptomator.org/downloads)
+ - [:simple-apple: macOS](https://cryptomator.org/downloads)
+ - [:simple-linux: Linux](https://cryptomator.org/downloads)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+
+Cryptomator uses AES-256 encryption to encrypt both files and filenames. 
Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. 
+
+Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
+
+## OS Full Disk Encryption
+
+Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor).
+
+### BitLocker
+
+!!! recommendation
+
+ ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right }
+
+ **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).
+
+ [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation}
+
+BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
+
+??? example "Enabling BitLocker on Windows Home"
+
+ To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module.
+
+ 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style":
+
+ ```
+ powershell Get-Disk
+ ```
+
+ 2. 
Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`:
+
+ ```
+ powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm
+ ```
+
+ 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**.
+
+ 4. Login with your admin account and type this in the command prompt to start encryption:
+
+ ```
+ manage-bde -on c: -used
+ ```
+
+ 5. Close the command prompt and continue booting to regular Windows.
+
+ 6. Open an admin command prompt and run the following commands:
+
+ ```
+ manage-bde c: -protectors -add -rp -tpm
+ manage-bde -protectors -enable c:
+ manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
+ ```
+
+ !!! tip
+
+ Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data.
+
+### FileVault
+
+!!! recommendation
+
+ ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right }
+
+ **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip.
+
+ [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation}
+
+We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery.
+
+### Linux Unified Key Setup
+
+!!! 
recommendation
+
+ ![LUKS logo](assets/img/encryption-software/luks.png){ align=right }
+
+ **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.
+
+ [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" }
+
+??? example "Creating and opening encrypted containers"
+
+ ```
+ dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
+ sudo cryptsetup luksFormat /path-to-file
+ ```
+
+
+ #### Opening encrypted containers
+ We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface.
+ ```
+ udisksctl loop-setup -f /path-to-file
+ udisksctl unlock -b /dev/loop0
+ ```
+
+!!! note "Remember to back up volume headers"
+
+ We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with:
+
+ ```
+ cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
+ ```
+
+## Browser-based
+
+Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device.
+
+### hat.sh
+
+!!! 
recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! 
recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. 
+ + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. 
Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimális Fenttartások + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. 
+- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/file-sharing.md b/i18n/hu/file-sharing.md new file mode 100644 index 00000000..5b99ad02 --- /dev/null +++ b/i18n/hu/file-sharing.md 
@@ -0,0 +1,148 @@ +--- +title: "Fájlmegosztás és Szinkronizálás" +icon: material/share-variant +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## Jelszókezelők + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. 
+ + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! 
recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/cloud/nextcloud.svg){ align=right } + + A **Nextcloud** egy ingyenes és nyílt forráskódú kliens-szerver szoftvercsomag, amellyel saját fájltárhely-szolgáltatásokat hozhatsz létre egy privát általad ellenőrzött szerveren. + + [:octicons-home-16: Kezdőlap](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Adatvédelmi Nyilatkozat" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Közreműködés } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + Nem javasoljuk az [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) használatát a Nextcloudhoz, mivel adatvesztéshez vezethet; ez erősen kísérleti jellegű és nem gyártási minőségű. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. 
+ +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/frontends.md b/i18n/hu/frontends.md new file mode 100644 index 00000000..3506384f --- /dev/null +++ b/i18n/hu/frontends.md 
@@ -0,0 +1,268 @@ +--- +title: "Frontendek" +icon: material/flip-to-front +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. 
+ +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. 
Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). 
When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Fontold meg egy [VPN](vpn.md) vagy a [Tor](https://www.torproject.org) használatát, ha a [védelmi modelled](basics/threat-modeling.md) igényli az IP-címed elrejtését. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. 
+ + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Fontold meg egy [VPN](vpn.md) vagy a [Tor](https://www.torproject.org) használatát, ha a [védelmi modelled](basics/threat-modeling.md) igényli az IP-címed elrejtését. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. 
+ + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Fontold meg egy [VPN](vpn.md) vagy a [Tor](https://www.torproject.org) használatát, ha a [védelmi modelled](basics/threat-modeling.md) igényli az IP-címed elrejtését. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. 
+ + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Fontold meg egy [VPN](vpn.md) vagy a [Tor](https://www.torproject.org) használatát, ha a [védelmi modelled](basics/threat-modeling.md) igényli az IP-címed elrejtését. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. 
Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! 
tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. 
+ +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/index.md b/i18n/hu/index.md new file mode 100644 index 00000000..ac17d427 --- /dev/null +++ b/i18n/hu/index.md 
@@ -0,0 +1,44 @@
+---
+template: overrides/home.hu.html
+hide:
+ - navigation
+ - toc
+ - feedback
+---
+
+
+## Miért érdekelne a dolog?
+
+##### “Nincs semmi rejtegetnivalóm. Miért kellene törődnöm a magánéletemmel?”
+
+A kultúrák közötti házassághoz, a női választójoghoz, a szólásszabadsághoz és sok minden máshoz hasonlóan a magánélethez való jogunk sem volt mindig biztosított. Számos diktatúrában még mindig nem az. Generációink előtt nemzedékek harcoltak a mi jogunkért a magánélethez. ==A magánélet mindannyiunk emberi joga==, amelyhez (megkülönböztetés nélkül) jogunk van.
+
+Nem szabad összekeverni a magánéletet a titoktartással. Tudjuk, hogy mi történik a mosdóban, de az ajtó mégis becsukjuk. Ez azért van, mert magánéletet akarsz, nem titoktartást. **Mindenkinek** van valami, amit meg akar védeni. A magánélet olyasmi, ami emberré tesz minket.
+
+[:material-target-account: Gyakori Internetes Fenyegetések](basics/common-threats.md ""){.md-button.md-button--primary}
+
+## Mihez kezdjek?
+
+##### Először is, tervet kell készítened
+
+Megpróbálni az összes adatodat mindenkitől és mindig megvédeni nem praktikus, költséges és fárasztó. De ne aggódj! Az adatbiztonság egy folyamat, és ha előre gondolkodsz, akkor összeállíthatsz egy neked megfelelő tervet. A biztonság nem csak a használt eszközökről vagy a letöltött szoftverekről szól. Inkább annak megértésével kezdődik, hogy milyen egyedi fenyegetésekkel kell szembenézned, és hogyan tudsz ellenük védekezni.
+
+==A fenyegetések azonosításának és az ellenintézkedések meghatározásának ezt a folyamatát **védelmi modellezésnek**== nevezzük, és ez képezi minden jó biztonsági és adatvédelmi terv alapját.
+
+[:material-book-outline: További Információk a Védelmi Modellezésről](basics/threat-modeling.md ""){.md-button.md-button--primary}
+
+---
+
+## Szükségünk van rád! Így kapcsolódhatsz be:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Csatlakozz a Fórumunkhoz" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Kövess minket a Mastodonon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Járulj hozzá a weboldalhoz" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Segíts lefordítani a weboldalt" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Csevegj velünk a Matrixon" }
+[:material-information-outline:](about/index.md){ title="Tudjon meg többet rólunk" }
+[:material-hand-coin-outline:](about/donate.md){ title="Támogasd a projektet" }
+
+Fontos, hogy egy olyan weboldal, mint a Privacy Guides, mindig naprakész maradjon. Szükségünk van arra, hogy a közönségünk figyelemmel kísérje az oldalunkon felsorolt alkalmazások frissítéseit, és kövesse az általunk ajánlott szolgáltatókkal kapcsolatos legújabb híreket. Nehéz lépést tartani az internet gyors tempójával, de mi megteszünk minden tőlünk telhetőt. Ha hibát észlelsz, úgy gondolod, hogy egy szolgáltatónak nem kellene szerepelnie a listán, észreveszed, hogy egy alkalmas szolgáltató hiányzik, úgy véled, hogy egy böngésző bővítmény már nem a legjobb választás, vagy ha bármilyen más problémát észlelsz, kérjük, jelezd nekünk.
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/kb-archive.md b/i18n/hu/kb-archive.md
new file mode 100644
index 00000000..072f926d
--- /dev/null
+++ b/i18n/hu/kb-archive.md
@@ -0,0 +1,18 @@
+---
+title: TB Archívum
+icon: material/archive
+---
+
+# Az Oldalak Át Lettek Helyezve a Blogokhoz
+
+Néhány oldal, amely korábban a tudásbázisunkban volt, most a blogunkon található:
+
+- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+- [Signal Konfiguráció Hardenelés](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+- [Linux - Rendszer Hardenelés](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
+- [Linux - Alkalmazás Sandboxolás](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
+- [Biztonságos Adattörlés](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+- [Metaadatok Eltávolításának Integrálása](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
+- [iOS Konfigurációs Útmutató](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/meta/brand.md b/i18n/hu/meta/brand.md
new file mode 100644
index 00000000..abbf3cff
--- /dev/null
+++ b/i18n/hu/meta/brand.md
@@ -0,0 +1,24 @@
+---
+title: Branding Guidelines
+---
+
+The name of the website is **Privacy Guides** and should **not** be changed to:
+
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+
+The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**.
+
+Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand)
+
+## Trademark
+
+"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project.
+
+Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions.
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/meta/git-recommendations.md b/i18n/hu/meta/git-recommendations.md
new file mode 100644
index 00000000..7237b78a
--- /dev/null
+++ b/i18n/hu/meta/git-recommendations.md
@@ -0,0 +1,48 @@
+---
+title: Git Recommendations
+---
+
+If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations.
+
+## Enable SSH Key Commit Signing
+
+You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
+
+1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo):
+ ```
+ git config --global commit.gpgsign true
+ git config --global gpg.format ssh
+ git config --global tag.gpgSign true
+ ```
+2. Copy your SSH public key to your clipboard, for example:
+ ```
+ pbcopy < ~/.ssh/id_ed25519.pub
+ # Copies the contents of the id_ed25519.pub file to your clipboard
+ ```
+3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard:
+ ```
+ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'
+ ```
+
+Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key).
+
+## Rebase on Git pull
+
+Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo).
+
+You can set this to be the default behavior:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase from `main` before submitting a PR
+
+If you are working on your own branch, run these commands before submitting a PR:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/meta/uploading-images.md b/i18n/hu/meta/uploading-images.md
new file mode 100644
index 00000000..a08eac66
--- /dev/null
+++ b/i18n/hu/meta/uploading-images.md
@@ -0,0 +1,91 @@
+---
+title: Uploading Images
+---
+
+Here are a couple of general rules for contributing to Privacy Guides:
+
+## Images
+
+- We **prefer** SVG images, but if those do not exist we can use PNG images
+
+Company logos have canvas size of:
+
+- 128x128px
+- 384x128px
+
+## Optimization
+
+### PNG
+
+Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image:
+
+```bash
+optipng -o7 file.png
+```
+
+### SVG
+
+#### Inkscape
+
+[Scour](https://github.com/scour-project/scour) all SVG images.
+
+In Inkscape:
+
+1. File Save As..
+2. Set type to Optimized SVG (*.svg)
+
+In the **Options** tab:
+
+- **Number of significant digits for coordinates** > **5**
+- [x] Turn on **Shorten color values**
+- [x] Turn on **Convert CSS attributes to XML attributes**
+- [x] Turn on **Collapse groups**
+- [x] Turn on **Create groups for similar attributes**
+- [ ] Turn off **Keep editor data**
+- [ ] Turn off **Keep unreferenced definitions**
+- [x] Turn on **Work around renderer bugs**
+
+In the **SVG Output** tab under **Document options**:
+
+- [ ] Turn off **Remove the XML declaration**
+- [x] Turn on **Remove metadata**
+- [x] Turn on **Remove comments**
+- [x] Turn on **Embeded raster images**
+- [x] Turn on **Enable viewboxing**
+
+In the **SVG Output** under **Pretty-printing**:
+
+- [ ] Turn off **Format output with line-breaks and indentation**
+- **Indentation characters** > Select **Space**
+- **Depth of indentation** > **1**
+- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element**
+
+In the **IDs** tab:
+
+- [x] Turn on **Remove unused IDs**
+- [ ] Turn off **Shorten IDs**
+- **Prefix shortened IDs with** > `leave blank`
+- [x] Turn on **Preserve manually created IDs not ending with digits**
+- **Preserve the following IDs** > `leave blank`
+- **Preserve IDs starting with** > `leave blank`
+
+#### CLI
+
+The same can be achieved with the [Scour](https://github.com/scour-project/scour) command:
+
+```bash
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/meta/writing-style.md b/i18n/hu/meta/writing-style.md
new file mode 100644
index 00000000..0fcee20d
--- /dev/null
+++ b/i18n/hu/meta/writing-style.md
@@ -0,0 +1,89 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. 
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. 
+ +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/mobile-browsers.md b/i18n/hu/mobile-browsers.md new file mode 100644 index 00000000..acdc7801 --- /dev/null +++ b/i18n/hu/mobile-browsers.md 
@@ -0,0 +1,193 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? 
downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +
+ +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. 
+ +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). 
Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. 
Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Bővítmény Követelmények + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/multi-factor-authentication.md b/i18n/hu/multi-factor-authentication.md new file mode 100644 index 00000000..7885770f --- /dev/null +++ b/i18n/hu/multi-factor-authentication.md 
@@ -0,0 +1,144 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. 
+ +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey / Librem Key + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. 
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + + The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +!!! tip + + The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). + +### Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. 
+ +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. 
+ +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/news-aggregators.md b/i18n/hu/news-aggregators.md new file mode 100644 index 00000000..4725fac7 --- /dev/null +++ b/i18n/hu/news-aggregators.md 
@@ -0,0 +1,173 @@ +--- +title: "Híraggregátorok" +icon: material/rss +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favourite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! 
recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! 
example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/notebooks.md b/i18n/hu/notebooks.md new file mode 100644 index 00000000..e85b1ae6 --- /dev/null +++ b/i18n/hu/notebooks.md 
@@ -0,0 +1,115 @@ +--- +title: "Jegyzetfüzetek" +icon: material/notebook-edit-outline +--- + +Kövesd nyomon jegyzeteid és naplóid anélkül, hogy harmadik félnek adnád át azokat. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Felhő-alapú + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. 
+ + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/os/android-overview.md b/i18n/hu/os/android-overview.md new file mode 100644 index 00000000..dc3dee99 --- /dev/null +++ b/i18n/hu/os/android-overview.md 
@@ -0,0 +1,135 @@
+---
+title: Android Áttekintés
+icon: simple/android
+---
+
+Az Android egy biztonságos operációs rendszer, amely erős [app sandboxoló](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB) és egy robusztus [engedély](https://developer.android.com/guide/topics/permissions/overview) ellenőrző rendszerrel rendelkezik.
+
+## Egy Android Disztribúció Kiválasztása
+
+Egy Android telefon vásárlásakor a készülék alapértelmezett operációs rendszere gyakran olyan alkalmazások és szolgáltatások invazív integrációját tartalmazza, amelyek nem részei az [Android Open-Source Project](https://source.android.com/)-nek. Ilyen például a Google Play Szolgáltatások, amely visszavonhatatlan jogosultságokkal rendelkezik a fájljaidhoz, névjegy tárolódhoz, hívásnaplóidhoz, SMS-üzeneteidhez, tartózkodási helyedhez, kamerádhoz, mikrofonodhoz, hardverazonosítóidhoz stb. való hozzáférésre. Ezek az alkalmazások és szolgáltatások növelik a készüléked támadási felületét, és számos adatvédelmi aggály forrását jelentik az Androiddal kapcsolatban.
+
+Ez a probléma megoldható lehet egy olyan egyedi Android-disztribúció használatával, amely nem tartalmaz ilyen invazív integrációkat. Sajnos sok egyedi Android disztribúció gyakran megsérti az Android biztonsági modellt azzal, hogy nem támogat olyan kritikus biztonsági funkciókat, mint az AVB, a rollback védelem, firmware-frissítések stb. Egyes disztribúciók [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) buildeket nyújtanak, amelyek védtelenné teszik a root-ot az [ADB](https://developer.android.com/studio/command-line/adb)-n keresztül és [több engedélyt biztosító](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policy-kat igényelnek a hibakeresési funkciókhoz, ami tovább növeli a támadási felületet és gyengébb biztonsági modellt eredményez.
+
+Ideális esetben, amikor egyedi Android disztribúciót választasz, győződj meg arról, hogy az, az Android biztonsági modellt követi. A disztribúciónak minimum rendelkeznie kell gyártási buildekkel, AVB támogatással, rollback védelemmel, időszerű firmware és operációs rendszer frissítésekkel, valamint SELinux-xal [enforcing módban](https://source.android.com/security/selinux/concepts#enforcement_levels). Az általunk ajánlott összes Android disztribúció megfelel ezeknek a kritériumoknak.
+
+[Android Rendszer Ajánlásaink :hero-arrow-circle-right-fill:](../android.md ""){.md-button}
+
+## Kerüld a Rootolást
+
+[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses.
+
+Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead.
RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.
+
+AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations.
+
+We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps.
+
+## Verified Boot
+
+[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
+
+Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted.
+
+Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device.
+
+Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems.
We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended.
+
+Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage.
+
+## Firmware Updates
+
+Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin).
+
+As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support.
+
+EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed.
+
+Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates.
+
+## Android Versions
+
+It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
+
+## Android Permissions
+
+[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version.
All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel.
+
+Should you want to run an app that you're unsure about, consider using a user or work profile.
+
+## Media Access
+
+Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter.
+
+## User Profiles
+
+Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android.
+
+With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation.
+
+## Work Profile
+
+[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles.
+
+A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one.
+
+The work profile is dependent on a device controller to function.
Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile.
+
+This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously.
+
+## VPN Killswitch
+
+Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+## Global Toggles
+
+Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled.
+
+## Google
+
+If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play.
+
+### Advanced Protection Program
+
+If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support.
+
+The Advanced Protection Program provides enhanced threat monitoring and enables:
+
+- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth)
+- Only Google and verified third-party apps can access account data
+- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
+- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
+- Stricter recovery process for accounts with lost credentials
+
+ If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as:
+
+- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)
+- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
+- Warning you about unverified applications
+
+### Google Play System Updates
+
+In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services.
+
+If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible.
+
+### Advertising ID
+
+All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you.
+
+On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*.
+
+On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check
+
+- :gear: **Settings** → **Google** → **Ads**
+- :gear: **Settings** → **Privacy** → **Ads**
+
+You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID.
+
+### SafetyNet and Play Integrity API
+
+[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps).
Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities.
+
+As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services.
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/os/linux-overview.md b/i18n/hu/os/linux-overview.md
new file mode 100644
index 00000000..18334732
--- /dev/null
+++ b/i18n/hu/os/linux-overview.md
@@ -0,0 +1,143 @@
+---
+title: Linux Overview
+icon: simple/linux
+---
+
+It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years.
+
+At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.:
+
+- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm).
These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack)
+- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go
+- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations)
+
+Despite these drawbacks, desktop Linux distributions are great if you want to:
+
+- Avoid telemetry that often comes with proprietary operating systems
+- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms)
+- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/)
+
+Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here.
+
+[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button}
+
+## Choosing your distribution
+
+Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use.
+
+### Release cycle
+
+We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions.
This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
+
+For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.
+
+We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this:
+
+
+
+
+
+### Traditional vs Atomic updates
+
+Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating.
+
+Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic.
+
+A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state."
+
+The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue:
+
+
+
+
+
+### “Security-focused” distributions
+
+There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use.
+
+### Arch-based distributions
+
+Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.
+
+For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit).
+
+Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/).
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.
+
+If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically:
+
+- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories.
+- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks.
+
+### Kicksecure
+
+While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.
+
+### Linux-libre kernel and “Libre” distributions
+
+We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons.
+
+## General Recommendations
+
+### Drive Encryption
+
+Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
+
+- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+
+### Swap
+
+Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM).
+
+### Wayland
+
+We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland.
+
+Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
+
+We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
+
+### Proprietary Firmware (Microcode Updates)
+
+Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html).
+
+We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default.
+
+### Updates
+
+Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found.
+
+Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates.
+
+Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd).
+
+## Privacy Tweaks
+
+### MAC Address Randomization
+
+Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings.
+
+It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous.
+
+We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/).
+
+If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=).
+ +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. 
+ +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/os/qubes-overview.md b/i18n/hu/os/qubes-overview.md new file mode 100644 index 00000000..9e19e9ce --- /dev/null +++ b/i18n/hu/os/qubes-overview.md @@ -0,0 +1,56 @@ +--- +title: "Qubes Overview" +icon: pg/qubes-os +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+
+Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser.
+
+![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png)
+
Qubes window borders, Credit: Qubes Screenshots
+
+## Why Should I use Qubes?
+
+Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources.
+
+Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control.
+
+### Copying and Pasting Text
+
+You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions:
+
+1. Press **Ctrl+C** to tell the VM you're in that you want to copy something.
+2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard.
+3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available.
+4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer.
+
+### File Exchange
+
+To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system.
+
+??? info "AppVMs or qubes do not have their own file systems"
+
+ You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident.
+
+### Inter-VM Interactions
+
+The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/).
+
+## Android
+
+For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc).
+
+- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/)
+- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf)
+- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html)
+- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles)
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/passwords.md b/i18n/hu/passwords.md
new file mode 100644
index 00000000..09e7aec2
--- /dev/null
+++ b/i18n/hu/passwords.md
@@ -0,0 +1,230 @@
+---
+title: "Jelszókezelők"
+icon: material/form-textbox-password
+---
+
+Password managers allow you to securely store and manage passwords and other credentials with the use of a master password.
+
+[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md)
+
+!!! info
+
+ Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have.
+
+ For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default.
+
+## Felhő-alapú
+
+These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss.
+
+### Bitwarden
+
+!!! recommendation
+
+ ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right }
+
+ **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices.
+
+ [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" }
+
+ ??? 
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744)
+ - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases)
+ - [:simple-windows11: Windows](https://bitwarden.com/download)
+ - [:simple-linux: Linux](https://bitwarden.com/download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh)
+
+Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan).
+
+You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing.
+
+Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server.
+
+**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. 
If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code.
+
+[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation}
+[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute }
+
+### 1Password
+
+!!! recommendation
+
+ ![1Password logo](assets/img/password-management/1password.svg){ align=right }
+
+ **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf).
+
+ [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation}
+
+ ??? 
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8)
+ - [:simple-windows11: Windows](https://1password.com/downloads/windows/)
+ - [:simple-apple: macOS](https://1password.com/downloads/mac/)
+ - [:simple-linux: Linux](https://1password.com/downloads/linux/)
+
+Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality.
+
+Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data.
+
+One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate.
+
+### Psono
+
+!!! recommendation
+
+ ![Psono logo](assets/img/password-management/psono.svg){ align=right }
+
+ **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password.
+
+ [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo)
+ - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client)
+
+Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features.
+
+### Követelmények
+
+**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra.
+
+!!! example "Ez a szakasz új"
+
+ Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must utilize strong, standards-based/modern E2EE.
+- Must have thoroughly documented encryption and security practices.
+- Must have a published audit from a reputable, independent third-party.
+- All non-essential telemetry must be optional.
+- Must not collect more PII than is necessary for billing purposes.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Telemetry should be opt-in (disabled by default) or not collected at all.
+- Should be open-source and reasonably self-hostable.
+
+## Local Storage
+
+These options allow you to manage an encrypted password database locally.
+
+### KeePassXC
+
+!!! recommendation
+
+ ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right }
+
+ **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager.
+
+ [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute }
+
+ ??? 
downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually.
+
+### KeePassDX (Android)
+
+!!! recommendation
+
+ ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right }
+
+ **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development.
+
+ [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free)
+ - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases)
+
+### Strongbox (iOS & macOS)
+
+!!! 
recommendation
+
+ ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right }
+
+ **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license.
+
+ [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731)
+
+Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface.
+
+### Command-line
+
+These products are minimal password managers that can be used within scripting applications.
+
+#### gopass
+
+!!! recommendation
+
+ ![gopass logo](assets/img/password-management/gopass.svg){ align=right }
+
+ **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows).
+
+ [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows)
+ - [:simple-apple: macOS](https://www.gopass.pw/#install-macos)
+ - [:simple-linux: Linux](https://www.gopass.pw/#install-linux)
+ - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd)
+
+### Követelmények
+
+**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra.
+
+!!! example "Ez a szakasz új"
+
+ Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Cross-platformnak kell lennie.
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/productivity.md b/i18n/hu/productivity.md
new file mode 100644
index 00000000..c12259a5
--- /dev/null
+++ b/i18n/hu/productivity.md
@@ -0,0 +1,156 @@
+---
+title: "Produktivitás Eszközök"
+icon: material/file-sign
+---
+
+A legtöbb online irodai programcsomag nem támogatja az E2EE-t, ami azt jelenti, hogy a felhőszolgáltató hozzáfér mindenhez, amit csinálsz. Az adatvédelmi nyilatkozat törvényileg védheti a jogaidat, de nem biztosít technikai hozzáférési korlátokat.
+
+## Kollaborációs Platformok
+
+### Nextcloud
+
+!!! recommendation
+
+ ![Nextcloud logo](assets/img/cloud/nextcloud.svg){ align=right }
+
+ A **Nextcloud** egy ingyenes és nyílt forráskódú kliens-szerver szoftvercsomag, amellyel saját fájltárhely-szolgáltatásokat hozhatsz létre egy privát általad ellenőrzött szerveren.
+
+ [:octicons-home-16: Kezdőlap](https://nextcloud.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Adatvédelmi Nyilatkozat" }
+ [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Dokumentáció}
+ [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Forráskód" }
+ [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Közreműködés }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!! danger
+
+ Nem javasoljuk az [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) használatát a Nextcloudhoz, mivel adatvesztéshez vezethet; ez erősen kísérleti jellegű és nem gyártási minőségű. Emiatt nem ajánljuk a Nextcloud harmadik féltől származó szolgáltatóit.
+
+### CryptPad
+
+!!! recommendation
+
+ ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right }
+
+ A **CryptPad** egy a népszerű irodai eszközök privátra tervezett alternatívája. A webes szolgáltatás minden tartalma végponttól végpontig titkosított, és könnyen megosztható más felhasználókkal.
+
+ [:octicons-home-16: Honlat](https://cryptpad.fr){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Adatvédelmi Nyilatkozat" }
+ [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Dokumentáció}
+ [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Forráskód" }
+ [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Közremőködés }
+
+### Követelmények
+
+**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra.
+
+!!! example "Ez a szakasz új"
+
+ Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Általános esetben az kollaborációs platformokat olyan teljes értékű csomagokként határozzuk meg, amelyek ésszerűen helyettesíthetik az olyan kollaborációs platformokat, mint a Google Drive.
+
+- Nyílt forráskódú.
+- WebDAV-on keresztül elérhetővé tesz fájlokat, kivéve, ha az E2EE miatt nem lehetséges.
+- Szinkronizáló kliensekkel rendelkezik Linux, macOS és Windows rendszerekre.
+- Támogat dokumentum- és táblázatkezelést.
+- Támogat valós idejű dokumentum-kollaborációt.
+- Támogatja a dokumentumok szabványos dokumentumformátumba (pl. ODF) történő exportálását.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Fájlokat egy hagyományos fájlrendszerben kell tárolnia.
+- Támogatnia kell TOTP vagy FIDO2 többfaktoros hitelesítés használatát, vagy Passkey bejelentkezéseket.
+
+## Irodai Programcsomagok
+
+### LibreOffice
+
+!!! recommendation
+
+ ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right }
+
+ **A **LibreOffice** egy ingyenes és nyílt forráskódú irodai programcsomag széleskörű funkcionalitással.
+
+ [:octicons-home-16: Kezdőlap](https://www.libreoffice.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Adatvédelmi Nyilatkozat" }
+ [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Dokumentáció}
+ [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Forráskód" }
+ [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Közreműködés }
+
+ ??? 
downloads
+
+ - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/)
+ - [:simple-apple: macOS](https://www.libreoffice.org/download/download/)
+ - [:simple-linux: Linux](https://www.libreoffice.org/download/download/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/)
+
+### OnlyOffice
+
+!!! recommendation
+
+ ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right }
+
+ Az **OnlyOffice** egy felhőalapú, ingyenes és nyílt forráskódú irodai programcsomag, amely széleskörű funkciókkal rendelkezik, beleértve a Nextclouddal való integrációt is.
+
+ [:octicons-home-16: Kezdőlap](https://www.onlyoffice.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Adatvédelmi Nyilatkozat" }
+ [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Dokumentáció}
+ [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Forráskód" }
+
+ ??? 
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972)
+ - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/)
+
+### Követelmények
+
+**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra.
+
+!!! example "Ez a szakasz új"
+
+ Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Általános esetben az irodai programcsomagokat úgy határozzuk meg, mint olyan alkalmazásokat, amelyek a legtöbb igényt kielégítően helyettesíthetik a Microsoft Wordöt.
+
+- Cross-platformnak kell lennie.
+- Must be open-source software.
+- Működnie kell offline.
+- Támogatnia kell a dokumentumok, táblázatok és diavetítések szerkesztését.
+- Fájlokat szabványos dokumentumformátumba kell exportálnia.
+
+## Paste szolgáltatások
+
+### PrivateBin
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **A **PrivateBin** egy minimalista, nyílt forráskódú online pastebin, ahol a szerver nem ismeri a pastelt adatokat. Az adatok titkosítása/dekódolása a böngészőben történik 256 bites AES használatával. Ez a ZeroBin továbbfejlesztett változata. Van egy [lista a példányokról](https://privatebin.info/directory/).
+
+ [:octicons-home-16: Honlap](https://privatebin.info){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Publikus Példányok"}
+ [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Dokumentáció}
+ [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Forráskód" }
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/real-time-communication.md b/i18n/hu/real-time-communication.md
new file mode 100644
index 00000000..33b34535
--- /dev/null
+++ b/i18n/hu/real-time-communication.md
@@ -0,0 +1,195 @@ +--- +title: "Videó streamelő kliensek" +icon: material/chat-processing +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. 
Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. 
+ + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. 
The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. 
+ +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/router.md b/i18n/hu/router.md new file mode 100644 index 00000000..b6c49932 --- /dev/null +++ b/i18n/hu/router.md 
@@ -0,0 +1,48 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +--- + +Lejjebb bemutatunk néhány alternatív operációs rendszert, amelyek használhatók routereken, Wi-Fi hozzáférési pontokon stb. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + Az **OpenWrt** egy Linux alapú operációs rendszer; elsősorban beágyazott eszközökön használják hálózati forgalom irányítására. Tartalmazza az util-linux, uClibc és BusyBox programokat. Az összes komponens otthoni routerekhez lett optimalizálva. + + [:octicons-home-16: Honlap](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Közreműködés } + +Az OpenWrt [hardvertáblázatában](https://openwrt.org/toh/start) ellenőrizheted, hogy az eszközöd támogatott-e. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + Az **OPNsense** egy nyílt forráskódú, FreeBSD-alapú tűzfal és forgalom irányító platform, amely számos fejlett funkciót tartalmaz, mint például forgalom alakítás, terheléselosztás és VPN-lehetőségek, és számos további funkcióval érhető el bővítmények formájában. Az OPNsense-t általában peremtűzfalként, routerként, vezeték nélküli hozzáférési pontként, DHCP-szerverként, DNS-szerverként és VPN végpontként vetik be. + + A pfSense-t általában perem tűzfalként, routerként, vezeték nélküli hozzáférési pontként, DHCP szerverként, DNS szerverként és VPN végpontként telepítik. 
+ +Az OPNsense eredetileg a [pfSense](https://en.wikipedia.org/wiki/PfSense) forkjaként lett kifejlesztve, és mindkét projekt arról ismert, hogy ingyenes és megbízható tűzfal disztribúciók, amelyek gyakran csak drága kereskedelmi tűzfalakban található funkciókat kínálnak. A 2015-ben indított OPNsense fejlesztői számos biztonsági és kódminőségi problémára, a Netgate általi többségi pfSense felvásárlásra, valamint a pfSense projekt jövőbeli irányára [hivatkozva](https://docs.opnsense.org/history/thefork.html) a pfSense-el kapcsolatban úgy érezték, hogy ezek miatt az aggályok miatt szükségessé vált egy projekt fork létrehozása. + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Nyílt forráskódúnak kell lennie. +- Rendszeres frissítéseket kell kapnia. +- Must support a wide variety of hardware. + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/search-engines.md b/i18n/hu/search-engines.md new file mode 100644 index 00000000..7ca2643d --- /dev/null +++ b/i18n/hu/search-engines.md 
@@ -0,0 +1,109 @@ +--- +title: "Search Engines" +icon: material/search-web +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! 
recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! 
recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. 
The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. 
+ +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/hu/tools.md b/i18n/hu/tools.md new file mode 100644 index 00000000..6a603a40 --- /dev/null +++ b/i18n/hu/tools.md 
@@ -0,0 +1,443 @@ +--- +title: "Adatvédelmi Eszközök" +icon: material/tools +hide: + - toc +--- + +Ha valamilyen konkrét megoldást keresel, ezek a hardver- és szoftvereszközök amiket ajánlunk, különböző kategóriákban. Az általunk ajánlott adatvédelmi eszközöket elsősorban biztonsági funkciók alapján választottuk ki, további hangsúlyt fektetve a decentralizált és nyílt forráskódú eszközökre. Ezek számos védelmi modellre alkalmazhatók, globális tömeges megfigyelési programok elleni védelemtől kezdve, big tech cégek elkerüléstől, támadások enyhítéséig, de csak te tudod meghatározni, hogy a te igényeidek mi felel meg a legjobban. + +Ha segítségre kérnél a legjobb adatvédelmi eszközök és alternatív programok kiválasztásához a munkaterhelésedhez/felhasználási módodhoz illően, indíts el egy beszélgetést a [fórumon](https://discuss.privacyguides.net/), vagy a [Matrix](https://matrix.to/#/#privacyguides:matrix.org) közösségünkben! + +Ha további információt szeretnél megtudni az egyes projektekről, hogy miért választottuk őket, és további tippekről vagy trükkökről amiket ajánlunk, kattints az egyes szakaszokban található "További információ" linkre, vagy kattints magára az ajánlásra, hogy az oldal ahhoz az adott szakaszához lépj. + +## Tor Hálózat + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Böngésző](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Okostelefon Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake nem növeli az adatvédelmet, azonban lehetővé teszi, hogy könnyedén hozzájárulj a Tor-hálózathoz, és segíts a cenzúrázott hálózatokon lévő embereknek jobb adatvédelmet elérni. + +[További információ :material-arrow-right-drop-circle:](tor.md) + +## Asztali Web Böngészők + +
+ +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[További információ :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Android + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[További információ :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobil Web Böngészők + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[További információ :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Android + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard iOS-hez](mobile-browsers.md#adguard) + +
+ +[További információ :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operációs Rendszerek + +### Mobil + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[További információ :material-arrow-right-drop-circle:](android.md) + +#### Android Alkalmazások + +
+ +- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Kliens)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Munka Profilok)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Támogatott Eszközök)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[További információ :material-arrow-right-drop-circle:](android.md#general-apps) + +### Asztal/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Disztribúció)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Élő Boot)](desktop.md#tails) + +
+
+[További információ :material-arrow-right-drop-circle:](desktop.md)
+
+### Router Firmware
+
+
+
+- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt)
+- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense)
+
+
+
+[További információ :material-arrow-right-drop-circle:](router.md)
+
+## Szolgáltatók
+
+### Felhőtárhely
+
+
+
+- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive)
+
+
+
+[További információ :material-arrow-right-drop-circle:](cloud.md)
+
+### DNS
+
+#### DNS Szolgáltatók
+
+Számos követelmény alapján [ajánlunk](dns.md#recommended-providers) több titkosított DNS szervert, mint [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) és [Quad9](https://quad9.net/) többek között. Javasoljuk, hogy egy szolgáltató kiválasztása előtt olvasd el a DNS-ről szóló oldalainkat. Sok esetben nem ajánlott alternatív DNS-szolgáltató használata.
+
+[További információ :material-arrow-right-drop-circle:](dns.md)
+
+#### Encrypted DNS Proxies
+
+
+
+- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns)
+- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy)
+
+
+
+[További információ :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies)
+
+#### Self-hosted Solutions
+
+
+
+- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home)
+- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole)
+
+
+
+[További információ :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions)
+
+### Email
+
+
+
+- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail)
+- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg)
+- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail)
+- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota)
+
+
+
+[További információ :material-arrow-right-drop-circle:](email.md)
+
+#### Email Aliasing Services
+
+
+
+- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy)
+- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin)
+
+
+
+[További információ :material-arrow-right-drop-circle:](email.md#email-aliasing-services)
+
+#### Self-Hosting Email
+
+
+
+- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email)
+- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email)
+
+
+
+[További információ :material-arrow-right-drop-circle:](email.md#self-hosting-email)
+
+### Search Engines
+
+
+
+- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search)
+- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo)
+- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng)
+- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage)
+
+
+
+[További információ :material-arrow-right-drop-circle:](search-engines.md)
+
+### VPN Szolgáltatók
+
+??? danger "VPNs do not provide anonymity"
+
+ Egy VPN használata **nem** fogja anonimizálni a böngészési szokásaidat, és nem biztosít további védelmet nem biztonságos (HTTP) forgalomnak.
+
+ Ha **anonimitást** keresel, akkor a Tor böngészőt érdemes használnod egy VPN **helyett**.
+
+ Ha több **biztonságot** keresel, mindig győződj meg arról, hogy a weboldalakhoz HTTPS használatával csatlakozol. Egy VPN nem helyettesít helyes biztonsági gyakorlatokat.
+
+ [További információ :material-arrow-right-drop-circle:](vpn.md)
+
+
+
+- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn)
+- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn)
+- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad)
+
+
+
+[További információ :material-arrow-right-drop-circle:](vpn.md)
+
+## Szoftver
+
+### Naptár Szinkronizálás
+
+
+
+- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota)
+- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar)
+
+
+
+[További információ :material-arrow-right-drop-circle:](calendar.md)
+
+### Adat és Metaadat Eltávolítás
+
+
+
+- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2)
+- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android)
+- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios)
+- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur)
+- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool)
+
+
+
+[További információ :material-arrow-right-drop-circle:](data-redaction.md)
+
+### Email kliensek
+
+
+
+- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird)
+- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos)
+- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios)
+- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android)
+- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome)
+- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android)
+- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde)
+- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP szabványos webmailben)](email-clients.md#mailvelope-browser)
+- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli)
+
+
+
+[További információ :material-arrow-right-drop-circle:](email-clients.md)
+
+### Titkosító Szoftverek
+
+??? info "Operációs Rendszer Lemez Titkosítás"
+
+ Az operációs rendszer meghajtódnak a titkosításához általában az operációs rendszer által biztosított titkosítási eszközt javasoljuk, legyen az **BitLocker** Windowson, **FileVault** macOS-en, vagy **LUKS** Linuxon. Ezek az eszközök az operációs rendszer részét képezik, és általában olyan hardveres titkosítási elemeket használnak, mint például a TPM, amit más teljes lemez titkosító szoftverek, például a VeraCrypt nem. A VeraCrypt továbbra is alkalmas nem operációs rendszer lemezek, például külső meghajtók számára, különösen olyan meghajtók esetében, amelyekhez több operációs rendszerből is hozzáférhetnek.
+
+ [További információ :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde)
+
+
+
+- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud)
+- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file)
+- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (TLT)](encryption.md#veracrypt-disk)
+- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Böngésző alapú)](encryption.md#hatsh)
+- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor)
+- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb)
+
+
+
+[További információ :material-arrow-right-drop-circle:](encryption.md)
+
+#### OpenPGP Kliensek
+
+
+
+- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard)
+- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win)
+- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite)
+- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain)
+
+
+
+[További információ :material-arrow-right-drop-circle:](encryption.md#openpgp)
+
+### Fájlmegosztás és Szinkronizálás
+
+
+
+- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send)
+- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare)
+- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox)
+- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Sajár Üzemeltetésű)](productivity.md#nextcloud)
+- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing)
+
+
+
+[További információ :material-arrow-right-drop-circle:](file-sharing.md)
+
+### Frontendek
+
+
+
+- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian)
+- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter)
+- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Asztal)](frontends.md#freetube)
+- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee)
+- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android)
+- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android)
+- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious)
+- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped)
+
+
+
+[További információ :material-arrow-right-drop-circle:](frontends.md)
+
+### Többfaktoros Hitelesítési Eszközök
+
+
+
+- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey)
+- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key)
+- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator)
+- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp)
+
+
+
+[További információ :material-arrow-right-drop-circle:](multi-factor-authentication.md)
+
+### Híraggregátorok
+
+
+
+- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator)
+- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder)
+- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader)
+- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds)
+- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux)
+- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire)
+- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat)
+
+
+
+[További információ :material-arrow-right-drop-circle:](news-aggregators.md)
+
+### Jegyzetfüzetek
+
+
+
+- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin)
+- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes)
+- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee)
+- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode)
+
+
+
+[További információ :material-arrow-right-drop-circle:](notebooks.md)
+
+### Jelszókezelők
+
+
+
+- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden)
+- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password)
+- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono)
+- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc)
+- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android)
+- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS és macOS)](passwords.md#strongbox-ios-macos)
+- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass)
+
+
+
+[További információ :material-arrow-right-drop-circle:](passwords.md)
+
+### Produktivitás Eszközök
+
+
+
+- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Saját Üzemeltetésű)](productivity.md#nextcloud)
+- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice)
+- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice)
+- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad)
+- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin)
+
+
+
+[További információ :material-arrow-right-drop-circle:](productivity.md)
+
+### Videó streamelő kliensek
+
+
+
+- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal)
+- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar-android)
+- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat)
+- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element)
+- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session)
+
+
+
+[További információ :material-arrow-right-drop-circle:](real-time-communication.md)
+
+### Videó Streamelő Kliensek
+
+
+
+- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry)
+
+
+
+[További információ :material-arrow-right-drop-circle:](video-streaming.md)
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/tor.md
new file mode 100644
index 00000000..2098dcd6
--- /dev/null
+++ b/i18n/hu/tor.md
@@ -0,0 +1,124 @@
+---
+title: "Tor Hálózat"
+icon: simple/torproject
+---
+
+![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right }
+
+The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool.
+
+[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage }
+[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation}
+[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity.
+
+
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+
+- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md)
+
+## Connecting to Tor
+
+There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser.
+
+### Tor Browser
+
+!!! recommendation
+
+ ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right }
+
+ **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*.
+
+ [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
+ - [:simple-android: Android](https://www.torproject.org/download/#android)
+ - [:simple-windows11: Windows](https://www.torproject.org/download/)
+ - [:simple-apple: macOS](https://www.torproject.org/download/)
+ - [:simple-linux: Linux](https://www.torproject.org/download/)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor)
+
+!!! danger
+
+ You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
+
+The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/).
+
+### Orbot
+
+!!! recommendation
+
+ ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right }
+
+ **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network.
+
+ [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599)
+ - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases)
+
+For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to.
+
+!!! tip "Tips for Android"
+
+ Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+ Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead.
+
+ All versions are signed using the same signature so they should be compatible with each other.
+
+## Relays and Bridges
+
+### Snowflake
+
+!!! recommendation
+
+ ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right }
+ ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right }
+
+ **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser.
+
+ People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge.
+
+ [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie)
+ - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy")
+
+??? tip "Embedded Snowflake"
+
+ You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface.
+
+
+
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html).
+
+Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours.
+
+Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy.
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/video-streaming.md
new file mode 100644
index 00000000..004d1c16
--- /dev/null
+++ b/i18n/hu/video-streaming.md
@@ -0,0 +1,52 @@
+---
+title: "Videó Streamelés"
+icon: material/video-wireless
+---
+
+A videó streamelő platformok használatakor az az elsődleges veszély, hogy a streaming-szokásaid és feliratkozás listáid felhasználhatók profilalkotásra rólad. Ezeket az eszközöket érdemes keverned egy [VPN](vpn.md)-nel vagy [Tor](https://www.torproject.org/)-ra, hogy megnehezítsd a felhasználás szokásaidról készített profilalkotást.
+
+## LBRY
+
+!!! recommendation
+
+ ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right }
+
+ **A LBRY hálózat** egy decentralizált videómegosztó hálózat. Egy [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-szerű hálózatot használ a videotartalom tárolására, és egy [blockchain](https://wikipedia.org/wiki/Blockchain) hálózatot a videók indexeinek tárolására. Ennek a kialakításnak a fő előnye a cenzúrával szembeni ellenállás.
+
+ **A LBRY asztali kliens** segít videókat streamelni a LBRY hálózatról, és a feliratkozás listádat a saját LBRY tárcádban tárolni.
+
+ [:octicons-home-16: Honlap](https://lbry.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Adatvédelmi Nyilatkozat" }
+ [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Dokumentáció}
+ [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Forráskód" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://lbry.com/windows)
+ - [:simple-apple: macOS](https://lbry.com/osx)
+ - [:simple-linux: Linux](https://lbry.com/linux)
+
+!!! note
+
+ Csak az **LBRY asztali kliens** használata ajánlott, mivel a [Odysee](https://odysee.com) weboldal és az F-Droid, a Play Store, valamint az App Store LBRY kliensei kötelező szinkronizcióval és telemetriával rendelkeznek.
+
+!!! warning
+
+ Videók megtekintése és kiszolgálása közben az IP-címed látható a LBRY-hálózat számára. Fontold meg egy [VPN](vpn.md) vagy a [Tor](https://www.torproject.org) használatát, ha a [védelmi modelled](basics/threat-modeling.md) igényli az IP-címed elrejtését.
+
+A tárcád szinkronizálását a LBRY Inc.-kel **nem ajánljuk**, mivel titkosított pénztárcák szinkronizálása még nem támogatott. Ha szinkronizálod a tárcád a LBRY Inc.-kel, meg kell bennük bíznod, hogy nem nézik meg az feliratkozás listádat, [LBC](https://lbry.com/faq/earn-credits) pénzösszegeidet, vagy nem veszik át az irányítást a csatornád felett.
+
+You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time.
+
+## Követelmények
+
+**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** A [szabványos kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra.
+
+!!! example "Ez a szakasz új"
+
+ Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Nem igényelhet egy központi fiókot videók megtekintéséhez.
+ - Elfogadható a decentralizált hitelesítés, mint például a mobiltárca privát kulcsán keresztül.
+
+--8<-- "includes/abbreviations.hu.txt"
diff --git a/i18n/hu/vpn.md
new file mode 100644
index 00000000..516deccd
--- /dev/null
+++ b/i18n/hu/vpn.md
@@ -0,0 +1,323 @@ +--- +title: "VPN Services" +icon: material/vpn +--- + +Find a no-logging VPN operator who isn’t out to sell or read your web traffic. + +??? danger "VPNs do not provide anonymity" + + Egy VPN használata **nem** fogja anonimizálni a böngészési szokásaidat, és nem biztosít további védelmet nem biztonságos (HTTP) forgalomnak. + + Ha **anonimitást** keresel, akkor a Tor böngészőt érdemes használnod egy VPN **helyett**. + + Ha több **biztonságot** keresel, mindig győződj meg arról, hogy a weboldalakhoz HTTPS használatával csatlakozol. Egy VPN nem helyettesít helyes biztonsági gyakorlatokat. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +??? question "When are VPNs useful?" + + If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. + + [More Info](basics/vpn-overview.md){ .md-button } + +## Recommended Providers + +!!! abstract "Criteria" + + Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#our-criteria) for more information. + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +??? success annotate "67 Countries" + + Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). 
A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +??? success "Open-Source Clients" + + Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +??? success "Accepts Cash" + + Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment. + +??? success "WireGuard Support" + + Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +??? warning "Remote Port Forwarding" + + Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +??? 
info "Additional Functionality" + + Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +!!! danger "Killswitch feature is broken on Intel-based Macs" + + System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +??? success annotate "35 Countries" + + IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1). 
Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +??? success "Open-Source Clients" + + As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +??? success "Accepts Cash and Monero" + + In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +??? success "WireGuard Support" + + IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. 
+ + IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +??? info "Additional Functionality" + + IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. 
+ + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +??? success annotate "41 Countries" + + Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2023-01-19 + +??? success "Independently Audited" + + Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). 
The security researchers concluded: + + > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + + In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + + > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + + In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +??? success "Open-Source Clients" + + Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +??? 
success "Accepts Cash and Monero" + + Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +??? success "WireGuard Support" + + Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "IPv6 Support" + + Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +??? 
success "Mobile Clients" + + Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +??? info "Additional Functionality" + + Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +## Követelmények + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. 
+ +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- Monero or cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts Monero, cash, and other forms of anonymous payment options (gift cards, etc.) +- No personal information accepted (autogenerated username, no email required, etc.) 
+ +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. 
We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. + +--8<-- "includes/abbreviations.hu.txt" diff --git a/i18n/id/404.md b/i18n/id/404.md new file mode 100644 index 00000000..008b57ea --- /dev/null +++ b/i18n/id/404.md 
@@ -0,0 +1,17 @@ +--- +hide: + - feedback +--- + +# 404 - Tidak Ditemukan + +Kami tidak dapat menemukan laman yang Anda cari! Mungkin Anda sedang mencari salah satu dari ini? + +- [Pengantar Pemodelan Ancaman](basics/threat-modeling.md) +- [Penyedia DNS yang Direkomendasikan](dns.md) +- [Peramban Web Desktop Terbaik](desktop-browsers.md) +- [Penyedia VPN Terbaik](vpn.md) +- [Forum Privacy Guides](https://discuss.privacyguides.net) +- [Blog Kami](https://blog.privacyguides.org) + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/CODE_OF_CONDUCT.md b/i18n/id/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/id/CODE_OF_CONDUCT.md 
@@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. 
**Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. 
diff --git a/i18n/id/about/criteria.md b/i18n/id/about/criteria.md new file mode 100644 index 00000000..0533da31 --- /dev/null +++ b/i18n/id/about/criteria.md 
@@ -0,0 +1,42 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. 
+ +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/about/donate.md b/i18n/id/about/donate.md new file mode 100644 index 00000000..c41e3ab4 --- /dev/null +++ b/i18n/id/about/donate.md 
@@ -0,0 +1,52 @@
+---
+title: Supporting Us
+---
+
+
+It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides).
+
+If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers.
+
+[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary}
+
+Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you.
+
+If you already make use of GitHub sponsorships, you can also sponsor our organization there.
+
+[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button}
+
+## Backers
+
+A special thanks to all those who support our mission! :heart:
+
+*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.*
+
+
+
+## How We Use Donations
+
+Privacy Guides is a **non-profit** organization.
We use donations for a variety of purposes, including:
+
+**Domain Registrations**
+:
+
+We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration.
+
+**Web Hosting**
+:
+
+Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic.
+
+**Online Services**
+:
+
+We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.).
+
+**Product Purchases**
+:
+
+We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md).
+
+We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org).
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/about/index.md b/i18n/id/about/index.md
new file mode 100644
index 00000000..ce337962
--- /dev/null
+++ b/i18n/id/about/index.md
@@ -0,0 +1,63 @@
+---
+title: "Tentang Privacy Guides"
+---
+
+**Privacy Guides** adalah situs web bermotif sosial yang menyediakan informasi untuk melindungi keamanan dan privasi data Anda. Kami adalah kolektif nirlaba yang dioperasikan sepenuhnya oleh [anggota tim](https://discuss.privacyguides.net/g/team) dan kontributor sukarelawan.
+
+[:material-hand-coin-outline: Dukung proyek ini](donate.md ""){.md-button.md-button--primary}
+
+## Tim Kami
+
+??? person "@jonah"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah)
+ - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon")
+ - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me}
+ - [:fontawesome-solid-house: Beranda](https://www.jonaharagon.com)
+
+??? person "@niek-de-wilde"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde)
+ - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447")
+ - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me}
+
+??? person "@dngray"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray)
+ - [:simple-github: GitHub](https://github.com/dngray "@dngray")
+ - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me}
+ - [:fontawesome-solid-envelope: Surel](mailto:dngray@privacyguides.org)
+
+??? person "@freddy"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy)
+ - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m")
+ - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me}
+ - [:fontawesome-solid-envelope: Surel](mailto:freddy@privacyguides.org)
+ - [:fontawesome-solid-house: Beranda](https://freddy.omg.lol)
+
+???
person "@mfwmyfacewhen"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen)
+ - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen")
+ - [:fontawesome-solid-house: Beranda](https://mfw.omg.lol)
+
+??? person "@olivia"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia)
+ - [:simple-github: GitHub](https://github.com/hook9 "@hook9")
+ - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me}
+
+Selain itu, [banyak orang](https://github.com/privacyguides/privacyguides.org/graphs/contributors) telah memberikan kontribusi ke proyek ini. Anda juga bisa, kami bersumber terbuka di GitHub!
+
+Anggota tim kami meninjau semua perubahan yang dilakukan pada situs web dan menangani tugas-tugas administratif seperti layanan web dan keuangan, namun mereka tidak mendapatkan keuntungan pribadi dari setiap kontribusi yang dibuat untuk situs ini. Keuangan kami dikelola secara transparan oleh Open Collective Foundation 501(c)(3) di [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donasi untuk Privacy Guides umumnya dapat dikurangkan dari pajak di Amerika Serikat.
+
+## Lisensi Situs
+
+*Berikut ini adalah ringkasan yang dapat dibaca oleh manusia (dan bukan pengganti) lisensi [](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):*
+
+:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE).
This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material.
+
+This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space!
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/about/notices.md b/i18n/id/about/notices.md
new file mode 100644
index 00000000..2df99cb9
--- /dev/null
+++ b/i18n/id/about/notices.md
@@ -0,0 +1,45 @@
+---
+title: "Notices and Disclaimers"
+hide:
+ - toc
+---
+
+## Legal Disclaimer
+
+Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship.
+
+Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward.
+
+Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site.
+
+Privacy Guides additionally does not warrant that this website will be constantly available, or available at all.
+
+## Licenses
+
+Unless otherwise noted, all content on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE).
+
+This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive:
+
+* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt).
+
+Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE).
+
+This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo.
+
+We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use.
*When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.*
+
+When you contribute to this repository you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project.
+
+## Acceptable Use
+
+You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity.
+
+You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including:
+
+* Excessive Automated Scans
+* Denial of Service Attacks
+* Scraping
+* Data Mining
+* 'Framing' (IFrames)
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/about/privacy-policy.md b/i18n/id/about/privacy-policy.md
new file mode 100644
index 00000000..e4045239
--- /dev/null
+++ b/i18n/id/about/privacy-policy.md
@@ -0,0 +1,63 @@
+---
+title: "Privacy Policy"
+---
+
+Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people).
+
+## Data We Collect From Visitors
+
+The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website:
+
+- No personal information is collected
+- No information such as cookies are stored in the browser
+- No information is shared with, sent to or sold to third-parties
+- No information is shared with advertising companies
+- No information is mined and harvested for personal and behavioral trends
+- No information is monetized
+
+You can view the data we collect on our [statistics](statistics.md) page.
+
+We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected.
+
+Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy).
+
+## Data We Collect From Account Holders
+
+On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform.
+
+To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site.
+
+We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services.
+
+We use your email to:
+
+- Notify you about posts and other activity on the websites or services.
+- Reset your password and help keep your account secure.
+- Contact you in special circumstances related to your account.
+- Contact you about legal requests, such as DMCA takedown requests.
+
+On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time.
+
+We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days.
+
+## Contacting Us
+
+The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to:
+
+```text
+Jonah Aragon
+Services Administrator
+jonah@privacyguides.org
+```
+
+For all other inquiries, you can contact any member of our team.
+
+For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use.
+
+## About This Policy
+
+We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document.
In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time.
+
+A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub.
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/about/privacytools.md b/i18n/id/about/privacytools.md
new file mode 100644
index 00000000..6faff234
--- /dev/null
+++ b/i18n/id/about/privacytools.md
@@ -0,0 +1,120 @@
+---
+title: "PrivacyTools FAQ"
+---
+
+# Why we moved on from PrivacyTools
+
+In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted.
+
+Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition.
+
+After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions.
+
+## What is PrivacyTools?
+
+PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations.
The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc.
+
+Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested.
+
+## Why We Moved On
+
+In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again.
+
+In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.==
+
+## Domain Name Reliance
+
+At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment.
+
+The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place.
+
+Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service.
This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome.
+
+In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition.
+
+## Community Call to Action
+
+At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped.
+
+## Control of r/privacytoolsIO
+
+Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit.
+
+Reddit requires that subreddits have active moderators.
If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms.
+
+> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer.
+>
+> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct).
+
+## Beginning the Transition
+
+On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain:
+
+> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc.
+
+This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/)
+
+- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org).
+- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site.
+- Posting announcements to our subreddit and various other communities informing people of the official change.
+- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible.
+
+Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped.
+
+## Following Events
+
+Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project.
+
+At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible).
+
+Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services.
+
+Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration.
BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so.
+
+BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim.
+
+## PrivacyTools.io Now
+
+As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs.
+
+==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder.
+
+## r/privacytoolsIO Now
+
+After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021:
+
+> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you.
+>
+> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...]
+
+Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides.
+
+In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules:
+
+> Retaliation from any moderator with regards to removal requests is disallowed.
+
+For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is.
+
+## OpenCollective Now
+
+Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community.
+
+Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer:
+
+> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net.
+
+## Further Reading
+
+This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion.
+
+- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/)
+- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/)
+- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/)
+- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides)
+- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280)
+- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/)
+- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/)
+- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496)
+- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20)
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/about/services.md b/i18n/id/about/services.md
new file mode 100644
index 00000000..f1978204
--- /dev/null
+++ b/i18n/id/about/services.md
@@ -0,0 +1,40 @@
+# Privacy Guides Services
+
+We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below.
+
+[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary}
+
+## Discourse
+
+- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net)
+- Availability: Public
+- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse)
+
+## Gitea
+
+- Domain: [code.privacyguides.dev](https://code.privacyguides.dev)
+- Availability: Invite-Only
+ Access may be granted upon request to any team working on *Privacy Guides*-related development or content.
+- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea)
+
+## Matrix
+
+- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org)
+- Availability: Invite-Only
+ Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence.
+- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy)
+
+## SearXNG
+
+- Domain: [search.privacyguides.net](https://search.privacyguides.net)
+- Availability: Public
+- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker)
+
+## Invidious
+
+- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net)
+- Availability: Semi-Public
+ We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time.
+- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious)
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/about/statistics.md b/i18n/id/about/statistics.md new file mode 100644 index 00000000..ed8abba4 --- /dev/null +++ b/i18n/id/about/statistics.md @@ -0,0 +1,63 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/advanced/communication-network-types.md b/i18n/id/advanced/communication-network-types.md new file mode 100644 index 00000000..37c3ec5d --- /dev/null +++ b/i18n/id/advanced/communication-network-types.md 
@@ -0,0 +1,104 @@
+---
+title: "Types of Communication Networks"
+icon: 'material/transit-connection-variant'
+---
+
+There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use.
+
+[Recommended Instant Messengers](../real-time-communication.md ""){.md-button}
+
+## Centralized Networks
+
+![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left }
+
+Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization.
+
+Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate.
+
+**Advantages:**
+
+- New features and changes can be implemented more quickly.
+- Easier to get started with and to find contacts.
+- Most mature and stable features ecosystems, as they are easier to program in a centralized software.
+- Privacy issues may be reduced when you trust a server that you're self-hosting.
+
+**Disadvantages:**
+
+- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like:
+- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage.
+- Poor or no documentation for third-party developers.
+- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on.
+- Self-hosting requires effort and knowledge of how to set up a service.
+
+## Federated Networks
+
+![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left }
+
+Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network.
+
+When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server).
+
+**Advantages:**
+
+- Allows for greater control over your own data when running your own server.
+- Allows you to choose whom to trust your data with by choosing between multiple "public" servers.
+- Often allows for third-party clients which can provide a more native, customized, or accessible experience.
+- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member).
+
+**Disadvantages:**
+
+- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network.
+- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion.
+- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used).
+- Federated servers generally require trusting your server's administrator.
They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used.
+- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers.
+
+## Peer-to-Peer Networks
+
+![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left }
+
+P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server.
+
+Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol).
+
+Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient.
+
+P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting.
+
+**Advantages:**
+
+- Minimal information is exposed to third-parties.
+- Modern P2P platforms implement E2EE by default.
There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models.
+
+**Disadvantages:**
+
+- Reduced feature set:
+- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online.
+- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online.
+- Some common messenger features may not be implemented or incompletely, such as message deletion.
+- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention.
+
+## Anonymous Routing
+
+![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left }
+
+A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three.
+
+There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can.
Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers."
+
+Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit.
+
+**Advantages:**
+
+- Minimal to no information is exposed to other parties.
+- Messages can be relayed in a decentralized manner even if one of the parties is offline.
+
+**Disadvantages:**
+
+- Slow message propagation.
+- Often limited to fewer media types, mostly text, since the network is slow.
+- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline.
+- More complex to get started, as the creation and secured backup of a cryptographic private key is required.
+- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion.
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/advanced/dns-overview.md b/i18n/id/advanced/dns-overview.md
new file mode 100644
index 00000000..7bc2e902
--- /dev/null
+++ b/i18n/id/advanced/dns-overview.md
@@ -0,0 +1,307 @@
+---
+title: "DNS Overview"
+icon: material/dns
+---
+
+The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers.
+
+## What is DNS?
+
+When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned.
+
+DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol).
+
+Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP.
+
+Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns).
+
+### Unencrypted DNS
+
+1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow.
This command records packets that meet the rules specified:
+
+ ```bash
+ tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8
+ ```
+
+2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS.
+
+ === "Linux, macOS"
+
+ ```
+ dig +noall +answer privacyguides.org @1.1.1.1
+ dig +noall +answer privacyguides.org @8.8.8.8
+ ```
+ === "Windows"
+
+ ```
+ nslookup privacyguides.org 1.1.1.1
+ nslookup privacyguides.org 8.8.8.8
+ ```
+
+3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results:
+
+ === "Wireshark"
+
+ ```
+ wireshark -r /tmp/dns.pcap
+ ```
+
+ === "tshark"
+
+ ```
+ tshark -r /tmp/dns.pcap
+ ```
+
+If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer.
+
+| No.
| Time | Source | Destination | Protocol | Length | Info |
+| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- |
+| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT |
+| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT |
+| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT |
+| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT |
+
+An observer could modify any of these packets.
+
+## What is "encrypted DNS"?
+
+Encrypted DNS can refer to one of a number of protocols, the most common ones being:
+
+### DNSCrypt
+
+[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh).
+
+### DNS over TLS (DoT)
+
+[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237.
Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls.
+
+### DNS over HTTPS (DoH)
+
+[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83.
+
+Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies).
+
+## What can an outside party see?
+
+In this example we will record what happens when we make a DoH request:
+
+1. First, start `tshark`:
+
+ ```bash
+ tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1"
+ ```
+
+2. Second, make a request with `curl`:
+
+ ```bash
+ curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org
+ ```
+
+3. After making the request, we can stop the packet capture with CTRL + C.
+
+4. Analyse the results in Wireshark:
+
+ ```bash
+ wireshark -r /tmp/dns_doh.pcap
+ ```
+
+We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection.
When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned.
+
+## Why **shouldn't** I use encrypted DNS?
+
+In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity.
+
+When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS:
+
+### IP Address
+
+The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides.
+
+This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet.
+
+### Server Name Indication (SNI)
+
+Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection.
+
+1. Start capturing again with `tshark`.
We've added a filter with our IP address so you don't capture many packets:
+
+ ```bash
+ tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105
+ ```
+
+2. Then we visit [https://privacyguides.org](https://privacyguides.org).
+
+3. After visiting the website, we want to stop the packet capture with CTRL + C.
+
+4. Next we want to analyze the results:
+
+ ```bash
+ wireshark -r /tmp/pg.pcap
+ ```
+
+ We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello".
+
+5. Expand the triangle ▸ next to each field:
+
+ ```text
+ ▸ Transport Layer Security
+ ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello
+ ▸ Handshake Protocol: Client Hello
+ ▸ Extension: server_name (len=22)
+ ▸ Server Name Indication extension
+ ```
+
+6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value:
+
+ ```bash
+ tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name
+ ```
+
+This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak.
+
+Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so.
Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted.
+
+### Online Certificate Status Protocol (OCSP)
+
+Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted.
+
+The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status.
+
+We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command.
+
+1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file:
+
+ ```bash
+ openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 |
+ sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert
+ ```
+
+2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate.
+
+ ```bash
+ openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 |
+ sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert
+ ```
+
+3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1.
We can use `sed` again to delete until the first instance of END:
+
+ ```bash
+ sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \
+ /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert
+ ```
+
+4. Get the OCSP responder for the server certificate:
+
+ ```bash
+ openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert
+ ```
+
+ Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use:
+
+ ```bash
+ openssl x509 -text -noout -in /tmp/pg_server.cert
+ ```
+
+5. Start the packet capture:
+
+ ```bash
+ tshark -w /tmp/pg_ocsp.pcap -f "tcp port http"
+ ```
+
+6. Make the OCSP request:
+
+ ```bash
+ openssl ocsp -issuer /tmp/intermediate_chain.cert \
+ -cert /tmp/pg_server.cert \
+ -text \
+ -url http://r3.o.lencr.org
+ ```
+
+7. Open the capture:
+
+ ```bash
+ wireshark -r /tmp/pg_ocsp.pcap
+ ```
+
+ There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field:
+
+ ```bash
+ ▸ Online Certificate Status Protocol
+ ▸ tbsRequest
+ ▸ requestList: 1 item
+ ▸ Request
+ ▸ reqCert
+ serialNumber
+ ```
+
+ For the "Response" we can also see the "serial number":
+
+ ```bash
+ ▸ Online Certificate Status Protocol
+ ▸ responseBytes
+ ▸ BasicOCSPResponse
+ ▸ tbsResponseData
+ ▸ responses: 1 item
+ ▸ SingleResponse
+ ▸ certID
+ serialNumber
+ ```
+
+8. Or use `tshark` to filter the packets for the Serial Number:
+
+ ```bash
+ tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber
+ ```
+
+If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers.
It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? 
+
+A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server).
+
+Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
+
+## What is EDNS Client Subnet (ECS)?
+
+The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query.
+
+It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps.
+
+This feature does come at a privacy cost, as it tells the DNS server some information about the client's location.
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/advanced/tor-overview.md b/i18n/id/advanced/tor-overview.md
new file mode 100644
index 00000000..f2f54a1a
--- /dev/null
+++ b/i18n/id/advanced/tor-overview.md
@@ -0,0 +1,81 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building + +Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +--8<-- "includes/abbreviations.id.txt" + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. 
The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/id/android.md b/i18n/id/android.md new file mode 100644 index 00000000..1a28ee46 --- /dev/null +++ b/i18n/id/android.md 
@@ -0,0 +1,353 @@ +--- +title: "Android" +icon: 'simple/android' +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +- [General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md) +- [Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! 
recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! 
recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). 
All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. 
For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. 
Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). 
If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! 
recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! 
recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). 
If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. 
+ +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. 
+ + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. 
While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Operating Systems + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/assets/img/account-deletion/exposed_passwords.png b/i18n/id/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/id/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/id/assets/img/android/rss-apk-dark.png b/i18n/id/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/id/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/id/assets/img/android/rss-apk-light.png b/i18n/id/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/id/assets/img/android/rss-apk-light.png differ 
diff --git a/i18n/id/assets/img/android/rss-changes-dark.png b/i18n/id/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/id/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/id/assets/img/android/rss-changes-light.png b/i18n/id/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/id/assets/img/android/rss-changes-light.png differ diff --git a/i18n/id/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/id/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/id/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/id/assets/img/how-tor-works/tor-encryption.svg b/i18n/id/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/id/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/id/assets/img/how-tor-works/tor-path-dark.svg b/i18n/id/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/id/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/id/assets/img/how-tor-works/tor-path.svg b/i18n/id/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/id/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/id/assets/img/multi-factor-authentication/fido.png b/i18n/id/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/id/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/id/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/id/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/id/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/id/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/id/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/id/assets/img/qubes/qubes-trust-level-architecture.png differ 
diff --git a/i18n/id/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/id/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/id/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/id/basics/account-creation.md b/i18n/id/basics/account-creation.md new file mode 100644 index 00000000..7793be8a --- /dev/null +++ b/i18n/id/basics/account-creation.md 
@@ -0,0 +1,82 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. 
+ +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. 
This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. 
Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. + +--8<-- "includes/abbreviations.id.txt" 
diff --git a/i18n/id/basics/account-deletion.md b/i18n/id/basics/account-deletion.md new file mode 100644 index 00000000..686524a5 --- /dev/null +++ b/i18n/id/basics/account-deletion.md @@ -0,0 +1,63 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. 
It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. 
+ +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. 
+ +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/basics/common-misconceptions.md b/i18n/id/basics/common-misconceptions.md new file mode 100644 index 00000000..ebcdb0f3 --- /dev/null +++ b/i18n/id/basics/common-misconceptions.md 
@@ -0,0 +1,61 @@ +--- +title: "Common Misconceptions" +icon: 'material/robot-confused' +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. 
You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. 
==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. 
This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +--8<-- "includes/abbreviations.id.txt" + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/id/basics/common-threats.md b/i18n/id/basics/common-threats.md new file mode 100644 index 00000000..99de9949 --- /dev/null +++ b/i18n/id/basics/common-threats.md 
@@ -0,0 +1,149 @@
+---
+title: "Common Threats"
+icon: 'material/eye-outline'
+---
+
+Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat.
+
+- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically.
+- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically.
+- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
+- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
+- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities.
+- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
+- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public.
+- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online.
+
+Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices.
+
+## Anonymity vs. Privacy
+
+:material-incognito: Anonymity
+
+Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity.
+
+Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far.
+
+## Security and Privacy
+
+:material-bug-outline: Passive Attacks
+
+Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private.
The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.)
+
+When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited.
+
+To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control.
+
+!!! tip
+
+ Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources.
+
+ Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os).
+
+:material-target-account: Targeted Attacks
+
+Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies.
+
+!!! tip
+
+ By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this.
+
+If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user.
+
+## Privacy From Service Providers
+
+:material-server-network: Service Providers
+
+We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere.
Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them.
+
+The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord.
+
+Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party.
+
+!!! note "Note on Web-based Encryption"
+
+ In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering).
+
+ On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt.
+
+ Therefore, you should use native applications over web clients whenever possible.
+
+Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all.
+
+## Mass Surveillance Programs
+
+:material-eye-outline: Mass Surveillance
+
+Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative.
+
+!!! abstract "Atlas of Surveillance"
+
+ If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/).
+
+ In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net.
+
+Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others.
+
+!!! 
quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
+
+ In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline.
+
+Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2]
+
+Online, you can be tracked via a variety of methods:
+
+- Your IP address
+- Browser cookies
+- The data you submit to websites
+- Your browser or device fingerprint
+- Payment method correlation
+
+\[This list isn't exhaustive].
+
+If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information.
+
+:material-account-cash: Surveillance Capitalism
+
+> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3]
+
+For many people, tracking and surveillance by private corporations is a growing concern.
Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4]
+
+Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you.
+
+## Limiting Public Information
+
+:material-account-search: Public Exposure
+
+The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy.
+
+- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md)
+
+On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission.
+
+If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity.
This makes your real information indistinguishable from the false information.
+
+## Avoiding Censorship
+
+:material-close-outline: Censorship
+
+Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5]
+
+Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.
+
+People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.
+
+!!! tip
+
+ While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic.
+
+ You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place.
Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
+
+You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.
+
+--8<-- "includes/abbreviations.id.txt"
+
+[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance).
+[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques.
+[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights).
diff --git a/i18n/id/basics/email-security.md b/i18n/id/basics/email-security.md
new file mode 100644
index 00000000..b4a8732b
--- /dev/null
+++ b/i18n/id/basics/email-security.md
@@ -0,0 +1,42 @@
+---
+title: Email Security
+icon: material/email
+---
+
+Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed.
+
+As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others.
+
+## Email Encryption Overview
+
+The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
+
+There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible.
+
+### What Email Clients Support E2EE?
+
+Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication.
+
+### How Do I Protect My Private Keys?
+
+A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
+
+It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.
+
+## Email Metadata Overview
+
+Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
+
+Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent.
+
+### Who Can View Email Metadata?
+
+Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages.
+
+### Why Can't Metadata be E2EE?
+
+Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc.
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/basics/multi-factor-authentication.md b/i18n/id/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..81bc62f6
--- /dev/null
+++ b/i18n/id/basics/multi-factor-authentication.md
@@ -0,0 +1,166 @@
+---
+title: "Multi-Factor Authentication"
+icon: 'material/two-factor-authentication'
+---
+
+**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app.
+
+Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone.
+
+MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO.
+
+## MFA Method Comparison
+
+### SMS or Email MFA
+
+Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account.
+
+### Push Notifications
+
+Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first.
+
+We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices.
+
+The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app.
+
+### Time-based One-time Password (TOTP)
+
+TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password.
+
+The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes.
+
+If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app.
+
+Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks.
If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds).
+
+An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
+
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+
+### Hardware security keys
+
+The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory.
+
+These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones.
+
+#### Yubico OTP
+
+Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server.
+
+When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field.
+
+The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
+
+
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png)
+
+
+There are some benefits and disadvantages to using Yubico OTP when compared to TOTP.
+
+The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance.
+
+If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key.
+
+#### FIDO (Fast IDentity Online)
+
+[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn).
+
+U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on.
+
+WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication.
+
+
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png)
+
+
+When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal.
+
+This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards.
+
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. 
+ +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. 
+ +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. 
+
+### SSH
+
+#### Hardware Security Keys
+
+SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up.
+
+#### Time-based One-time Password (TOTP)
+
+SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ.
+
+### KeePass (and KeePassXC)
+
+KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/basics/passwords-overview.md
new file mode 100644
index 00000000..7be192d6
--- /dev/null
+++ b/i18n/id/basics/passwords-overview.md
@@ -0,0 +1,112 @@
+---
+title: "Introduction to Passwords"
+icon: 'material/form-textbox-password'
+---
+
+Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced.
+
+## Best Practices
+
+### Use unique passwords for every service
+
+Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it.
+
+This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords.
+
+### Use randomly generated passwords
+
+==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices.
+
+All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use.
+
+### Rotating Passwords
+
+You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it.
+ +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! 
note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. 
+ + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. 
+
+There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words.
+
+[List of recommended password managers](../passwords.md ""){.md-button}
+
+!!! warning "Don't place your passwords and TOTP tokens inside the same password manager"
+
+ When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+
+ Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
+
+ Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device.
+
+### Backups
+
+You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using.
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/basics/threat-modeling.md
new file mode 100644
index 00000000..15cad795
--- /dev/null
+++ b/i18n/id/basics/threat-modeling.md
@@ -0,0 +1,111 @@
+---
+title: "Threat Modeling"
+icon: 'material/target-account'
+---
+
+Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using!
+
+If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important.
+
+**So, what are these threat models, anyway?**
+
+==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure.
+
+Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.
+
+## Creating Your Threat Model
+
+To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions:
+
+1. What do I want to protect?
+2. Who do I want to protect it from?
+3. How likely is it that I will need to protect it?
+4. How bad are the consequences if I fail?
+5. How much trouble am I willing to go through to try to prevent potential consequences?
+
+### What do I want to protect?
+
+An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets.
Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. 
+ +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. 
Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. 
+
+## Further Reading
+
+For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations.
+
+- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md)
+
+## Sources
+
+- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan)
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/basics/vpn-overview.md
new file mode 100644
index 00000000..04f761ca
--- /dev/null
+++ b/i18n/id/basics/vpn-overview.md
@@ -0,0 +1,78 @@
+---
+title: VPN Overview
+icon: material/vpn
+---
+
+Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem).
+
+Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns).
+
+A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it.
+
+## Should I use a VPN?
+
+**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service.
+
+VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way.
+
+However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.
+
+## When shouldn't I use a VPN?
+
+Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful.
+
+Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website.
+
+## What about encryption?
+
+Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them.
However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. 
If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. 
Hiding your IP from third-party websites and services, preventing IP based tracking.
+
+For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
+
+## Sources and Further Reading
+
+1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
+1. [Tor Network Overview](../advanced/tor-overview.md)
+1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides)
+1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them.
+
+## Related VPN Information
+
+- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/)
+- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
+- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
+- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/calendar.md
new file mode 100644
index 00000000..a1f4af64
--- /dev/null
+++ b/i18n/id/calendar.md
@@ -0,0 +1,71 @@ +--- +title: "Calendar Sync" +icon: material/calendar +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! 
recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/cloud.md b/i18n/id/cloud.md new file mode 100644 index 00000000..5e694672 --- /dev/null +++ b/i18n/id/cloud.md 
@@ -0,0 +1,62 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by either putting you in control of your data or by implementing E2EE. + +If these alternatives do not fit your needs, we suggest you look into [Encryption Software](encryption.md). + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is an E2EE general file storage service by the popular encrypted email provider [Proton Mail](https://proton.me/mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +Proton Drive's mobile clients were released in December 2022 and are not yet open-source. Proton has historically delayed their source code releases until after initial product releases, and [plans to](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) release the source code by the end of 2023. Proton Drive desktop clients are still in development. 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. 
+- Should offer at least basic file preview and editing functionality on the web interface. + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/data-redaction.md b/i18n/id/data-redaction.md new file mode 100644 index 00000000..d2426c05 --- /dev/null +++ b/i18n/id/data-redaction.md 
@@ -0,0 +1,146 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. 
+ + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. 
+ + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. 
+ + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/desktop-browsers.md b/i18n/id/desktop-browsers.md new file mode 100644 index 00000000..e1bb3815 --- /dev/null +++ b/i18n/id/desktop-browsers.md 
@@ -0,0 +1,263 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping your browser extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! 
warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. 
+ +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. 
If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. 
+ +### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### IPFS + +InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +- [x] Select **Disabled** on Method to resolve IPFS resources + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). 
+
+##### Other lists
+
+These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding:
+
+- [x] Check **Privacy** > **AdGuard URL Tracking Protection**
+- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must be open-source software.
+- Supports automatic updates.
+- Receives engine updates in 0-1 days from upstream release.
+- Available on Linux, macOS, and Windows.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Blocks third-party cookies by default.
+- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1]
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Includes built-in content blocking functionality.
+- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)).
+- Supports Progressive Web Apps.
+ PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates.
+- Does not include add-on functionality (bloatware) that does not impact user privacy.
+- Does not collect telemetry by default.
+- Provides open-source sync server implementation.
+- Defaults to a [private search engine](search-engines.md).
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.id.txt"
+
+[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/).
diff --git a/i18n/id/desktop.md b/i18n/id/desktop.md
new file mode 100644
index 00000000..8003f3d2
--- /dev/null
+++ b/i18n/id/desktop.md
@@ -0,0 +1,184 @@
+---
+title: "Desktop/PC"
+icon: simple/linux
+---
+
+Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions.
+
+- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md)
+
+## Traditional Distributions
+
+### Fedora Workstation
+
+!!! recommendation
+
+ ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right }
+
+ **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general.
+
+ [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
+
+### openSUSE Tumbleweed
+
+!!! recommendation
+
+ ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
+
+ **openSUSE Tumbleweed** is a stable rolling release distribution. 
+
+ openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.
+
+ [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute }
+
+Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality.
+
+### Arch Linux
+
+!!! recommendation
+
+ ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right }
+
+ **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).
+
+ [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute }
+
+Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.
+
+Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
+
+A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). 
+
+## Immutable Distributions
+
+### Fedora Silverblue
+
+!!! recommendation
+
+ ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right }
+
+ **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.
+
+ [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.
+
+After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed.
+
+[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. 
+
+As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer.
+
+### NixOS
+
+!!! recommendation
+
+ ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right }
+
+ NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.
+
+ [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute }
+
+NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.
+
+NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.
+
+Nix the package manager uses a purely functional language - which is also called Nix - to define packages.
+
+[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. 
You can also define your own packages in the same language and then easily include them in your config.
+
+Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible.
+
+## Anonymity-Focused Distributions
+
+### Whonix
+
+!!! recommendation
+
+ ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right }
+
+ **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os).
+
+ [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute }
+
+Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.
+
+Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. 
+
+Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
+
+Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors.
+
+### Tails
+
+!!! recommendation
+
+ ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right }
+
+ **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off.
+
+ [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute }
+
+Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized.
+
+Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. 
[Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device.
+
+By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots.
+
+## Security-focused Distributions
+
+### Qubes OS
+
+!!! recommendation
+
+ ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right }
+
+ **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers.
+
+ [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary }
+ [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute }
+
+Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*.
+
+The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). 
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Our recommended operating systems:
+
+- Must be open-source.
+- Must receive regular software and Linux kernel updates.
+- Linux distributions must support [Wayland](os/linux-overview.md#Wayland).
+- Must support full-disk encryption during installation.
+- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/dns.md b/i18n/id/dns.md
new file mode 100644
index 00000000..75593fab
--- /dev/null
+++ b/i18n/id/dns.md
@@ -0,0 +1,142 @@ +--- +title: "DNS Resolvers" +icon: material/dns +--- + +!!! question "Should I use encrypted DNS?" + + Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + + [Learn more about DNS](advanced/dns-overview.md){ .md-button } + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### Android + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). 
+
+After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings.
+
+#### Signed Profiles
+
+Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/).
+
+!!! info
+
+ `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS.
+
+## Encrypted DNS Proxies
+
+Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns).
+
+### RethinkDNS
+
+!!! 
recommendation
+
+ ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right }
+ ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right }
+
+ **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
+
+ [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns)
+ - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases)
+
+### dnscrypt-proxy
+
+!!! recommendation
+
+ ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right }
+
+ **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
+
+ !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." 
+
+ [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows)
+ - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS)
+ - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux)
+
+## Self-hosted Solutions
+
+A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed.
+
+### AdGuard Home
+
+!!! recommendation
+
+ ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right }
+
+ **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ AdGuard Home features a polished web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" }
+
+### Pi-hole
+
+!!! 
recommendation
+
+ ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right }
+
+ **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute }
+
+--8<-- "includes/abbreviations.id.txt"
+
+[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html)
+[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. 
[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/)
+[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy)
+[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/)
+[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy)
+[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/)
diff --git a/i18n/id/email-clients.md b/i18n/id/email-clients.md
new file mode 100644
index 00000000..05bfec19
--- /dev/null
+++ b/i18n/id/email-clients.md
@@ -0,0 +1,239 @@
+---
+title: "Email Clients"
+icon: material/email-open
+---
+
+Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft.
+
+??? warning "Email does not provide forward secrecy"
+
+ When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email.
+
+ OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy:
+
+ [Real-time Communication](real-time-communication.md){ .md-button }
+
+## Cross-Platform
+
+### Thunderbird
+
+!!! recommendation
+
+ ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right }
+
+ **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation.
+
+ [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation}
+ [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" }
+
+ ??? 
downloads
+
+ - [:simple-windows11: Windows](https://www.thunderbird.net)
+ - [:simple-apple: macOS](https://www.thunderbird.net)
+ - [:simple-linux: Linux](https://www.thunderbird.net)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird)
+
+#### Recommended Configuration
+
+We recommend changing some of these settings to make Thunderbird a little more private.
+
+These options can be found in :material-menu: → **Settings** → **Privacy & Security**.
+
+##### Web Content
+
+- [ ] Uncheck **Remember websites and links I've visited**
+- [ ] Uncheck **Accept cookies from sites**
+
+##### Telemetry
+
+- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla**
+
+#### Thunderbird-user.js (advanced)
+
+[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js).
+
+## Platform Specific
+
+### Apple Mail (macOS)
+
+!!! recommendation
+
+ ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right }
+
+ **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email.
+
+ [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation}
+
+### Canary Mail (iOS)
+
+!!! 
recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. 
+ + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! 
recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/email.md b/i18n/id/email.md new file mode 100644 index 00000000..ec800f76 --- /dev/null +++ b/i18n/id/email.md 
@@ -0,0 +1,485 @@ +--- +title: "Email Services" +icon: material/email +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +??? 
success "Custom Domains and Aliases" + + Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +??? success "Private Payment Methods" + + Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments. + +??? success "Account Security" + + Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code. + +??? success "Data Security" + + Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + + Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +??? success "Email Encryption" + + Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. 
+ + Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + +??? warning "Digital Legacy" + + Proton Mail doesn't offer a digital legacy feature. + +??? info "Account Termination" + + If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +??? info "Additional Functionality" + + Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +??? success "Custom Domains and Aliases" + + Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. 
Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +??? info "Private Payment Methods" + + Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +??? success "Account Security" + + Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +??? info "Data Security" + + Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + + However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +??? success "Email Encryption" + + Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. 
This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + + Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +??? success "Digital Legacy" + + Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +??? info "Account Termination" + + Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +??? info "Additional Functionality" + + You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + + All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +### StartMail + +!!! 
recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +??? success "Custom Domains and Aliases" + + Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +??? warning "Private Payment Methods" + + StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +??? success "Account Security" + + StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +??? info "Data Security" + + StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. 
When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + + StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +??? success "Email Encryption" + + StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. + +??? warning "Digital Legacy" + + StartMail does not offer a digital legacy feature. + +??? info "Account Termination" + + On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +??? info "Additional Functionality" + + StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +??? success "Custom Domains and Aliases" + + Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). 
Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +??? warning "Private Payment Methods" + + Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +??? success "Account Security" + + Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +??? success "Data Security" + + Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +??? warning "Email Encryption" + + Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +??? warning "Digital Legacy" + + Tutanota doesn't offer a digital legacy feature. + +??? info "Account Termination" + + Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +??? info "Additional Functionality" + + Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + + Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. 
+ +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. 
You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! 
recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. 
We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. 
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). 
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). 
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. 
(email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/encryption.md b/i18n/id/encryption.md new file mode 100644 index 00000000..2799f306 --- /dev/null +++ b/i18n/id/encryption.md 
@@ -0,0 +1,357 @@ +--- +title: "Perangkat Lunak Enkripsi" +icon: material/file-lock +--- + +Enkripsi data adalah satu-satunya cara untuk mengendalikan siapa saja yang dapat mengaksesnya. Jika saat ini Anda tidak menggunakan perangkat lunak enkripsi untuk perangkat penyimpanan, surel, atau berkas Anda, Anda seharusnya memilih opsi di sini. + +## Multi-platform + +Opsi yang tercantum di sini adalah multi-platform dan sangat bagus untuk membuat cadangan terenkripsi data Anda. + +### Cryptomator (Awan) + +!!! recommendation + + ![Logo Cryptomator](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** adalah solusi enkripsi yang dirancang untuk menyimpan berkas secara pribadi ke penyedia layanan awan mana pun. Ini memungkinkan Anda untuk membuat brankas yang disimpan di penyimpanan virtual, yang isinya dienkripsi dan disinkronkan dengan penyedia penyimpanan awan Anda. + + [:octicons-home-16: Laman Beranda](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Kebijakan Privasi" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Dokumentasi} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Kode Sumber" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Berkontribusi } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. 
Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. 
According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? 
example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. 
FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. 
This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. 
+ + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! 
tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! 
recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. 
+ + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. 
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/file-sharing.md b/i18n/id/file-sharing.md new file mode 100644 index 00000000..2f18e254 --- /dev/null +++ b/i18n/id/file-sharing.md 
@@ -0,0 +1,148 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. 
+ + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). 
The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! 
danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. 
+ +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/frontends.md b/i18n/id/frontends.md new file mode 100644 index 00000000..01dbbeb8 --- /dev/null +++ b/i18n/id/frontends.md 
@@ -0,0 +1,268 @@ +--- +title: "Frontends" +icon: material/flip-to-front +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. 
+ +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. 
Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). 
When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. 
+ + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. 
+ + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. 
+ + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. 
Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! 
tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. + +--8<-- "includes/abbreviations.id.txt" 
diff --git a/i18n/id/index.md b/i18n/id/index.md new file mode 100644 index 00000000..023a56f1 --- /dev/null +++ b/i18n/id/index.md 
@@ -0,0 +1,44 @@
+---
+template: overrides/home.id.html
+hide:
+ - navigation
+ - toc
+ - feedback
+---
+
+
+## Why should I care?
+
+##### “I have nothing to hide. Why should I care about my privacy?”
+
+Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination).
+
+You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human.
+
+[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary}
+
+## What should I do?
+
+##### First, you need to make a plan
+
+Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them.
+
+==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
+
+[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary}
+
+---
+
+## We need you!
Here's how to get involved:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" }
+[:material-information-outline:](about/index.md){ title="Learn more about us" }
+[:material-hand-coin-outline:](about/donate.md){ title="Support the project" }
+
+It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know.
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/kb-archive.md b/i18n/id/kb-archive.md
new file mode 100644
index 00000000..7c307550
--- /dev/null
+++ b/i18n/id/kb-archive.md
@@ -0,0 +1,18 @@
+---
+title: Arsip Basis Pengetahuan
+icon: material/archive
+---
+
+# Halaman Dipindahkan ke Blog
+
+Some pages that used to be in our knowledge base can now be found on our blog:
+
+- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
+- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
+- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
+- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/meta/brand.md b/i18n/id/meta/brand.md
new file mode 100644
index 00000000..eb339fa6
--- /dev/null
+++ b/i18n/id/meta/brand.md
@@ -0,0 +1,24 @@
+---
+title: Branding Guidelines
+---
+
+The name of the website is **Privacy Guides** and should **not** be changed to:
+
+
+- PrivacyGuides
+- Privacy guides
+- PG
+- PG.org
+
+
+The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**.
+
+Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand)
+
+## Trademark
+
+"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project.
+
+Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions.
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/meta/git-recommendations.md b/i18n/id/meta/git-recommendations.md
new file mode 100644
index 00000000..97140bc9
--- /dev/null
+++ b/i18n/id/meta/git-recommendations.md
@@ -0,0 +1,48 @@
+---
+title: Git Recommendations
+---
+
+If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations.
+
+## Enable SSH Key Commit Signing
+
+You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
+
+1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo):
+ ```
+ git config --global commit.gpgsign true
+ git config --global gpg.format ssh
+ git config --global tag.gpgSign true
+ ```
+2. Copy your SSH public key to your clipboard, for example:
+ ```
+ pbcopy < ~/.ssh/id_ed25519.pub
+ # Copies the contents of the id_ed25519.pub file to your clipboard
+ ```
+3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard:
+ ```
+ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'
+ ```
+
+Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key).
+
+## Rebase on Git pull
+
+Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo).
+
+You can set this to be the default behavior:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase from `main` before submitting a PR
+
+If you are working on your own branch, run these commands before submitting a PR:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/meta/uploading-images.md b/i18n/id/meta/uploading-images.md
new file mode 100644
index 00000000..49454204
--- /dev/null
+++ b/i18n/id/meta/uploading-images.md
@@ -0,0 +1,91 @@
+---
+title: Uploading Images
+---
+
+Here are a couple of general rules for contributing to Privacy Guides:
+
+## Images
+
+- We **prefer** SVG images, but if those do not exist we can use PNG images
+
+Company logos have canvas size of:
+
+- 128x128px
+- 384x128px
+
+## Optimization
+
+### PNG
+
+Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image:
+
+```bash
+optipng -o7 file.png
+```
+
+### SVG
+
+#### Inkscape
+
+[Scour](https://github.com/scour-project/scour) all SVG images.
+
+In Inkscape:
+
+1. File Save As..
+2. Set type to Optimized SVG (*.svg)
+
+In the **Options** tab:
+
+- **Number of significant digits for coordinates** > **5**
+- [x] Turn on **Shorten color values**
+- [x] Turn on **Convert CSS attributes to XML attributes**
+- [x] Turn on **Collapse groups**
+- [x] Turn on **Create groups for similar attributes**
+- [ ] Turn off **Keep editor data**
+- [ ] Turn off **Keep unreferenced definitions**
+- [x] Turn on **Work around renderer bugs**
+
+In the **SVG Output** tab under **Document options**:
+
+- [ ] Turn off **Remove the XML declaration**
+- [x] Turn on **Remove metadata**
+- [x] Turn on **Remove comments**
+- [x] Turn on **Embeded raster images**
+- [x] Turn on **Enable viewboxing**
+
+In the **SVG Output** under **Pretty-printing**:
+
+- [ ] Turn off **Format output with line-breaks and indentation**
+- **Indentation characters** > Select **Space**
+- **Depth of indentation** > **1**
+- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element**
+
+In the **IDs** tab:
+
+- [x] Turn on **Remove unused IDs**
+- [ ] Turn off **Shorten IDs**
+- **Prefix shortened IDs with** > `leave blank`
+- [x] Turn on **Preserve manually created IDs not ending with digits**
+- **Preserve the following IDs** > `leave blank`
+- **Preserve IDs starting with** > `leave blank`
+
+#### CLI
+
+The same can be achieved with the [Scour](https://github.com/scour-project/scour) command:
+
+```bash
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/meta/writing-style.md b/i18n/id/meta/writing-style.md
new file mode 100644
index 00000000..3476ab63
--- /dev/null
+++ b/i18n/id/meta/writing-style.md
@@ -0,0 +1,89 @@
+---
+title: Writing Style
+---
+
+Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt.
+
+In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below.
+
+## Writing for our audience
+
+Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with.
+
+### Address only what people want to know
+
+People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details.
+
+> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.”
+
+### Address people directly
+
+We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly.
+
+> More than any other single technique, using “you” pulls users into the information and makes it relevant to them.
+>
+> When you use “you” to address users, they are more likely to understand what their responsibility is.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/)
+
+### Avoid "users"
+
+Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for.
+
+## Organizing content
+
+Organization is key.
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas.
+
+- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages.
+- Mark important ideas with **bold** or *italics*.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
+
+### Begin with a topic sentence
+
+> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details.
+>
+> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
+
+## Choose your words carefully
+
+> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand.
+
+We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly.
+
+> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences:
+>
+> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends.
+>
+> And the original, using stronger, simpler words:
+>
+> > More night jobs would keep youths off the streets.
+
+## Be concise
+
+> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
+
+## Keep text conversational
+
+> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting.
+>
+> Verbs tell your audience what to do. Make sure it’s clear who does what.
+
+### Use active voice
+
+> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.”
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
+
+### Use "must" for requirements
+
+> - “must” for an obligation
+> - “must not” for a prohibition
+> - “may” for a discretionary action
+> - “should” for a recommendation
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/mobile-browsers.md b/i18n/id/mobile-browsers.md
new file mode 100644
index 00000000..c536f1d8
--- /dev/null
+++ b/i18n/id/mobile-browsers.md
@@ -0,0 +1,193 @@
+---
+title: "Mobile Browsers"
+icon: material/cellphone-information
+---
+
+These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Android
+
+On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
+
+### Brave
+
+!!! recommendation
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ???
downloads annotate
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+
+#### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy**
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+##### Brave shields global defaults
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+
+- [x] Select **Aggressive** under Block trackers & ads
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] Select **Upgrade connections to HTTPS**
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under **Block fingerprinting**
+
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Clear browsing data
+
+- [x] Select **Clear data on exit**
+
+##### Social Media Blocking
+
+- [ ] Uncheck all social media components
+
+##### Other privacy settings
+
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Allow sites to check if you have payment methods saved**
+- [ ] Uncheck **IPFS Gateway** (1)
+- [x] Select **Close tabs on exit**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+
+1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+
+
+#### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## iOS
+
+On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser.
+
+### Safari
+
+!!! recommendation
+
+ ![Safari logo](assets/img/browsers/safari.svg){ align=right }
+
+ **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
+
+ [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation}
+
+#### Recommended Configuration
+
+These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.
+
+##### Cross-Site Tracking Prevention
+
+- [x] Enable **Prevent Cross-Site Tracking**
+
+This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
+
+##### Privacy Report
+
+Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
+
+Privacy Report is accessible via the Page Settings menu.
+
+##### Privacy Preserving Ad Measurement
+
+- [ ] Disable **Privacy Preserving Ad Measurement**
+
+Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
+
+The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
+
+##### Always-on Private Browsing
+
+Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
+
+- [x] Select **Private**
+
+Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
+
+Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
+
+##### iCloud Sync
+
+Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303).
Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
+
+You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**.
+
+- [x] Turn On **Advanced Data Protection**
+
+If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
+
+### AdGuard
+
+!!! recommendation
+
+ ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right }
+
+ **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
+
+ AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge.
+
+ [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations.
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must support automatic updates.
+- Must receive engine updates in 0-1 days from upstream release.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Android browsers must use the Chromium engine.
+ - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android.
+ - iOS browsers are limited to WebKit.
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/multi-factor-authentication.md b/i18n/id/multi-factor-authentication.md
new file mode 100644
index 00000000..ad34f4ca
--- /dev/null
+++ b/i18n/id/multi-factor-authentication.md
@@ -0,0 +1,144 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. 
+ +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey / Librem Key + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. 
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + + The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +!!! tip + + The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. 
+ +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/news-aggregators.md b/i18n/id/news-aggregators.md new file mode 100644 index 00000000..88957455 --- /dev/null +++ b/i18n/id/news-aggregators.md 
@@ -0,0 +1,173 @@ +--- +title: "News Aggregators" +icon: material/rss +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favourite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! 
recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. 
+ + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/notebooks.md b/i18n/id/notebooks.md new file mode 100644 index 00000000..e26778de --- /dev/null +++ b/i18n/id/notebooks.md 
@@ -0,0 +1,115 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. 
+ + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/os/android-overview.md b/i18n/id/os/android-overview.md new file mode 100644 index 00000000..c666269c --- /dev/null +++ b/i18n/id/os/android-overview.md 
@@ -0,0 +1,135 @@
+---
+title: Android Overview
+icon: simple/android
+---
+
+Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system.
+
+## Choosing an Android Distribution
+
+When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android.
+
+This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model.
+
+Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model.
At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria.
+
+[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button}
+
+## Avoid Rooting
+
+[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses.
+
+Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.
+
+
+AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations.
+
+We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps.
+
+## Verified Boot
+
+[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
+
+Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted.
+
+Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device.
+
+Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended.
+
+
+Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage.
+
+## Firmware Updates
+
+Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin).
+
+As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support.
+
+EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed.
+
+
+Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates.
+
+## Android Versions
+
+It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
+
+## Android Permissions
+
+[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for.
It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel.
+
+Should you want to run an app that you're unsure about, consider using a user or work profile.
+
+## Media Access
+
+Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter.
+
+## User Profiles
+
+Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android.
+
+With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation.
+
+## Work Profile
+
+[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles.
+
+A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one.
+
+The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile.
+
+
+This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously.
+
+## VPN Killswitch
+
+Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+## Global Toggles
+
+Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled.
+
+## Google
+
+If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play.
+
+### Advanced Protection Program
+
+If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support.
+
+The Advanced Protection Program provides enhanced threat monitoring and enables:
+
+- Stricter two factor authentication; e.g.
that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth)
+- Only Google and verified third-party apps can access account data
+- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
+- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
+- Stricter recovery process for accounts with lost credentials
+
+ If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as:
+
+- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)
+- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
+- Warning you about unverified applications
+
+### Google Play System Updates
+
+In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services.
+
+If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS).
This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible.
+
+### Advertising ID
+
+All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you.
+
+On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*.
+
+On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check
+
+- :gear: **Settings** → **Google** → **Ads**
+- :gear: **Settings** → **Privacy** → **Ads**
+
+You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID.
+
+### SafetyNet and Play Integrity API
+
+[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`.
Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities.
+
+As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services.
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/os/linux-overview.md b/i18n/id/os/linux-overview.md
new file mode 100644
index 00000000..62e18ca5
--- /dev/null
+++ b/i18n/id/os/linux-overview.md
@@ -0,0 +1,143 @@
+---
+title: Linux Overview
+icon: simple/linux
+---
+
+It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years.
+
+At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.:
+
+- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm).
These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack)
+- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go
+- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations)
+
+Despite these drawbacks, desktop Linux distributions are great if you want to:
+
+- Avoid telemetry that often comes with proprietary operating systems
+- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms)
+- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/)
+
+Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here.
+
+[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button}
+
+## Choosing your distribution
+
+Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use.
+
+### Release cycle
+
+We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions.
This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). 
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.
+
+If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically:
+
+- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories.
+- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks.
+
+### Kicksecure
+
+While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.
+
+### Linux-libre kernel and “Libre” distributions
+
+We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons.
+
+
+## General Recommendations
+
+### Drive Encryption
+
+Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
+
+- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+
+### Swap
+
+Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM).
+
+### Wayland
+
+We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland.
+
+
+Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
+
+We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
+
+### Proprietary Firmware (Microcode Updates)
+
+Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html).
+
+We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default.
+
+
+### Updates
+
+Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found.
+
+Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates.
+
+Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd).
+
+## Privacy Tweaks
+
+### MAC Address Randomization
+
+Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings.
+
+It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous.
+
+We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/).
+
+If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=).
+ +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. 
+ +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/os/qubes-overview.md b/i18n/id/os/qubes-overview.md new file mode 100644 index 00000000..d392cac6 --- /dev/null +++ b/i18n/id/os/qubes-overview.md @@ -0,0 +1,56 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. 
+ +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/passwords.md b/i18n/id/passwords.md new file mode 100644 index 00000000..05167fd7 --- /dev/null +++ b/i18n/id/passwords.md 
@@ -0,0 +1,230 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. 
If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. 
+ + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! 
recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). 
+ + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/productivity.md b/i18n/id/productivity.md new file mode 100644 index 00000000..6c8ecbe7 --- /dev/null +++ b/i18n/id/productivity.md 
@@ -0,0 +1,156 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! 
recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. 
+- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! 
recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. 
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/real-time-communication.md b/i18n/id/real-time-communication.md new file mode 100644 index 00000000..a9395607 --- /dev/null +++ b/i18n/id/real-time-communication.md 
@@ -0,0 +1,195 @@
+---
+title: "Real-Time Communication"
+icon: material/chat-processing
+---
+
+These are our recommendations for encrypted real-time communication.
+
+[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md)
+
+## Encrypted Messengers
+
+These messengers are great for securing your sensitive communications.
+
+### Signal
+
+!!! recommendation
+
+ ![Signal logo](assets/img/messengers/signal.svg){ align=right }
+
+ **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling.
+
+ All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with.
+
+ [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669)
+ - [:simple-android: Android](https://signal.org/android/apk/)
+ - [:simple-windows11: Windows](https://signal.org/download/windows)
+ - [:simple-apple: macOS](https://signal.org/download/macos)
+ - [:simple-linux: Linux](https://signal.org/download/linux)
+
+Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier.
+
+The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
+
+We have some additional tips on configuring and hardening your Signal installation:
+
+[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+
+### SimpleX Chat
+
+!!! recommendation
+
+ ![Simplex logo](assets/img/messengers/simplex.svg){ align=right }
+
+ **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations.
+
+ [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084)
+ - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases)
+
+SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022.
+
+Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported.
+
+Your data can be exported, and imported onto another device, as there are no central servers where this is backed up.
+
+### Briar
+
+!!! recommendation
+
+ ![Briar logo](assets/img/messengers/briar.svg){ align=right }
+
+ **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem.
+
+ [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation}
+ [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android)
+ - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/)
+ - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar)
+
+To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby.
+
+The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited.
+
+Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec).
+
+Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol.
+
+## Additional Options
+
+!!! warning
+
+ These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications.
+
+### Element
+
+!!! recommendation
+
+ ![Element logo](assets/img/messengers/element.svg){ align=right }
+
+ **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication.
+
+ Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls.
+
+ [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067)
+ - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases)
+ - [:simple-windows11: Windows](https://element.io/get-started)
+ - [:simple-apple: macOS](https://element.io/get-started)
+ - [:simple-linux: Linux](https://element.io/get-started)
+ - [:octicons-globe-16: Web](https://app.element.io)
+
+Profile pictures, reactions, and nicknames are not encrypted.
+
+Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings.
+
+The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history.
+
+The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/).
+
+### Session
+
+!!! recommendation
+
+ ![Session logo](assets/img/messengers/session.svg){ align=right }
+
+ **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls.
+
+ Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network.
+
+ [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868)
+ - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases)
+ - [:simple-windows11: Windows](https://getsession.org/download)
+ - [:simple-apple: macOS](https://getsession.org/download)
+ - [:simple-linux: Linux](https://getsession.org/download)
+
+Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design.
+
+Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information.
+
+Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.”
+
+Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must have open-source clients.
+- Must use E2EE for private messages by default.
+- Must support E2EE for all messages.
+- Must have been independently audited.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should have Perfect Forward Secrecy.
+- Should have open-source servers.
+- Should be decentralized, i.e. federated or P2P.
+- Should use E2EE for all messages by default.
+- Should support Linux, macOS, Windows, Android, and iOS.
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/router.md b/i18n/id/router.md
new file mode 100644
index 00000000..13c6d37b
--- /dev/null
+++ b/i18n/id/router.md
@@ -0,0 +1,51 @@
+---
+title: "Router Firmware"
+icon: material/router-wireless
+---
+
+Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc.
+
+## OpenWrt
+
+!!! recommendation
+
+ ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right }
+ ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right }
+
+ **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers.
+
+ [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute }
+
+You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported.
+
+## OPNsense
+
+!!! recommendation
+
+ ![OPNsense logo](assets/img/router/opnsense.svg){ align=right }
+
+ **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint.
+
+ [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute }
+
+OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open source.
+- Must receive regular updates.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/search-engines.md b/i18n/id/search-engines.md
new file mode 100644
index 00000000..3f875285
--- /dev/null
+++ b/i18n/id/search-engines.md
@@ -0,0 +1,109 @@
+---
+title: "Search Engines"
+icon: material/search-web
+---
+
+Use a search engine that doesn't build an advertising profile based on your searches.
+
+The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored.
+
+Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider.
+
+## Brave Search
+
+!!! recommendation
+
+ ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right }
+
+ **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives.
+
+ Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts.
+
+ We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings.
+
+ [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation}
+
+Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained.
+
+## DuckDuckGo
+
+!!! recommendation
+
+ ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right }
+
+ **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results.
+
+ DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser.
+
+ [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation}
+
+DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information.
+
+DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version.
+
+## SearXNG
+
+!!! recommendation
+
+ ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right }
+
+ **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx).
+
+ [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"}
+ [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" }
+
+SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from.
+
+When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities.
+
+When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII.
+
+## Startpage
+
+!!! recommendation
+
+ ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right }
+ ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right }
+
+ **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead.
+
+ [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation}
+
+!!! warning
+
+ Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider.
+
+Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information.
+
+Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must not collect personally identifiable information per their privacy policy.
+- Must not allow users to create an account with them.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be based on open-source software.
+- Should not block Tor exit node IP addresses.
+
+--8<-- "includes/abbreviations.id.txt"
diff --git a/i18n/id/tools.md b/i18n/id/tools.md
new file mode 100644
index 00000000..21dc342e
--- /dev/null
+++ b/i18n/id/tools.md
@@ -0,0 +1,443 @@
+---
+title: "Privacy Tools"
+icon: material/tools
+hide:
+ - toc
+---
+
+If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs.
+
+If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community!
+
+For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page.
+
+## Tor Network
+
+
+
+- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser)
+- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot)
+- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1)
+
+
+
+1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy.
+
+[Learn more :material-arrow-right-drop-circle:](tor.md)
+
+## Desktop Web Browsers
+
+
+
+- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox)
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md)
+
+### Additional Resources
+
+
+
+- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources)
+
+## Mobile Web Browsers
+
+
+
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave)
+- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md)
+
+### Additional Resources
+
+
+
+- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard)
+
+## Operating Systems
+
+### Mobile
+
+
+
+- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos)
+- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md)
+
+#### Android Apps
+
+
+
+- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store)
+- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter)
+- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor)
+- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera)
+- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md#general-apps)
+
+### Desktop/PC
+
+
+
+- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os)
+- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation)
+- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed)
+- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux)
+- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue)
+- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos)
+- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix)
+- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop.md)
+
+### Router Firmware
+
+
+
+- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt)
+- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](router.md)
+
+## Service Providers
+
+### Cloud Storage
+
+
+
+- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](cloud.md)
+
+### DNS
+
+#### DNS Providers
+
+We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended.
+
+[Learn more :material-arrow-right-drop-circle:](dns.md)
+
+#### Encrypted DNS Proxies
+
+
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/tor.md b/i18n/id/tor.md new file mode 100644 index 00000000..55560121 --- /dev/null +++ b/i18n/id/tor.md @@ -0,0 +1,124 @@ +--- +title: "Tor Network" +icon: simple/torproject +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+ +- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md) + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! 
danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to. + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. 
It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/video-streaming.md b/i18n/id/video-streaming.md new file mode 100644 index 00000000..05595a75 --- /dev/null +++ b/i18n/id/video-streaming.md 
@@ -0,0 +1,52 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. 
+ +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/id/vpn.md b/i18n/id/vpn.md new file mode 100644 index 00000000..a3242d3e --- /dev/null +++ b/i18n/id/vpn.md 
@@ -0,0 +1,323 @@ +--- +title: "VPN Services" +icon: material/vpn +--- + +Find a no-logging VPN operator who isn’t out to sell or read your web traffic. + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +??? question "When are VPNs useful?" + + If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. + + [More Info](basics/vpn-overview.md){ .md-button } + +## Recommended Providers + +!!! abstract "Criteria" + + Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#our-criteria) for more information. + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +??? success annotate "67 Countries" + + Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). 
A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +??? success "Open-Source Clients" + + Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +??? success "Accepts Cash" + + Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment. + +??? success "WireGuard Support" + + Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +??? warning "Remote Port Forwarding" + + Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +??? 
info "Additional Functionality" + + Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +!!! danger "Killswitch feature is broken on Intel-based Macs" + + System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +??? success annotate "35 Countries" + + IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1). 
Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +??? success "Open-Source Clients" + + As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +??? success "Accepts Cash and Monero" + + In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +??? success "WireGuard Support" + + IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. 
+ + IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +??? info "Additional Functionality" + + IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. 
+ + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +??? success annotate "41 Countries" + + Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2023-01-19 + +??? success "Independently Audited" + + Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). 
The security researchers concluded: + + > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + + In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + + > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + + In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +??? success "Open-Source Clients" + + Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +??? 
success "Accepts Cash and Monero" + + Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +??? success "WireGuard Support" + + Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "IPv6 Support" + + Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +??? 
success "Mobile Clients" + + Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +??? info "Additional Functionality" + + Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. 
+ +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- Monero or cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts Monero, cash, and other forms of anonymous payment options (gift cards, etc.) +- No personal information accepted (autogenerated username, no email required, etc.) 
+ +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. 
We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. + +--8<-- "includes/abbreviations.id.txt" diff --git a/i18n/it/404.md b/i18n/it/404.md new file mode 100644 index 00000000..a0c5d27b --- /dev/null +++ b/i18n/it/404.md 
@@ -0,0 +1,17 @@
+---
+hide:
+ - feedback
+---
+
+# 404 - Non Trovato
+
+We couldn't find the page you were looking for! Maybe you were looking for one of these?
+
+- [Introduzione alla modellazione delle minacce](basics/threat-modeling.md)
+- [Provider DNS consigliati](dns.md)
+- [I migliori browser web per desktop](desktop-browsers.md)
+- [Migliori provider VPN](vpn.md)
+- [Privacy Guides Forum](https://discuss.privacyguides.net)
+- [Il nostro blog](https://blog.privacyguides.org)
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/CODE_OF_CONDUCT.md b/i18n/it/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..88a0e910
--- /dev/null
+++ b/i18n/it/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@
+# Community Code of Conduct
+
+**We pledge** to make our community a harassment-free experience for everyone.
+
+**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others.
+
+**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment.
+
+## Community Standards
+
+What we expect from members of our communities:
+
+1. **Don't spread misinformation**
+
+ We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence.
+
+1. **Don't abuse our willingness to help**
+
+ Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/).
+
+1. **Behave in a positive and constructive manner**
+
+ Examples of behavior that contributes to a positive environment for our community include:
+
+ - Demonstrating empathy and kindness toward other people
+ - Being respectful of differing opinions, viewpoints, and experiences
+ - Giving and gracefully accepting constructive feedback
+ - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+ - Focusing on what is best not just for us as individuals, but for the overall community
+
+### Unacceptable Behavior
+
+The following behaviors are considered harassment and are unacceptable within our community:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Scope
+
+Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities.
+
+We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion.
+
+### Contact
+
+If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system.
+
+If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
diff --git a/i18n/it/about/criteria.md b/i18n/it/about/criteria.md
new file mode 100644
index 00000000..c3729859
--- /dev/null
+++ b/i18n/it/about/criteria.md
@@ -0,0 +1,42 @@
+---
+title: General Criteria
+---
+
+!!! example "Work in Progress"
+
+ The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24)
+
+Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion.
+
+## Financial Disclosure
+
+We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors.
+
+## General Guidelines
+
+We apply these priorities when considering new recommendations:
+
+- **Secure**: Tools should follow security best-practices wherever applicable.
+- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives.
+- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in.
+- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases.
+- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required.
+- **Documented**: Tools should have clear and extensive documentation for use.
+
+## Developer Self-Submissions
+
+We have these requirements in regard to developers which wish to submit their project or software for consideration.
+
+- Must disclose affiliation, i.e. your position within the project being submitted.
+
+- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc.
+ - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit.
+
+- Must explain what the project brings to the table in regard to privacy.
+ - Does it solve any new problem?
+ - Why should anyone use it over the alternatives?
+
+- Must state what the exact threat model is with their project.
+ - It should be clear to potential users what the project can provide, and what it cannot.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/about/donate.md b/i18n/it/about/donate.md
new file mode 100644
index 00000000..4236a4f9
--- /dev/null
+++ b/i18n/it/about/donate.md
@@ -0,0 +1,52 @@ +--- +title: Supportaci +--- + + +Sono necessari molte [persone](https://github.com/privacyguides/privacyguides.org/graphs/contributors) e [lavoro](https://github.com/privacyguides/privacyguides.org/pulse/monthly) per mantenere Privacy Guides aggiornato e diffondere il verbo sulla privacy e la sorveglianza di massa. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +Se ci vuoi supportare economicamente, il metodo per noi più conveniente è attraverso Open Collective, un sito operato dal nostro host fiscale. Open Collective accetta pagamenti via carta di credito/debito, PayPal e bonifici. + +[Dona su OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. In seguito alla tua donazione, riceverai una ricevuta dalla Open Collective Foundation. Privacy Guides non fornisce consulenza finanziaria e suggeriamo di contattare il proprio consulente finanziario per sapere se ciò è applicabile al proprio caso. + +È possibile sponsorizzare la nostra organizzazione anche mediante le sponsorizzazioni di Github. + +[Sponsorizzaci su Github](https://github.com/sponsors/privacyguides ""){.md-button} + +## Sostenitori + +Un ringraziamento speciale a tutti coloro che supportano la nostra missione! :heart: + +*Nota bene: Questa sezione carica un widget direttamente da Open Collective. Questa sezione non riflette le donazioni effettuate al di fuori di Open Collective, e non abbiamo il controllo sui donatori specifici presenti in questa sezione.* + + + +## Come utilizziamo le donazioni + +Privacy Guides è un'organizzazione **no-profit**. 
Utilizziamo le donazioni per una serie di scopi, tra cui: + +**Registrazione dei domini** +: + +Abbiamo alcuni nomi di dominio, come `privacyguides.org`, la cui registrazione costa circa $10 euro all'anno. + +**Web Hosting** +: + +Il traffico di questo sito utilizza centinaia di gigabytes di dati al mese; per tenerci al passo, utilizziamo diversi fornitori di servizi. + +**Servizi online** +: + +Hostiamo dei [servizi internet](https://privacyguides.net) per testare e mostrare diversi prodotti relativi alla privacy che ci piacciono e [raccomandiamo](../tools.md). Alcuni di questi sono disponibili pubblicamente per l'uso della nosta comunità (SearXNG, Tor, etc.), altri sono forniti ai membri del nostro team (email, etc.). + +**Acquisto di beni** +: + +Occasionalmente acquistiamo beni e servizi con lo scopo di testare i nostri [strumenti consigliati](../tools.md). + +Stiamo ancora lavorando con il nostro host fiscale (la Open Collective Foundation) per ricevere donazioni via criptovalute; al momento la contabilità non è fattibile per piccole transazioni, cosa che dovrebbe cambiare in futuro. Nel mentre, se desideri effettuare una donazione consistente in criptovalure (> $100), ti preghiamo di contattarci a [jonah@privacyguides.org](mailto:jonah@privacyguides.org). + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/about/index.md b/i18n/it/about/index.md new file mode 100644 index 00000000..41329117 --- /dev/null +++ b/i18n/it/about/index.md 
@@ -0,0 +1,63 @@ +--- +title: "About Privacy Guides" +--- + +**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. + +[:material-hand-coin-outline: Support the project](donate.md ""){.md-button.md-button--primary} + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? 
person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub! + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax deductible in the United States. + +## Site License + +*The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):* + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. 
**Non è possibile** utilizzare il marchio Privacy Guides nel proprio progetto senza l'esplicita approvazione da questo progetto. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/about/notices.md b/i18n/it/about/notices.md new file mode 100644 index 00000000..5ad3178b --- /dev/null +++ b/i18n/it/about/notices.md 
@@ -0,0 +1,45 @@ +--- +title: "Avvisi e liberatorie" +hide: + - toc +--- + +## Avviso legale + +Privacy Guides non è uno studio legale. Pertanto, il sito web Privacy Guides e i collaboratori non forniscono consulenza legale. Il materiale e le raccomandazioni nel nostro sito web e nelle guide non costituiscono una consulenza legale, né contribuire al sito web o comunicare con Privacy Guides o altri collaboratori riguardo il nostro sito web crea un rapporto avvocato-cliente. + +La gestione di questo sito, come ogni impresa umana, comporta incertezze e compromessi. Speriamo che questo sito sia d'aiuto, ma può contenere errori e non può affrontare tutte le situazioni. Se avete domande sulla vostra situazione, vi incoraggiamo a fare le vostre ricerche, cercare altri esperti e impegnarvi in discussioni con la comunità di Privacy Guides. Se avete delle domande legali, dovreste consultare il vostro consulente legale prima di procedere. + +Privacy Guides è un progetto open source a cui si contribuisce sotto licenze che includono termini che, per la protezione del sito web e dei suoi collaboratori, chiariscono che il progetto Privacy Guides e il sito web sono offerti "così come sono", senza garanzia, e declinando la responsabilità per danni derivanti dall'uso del sito web o di qualsiasi raccomandazione contenuta al suo interno. Privacy Guides non garantisce né rilascia alcuna dichiarazione riguardante l'accuratezza, i risultati probabili o l'affidabilità dell'uso dei materiali sul sito web o comunque relativi a tali materiali sul sito web o su qualsiasi sito di terzi collegato a questo sito. + +Privacy Guides inoltre non garantisce che questo sito sarà costantemente disponibile, o disponibile affatto. + +## Licenze + +Se non diversamente specificato, tutti i contenuti di questo sito web sono resi liberamente disponibili sotto i termini del [Creative Commons CC0 1.0 Universal](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). 
+ +Questo non include codice di terze parti incorporato in questo repository, o codice dove una licenza sostitutiva è altrimenti indicata. I seguenti sono esempi degni di nota, ma questa lista potrebbe non essere onnicomprensiva: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/mathjax.js) è rilasciato sotto la [Licenza Apache 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/LICENSE.mathjax.txt). + +Porzioni di questo avviso sono state adottate da [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) su GitHub. Tale risorsa e questa stessa pagina sono rilasciate sotto [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE). + +Questo significa che puoi usare il contenuto leggibile dall'uomo in questo repository per il tuo progetto, secondo i termini delineati nel testo CC0 1.0 Universal. **Non è possibile** utilizzare il marchio Privacy Guides nel proprio progetto senza l'esplicita approvazione da questo progetto. I marchi di fabbrica di Privacy Guides includono il marchio denominativo "Privacy Guides" e il logo dello scudo. I marchi registrati di Privacy Guides includono il marchio "Privacy Guides" e il logo dello scudo. + +Riteniamo che i loghi e le altre immagini in `assets` ottenuti da fornitori terzi siano di dominio pubblico o **fair use**. In poche parole, la dottrina legale del [fair use](https://it.wikipedia.org/wiki/Fair_use) permette l'uso di immagini protette da copyright al fine di identificare l'argomento per scopi di commento pubblico. Tuttavia, questi loghi e altre immagini possono ancora essere soggetti alle leggi sui marchi in una o più giurisdizioni. Prima di usare questo contenuto, assicurati che sia usato per identificare l'entità o l'organizzazione che possiede il marchio e che tu abbia il diritto di usarlo secondo le leggi che si applicano nelle circostanze del tuo uso previsto. 
*Durante la copia di contenuti da questo sito Web, l'utente è l'unico responsabile di assicurarsi di non violare il marchio o il copyright di qualcun altro.* + +Quando contribuisci a questo repository lo stai facendo sotto le licenze di cui sopra. + +## Uso accettabile + +L'utente non può utilizzare questo sito web in qualsiasi modo che causi o possa causare danni al sito web o compromettere la disponibilità o l'accessibilità di Privacy Guides, o in qualsiasi modo che sia illegale, illegale, fraudolento, dannoso, o in connessione con qualsiasi scopo o attività illegale, illegale, fraudolento o dannoso. + +L'utente non deve condurre alcuna attività di raccolta dati sistematica o automatizzata su o in relazione a questo sito web senza l'espresso consenso scritto di Aragon Ventures LLC, incluso: + +* Scansioni automatiche eccessive +* Attacchi Denial of Service +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/about/privacy-policy.md b/i18n/it/about/privacy-policy.md new file mode 100644 index 00000000..154f7e19 --- /dev/null +++ b/i18n/it/about/privacy-policy.md 
@@ -0,0 +1,63 @@ +--- +title: "Informativa sulla privacy" +--- + +Privacy Guides è un progetto comunitario gestito da un certo numero di collaboratori volontari attivi. La lista pubblica dei membri del team [può essere trovata su GitHub](https://github.com/orgs/privacyguides/people). + +## Quali dati raccogliamo dai visitatori + +La privacy di chi visita il nostro sito web è importante per noi, quindi non tracciamo nessuna persona individualmente. Come visitatore del nostro sito: + +- Non vengono raccolte informazioni personali +- No information such as cookies are stored in the browser +- Nessuna informazione è condivisa, inviata o venduta a terze parti +- Nessuna informazione viene condivisa con compagnie pubblicitarie +- Nessuna informazione è minata e raccolta per individuare tendenze personali e comportamentali +- Nessuna informazione viene monetizzata + +You can view the data we collect on our [statistics](statistics.md) page. + +Utilizziamo un'installazione da noi gestita di [Plausible Analytics](https://plausible.io) per raccogliere alcuni dati anonimi di utilizzo a fini statistici. L'obbiettivo è quello di tracciare tendenze generali del traffico del nostro sito web, e non di tracciare singoli visitatori. Tutti i dati sono esclusivamente aggregati. Nessun dato personale viene raccolto. + +I dati raccolti includono le fonti di riferimento, le pagine più visistate, la durata della visita, informazioni del dispositivo usato durante la visita (tipo di dispositivo, sistema operativo, nazione e browser) e altro. È possibile sapere di più su come Plausible funziona e raccoglie informazioni rispettando la privacy [qui](https://plausible.io/data-policy). + +## Dati raccolti da titolari di account + +In alcuni siti e servizi che provvediamo, molte funzioni richiedono un account, ad esempio per postare e rispondere in un forum. + +Nella creazioni di molti degli account, richiediamo un nome, un nome utente, una email e una password. 
Nell'eventualità in cui in sito web richieda maggiori informazioni di queste, verrà adeguatamente segnalato e annotato in un'ulteriore dichiarazione della privacy per ogni sito. + +Utilizziamo i dati del tuo account per identificarti sul sito web e per creare pagine specifiche per te, come ad esempio la pagina del tuo profilo. Utilizziamo inoltre i dati dell'acount per pubblicare un tuo profilo pubblico sui nostri servizi. + +Utilizziamo la tua email per: + +- Notificarti riguardo post e altre attività sul sito web o sui servizi. +- Reimpostare la tua password e contribuire alla sicurezza del tuo account. +- Contattarti in circostanze speciali relative al tuo account. +- Contattarti riguardo richieste legali, come richieste di rimozione DMCA. + +In alcuni siti web e servizi, puoi fornire ulteriori informazioni sul tuo account, come una breve biografia, un avatar, la tua posizione, o il tuo compleanno. Le informazioni saranno disponibili a chiunque abbia accesso al sito web o servizio in questione. Queste informazioni non sono necessarie per l'utilizzo di nessuno dei nostri servizi e possono essere rimosse in qualsiasi momento. + +Conserveremo i dati del tuo account finche rimarrà aperto. Dopo la chiusura di un account, potremmo conservare alcuni o tutti i dati del tuo account in forma di backup o archivio, per un massimo 90 giorni. + +## Contattaci + +Il tem di Privacy Guides generalmente non ha accesso ai dati personali al di fuori di accessi limitati garantiti mediante alcuni pannelli di moderazione. Richieste relative i tuoi dati personali devono essere inviate direttamente a: + +```text +Jonah Aragon +Amministratore di servizi +jonah@privacyguides.org +``` + +Per tutte le altre richieste è possibile contattare qualsiasi membro del nostro team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. 
In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## Con chi vengono condivisi i miei dati? + +We will post any new versions of this statement [here](privacy-policy.md). Potremo cambiare il modo in cui annunciamo modifiche in future versioni di questo documento. Nel mentre, possiamo aggiornare le nostre informazioni di contatto in qualsiasi momento senza annunciarlo. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/about/privacytools.md b/i18n/it/about/privacytools.md new file mode 100644 index 00000000..1ef8bb0b --- /dev/null +++ b/i18n/it/about/privacytools.md 
@@ -0,0 +1,120 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Perché abbiamo abbandonato PrivacyTools + +Nel settembre 2021, tutti i collaboratori attivi hanno accettato all'unanimità di passare da PrivacyTools a questo sito: Privacy Guides. La decisione è stata presa perché il fondatore di PrivacyTools e controllore del nome di dominio era scomparso per un lungo periodo di tempo e non poteva essere contattato. + +Avendo costruito un sito e una serie di servizi affidabili su PrivacyTools.io, questo ha causato gravi preoccupazioni per il futuro di PrivacyTools, in quanto qualsiasi futura interruzione avrebbe potuto spazzare via l'intera organizzazione senza alcun metodo di recupero. Questa transizione è stata comunicata alla community di PrivacyTools con molti mesi di anticipo attraverso una serie di canali, tra cui il blog, Twitter, Reddit e Mastodon, per garantire che l'intero processo si svolgesse nel modo più semplice possibile. Lo abbiamo fatto per garantire che nessuno fosse tenuto all'oscuro, come è stato il nostro modus operandi fin dalla creazione del nostro team e per assicurarci che Privacy Guides fosse riconosciuta come la stessa organizzazione affidabile che PrivacyTools era prima della transizione. + +Una volta completata la transizione, il fondatore di PrivacyTools è tornato e ha iniziato a diffondere false informazioni sul progetto Privacy Guides. Continuano a diffondere disinformazione oltre a gestire una link farm a pagamento sul dominio PrivacyTools. Abbiamo creato questa pagina per chiarire eventuali malintesi. + +## Che cos'è PrivacyTools? + +PrivacyTools è stato creato nel 2015 da "BurungHantu", che voleva creare una risorsa d'informazione sulla privacy - strumenti utili dopo le rivelazioni di Snowden. 
Il sito si è trasformato in un fiorente progetto open-source con [molti collaboratori](https://github.com/privacytools/privacytools.io/graphs/contributors), ad alcuni dei quali sono state affidate diverse responsabilità organizzative, come la gestione di servizi online come Matrix e Mastodon, la gestione e la revisione delle modifiche al sito su GitHub, la ricerca di sponsor per il progetto, la scrittura di post sul blog e la gestione di piattaforme di sensibilizzazione sui social media come Twitter, ecc. + +A partire dal 2019, BurungHantu si è allontanato sempre più dallo sviluppo attivo del sito web e delle community e ha iniziato a ritardare i pagamenti di cui era responsabile per i server che gestivamo. Per evitare che il nostro amministratore di sistema pagasse di tasca propria i costi del server, abbiamo cambiato i metodi di donazione elencati sul sito, passando dai conti personali PayPal e crypto di BurungHantu a una nuova pagina OpenCollective su [31 ottobre 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). Questo ha avuto l'ulteriore vantaggio di rendere le nostre finanze completamente trasparenti, un valore in cui crediamo fermamente, e deducibili dalle tasse negli Stati Uniti, in quanto detenute dalla Open Collective Foundation 501(c)3. Questa modifica è stata approvata all'unanimità dal team e non è stata contestata. + +## Why We Moved On + +Nel 2020, l'assenza di BurungHantu è diventata molto più evidente. A un certo punto, abbiamo richiesto che i nameservers del dominio fossero modificati in nameservers controllati dal nostro amministratore di sistema per evitare interruzioni future, e questa modifica non è stata completata per oltre un mese dopo la richiesta iniziale. 
Scompariva dalla chat pubblica e dalle chat private del team su Matrix per mesi e mesi, facendo di tanto in tanto capolino per dare qualche piccolo feedback o promettere di essere più attivo prima di scomparire di nuovo. + +Nell'ottobre 2020, l'amministratore di sistema di PrivacyTools (Jonah) [ha lasciato](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) il progetto a causa di queste difficoltà, passando il controllo a un altro collaboratore di lunga data. Jonah ha gestito quasi tutti i servizi di PrivacyTools e ha agito come responsabile del progetto *de facto* per lo sviluppo del sito web in assenza di BurungHantu, pertanto la sua partenza ha rappresentato un cambiamento significativo per l'organizzazione. All'epoca, a causa di questi significativi cambiamenti organizzativi, BurungHantu promise al team rimanente che sarebbe tornato per assumere il controllo del progetto in futuro. ==Il team PrivacyTools ha contattato tramite diversi metodi di comunicazione nei mesi successivi, ma non ha ricevuto alcuna risposta.== + +## Domain Name Reliance + +All'inizio del 2021, il team di PrivacyTools si è preoccupato per il futuro del progetto, poiché il nome di dominio era destinato a scadere il 1° marzo 2021. Il dominio è stato infine rinnovato da BurungHantu senza alcun commento. + +Le preoccupazioni del team non sono state affrontate e ci siamo resi conto che questo sarebbe stato un problema ogni anno: con un dominio scaduto si rischiava che squatter o spammer rubassero il dominio, rovinando così la reputazione dell'organizzazione. Avremmo anche avuto delle difficoltà a raggiungere la community per informarli di ciò che è accaduto. + +Senza essere in contatto con BurungHantu, abbiamo deciso che la migliore linea d'azione sarebbe stata quella di passare a un nuovo nome di dominio mentre avevamo ancora il controllo garantito sul vecchio nome di dominio, prima di marzo 2022. 
In questo modo, avremmo potuto reindirizzare in modo pulito tutte le risorse PrivacyTools al nuovo sito senza alcuna interruzione del servizio. Questa decisione è stata presa con molti mesi di anticipo e comunicata a tutto il team nella speranza che BurungHantu si facesse sentire e assicurasse il suo sostegno continuo al progetto, perché con un brand riconoscibile e grandi community online, allontanarsi da "PrivacyTools" era il risultato meno desiderabile possibile. + +A metà del 2021 il team di PrivacyTools ha contattato Jonah, che ha accettato di rientrare nel team per dare una mano nella transizione. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. 
+ +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. 
+- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. 
BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so.
+
+BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim.
+
+## PrivacyTools.io Now
+
+As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs.
+
+==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder.
+
+## r/privacytoolsIO Now
+
+After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021:
+
+> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you.
+>
+> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...]
+
+Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides.
+
+In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules:
+
+> Retaliation from any moderator with regards to removal requests is disallowed.
+
+For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is.
+
+## OpenCollective Now
+
+Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community.
+
+Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer:
+
+> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net.
+
+## Letture consigliate
+
+This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion.
+
+- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/)
+- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/)
+- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/)
+- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides)
+- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280)
+- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/)
+- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/)
+- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496)
+- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20)
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/about/services.md b/i18n/it/about/services.md
new file mode 100644
index 00000000..ae974e5d
--- /dev/null
+++ b/i18n/it/about/services.md @@ -0,0 +1,40 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) + +--8<-- "includes/abbreviations.it.txt" 
diff --git a/i18n/it/about/statistics.md b/i18n/it/about/statistics.md new file mode 100644 index 00000000..47b483b9 --- /dev/null +++ b/i18n/it/about/statistics.md @@ -0,0 +1,63 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/advanced/communication-network-types.md b/i18n/it/advanced/communication-network-types.md new file mode 100644 index 00000000..4fcd5dfe --- /dev/null +++ b/i18n/it/advanced/communication-network-types.md 
@@ -0,0 +1,104 @@ +--- +title: "Tipi di reti di comunicazione" +icon: 'material/transit-connection-variant' +--- + +Esistono diverse architetture di rete comunemente usate per trasmettere messaggi tra le persone. Queste reti possono fornire garanzie di privacy diverse, motivo per cui vale la pena considerare il [modello di minaccia](../basics/threat-modeling.md) quando si decide quale app utilizzare. + +[Messaggistica istantanea consigliata](../real-time-communication.md ""){.md-button} + +## Reti centralizzate + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +I servizi di messaggistica centralizzati sono quelli in cui tutti i partecipanti si trovano sullo stesso server o rete di server controllati dalla stessa organizzazione. + +Alcuni servizi di messaggistica self-hosted consentono di configurare il proprio server. Il self-hosting può fornire ulteriori garanzie di privacy, come l'assenza di log o l'accesso limitato ai metadati (dati su chi parla con chi). I servizi centralizzati self-hosted sono isolati e tutti devono essere sullo stesso server per comunicare. + +**Vantaggi:** + +- Le nuove funzionalità e le modifiche possono essere implementate più rapidamente. +- È più facile iniziare e trovare contatti. +- Gli ecosistemi con le caratteristiche più mature e stabili sono più facili da programmare in un software centralizzato. +- I problemi di privacy possono essere ridotti quando ci si affida a un server in self-hosting. + +**Svantaggi:** + +- Possono includere [controllo o accesso limitato](https://drewdevault.com/2018/08/08/Signal.html). Questo può includere cose come: +- Il [divieto di connettere client di terze parti](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) alla rete centralizzata che potrebbero fornire una migliore personalizzazione o esperienza. Spesso definito nei Termini e condizioni d'uso. +- Documentazione scarsa o assente per gli sviluppatori di terze parti. 
+- La [proprietà](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), la politica sulla privacy e le operazioni del servizio possono cambiare facilmente quando un'unica entità lo controlla, compromettendo potenzialmente il servizio in un secondo momento. +- Il self-hosting richiede impegno e conoscenza di come impostare un servizio. + +## Reti federate + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Vantaggi:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Svantaggi:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). 
+- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Reti peer-to-peer + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Vantaggi:** + +- Minimal information is exposed to third-parties. 
+- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Svantaggi:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Instradamento anonimo + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. 
Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Vantaggi:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Svantaggi:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/advanced/dns-overview.md b/i18n/it/advanced/dns-overview.md new file mode 100644 index 00000000..459a048e --- /dev/null +++ b/i18n/it/advanced/dns-overview.md 
@@ -0,0 +1,307 @@ +--- +title: "Panoramica DNS" +icon: material/dns +--- + +Il [Domain Name System](https://it.wikipedia.org/wiki/Domain_Name_System) è 'l'elenco telefonico di Internet'. Il DNS traduce i nomi di dominio in indirizzi IP, in modo che i browser e altri servizi possano caricare le risorse internet mediante un network decentralizzato di server. + +## Che cos'è il DNS? + +Quando visiti un sito, viene restituito un indirizzo numerico. Per esempio, quando visiti `privacyguides.org`,viene restituito l'indirizzo `192.98.54.105`. + +Il DNS esiste dai [primi giorni](https://en.wikipedia.org/wiki/Domain_Name_System#History) di Internet. Le richieste DNS fatte da e verso i server DNS **non sono** crittografate generalmente. In un ambiente residenziale, un cliente riceve i server dall'ISP mediante [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Le richieste DNS non crittografate possono essere facilmente **sorvegliate** e **modificate** in transito. In alcune parti del mondo, agli ISP viene ordinato di eseguire un [filtraggio primitivo del DNS](https://en.wikipedia.org/wiki/DNS_blocking). Quando viene effettuata una richiesta dell'indirizzo IP di un dominio bloccato, il server potrebbe non rispondere o fornire un indirizzo IP differente. Dato che il protocollo DNS non è crittografato, l'ISP (o qualsiasi operatore di rete) può utilizzare la [DPI](https://it.wikipedia.org/wiki/Deep_packet_inspection) per monitorare le richieste. Gli ISP possono inoltre bloccare richieste aventi caratteristiche comuni, indipendentemente dal server DNS utilizzato. DNS non crittografato utilizza sempre la [porta](https://it.wikipedia.org/wiki/Porta_(reti)) 53 e l'UDP. + +Di seguito, discutiamo e foniamo un tutorial per dimostrare cosa un osservatore esterno potrebbe vedere in entrambi i casi di [DNS crittografato](#what-is-encrypted-dns) e non. + +### DNS non crittografato + +1. 
Utilizzando [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (parte del progetto [Wireshark](https://it.wikipedia.org/wiki/Wireshark)) possiamo monitorare e registrare il flusso di pacchetti Internet. Il comando registra pacchetti che soddisfano le regole specificate: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. Possiamo poi utilizzare il comando [`dig`](https://it.wikipedia.org/wiki/Domain_Information_Groper) (Linux, MacOS ecc.) o [`nslookup`](https://it.wikipedia.org/wiki/Nslookup) (Windows) per inviare la ricerca DNS ad entrambi i server. Software come i browser web effettuano queste ricerche automaticamente, a meno che non venga specificato di utilizzare DNS crittografato. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Successivamente vogliamo [analizzare](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) i risultati: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +Se esegui il comando Wireshark sopra citato, il pannello superiora mostra i "[frame](https://en.wikipedia.org/wiki/Ethernet_frame)", mentre quello inferiore mostra tutti i dati riguardanti il "frame" selezionato. Soluzioni di filtraggio e monitoraggio aziendali (come quelle acquistate dalle amministrazioni pubbliche) possono eseguire il processo automaticamente, senza interazione umana, e aggregare i "frame" per produrre dati statistici utili all'osservatore della rete. + +| No. 
| Tempo | Fonte | Destinazione | Protocollo | Lunghezza | Info | +| --- | -------- | --------- | ------------ | ---------- | --------- | --------------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Query standard 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Risposta standard alla query 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Query standard 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Risposta standard alla query 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +Un osservatore potrebbe modificare uno qualsiasi di questi pacchetti. + +## Che cos'è il "DNS crittografato"? + +Il DNS crittografato può riferirsi a uno dei diversi protocolli, i più comuni dei quali sono: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) fu uno dei primi metodi per la crittografia delle query DNS. DNSCrypt opera sulla porta 443 e funziona con entrambi i protocolli di trasporto TCP e UDP. DNSCrypt non è mai stato sottoposto alla [Internet Engineering Task Force (IETF)](https://it.wikipedia.org/wiki/Internet_Engineering_Task_Force), né è passato attraverso il processo di [Request for Comments (RFC, "richiesta di commenti")](https://it.wikipedia.org/wiki/Request_for_Comments); non è mai stato quindi ampiamente utilizzato al di fuori di alcune [implementazioni](https://dnscrypt.info/implementations). DI conseguenza, è stato largamente rimpiazzato dal più popolare [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) è un altro metodo per criptare le comunicazioni DNS, definito in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). 
Il supporto è stato implementato per la prima volta in Android 9, iOS 14 e su Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) nella versione 237. Negli ultimi anni la preferenza del settore si è spostata da DoT a DoH, in quanto DoT è [protocollo complesso](https://dnscrypt.info/faq/) e presenta una conformità variabile all'RFC tra le implementazioni esistenti. DoT opera anche su una porta dedicata 853 che può essere facilmente bloccata da firewall restrittivi. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://it.wikipedia.org/wiki/DNS_over_HTTPS) come definito in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) pacchettizza le query nel protocollo [HTTP/2](https://it.wikipedia.org/wiki/HTTP/2) e fornisce sicurezza con HTTPS. Il supporto è stato aggiunto per la prima volta in browser web come Firefox 60 e Chrome 83. + +L'implementazione nativa di DoH è presente in iOS 14, macOS 11, Microsoft Windows e Android 13 (tuttavia, non sarà abilitata [per impostazione predefinita](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). Il supporto generale per i desktop Linux è in attesa dell'implementazione di systemd [](https://github.com/systemd/systemd/issues/8639) quindi [l'installazione di software di terze parti è ancora necessaria](../dns.md#linux). + +## Cosa può vedere un esterno? + +In questo esempio registreremo ciò che accade quando facciamo una richiesta al DoH: + +1. Per prima cosa, avviare `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. In secondo luogo, fare una richiesta con `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. Dopo aver effettuato la richiesta, possiamo interrompere la cattura dei pacchetti con CTRL + C. + +4. 
Analizzare i risultati con Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +Possiamo vedere l'[instaurazione della connessione](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) e l'[handshake TLS](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) che si verifica con qualsiasi connessione crittografata. Osservando i pacchetti "application data" che seguono, nessuno di essi contiene il dominio richiesto o l'indirizzo IP restituito. + +## Perché **non dovrei** utilizzare un DNS criptato? + +Nei luoghi in cui vige il filtraggio (o la censura) di Internet, la visita a risorse proibite può avere conseguenze che vanno considerate nel [modello di minaccia](../basics/threat-modeling.md). Noi **non** suggeriamo l'uso di DNS criptati per questo scopo. Utilizza [Tor](https://torproject.org) o una [VPN](../vpn.md). Se utilizzi una VPN, usufruisci dei server DNS della VPN. Quando si utilizza una VPN, ci si affida già a loro per tutte le attività di rete. + +Quando si effettua una ricerca DNS, in genere è perché si vuole accedere a una risorsa. Di seguito verranno illustrati alcuni dei metodi che possono rivelare le attività di navigazione dell'utente anche quando si utilizza un DNS crittografato: + +### Indirizzo IP + +Il modo più semplice per determinare l'attività di navigazione potrebbe essere quello di esaminare gli indirizzi IP a cui accedono i dispositivi. Ad esempio, se l'osservatore sa che `privacyguides.org` si trova all'indirizzo `198.98.54.105`, e il tuodispositivo sta richiedendo dati da `198.98.54.105`, è molto probabile che tu stia visitando Privacy Guides. + +Questo metodo è utile solo quando l'indirizzo IP appartiene a un server che ospita solo pochi siti web. Inoltre, non è molto utile se il sito è ospitato su una piattaforma condivisa (ad esempio, Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, ecc). 
Inoltre, non è molto utile se il server è ospitato dietro un reverse proxy [](https://it.wikipedia.org/wiki/Reverse_proxy), molto comune nella moderna Internet. + +### Indicazione del nome del server (Server Name Indication, SNI) + +L'indicazione del nome del server è tipicamente utilizzata quando un indirizzo IP ospita molti siti web. Potrebbe trattarsi di un servizio come Cloudflare o di un'altra protezione [attacco denial-of-service](https://it.wikipedia.org/wiki/Denial_of_service). + +1. Avviare nuovamente la cattura con `tshark`. Abbiamo aggiunto un filtro con il nostro indirizzo IP in modo da non catturare molti pacchetti: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Poi visitiamo [https://privacyguides.org](https://privacyguides.org). + +3. Dopo aver visitato il sito web, vogliamo interrompere la cattura dei pacchetti con CTRL + C. + +4. Poi vogliamo analizzare i risultati: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + Vedremo la creazione della connessione, seguita dall'handshake TLS per il sito web di Privacy Guides. Intorno al frame 5. vedrai "Client Hello". + +5. Espandi il triangolo ▸ accanto a ciascun campo: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. Possiamo vedere il valore SNI che rivela il sito web che stiamo visitando. Il comando `tshark` può fornire direttamente il valore per tutti i pacchetti contenenti un valore SNI: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +Ciò significa che anche se si utilizzano server "DNS criptati", il dominio sarà probabilmente divulgato tramite SNI. 
Il protocollo [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) porta con sé [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), che impedisce questo tipo di fuga d'informazioni. + +I governi, in particolare [Cina](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) e [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), hanno[già iniziato a bloccarlo](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) o hanno espresso il desiderio di farlo. Recentemente, la Russia ha [iniziato a bloccare i siti web](https://github.com/net4people/bbs/issues/108) stranieri che utilizzano lo standard [HTTP/3](https://it.wikipedia.org/wiki/HTTP/3). Questo perché il protocollo [QUIC](https://it.wikipedia.org/wiki/QUIC) che fa parte di HTTP/3 richiede che anche `ClientHello` sia criptato. + +### Online Certificate Status Protocol (OCSP) + +Un altro modo in cui il browser può rivelare le attività di navigazione è il protocollo [Online Certificate Status Protocol](https://it.wikipedia.org/wiki/Online_Certificate_Status_Protocol). Quando si visita un sito web HTTPS, il browser potrebbe verificare se il [certificato](https://it.wikipedia.org/wiki/Certificato_digitale) del sito web è stato revocato. Questo avviene generalmente tramite il protocollo HTTP, il che significa che è **non** crittografato. + +La richiesta OCSP contiene il certificato "[numero seriale](https://it.wikipedia.org/wiki/Certificato_digitale#Struttura_dei_Certificati)", che è unico. Viene inviato al "responder OCSP" per verificarne lo stato. + +Possiamo simulare quello che farebbe un browser usando il comando [`openssl`](https://it.wikipedia.org/wiki/OpenSSL). + +1. 
Ottenere il certificato del server e utilizzare [`sed`](https://it.wikipedia.org/wiki/Sed_(Unix)) per conservare solo la parte importante e scriverla in un file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Ottenere il certificato intermedio. [Autorità di certificazione (CA)](https://it.wikipedia.org/wiki/Certificate_authority) di solito non firmano direttamente un certificato, ma utilizzano un cosiddetto certificato "intermedio". + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. Il primo certificato in `pg_and_intermediate.cert` è in realtà il certificato del server dal passo 1. Possiamo usare di nuovo `sed` per cancellare fino alla prima istanza di END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Ottenere il responder OCSP per il certificato del server: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Il nostro certificato mostra il risponditore del certificato Lets Encrypt. Se si desidera visualizzare tutti i dettagli del certificato, è possibile utilizzare: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Avviare l'acquisizione dei pacchetti: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Effettuare la richiesta OCSP: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Aprire l'acquisizione: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + Il protocollo "OCSP" prevede due pacchetti: una "Richiesta" e una "Risposta". 
Per la "Richiesta" possiamo vedere il "numero seriale" espandendo il triangolo ▸ accanto a ciascun campo: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + Per la "Risposta" possiamo vedere anche il "numero seriale": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Oppure utilizzare `tshark` per filtrare i pacchetti per il numero seriale: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +Se l'osservatore della rete dispone del certificato pubblico, che è pubblicamente disponibile, può abbinare il numero seriale a quel certificato e quindi determinare il sito che stai visitando. Il processo può essere automatizzato e può associare gli indirizzi IP ai numeri seriali. È anche possibile controllare i log di [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) per il numero seriale. + +## Dovrei utilizzare un DNS criptato? + +Abbiamo creato questo diagramma di flusso per descrivere quando *dovresti* utilizzare il DNS criptato: + +``` mermaid +graph TB + Inizio[Inizio] --> anonymous{Cerchi di
essere anonimo?} + anonymous--> | Sì | tor(Usa Tor) + anonymous --> | No | censorship{Evitare
la censura?} + censorship --> | Sì | vpnOrTor(Usa
VPN o Tor) + censorship --> | No | privacy{Vuoi privacy
dall'ISP?}
+ privacy --> | Sì | vpnOrTor
+ privacy --> | No | obnoxious{ISP fa
reindirizzamenti
odiosi?}
+ obnoxious --> | Sì | encryptedDNS(Usa
DNS criptato
di terze parti)
+ obnoxious --> | No | ispDNS{L'ISP supporta
DNS criptato?}
+ ispDNS --> | Sì | useISP(Usa
DNS criptato
con l'ISP)
+ ispDNS --> | No | nothing(Non fare nulla)
+```
+
+Il DNS criptato con una terza parte dovrebbe essere usato solo per aggirare i reindirizzamenti e il [blocco DNS](https://en.wikipedia.org/wiki/DNS_blocking) basilare quando puoi essere sicuro che non ci saranno conseguenze o sei interessato a un provider che faccia qualche filtro rudimentale.
+
+[Elenco dei server DNS consigliati](../dns.md ""){.md-button}
+
+## Che cosa sono le DNSSEC?
+
+Le [Domain Name System Security Extensions](https://it.wikipedia.org/wiki/DNSSEC) (DNSSEC) sono una funzione del DNS che autentica le risposte alle ricerche di nomi di dominio. Non forniscono una protezione della privacy per tali ricerche, ma piuttosto impedisce agli aggressori di manipolare o avvelenare le risposte alle richieste DNS.
+
+In altre parole, le DNSSEC firmano digitalmente i dati per garantirne la validità. Per garantire una ricerca sicura, la firma avviene a ogni livello del processo di ricerca DNS. Di conseguenza, tutte le risposte del DNS sono affidabili.
+
+Il processo di firma delle DNSSEC è simile a quello di una persona che firma un documento legale con una penna; quella persona firma con una firma unica che nessun altro può creare e un esperto del tribunale può esaminare quella firma e verificare che il documento è stato firmato da quella persona. Queste firme digitali garantiscono che i dati non siano stati manomessi.
+
+Le DNSSEC implementano una politica di firma digitale gerarchica su tutti i livelli del DNS. Ad esempio, nel caso di una ricerca su `privacyguides.org`, un server DNS root firmerà una chiave per il server dei nomi `.org` e il server dei nomi `.org` firmerà una chiave per il server dei nomi autoritativo `privacyguides.org`.
+
+Adattato da [DNS Security Extensions (DNSSEC) overview (Panoramica delle DNS Security Extensions (DNSSEC))](https://cloud.google.com/dns/docs/dnssec) di Google e [DNSSEC: An Introduction (DNSSEC: una introduzione)](https://blog.cloudflare.com/dnssec-an-introduction/) di Cloudflare, entrambi con licenza [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/).
+
+## Che cos'è la minimizzazione del QNAME?
+
+Un QNAME è un "nome qualificato", ad esempio `privacyguides.org`. La minimizzazione del QNAME riduce la quantità di informazioni inviate dal server DNS al [server dei nomi autoritativi](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server).
+
+Invece di inviare l'intero dominio `privacyguides.org`, la minimizzazione del QNAME significa che il server DNS chiederà tutti i record che terminano in `.org`. Ulteriori descrizioni tecniche sono definite in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
+
+## Che cos'è la sottorete client EDNS (EDNS Client Subnet, ECS)?
+
+La [sottorete client EDNS](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) è un metodo che consente a un resolver DNS ricorsivo di specificare una [sottorete](https://it.wikipedia.org/wiki/Sottorete) per l'host o il [client](https://it.wikipedia.org/wiki/Client) che sta effettuando la query DNS.
+
+Ha lo scopo di "velocizzare" la consegna dei dati fornendo al client una risposta che appartiene a un server vicino, come ad esempio una rete di distribuzione di contenuti [](https://it.wikipedia.org/wiki/Content_Delivery_Network), spesso utilizzata per lo streaming video e per servire applicazioni web in JavaScript.
+
+Questa funzione ha un costo in termini di privacy, in quanto comunica al server DNS alcune informazioni sulla posizione del client.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/advanced/tor-overview.md b/i18n/it/advanced/tor-overview.md
new file mode 100644
index 00000000..3fe43565
--- /dev/null
+++ b/i18n/it/advanced/tor-overview.md
@@ -0,0 +1,81 @@
+---
+title: "Panoramica Tor"
+icon: 'simple/torproject'
+---
+
+Tor è una rete decentralizzata e gratuita progettata per utilizzare Internet con la massima privacy possibile. Se utilizzata correttamente, la rete consente di navigare e comunicare in modo privato e anonimo.
+
+## Costruzione del percorso
+
+Tor funziona instradando il traffico attraverso una rete composta da migliaia di server gestiti da volontari e chiamati nodi (o relay).
+
+Ogni volta che ci si connette a Tor, questo sceglie tre nodi per costruire un percorso verso Internet: questo percorso è chiamato "circuito". Ciascuno di questi nodi ha una propria funzione:
+
+### Il nodo di ingresso
+
+Il nodo di ingresso, spesso chiamato nodo di guardia, è il primo nodo a cui si connette il client Tor. Il nodo di ingresso è in grado di vedere il tuo indirizzo IP, ma non è in grado di vedere a cosa ti stai connettendo.
+
+A differenza degli altri nodi, il client Tor seleziona casualmente un nodo di ingresso e vi rimane per due o tre mesi per proteggerti da alcuni attacchi.[^1]
+
+### Il nodo centrale
+
+Il nodo centrale è il secondo nodo a cui si connette il client Tor. Può vedere da quale nodo proviene il traffico, il nodo di ingresso, e a quale nodo va successivamente. Il nodo centrale non può vedere il tuo indirizzo IP o il dominio a cui ti stai connettendo.
+
+Per ogni nuovo circuito, il nodo centrale viene selezionato a caso tra tutti i nodi Tor disponibili.
+
+### Il nodo di uscita
+
+Il nodo di uscita è il punto in cui il traffico web lascia la rete Tor e viene inoltrato alla destinazione desiderata. Il nodo di uscita non è in grado di vedere l'indirizzo IP, ma sa a quale sito ti stai collegando.
+
+Il nodo di uscita sarà scelto a caso tra tutti i nodi Tor disponibili con un flag di uscita.[^2]
+
+
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+
Percorso del circuito Tor
+
+
+## Encryption
+
+Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order.
+
+Once Tor has built a circuit, data transmission is done as follows:
+
+1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node.
+
+2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node.
+
+3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address.
+
+Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back.
+
+
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light)
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark)
+
Sending and receiving data through the Tor Network
+
+
+Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address.
+
+## Caveats
+
+Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect:
+
+- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity.
+- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible.
+
+If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting.
+
+- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser)
+
+## Risorse aggiuntive
+
+- [Manuale d'uso del Tor browser](https://tb-manual.torproject.org)
+- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube)
+- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube)
+
+--8<-- "includes/abbreviations.it.txt"
+
+[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack.
The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/it/android.md b/i18n/it/android.md
new file mode 100644
index 00000000..96d3b9c8
--- /dev/null
+++ b/i18n/it/android.md
@@ -0,0 +1,362 @@
+---
+title: "Android"
+icon: 'fontawesome/brands/android'
+---
+
+![Logo di Android](assets/img/android/android.svg){ align=right }
+
+**Android Open Source Project** è un sistema operativo mobile open-source sviluppato da Google che viene utilizzato nella maggior parte dei dispositivi mobile del mondo. La maggior parte dei telefoni venduti con Android sono modificati per includere integrazioni e applicazioni invasive come Google Play Services, quindi è possibile migliorare significativamente la privacy sul proprio dispositivo mobile sostituendo l'installazione predefinita del telefono con una versione di Android priva di queste caratteristiche invasive.
+
+[:octicons-home-16:](https://source.android.com/){ .card-link title="Pagina princiapale" }
+[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentazione}
+[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Codice sorgente" }
+
+Questi sono i sistemi operativi, i dispositivi e le applicazioni Android che consigliamo per massimizzare la sicurezza e la privacy del proprio dispositivo mobile. Maggiori informazioni su Android:
+
+- [Panoramica generale di Android :material-arrow-right-drop-circle:](os/android-overview.md)
+- [Perché consigliamo GrapheneOS rispetto a CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+
+## Derivati di AOSP
+
+Consigliamo di installare sul dispositivo uno dei seguenti sistemi operativi basati su Android, elencati in ordine di preferenza, a seconda della compatibilità del proprio dispositivo con questi sistemi operativi.
+
+!!! note
+
+ I dispositivi a fine vita (come i dispositivi a "supporto esteso" di GrapheneOS o CalyxOS) non hanno patch di sicurezza complete (aggiornamenti del firmware) a causa dell'interruzione del supporto da parte dell'OEM.
Questi dispositivi non possono essere considerati completamente sicuri, indipendentemente dal software installato.
+
+### GrapheneOS
+
+!!! recommendation
+
+ ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right }
+ ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right }
+
+ **GrapheneOS** è la scelta migliore quando si tratta di privacy e sicurezza.
+
+ GrapheneOS offre miglioramenti aggiuntivi in termini di [hardening della sicurezza] (https://it.wikipedia.org/wiki/Hardening) e di privacy. Dispone di un [allocatore di memoria rafforzato](https://github.com/GrapheneOS/hardened_malloc), di autorizzazioni per la rete e per i sensori, di varie altre [caratteristiche di sicurezza](https://grapheneos.org/features). GrapheneOS viene inoltre fornito con aggiornamenti completi del firmware e build firmate, quindi il verified boot è pienamente supportato.
+
+ [:octicons-home-16: Pagina principale](https://signal.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://grapheneos.org/donate/){ .card-link title=Contribuisci }
+
+GrapheneOS supporta [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), che esegue [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) totalmente confinato in una sandbox come qualsiasi altra app normale.
Ciò significa che è possibile sfruttare la maggior parte dei servizi di Google Play, come le [notifiche push](https://firebase.google.com/docs/cloud-messaging/), pur avendo il pieno controllo delle autorizzazioni e dell'accesso, mentre sono contenuti in un [profilo di lavoro](os/android-overview.md#work-profile) specifico o in un [profilo utente](os/android-overview.md#user-profiles) di propria scelta.
+
+I telefoni Google Pixel sono gli unici dispositivi che attualmente soddisfano i [requisiti di sicurezza hardware](https://grapheneos.org/faq#device-support) di GrapheneOS.
+
+### DivestOS
+
+!!! recommendation
+
+ ![DivestOS logo](assets/img/android/divestos.svg){ align=right }
+
+ **DivestOS** è una soft-fork di [LineageOS](https://lineageos.org/).
+ DivestOS eredita molti [dispositivi supportati] (https://divestos.org/index.php?page=devices&base=LineageOS) da LineageOS. Fornisce build firmate, che consentono di avere [verified boot](https://source.android.com/security/verifiedboot) su alcuni dispositivi non-Pixel.
+
+ [:octicons-home-16: Pagnia principale](https://divestos.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title=Onion }
+ [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribuisci }
+
+DivestOS offre [patch](https://gitlab.com/divested-mobile/cve_checker) automatizzate per vulnerabilità del kernel ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)), meno blob proprietari e un file [hosts](https://divested.dev/index.php?page=dnsbl) modificato.
Il suo WebView rafforzato, [Mulch](https://gitlab.com/divested-mobile/mulch), attiva [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) per tutte le architetture e [il partizionamento dello stato di rete](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), e riceve aggiornamenti fuori programma. DivestOS include anche le patch del kernel di GrapheneOS e abilita tutte le funzionalità di sicurezza del kernel disponibili tramite [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). Tutti i kernel più recenti della versione 3.4 includono una completa [sanificazione](https://lwn.net/Articles/334747/) delle pagine e tutti i ~22 kernel compilati con Clang hanno [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) abilitato.
+
+DivestOS implementa alcune patch di hardening del sistema originariamente sviluppate per GrapheneOS. DivestOS 16.0 e versioni successive imposrta da GrapheneOSl'attivazione delle autorizzazioni [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) e SENSORS, [l'allocatore di memoria rafforzato](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](android/grapheneos-vs-calyxos.md#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), e patch parziali di rafforzamento di [bionic](https://en.wikipedia.org/wiki/Bionic_(software)). Le versioni 17.1 e successive importano da GrapheneOS l'opzione di [randomizzazione MAC](https://en.wikipedia.org/wiki/MAC_address#Randomization) completa per-rete, il controllo [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) e [opzioni di timeout](https://grapheneos.org/features) per riavvio automatico/Wi-Fi/Bluetooth.
+
+DivestOS utilizza F-Droid come distributore di applicazioni predefinito.
Normalmente, consigliamo di evitare F-Droid a causa dei suoi numerosi [problemi di sicurezza](#f-droid). Tuttavia, farlo su DivestOS non è fattibile; gli sviluppatori aggiornano le loro applicazioni tramite i propri repository F-Droid ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) e [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). Si consiglia di disabilitare l'applicazione ufficiale di F-Droid e di utilizzare [Neo Store](https://github.com/NeoApplications/Neo-Store/) con i repository DivestOS abilitati per mantenere aggiornati questi componenti. Segui gli altri metodi raccomandati per installare altre applicazioni.
+
+!!! warning "Avviso"
+
+ Lo [stato](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) degli aggiornamenti del firmware di DivestOS e il controllo di qualità variano a seconda dei dispositivi supportati. Consigliamo ancora GrapheneOS a seconda della compatibilità del dispositivo. Per altri dispositivi, DivestOS è una buona alternativa.
+
+ Non tutti i dispositivi supportati hanno il verified boot e alcuni lo eseguono meglio di altri.
+
+## Dispositivi Android
+
+Quando acquisti un dispositivo, si consiglia di prenderne uno il più recente possibile. Il software e il firmware dei dispositivi mobili sono supportati solo per un periodo di tempo limitato, quindi l'acquisto di un prodotto recente ne prolunga il più possibile la durata.
+
+Evita di acquistare telefoni dagli operatori di rete mobile. Spesso hanno il **bootloader bloccato** e non supportano [lo sblocco OEM](https://source.android.com/devices/bootloader/locking_unlocking). Queste varianti impediscono d'installare qualsiasi tipo di distribuzione Android alternativa sul dispositivo.
+
+Fai molta **attenzione** all'acquisto di telefoni di seconda mano dai mercati online.
Controlla sempre la reputazione del venditore. Se il dispositivo è rubato, c'è la possibilità che [l'IMEI venga bloccato](https://www.gsma.com/security/resources/imei-blacklisting/). Il rischio è anche quello di essere associati all'attività del precedente proprietario.
+
+Altri suggerimenti sui dispositivi Android e sulla compatibilità del sistema operativo:
+
+- Non acquistare dispositivi che hanno raggiunto o sono prossimi alla fine del loro ciclo di vita, ulteriori aggiornamenti del firmware devono essere forniti dal produttore.
+- Non acquistare telefoni con preinstallato LineageOS o /e/ OS o qualsiasi telefono Android senza il supporto a [Verified Boot](https://source.android.com/security/verifiedboot) e agli aggiornamenti firmware. Inoltre, questi dispositivi non ti consentono di verificare se sono stati manomessi.
+- In breve, se un dispositivo o una distribuzione Android non sono elencati qui, probabilmente c'è una buona ragione. Visita il nostro [forum](https://discuss.privacyguides.org/) per ulteriori dettagli!
+
+### Google Pixel
+
+I telefoni Google Pixel sono gli **unici** dispositivi che consigliamo di acquistare. I telefoni Pixel hanno una sicurezza hardware migliore di qualsiasi altro dispositivo Android attualmente sul mercato, grazie ad un supporto AVB adeguato per i sistemi operativi di terze parti e ai chip di sicurezza [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) personalizzati di Google che fungono da Secure Element.
+
+!!! recommendation
+
+ ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right }
+
+ I dispositivi **Google Pixel** sono noti per avere una buona sicurezza e per supportare correttamente il [Verified Boot](https://source. ndroid.com/security/verifiedboot), anche quando si installano sistemi operativi personalizzati.
+
+ A partire dal **Pixel 6** e dal **6 Pro**, i dispositivi Pixel ricevono un minimo di 5 anni di aggiornamenti di sicurezza garantiti, assicurando una durata di vita molto più lunga rispetto ai 2-4 anni offerti in genere dagli OEM concorrenti.
+
+ [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary }
+
+I Secure Elements come il Titan M2 sono più limitati rispetto al Trusted Execution Environment del processore utilizzato dalla maggior parte degli altri telefoni, in quanto vengono utilizzati solo per la memorizzazione dei segreti, l'attestazione hardware e la limitazione della velocità, non per l'esecuzione di programmi "affidabili". I telefoni privi di un Secure Element devono utilizzare il TEE per *tutte* quelle funzioni, con una conseguente superficie di attacco più ampia.
+
+I telefoni Google Pixel utilizzano un sistema operativo TEE chiamato Trusty che è [open-source](https://source.android.com/security/trusty#whyTrusty), a differenza di molti altri telefoni.
+
+L'installazione di GrapheneOS su un telefono Pixel è facile grazie al [web installer](https://grapheneos.org/install/web). Se non ti senti a tuo agio a farlo da solo e sei disposto a spendere un po' di soldi in più, controlla il [NitroPhone](https://shop.nitrokey.com/shop) su cui viene preinstallato GrapheneOS dalla rispettabile società [Nitrokey](https://www.nitrokey.com/about).
+
+Altri suggerimenti per l'acquisto di un Google Pixel:
+
+- Se vuoi fare un affare con un dispositivo Pixel, ti consigliamo di acquistare un modello "**a**", subito dopo l'uscita del modello seguente. Gli sconti sono solitamente disponibili perché Google cercherà di smaltire le scorte.
+- Considera gli sconti e le offerte speciali offerte nei negozi fisici.
+- Consulta i siti di contrattazione di commercio online del proprio Paese. Questi possono segnalarti le vendite più convenienti.
+- Google pubblica un elenco che mostra il [ciclo di supporto](https://support.google.com/nexus/answer/4457705) per ciascuno dei suoi dispositivi. Il prezzo giornaliero di un dispositivo può essere calcolato come: $\text{Prezzo} \over \text {Data EOL }-\text{ Data attuale}$, il che significa che più lungo è l'uso del dispositivo, minore è il costo giornaliero.
+
+## App Generali
+
+In questo sito raccomandiamo un'ampia gamma di applicazioni per Android. Le applicazioni qui elencate sono esclusive di Android e migliorano o sostituiscono in modo specifico le principali funzionalità del sistema.
+
+### Shelter
+
+!!! recommendation
+
+ ![Shelter logo](assets/img/android/shelter.svg){ align=right }
+
+ **Shelter** è un'app che ti aiuta a sfruttare la funzionalità Profilo di Lavoro di Android per isolare o duplicare le app sul tuo dispositivo.
+
+ Shelter supporta il blocco della ricerca dei contatti tra i profili e la condivisione dei file tra i profili tramite il gestore file predefinito ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)).
+
+ [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribuisci }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter)
+
+!!! warning "Avviso"
+
+ Shelter è consigliato rispetto a [Insular](https://secure-system.gitlab.io/Insular/) e [Island](https://github.com/oasisfeng/island) perché supporta il [blocco della ricerca dei contatti] (https://secure-system.gitlab.io/Insular/faq.html).
+
+ Utilizzando Shelter, l'utente si affida completamente al suo sviluppatore, in quanto Shelter agisce come [amministratore del dispositivo](https://developer.android.com/guide/topics/admin/device-admin) per creare il profilo di lavoro e ha ampio accesso ai dati memorizzati all'interno del profilo di lavoro.
+
+### Auditor
+
+!!! recommendation
+
+ ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right }
+ ![Auditor logo](assets/img/android/auditor-dark. vg#only-dark){ align=right }
+
+ **Auditor** è un'app che sfrutta le funzionalità di sicurezza hardware per fornire il monitoraggio dell'integrità del dispositivo per [dispositivi supportati](https://attestation.app/about#device-support). Attualmente funziona solo con GrapheneOS e con il sistema operativo originale del dispositivo.
+
+ [:octicons-home-16: Pagina principale](https://getaegis.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://attestation.app/source){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribuisci }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+Auditor esegue l'attestazione e il rilevamento delle intrusioni:
+
+- Utilizzando un [modello Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) tra un *revisore* e un *oggetto verificato*, la coppia stabilisce una chiave privata nel [keystore dell'hardware](https://source.android.com/security/keystore/) del *revisore*.
+- Il *revisore* può essere un'altra istanza dell'applicazione Auditor o il [Remote Attestation Service](https://attestation.app).
+- Il *revisore* registra lo stato attuale e la configurazione dell'*oggetto verificato*.
+- In caso di manomissione del sistema operativo dell'*oggetto verificato* dopo il completamento dell'accoppiamento, il revisore sarà a conoscenza della modifica dello stato e delle configurazioni del dispositivo.
+- Verrai avvisato della modifica.
+
+Al servizio di attestazione non vengono inviate informazioni d'identificazione personale. Ti consigliamo di registrarti con un account anonimo e di attivare l'attestazione remota per un monitoraggio continuo.
+
+Se il proprio [modello di minaccia](basics/threat-modeling.md) richiede privacy, potresti considerare l'utilizzo di [Orbot](tor.md#orbot) o di una VPN per nascondere il proprio indirizzo IP al servizio di attestazione. Per assicurarsi che l'hardware e il sistema operativo siano autentici, [esegui l'attestazione locale](https://grapheneos.org/install/web#verifying-installation) subito dopo l'installazione del dispositivo e prima di qualsiasi connessione a Internet.
+
+### Secure Camera
+
+!!! recommendation
+
+ ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right }
+ ![Secure camera logo](assets/img/android/secure_camera-dark. vg#only-dark){ align=right }
+
+ **Secure Camera** è un'app per fotocamera incentrata sulla privacy e sulla sicurezza che può catturare immagini, video e codici QR. Le estensioni del vendor CameraX (Ritratto, HDR, Visione Notturna, Ritocco del Viso e Auto) sono supportate su dispositivi disponibili.
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribuisci }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+Le principali funzionalità di privacy incluse:
+
+- Rimozione automatica dei metadati [Exif](https://it.wikipedia.org/wiki/Exchangeable_image_file_format) (attivata in modo predefinito)
+- Utilizzo della nuova API [Media](https://developer.android.com/training/data-storage/shared/media), pertanto non è richiesta [l'autorizzazione per tutti i file](https://developer.android.com/training/data-storage)
+- L'autorizzazione al microfono non è necessaria, a meno che non si voglia registrare l'audio
+
+!!! note
+
+ Attualmente i metadati non vengono eliminati dai file video, ma la funzione è in sviluppo.
+
+ I metadati sull'orientamento dell'immagine non vengono eliminati. Se attivi la posizione (in Secure Camera), anche questa **non** verrà rimossa. Se vuoi eliminarla in un secondo momento, dovrai usare un'app esterna come [ExifEraser](data-redaction.md#exiferaser).
+
+### Secure PDF Viewer
+
+!!! recommendation
+
+ ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right }
+ ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right }
+
+ **Secure PDF Viewer** è un visualizzatore di PDF basato su [pdf.js](https://it.wikipedia.org/wiki/PDF.js) che non richiede alcuna autorizzazione.
Il PDF viene inserito in una [webview](https://developer.android.com/guide/webapps/webview) [sandboxed](https://it.wikipedia.org/wiki/Sandbox). Ciò significa che non richiede direttamente l'autorizzazione per accedere a contenuti o file.
+
+ [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) viene utilizzato per imporre che le proprietà JavaScript e di stile all'interno della WebView siano interamente di contenuto statico.
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribuisci }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+## Ottenere le applicazioni
+
+### Apps di GrapheneOS
+
+L'app store di GrapheneOS è disponibile su [GitHub](https://github.com/GrapheneOS/Apps/releases). Supporta Android 12 e versioni successive ed è in grado di aggiornarsi da solo. L'app store contiene applicazioni standalone realizzate dal progetto GrapheneOS, come [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera) e [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). Se stai cercando queste applicazioni, ti consigliamo vivamente di scaricarle dal distributore di app di GrapheneOS invece che dal Play Store, in quanto le app presenti nel loro distributore sono firmate dal progetto GrapheneOS con una firma propria a cui Google non ha accesso.
+
+### Aurora Store
+
+Google Play Store richiede un account Google per l'accesso, il che non è un bene per la privacy.
È possibile ovviare a questo problema utilizzando un client alternativo, come Aurora Store.
+
+!!! recommendation
+
+ ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right }
+
+ **Aurora Store** è un client di Google Play Store che non richiede un account Google, Google Play Services o microG per scaricare le app.
+
+ [:octicons-home-16: Pagina principale](https://auroraoss.com/){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Codice sorgente" }.
+
+ ??? downloads
+
+ - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases)
+
+Aurora Store non consente di scaricare applicazioni a pagamento con la funzione di account anonimo. Puoi facoltativamente accedere con il tuo account Google in Aurora Store per scaricare le app che hai acquistato, il che dà accesso a Google all'elenco delle app che hai installato, ma puoi comunque trarre vantaggio dal fatto di non richiedere il client Google Play completo e i servizi Google Play o microG sul tuo dispositivo.
+
+### Manualmente con le notifiche RSS
+
+Per le app pubblicate su piattaforme come GitHub e GitLab, potresti aggiungere un feed RSS al tuo [aggregatore di notizie](/news-aggregators) che ti aiuterà a tenere traccia delle nuove versioni.
+
+![APK da RSS](./assets/img/android/rss-apk-light.png#only-light) ![APK da RSS](./assets/img/android/rss-apk-dark.png#only-dark) ![Modifiche APK](./assets/img/android/rss-changes-light.png#only-light) ![Modifiche APK](./assets/img/android/rss-changes-dark.png#only-dark)
+
+#### GitHub
+
+Su GitHub, usando [Secure Camera](#secure-camera) come esempio, si dovrebbe navigare alla sua [pagina releases](https://github.com/GrapheneOS/Camera/releases) e aggiungere `.atom` all'URL:
+
+`https://github.com/GrapheneOS/Camera/releases.atom`
+
+#### GitLab
+
+Su GitLab, usando [Aurora Store](#aurora-store) come esempio, si dovrebbe navigare al [repository del progetto](https://gitlab.com/AuroraOSS/AuroraStore) e aggiunge `/-/tags?format=atom` all'URL:
+
+`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom`
+
+#### Verifica delle impronte digitali degli APK
+
+Se scarichi i file APK da installare manualmente, è possibile verificarne la firma con lo strumento [`apksigner`](https://developer.android.com/studio/command-line/apksigner), che fa parte dei [build-tools](https://developer.android.com/studio/releases/build-tools) di Android.
+
+1. Installa [Java JDK](https://www.oracle.com/java/technologies/downloads/).
+
+2. Scarica gli [strumenti da riga di comando di Android Studio](https://developer.android.com/studio#command-tools).
+
+3. Estrai l'archivio scaricato:
+
+ ```bash
+ unzip commandlinetools-*.zip
+ cd cmdline-tools
+ ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3"
+ ```
+
+4. Esegui il comando di verifica della firma:
+
+ ```bash
+ ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk
+ ```
+
+5. Gli hash risultanti possono poi essere confrontati con un'altra fonte. Alcuni sviluppatori, come per Signal, [mostrano le impronte digitali](https://signal.org/android/apk/) sul loro sito web.
+
+ ```bash
+ Signer #1 certificate DN: CN=GrapheneOS
+ Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59
+ Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c
+ Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3
+ ```
+
+### F-Droid
+
+![Logo di F-Droid](assets/img/android/f-droid.svg){ align=right width=120px }
+
+==**Non** raccomandiamo attualmente F-Droid come metodo per ottenere applicazioni.== F-Droid è spesso raccomandato come alternativa a Google Play, in particolare nelle comunità della privacy. La possibilità di aggiungere repository di terze parti e di non essere confinati nel giardino recintato di Google ne ha determinato la popolarità. F-Droid ha inoltre [build riproducibili](https://f-droid.org/it/docs/Reproducible_Builds/) per alcune applicazioni ed è dedicato al software libero e open-source. Tuttavia, ci sono [problemi notevoli](https://wonderfall.dev/fdroid-issues/) con il client ufficiale F-Droid, il loro controllo di qualità e il modo in cui costruiscono, firmano e consegnano i pacchetti.
+
+A causa del processo di costruzione delle app, le applicazioni presenti nel repository ufficiale di F-Droid sono spesso in ritardo con gli aggiornamenti. Inoltre i manutentori di F-Droid riutilizzano gli ID dei pacchetti mentre firmano le applicazioni con le proprie chiavi, il che non è l'ideale perché conferisce al team di F-Droid la massima fiducia.
+
+Altri popolari repository di terze parti, come [IzzyOnDroid](https://apt.izzysoft.de/fdroid/), alleviano alcuni di questi problemi. Il repository IzzyOnDroid estrae le build direttamente da GitHub ed è la seconda scelta migliore dopo i repository degli sviluppatori. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository.
Sebbene ciò abbia senso (dato che l'obiettivo di questo particolare repository è ospitare le applicazioni prima che vengano accettate nel repository principale di F-Droid), ti può lasciare con le applicazioni installate senza ricevere più aggiornamenti.
+
+That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. È importante tenere presente che alcune applicazioni presenti in questi repository non sono state aggiornate da anni e possono fare affidamento su librerie non supportate, costituendo un potenziale rischio per la sicurezza. Quando cerchi nuove applicazioni con questo metodo, è bene usare il proprio giudizio.
+
+!!! note
+
+ In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it.
+
+## CryptPad
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit.
downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+### Sistemi operativi
+
+- Deve essere un software open-source.
+- Deve supportare il blocco del bootloader con il supporto della chiave AVB personalizzata.
+- Deve ricevere i principali aggiornamenti Android entro 0-1 mesi dal rilascio.
+- Deve ricevere gli aggiornamenti delle funzionalità Android (versione minore) entro 0-14 giorni dal rilascio.
+- Deve ricevere regolarmente le patch di sicurezza entro 0-5 giorni dal rilascio.
+- **Non** deve essere preconfigurato con il "root".
+- **Non** deve abilitare i Google Play Services per impostazione predefinita.
+- **Non** deve richiedere la modifica del sistema per supportare i Google Play Services.
+
+### Dispositivi
+
+- Deve supportare almeno uno dei sistemi operativi personalizzati consigliati.
+- Deve essere venduto nuovo nei negozi.
+- Deve ricevere un minimo di 5 anni di aggiornamenti di sicurezza.
+- Deve disporre di un hardware dedicato agli elementi sicuri.
+
+### Applicazioni
+
+- Le applicazioni presenti in questa pagina non devono essere applicabili a nessun'altra categoria di software presente sul sito.
+- Le applicazioni generali devono estendere o sostituire le funzionalità di base del sistema.
+- Le applicazioni devono ricevere aggiornamenti e manutenzione regolari.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/assets/img/account-deletion/exposed_passwords.png b/i18n/it/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/it/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/it/assets/img/android/rss-apk-dark.png b/i18n/it/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/it/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/it/assets/img/android/rss-apk-light.png b/i18n/it/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/it/assets/img/android/rss-apk-light.png differ diff --git a/i18n/it/assets/img/android/rss-changes-dark.png b/i18n/it/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/it/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/it/assets/img/android/rss-changes-light.png b/i18n/it/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/it/assets/img/android/rss-changes-light.png differ diff --git a/i18n/it/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/it/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/it/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/it/assets/img/how-tor-works/tor-encryption.svg b/i18n/it/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/it/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/it/assets/img/how-tor-works/tor-path-dark.svg b/i18n/it/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/it/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/it/assets/img/how-tor-works/tor-path.svg b/i18n/it/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/it/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/it/assets/img/multi-factor-authentication/fido.png b/i18n/it/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..07a2c0b1 Binary files /dev/null and b/i18n/it/assets/img/multi-factor-authentication/fido.png differ 
diff --git a/i18n/it/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/it/assets/img/multi-factor-authentication/yubico-otp.png
new file mode 100644
index 00000000..1068ed05
Binary files /dev/null and b/i18n/it/assets/img/multi-factor-authentication/yubico-otp.png differ
diff --git a/i18n/it/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/it/assets/img/qubes/qubes-trust-level-architecture.png
new file mode 100644
index 00000000..cde3771e
Binary files /dev/null and b/i18n/it/assets/img/qubes/qubes-trust-level-architecture.png differ
diff --git a/i18n/it/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/it/assets/img/qubes/r4.0-xfce-three-domains-at-work.png
new file mode 100644
index 00000000..d7138149
Binary files /dev/null and b/i18n/it/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ
diff --git a/i18n/it/basics/account-creation.md b/i18n/it/basics/account-creation.md
new file mode 100644
index 00000000..e5a09f40
--- /dev/null
+++ b/i18n/it/basics/account-creation.md
@@ -0,0 +1,82 @@
+---
+title: "Creazione account"
+icon: 'material/account-plus'
+---
+
+Spesso le persone si iscrivono a servizi senza riflettere. Forse si tratta di un servizio di streaming per guardare la nuova serie di cui tutti parlano, o di un account che ti offre uno sconto per il tuo supermercato preferito. In ogni caso, dovresti considerare le implicazioni per i tuoi dati ora e in futuro.
+
+Ci sono rischi associati ad ogni nuovo servizio che utilizzi. Violazioni dei dati, divulgazione d'informazioni sui clienti a terzi, accesso ai dati da parte di dipendenti furfanti: sono tutte possibilità che devono essere prese in considerazione al momento in cui fornisci le tue informazioni. Devi essere sicuro di poterti fidare del servizio, motivo per cui non consigliamo di archiviare dati preziosi su nulla se non sui prodotti più maturi e testati. Ciò di solito significa servizi che forniscono E2EE e sono stati sottoposti a un ispezione crittografica. Un ispezione aumenta la garanzia che il prodotto sia stato progettato senza problemi di sicurezza evidenti causati da uno sviluppatore inesperto.
+
+Può anche essere difficile eliminare gli account su alcuni servizi. A volte [sovrascrivere i dati](account-deletion.en.md#overwriting-account-information) associati a un account può essere possibile, ma in altri casi il servizio manterrà un'intera cronologia delle modifiche apportate all'account.
+
+## Termini di servizio & Informativa sulla privacy
+
+I ToS sono le regole che accetti di seguire quando utilizzi il servizio. Nei servizi più grandi queste regole sono spesso applicate da sistemi automatici. A volte questi sistemi automatici possono commettere errori. Ad esempio, potresti essere bandito o bloccato dal tuo account di alcuni servizi per l'utilizzo di una VPN o un numero VOIP. Appellare l'espulsione è spesso difficile e comporta anche un processo automatizzato, che non sempre ha successo.
Questo è uno dei motivi per cui non suggeriamo di usare Gmail per la posta elettronica ad esempio. L'email è fondamentale per l'accesso ad altri servizi a cui potresti esserti iscritto.
+
+L'informativa sulla privacy è il modo in cui il servizio dichiara di utilizzare i tuoi dati e vale la pena di leggerla per capire come verranno utilizzati. Un'azienda o un'organizzazione potrebbe non essere legalmente obbligata a seguire tutto ciò che è contenuto nell'informativa (dipende dalla giurisdizione). Ti consigliamo di avere un'idea di quali sono le leggi locali e cosa consentono a un fornitore di raccogliere.
+
+Consigliamo di cercare termini particolari come "raccolta dati", "analisi dei dati", "cookie", "annunci" o servizi "di terze parti". A volte potrai rifiutare la raccolta o la condivisione dei tuoi dati, ma è meglio scegliere un servizio che rispetti la tua privacy fin dall'inizio.
+
+Inoltre, riponi la tua fiducia nell'azienda o nell'organizzazione per rispettare effettivamente la loro informativa sulla privacy.
+
+## Metodi di autenticazione
+
+Di solito ci sono diversi modi per iscriversi ad un account, ognuno con i propri vantaggi e svantaggi.
+
+### Email e password
+
+Il modo più comune per creare un nuovo account è tramite un indirizzo e-mail e una password. Quando si utilizza questo metodo, è necessario utilizzare un gestore di password e seguire le [migliori pratiche](passwords-overview.md) per quanto riguarda le password.
+
+!!! important
+
+ Puoi utilizzare il tuo gestore di password per organizzare anche altri metodi di autenticazione! Basta aggiungere la nuova voce e compilare i campi appropriati, è possibile aggiungere note per cose come domande di sicurezza o una chiave di backup.
+
+Sarai responsabile della gestione delle tue credenziali di accesso. Per una maggiore sicurezza, puoi impostare [MFA](multi-factor-authentication.md) sui tuoi account.
+
+[Gestori di password consigliati](../passwords.md ""){.md-button}
+
+#### Alias email
+
+Se non vuoi fornire il tuo vero indirizzo email ad un servizio, hai la possibilità di utilizzare un alias. Li abbiamo descritti in modo più dettagliato nella nostra pagina di raccomandazione dei servizi di posta elettronica. In sostanza, i servizi alias consentono di generare nuovi indirizzi email che inoltrano tutte le email al tuo indirizzo principale. Questo può aiutare a prevenire il tracciamento tra i vari servizi e a gestire le email di marketing che talvolta accompagnano il processo di iscrizione. Questi possono essere filtrati automaticamente in base all'alias a cui vengono inviati.
+
+Se un servizio viene violato, potresti iniziare a ricevere email di phishing o spam all'indirizzo che hai utilizzato per iscriverti. L'uso di alias unici per ogni servizio può aiutare a identificare esattamente quale servizio è stato violato.
+
+[Servizi di aliasing email consigliati](../email.md#email-aliasing-services ""){.md-button}
+
+### Single sign-on
+
+!!! note
+
+ Stiamo parlando di Single sign-on per uso personale, non per utenti aziendali.
+
+Il single sign-on (SSO) è un metodo di autenticazione che consente di registrarsi a un servizio senza condividere molte informazioni, se non nessuna. Ogni volta che vedi qualcosa sulla falsariga di "Accedi con *nome gestore*" su un modulo di registrazione, è il SSO.
+
+Quando scegli il single sign-on in un sito web, viene mostrata la pagina di accesso del gestore SSO e successivamente l'account viene collegato. La tua password non verrà condivisa, ma alcune informazioni di base lo saranno (puoi rivederle durante la richiesta di accesso). Questo processo è necessario ogni volta che si desidera accedere allo stesso account.
+
+I principali vantaggi sono:
+
+- **Sicurezza**: nessun rischio di essere coinvolti in una [violazione dei dati](https://en.wikipedia.org/wiki/Data_breach) perché il sito non memorizza le tue credenziali.
+- **Facilità d'uso**: gli account multipli sono gestiti da un unico accesso.
+
+Ma ci sono degli svantaggi:
+
+- **Privacy**: un gestore SSO conoscerà i servizi che utilizzi.
+- **Centralizzazione**: se il tuo account SSO viene compromesso o non riesci ad accedervi, tutti gli altri account ad esso collegati sono interessati.
+
+Il SSO può essere particolarmente utile in quelle situazioni in potresti beneficiare di un integrazione più profonda tra i servizi. Ad esempio, uno di questi servizi potrebbe offrire il SSO per gli altri. La nostra raccomandazione è di limitare il SSO solo dove ne hai bisogno e proteggere l'account principale con [MFA](multi-factor-authentication.md).
+
+Tutti i servizi che utilizzano il SSO saranno sicuri come il tuo account SSO. Ad esempio, se desideri proteggere un account con una chiave hardware ma tale servizio non supporta le chiavi hardware, è possibile proteggere l'account SSO con una chiave hardware e ora disporrai essenzialmente di MFA hardware su tutti i tuoi account. Vale la pena notare, tuttavia, che un autenticazione debole sul tuo account SSO significa che qualsiasi account legato a quel accesso sarà a sua volta debole.
+
+### Numero di telefono
+
+Consigliamo di evitare i servizi che richiedono un numero di telefono per l'iscrizione. Un numero di telefono può identificarti su più servizi e, a seconda degli accordi di condivisione dei dati, ciò renderà più facile tenere traccia del tuo utilizzo, in particolare se uno di questi servizi viene violato poiché il numero di telefono è spesso **non** crittografato.
+
+Dovresti evitare di dare il tuo vero numero di telefono se puoi. Alcuni servizi consentono l'uso di numeri VOIP, ma spesso questi attivano i sistemi di rilevamento delle frodi, causando il blocco del account, quindi non li consigliamo per i account importanti.
+
+In molti casi dovrai fornire un numero da cui puoi ricevere SMS o chiamate, in particolare quando fai acquisti a livello internazionale, nel caso in cui ci sia un problema con il tuo ordine ai controlli doganali. È comune che i servizi utilizzino il tuo numero come metodo di verifica; non lasciarti bloccare un account importante perché volevi essere furbo e dare un numero falso!
+
+### Nome utente e password
+
+Alcuni servizi ti consentono di registrarti senza utilizzare un indirizzo email e richiedono solo d'impostare un nome utente e una password. Questi servizi possono fornire un maggiore anonimato se combinati con una VPN o Tor. Tieni presente che per questi account molto probabilmente non ci sarà **nessun modo per recuperare il tuo account** nel caso in cui dimentichi il tuo nome utente o password.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/basics/account-deletion.md b/i18n/it/basics/account-deletion.md
new file mode 100644
index 00000000..a2f85d94
--- /dev/null
+++ b/i18n/it/basics/account-deletion.md
@@ -0,0 +1,63 @@
+---
+title: "Eliminazione account"
+icon: 'material/account-remove'
+---
+
+Con il tempo, può essere facile accumulare una serie di profili online, molti dei quali potrebbero non essere più utilizzati. L'eliminazione di questi account inutilizzati è un passo importante per recuperare la propria privacy, poiché gli account inattivi sono vulnerabili alle violazioni dei dati. Una violazione dei dati (anche detta data breach) avviene quando la sicurezza di un servizio è compromessa e le informazioni protette vengono visualizzate, trasmesse o rubate da soggetti non autorizzati. Le violazioni dei dati sono purtroppo [troppo comuni](https://haveibeenpwned.com/PwnedWebsites) al giorno d'oggi e quindi praticare una buona igiene digitale è il modo migliore per ridurre al minimo l'impatto che hanno sulla propria vita. L'obiettivo di questa guida è quindi quello di aiutarvi a superare il fastidioso processo di cancellazione dell'account, spesso reso difficile da un [design ingannevole](https://www.deceptive.design/), per migliorare la propria presenza online.
+
+## Trovare i vecchi account
+
+### Gestore di password
+
+Se hai un gestore di password che hai usato per tutta la tua vita digitale, questa parte sarà molto semplice. Spesso includono funzionalità integrate per rilevare se le vostre credenziali sono state esposte in una violazione dei dati, come ad esempio [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/) di Bitwarden.
+
+
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+
+Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336).
+
+Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about:
+
+- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
+- macOS [Passwords](https://support.apple.com/en-us/HT211145)
+- iOS [Passwords](https://support.apple.com/en-us/HT211146)
+- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
+
+### Email
+
+If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts.
+
+## Deleting Old Accounts
+
+### Log In
+
+In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page.
It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts.
+
+When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account.
+
+### GDPR (EEA residents only)
+
+Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
+
+### Overwriting Account information
+
+In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information.
+
+For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.
+
+### Delete
+
+You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
+
+For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this).
+
+If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
+
+Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services.
+
+## Avoid New Accounts
+
+As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/basics/common-misconceptions.md b/i18n/it/basics/common-misconceptions.md
new file mode 100644
index 00000000..14ff7559
--- /dev/null
+++ b/i18n/it/basics/common-misconceptions.md
@@ -0,0 +1,61 @@
+---
+title: "I malintesi più comuni"
+icon: 'material/robot-confused'
+---
+
+## "Il software open-source è sempre sicuro" o "il software proprietario è più sicuro"
+
+Questi miti derivano da una serie di pregiudizi, ma la disponibilità del codice sorgente e le modalità di licenza del software non influiscono in alcun modo sulla sua sicurezza. ==Il software open-source ha il *potenziale* di essere più sicuro del software proprietario, ma non c'è alcuna garanzia che sia così.== Quando si valuta il software, è necessario esaminare la reputazione e la sicurezza di ogni strumento su base individuale.
+
+Il software open-source *può* essere ispezionato da terzi e spesso è più trasparente sulle potenziali vulnerabilità rispetto alle controparti proprietarie. Permette inoltre di esaminare il codice e di disabilitare qualsiasi funzionalità sospetta. Tuttavia, *a meno che non lo si faccia*, non c'è alcuna garanzia che il codice sia mai stato valutato, soprattutto nei progetti software più piccoli. Il processo di sviluppo aperto è stato talvolta sfruttato per introdurre nuove vulnerabilità anche in progetti di grandi dimensioni.[^1]
+
+D'altra parte, il software proprietario è meno trasparente, ma ciò non significa che non sia sicuro. I grandi progetti di software proprietario possono essere controllati internamente e da agenzie di terze parti, e i ricercatori di sicurezza indipendenti possono ancora trovare vulnerabilità con tecniche come il reverse engineering.
+
+Per evitare decisioni distorte, è *fondamentale* valutare gli standard di privacy e sicurezza del software che utilizzi.
+
+## "Spostare la fiducia può aumentare la privacy"
+
+Si parla spesso di "spostamento della fiducia" quando si parla di soluzioni come le VPN (che spostano la fiducia riposta nel proprio ISP al fornitore di VPN).
Sebbene queste proteggano i vostri dati di navigazione dal vostro ISP *in particolare*, il fornitore di VPN che scegli ha comunque accesso ai tuoi dati di navigazione: i tuoi dati non sono completamente protetti da tutte le parti. Ciò implica che
+
+1. è necessario prestare attenzione quando si sceglie un fornitore a cui affidarsi;
+2. è comunque necessario utilizzare altre tecniche, come E2EE, per proteggere completamente i dati. Diffidare di un fornitore per affidarsi a un altro non significa mettere al sicuro i propri dati.
+
+## "Le soluzioni incentrate sulla privacy sono intrinsecamente affidabili"
+
+Concentrarsi esclusivamente sulle politiche sulla privacy e sul marketing di uno strumento o di un fornitore può indurti a ignorare i suoi punti deboli. Quando si cerca una soluzione più privata, è necessario determinare il problema di fondo e trovare soluzioni tecniche per risolverlo. Ad esempio, è meglio evitare Google Drive, che dà a Google accesso a tutti i tuoi dati. Il problema di fondo in questo caso è la mancanza di E2EE, quindi è necessario assicurarsi che il fornitore a cui si passa implementi effettivamente l'E2EE, oppure utilizzare uno strumento (come [Cryptomator](../encryption.md#cryptomator-cloud)) che fornisce l'E2EE a qualsiasi fornitore di archiviazione in cloud. Passare a un fornitore "finalizzato alla privacy" (che non implementa l'E2EE) non risolve il problema: sposta solo la fiducia da Google a quel fornitore.
+
+Le politiche sulla privacy e le pratiche commerciali dei fornitori scelti sono molto importanti, ma devono essere considerate secondarie rispetto alle garanzie tecniche della tua privacy: non si dovrebbe trasferire la fiducia a un altro fornitore quando la fiducia in un fornitore non è affatto un requisito.
+
+## "Complicato è meglio"
+
+Spesso si vedono descrivere modelli di minaccia per la privacy eccessivamente complessi.
Spesso queste soluzioni includono problemi come l'uso di molteplici account di posta elettronica o di configurazioni complicate con molte parti mobili e condizioni. Le risposte sono solitamente risposte a "qual è il modo migliore per fare *X*?"
+
+Trovare la soluzione "migliore" per te non significa necessariamente cercare una soluzione infallibile con decine di condizioni: queste soluzioni sono spesso difficili da gestire in modo realistico. Come abbiamo detto in precedenza, la sicurezza spesso va a scapito della comodità. Di seguito vi forniamo alcuni suggerimenti:
+
+1. ==le azioni devono servire a uno scopo particolare:== pensa a come fare ciò che desideri con il minor numero di azioni;
+2. ==eliminare i punti di fallimento umani:== Falliamo, ci stanchiamo e dimentichiamo le cose. Per mantenere la sicurezza, evita di affidarti a condizioni e processi manuali che dovi ricordare;
+3. ==utilizza il giusto livello di protezione per ciò che intendi fare.== Spesso vediamo consigliate le cosiddette soluzioni a prova di forze dell'ordine o di citazione in giudizio. Spesso richiedono conoscenze specialistiche e in genere non sono ciò che la gente vuole. Non ha senso costruire un intricato modello di minaccia per l'anonimato se si può essere facilmente de-anonimizzati da una semplice svista.
+
+Quindi, come potrebbe apparire?
+
+Uno dei modelli di minaccia più chiari è quello in cui le persone *sanno chi sei* e quello in cui non lo sanno. Ci saranno sempre situazioni in cui dovrai dichiara il tuo nome legale e altre in cui non sarà necessario.
+
+1. **Identità nota** - L'identità nota viene utilizzata per le situazioni in cui è necessario dichiarare il proprio nome. Sono molti i documenti legali e i contratti per i quali è richiesta un'identità legale.
Si può trattare dell'apertura di un conto bancario, della firma di un contratto di locazione immobiliare, dell'ottenimento di un passaporto, delle dichiarazioni doganali per l'importazione di articoli o di altri rapporti con il governo. Queste cose di solito portano a credenziali come carte di credito, controlli del rating, numeri di conto ed eventuali indirizzi fisici.
+
+ Non suggeriamo di utilizzare una VPN o Tor per queste cose, poiché la vostra identità è già nota attraverso altri mezzi.
+
+ !!! important
+
+ Quando si fanno acquisti online, l'uso di un [punto pacchi automatico](https://it.wikipedia.org/wiki/Paccomat) può aiutare a mantenere privato il proprio indirizzo fisico.
+
+2. **Identità sconosciuta** - Un'identità sconosciuta potrebbe essere uno pseudonimo stabile che si usa regolarmente. Non è anonimo perché non cambia. Se fate parte di una comunità online, potreste voler mantenere un'identità che gli altri conoscono. Questo pseudonimo non è anonimo perché, se monitorato abbastanza a lungo, i dettagli sul proprietario possono rivelare ulteriori informazioni, come il modo in cui scrive, la sua conoscenza generale degli argomenti di interesse, ecc.
+
+ A tal fine è possibile utilizzare una VPN per mascherare il proprio indirizzo IP. Le transazioni finanziarie sono più difficili da mascherare: si può prendere in considerazione l'utilizzo di criptovalute anonime, come [Monero](https://www.getmonero.org/). L'utilizzo del cambio di altcoin può anche aiutare a nascondere l'origine della valuta. In genere, le borse richiedono il completamento del KYC (know your customer) prima di consentire lo scambio di valuta fiat in qualsiasi tipo di criptovaluta. Anche le opzioni di incontro locali possono essere una soluzione; tuttavia, spesso sono più costose e talvolta richiedono anche il KYC.
+
+3. **Identità anonima** - Anche con l'esperienza, le identità anonime sono difficili da mantenere per lunghi periodi di tempo.
Dovrebbero essere identità a breve termine e di breve durata che vengono ruotate regolarmente.
+
+ L'uso di Tor può aiutare in questo caso. Vale anche la pena di notare che un maggiore anonimato è possibile attraverso la comunicazione asincrona: la comunicazione in tempo reale è vulnerabile all'analisi dei modelli di digitazione (ad esempio, più di un paragrafo di testo, distribuito su un forum, via e-mail, ecc.)
+
+--8<-- "includes/abbreviations.it.txt"
+
+[^1]: Un esempio notevole è [l'incidente del 2021 in cui i ricercatori dell'Università del Minnesota hanno introdotto tre vulnerabilità nel progetto di sviluppo del kernel Linux](https://cse.umn.edu/cs/linux-incident).
diff --git a/i18n/it/basics/common-threats.md b/i18n/it/basics/common-threats.md
new file mode 100644
index 00000000..33c64e21
--- /dev/null
+++ b/i18n/it/basics/common-threats.md
@@ -0,0 +1,149 @@
+---
+title: "Minacce comuni"
+icon: 'material/eye-outline'
+---
+
+In linea di massima, le nostre raccomandazioni sono suddivise in [minacce](threat-modeling.md) o obiettivi che si applicano alla maggior parte delle persone. ==Potete essere interessati a nessuna, una, alcune o tutte queste possibilità== e gli strumenti e i servizi che utilizzate dipendono dai vostri obiettivi. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat.
+
+- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically.
+- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically.
+- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
+- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
+- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities.
+- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
+- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public.
+- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online.
+
+Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices.
+
+## Anonymity vs. Privacy
+
+:material-incognito: Anonymity
+
+Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity.
+
+Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far.
+
+## Security and Privacy
+
+:material-bug-outline: Passive Attacks
+
+Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private.
The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.)
+
+When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited.
+
+To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control.
+
+!!! important
+
+ Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources.
+
+ Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os).
+
+:material-target-account: Targeted Attacks
+
+Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies.
+
+!!! important
+
+ By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this.
+
+If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user.
+
+## Privacy From Service Providers
+
+:material-server-network: Service Providers
+
+We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere.
Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them.
+
+The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord.
+
+Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party.
+
+!!! note "Note on Web-based Encryption"
+
+ In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering).
+
+ On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt.
+
+ Therefore, you should use native applications over web clients whenever possible.
+
+Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all.
+
+## Mass Surveillance Programs
+
+:material-eye-outline: Mass Surveillance
+
+Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative.
+
+!!! abstract "Atlas of Surveillance"
+
+ If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/).
+
+ In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net.
+
+Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others.
+
+!!!
quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
+
+ In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline.
+
+Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2]
+
+Online, you can be tracked via a variety of methods:
+
+- Your IP address
+- Browser cookies
+- The data you submit to websites
+- Your browser or device fingerprint
+- Payment method correlation
+
+\[This list isn't exhaustive].
+
+If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information.
+
+:material-account-cash: Surveillance Capitalism
+
+> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3]
+
+For many people, tracking and surveillance by private corporations is a growing concern.
Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4]
+
+Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you.
+
+## Limiting Public Information
+
+:material-account-search: Public Exposure
+
+The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy.
+
+- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md)
+
+On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission.
+
+If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity.
This makes your real information indistinguishable from the false information.
+
+## Avoiding Censorship
+
+:material-close-outline: Censorship
+
+Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5]
+
+Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.
+
+People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.
+
+!!! important
+
+ While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic.
+
+ You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place.
Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
+
+You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.
+
+--8<-- "includes/abbreviations.it.txt"
+
+[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance).
+[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques.
+[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights).
diff --git a/i18n/it/basics/email-security.md b/i18n/it/basics/email-security.md
new file mode 100644
index 00000000..bffa7567
--- /dev/null
+++ b/i18n/it/basics/email-security.md
@@ -0,0 +1,42 @@
+---
+title: Email Security
+icon: material/email
+---
+
+Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed.
+
+As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others.
+
+## Email Encryption Overview
+
+The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
+
+There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible.
+
+### What Email Clients Support E2EE?
+
+Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication.
+
+### How Do I Protect My Private Keys?
+
+A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
+
+It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.
+
+## Email Metadata Overview
+
+Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
+
+Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent.
+
+### Who Can View Email Metadata?
+
+Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages.
+
+### Why Can't Metadata be E2EE?
+
+Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/basics/multi-factor-authentication.md b/i18n/it/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..6997741d
--- /dev/null
+++ b/i18n/it/basics/multi-factor-authentication.md
@@ -0,0 +1,166 @@ +--- +title: "Autenticazione a più fattori" +icon: 'material/two-factor-authentication' +--- + +**L'autenticazione a più fattori** (**MFA**) è un meccanismo di sicurezza che richiede ulteriori passaggi oltre all'inserimento del nome utente (o email) e della password. Il metodo più comune è quello dei codici a tempo limitato che si possono ricevere via SMS o tramite un'applicazione. + +Solitamente, se un hacker (o un avversario) è in grado di scoprire una password, ha la possibilità di accedere all'account a cui la password appartiene. Un account con MFA costringe l'hacker ad avere sia la password (qualcosa che *conosci*) sia un dispositivo di tua proprietà (qualcosa che *hai*), come un cellulare. + +I metodi MFA variano in termini di sicurezza, ma si basano sulla premessa che più è difficile per un attaccante accedere al tuo metodo MFA, meglio è. Esempi di metodi MFA (dal più debole al più forte) sono: SMS, codici email, notifiche push delle app, TOTP, Yubico OTP e FIDO. + +## Confrontra tra i metodi MFA + +### MFA tramite SMS o email + +Ricevere codici OTP via SMS o email è uno dei modi più deboli per proteggere i tuoi account con MFA. Ottenere un codice via email o SMS elimina l'idea di "qualcosa che *possiedi*", perchè ci sono svariati modi con cui un hacker potrebbe [impossessarsi del tuo numero di telefono](https://en.wikipedia.org/wiki/SIM_swap_scam) o accedere alla tua mail senza avere accesso fisico a un tuo dispositivo. Se una persona non autorizzata accedesse alla tua email, sarebbe in grado di resettare la tua password e ricevere il codice di autenticazione, ottenendo così il pieno controllo del'account. + +### Notifiche push + +L'MFA con notifica push si presenta come un messaggio inviato a un'applicazione sul tuo telefono, chiedendo di confermare nuovi accessi a un account. 
Questo metodo è molto migliore degli SMS o delle mail, in quanto un attaccante tipicamente non è in grado di ricevere questi notifiche push senza avere un dispositivo già connesso, il che significa che dovrebbe prima compromettere uno dei tuoi altri dispositivi. + +Facciamo tutti degli errori, e c'è il rischio che tu possa accettare il tentativo di accesso per errore. Le notifiche push per le autorizzazioni di accesso sono tipicamente inviate a *tutti* i tuoi dispositivi in una volta, ampliando la disponibilità del codice MFA se si possiedono molti device. + +La sicurezza delle notifiche push MFA dipende sia dalla qualità dell'app, sia dalla componente server, sia dalla fiducia verso lo sviluppatore che la produce. Un'applicazione installata può anche richiedere di accettare privilegi invasivi che garantiscono l'accesso ad altri dati sul tuo dispositivo. Una singola app può anche richiedere un'applicazione specifica per ogni servizio che non richiede una password per essere aperta, a differenza di una buona app generatrice di TOTP. + +### Time-based One-time Password (TOTP) + +Il TOTP è una delle forme più comuni di MFA disponibili. Quando imposti il TOTP, è generalmente necessario eseguire la scansione di un [codice QR](https://it.wikipedia.org/wiki/Codice_QR) che stabilisce un "[segreto condiviso](https://en.wikipedia.org/wiki/Shared_secret)" con il servizio che si intende utilizzare. Il segreto condiviso è protetto tra i dati dell'app di autenticazione e talvolta è protetto da password. + +Il codice a tempo limitato è quindi derivato dal segreto condiviso e l'ora corrente. Poiché il codice è valido solo per un breve periodo di tempo, senza l'accesso al segreto condiviso, un avversario non può generare nuovi codici. + +Se si possiede una chiave di sicurezza hardware che supporta TOTP (come ad esempio YubiKey con [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), consigliamo di memorizzare i "segreti condivisi" nell'hardware. 
Hardware come YubiKey sono stati sviluppati con l'intenzione di rendere il segreto condiviso difficile da estrarre e copiare. Anche una YubiKey non è connessa a Internet, a differenza di un telefono con un'app TOTP. + +A differenza di [WebAuthn](#fido-fast-identity-online), TOTP non offre alcuna protezione contro [il phishing](https://en.wikipedia.org/wiki/Phishing) o gli attacchi di riutilizzo. Se un malintenzionato ottiene un codice valido da te, può usarlo tutte le volte che vuole fino alla scadenza (generalmente 60 secondi). + +Un avversario potrebbe creare un sito web per imitare un servizio ufficiale nel tentativo di indurti a fornire nome utente, password e codice TOTP corrente. Se l'avversario utilizza le credenziali registrate, può essere in grado di accedere al servizio reale e dirottare l'account. + +Sebbene non sia perfetto, il TOTP è abbastanza sicuro per la maggior parte delle persone e quando le [chiavi di sicurezza hardware](../multi-factor-authentication.md#hardware-security-keys) non sono supportate le [app di autenticazione](../multi-factor-authentication.md#authenticator-apps) sono ancora una buona opzione. + +### Chiavi di sicurezza hardware + +La YubiKey memorizza i dati su un chip a stato solido resistente alle manomissioni che è [impossibile da accedere](https://security.stackexchange.com/a/245772) in modo non distruttivo senza un processo costoso e un laboratorio forense. + +Queste chiavi sono generalmente multifunzione e forniscono una serie di metodi per l'autenticazione. Di seguito sono riportati i più comuni. + +#### Yubico OTP + +Yubico OTP è un protocollo di autenticazione tipicamente implementato nelle chiavi di sicurezza hardware. Quando si decide di utilizzare Yubico OTP, la chiave genererà un ID pubblico, un ID privato e una chiave segreta che viene quindi caricata sul server OTP Yubico. + +Quando si accede a un sito web, è sufficiente toccare fisicamente la chiave di sicurezza. 
La chiave di sicurezza emulerà una tastiera e stamperà una password una tantum nel campo password. + +Il servizio inoltrerà quindi la one-time password al server OTP di Yubico per la convalida. Un contatore viene incrementato sia sulla chiave che sul server di convalida di Yubico. L'OTP può essere utilizzato una sola volta e, quando l'autenticazione ha esito positivo, il contatore viene incrementato per impedire il riutilizzo dell'OTP. Yubico fornisce un documento dettagliato [](https://developers.yubico.com/OTP/OTPs_Explained.html) sul processo. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +L'utilizzo di Yubico OTP presenta alcuni vantaggi e svantaggi rispetto a TOTP. + +Il server di convalida di Yubico è un servizio basato su cloud e l'utente si affida a Yubico per la conservazione dei dati in modo sicuro e senza profilazione. L'ID pubblico associato a Yubico OTP viene riutilizzato su ogni sito web e potrebbe essere un'altra strada per terze parti di profilarti. Come TOTP, Yubico OTP non offre resistenza al phishing. + +Se il modello di minaccia richiede di avere identità diverse su siti web diversi, **non** utilizzare Yubico OTP con la stessa chiave di sicurezza hardware su tutti i siti web, poiché l'ID pubblico è unico per ogni chiave di sicurezza. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) include una serie di standard, prima c'era U2F e poi [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) che include lo standard web [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F e FIDO2 fanno riferimento al protocollo da [Client a Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), che è il protocollo tra la chiave di sicurezza e il computer, ad esempio un laptop o un telefono. È complementare a WebAuthn, che è il componente utilizzato per l'autenticazione con il sito web (la "Relying Party") a cui si sta cercando di accedere. + +WebAuthn è la forma più sicura e privata di autenticazione a due fattori. Sebbene l'esperienza di autenticazione sia simile a Yubico OTP, la chiave non stampa una password unica e non viene convalidata da un server di terze parti. Invece, utilizza la [crittografia a chiave pubblica](https://it.wikipedia.org/wiki/Crittografia_asimmetrica) per l'autenticazione. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +Quando crei un account, la chiave pubblica viene inviata al servizio, quindi quando accedi, il servizio ti richiederà di "firmare" alcuni dati con la tua chiave privata. Il vantaggio di questo è che nessun dato della password viene mai memorizzato dal servizio, quindi non c'è nulla che un malintenzionato possa rubare. + +Questa presentazione illustra la storia dell'autenticazione tramite password, le insidie (come il riutilizzo delle password) e discute gli standard FIDO2 e [WebAuthn](https://webauthn.guide). + +
+ +
+ +FIDO2 e WebAuthn hanno proprietà di sicurezza e privacy superiori rispetto a qualsiasi altro metodo MFA. + +In genere per i servizi web viene utilizzato con WebAuthn, che fa parte delle raccomandazioni del W3C [](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). Utilizza l'autenticazione a chiave pubblica ed è più sicura dei segreti condivisi utilizzati nei metodi OTP e TOTP di Yubico, poiché include il nome di origine (di solito, il nome del dominio) durante l'autenticazione. L'attestazione viene fornita per proteggerti dagli attacchi di phishing, in quanto ti aiuta a determinare che stai utilizzando il servizio autentico e non una copia falsa. + +A differenza di Yubico OTP, WebAuthn non utilizza alcun ID pubblico, quindi la chiave **non** è identificabile tra diversi siti web. Inoltre, non utilizza alcun server cloud di terze parti per l'autenticazione. Tutte le comunicazioni avvengono tra la chiave e il sito web a cui si accede. FIDO utilizza anche un contatore che viene incrementato al momento dell'uso al fine di prevenire il riutilizzo della sessione e delle chiavi clonate. + +Se un sito web o un servizio supporta WebAuthn per l'autenticazione, si consiglia vivamente di utilizzarlo rispetto a qualsiasi altra forma di MFA. + +## Consigli generali + +Abbiamo queste raccomandazioni generali: + +### Quale metodo dovrei usare? + +Quando configurate il vostro metodo MFA, tenete presente che è sicuro solo quanto il metodo di autenticazione più debole che utilizzate. Ciò significa che è importante utilizzare solo il miglior metodo MFA disponibile. Ad esempio, se si utilizza già il TOTP, è necessario disattivare l'MFA via e-mail e SMS. Se stai già utilizzando FIDO2/WebAuthn, non dovresti utilizzare Yubico OTP o TOTP sul tuo account. + +### Backups + +Dovresti sempre avere dei backup per il tuo metodo MFA. Le chiavi di sicurezza hardware possono essere perse, rubate o semplicemente smettere di funzionare nel tempo. 
Si consiglia di avere una coppia delle chiavi di sicurezza hardware con lo stesso accesso agli account, anziché una sola. + +Quando utilizzi il TOTP con un'app di autenticazione, assicurati di eseguire il backup delle chiavi di ripristino o dell'app stessa o di copiare i "segreti condivisi" in un'altra istanza dell'app su un telefono diverso o in un contenitore crittografato (ad esempio [VeraCrypt](../encryption.md#veracrypt)). + +### Configurazione iniziale + +Quando si acquista una chiave di sicurezza, è importante modificare le credenziali predefinite, impostare una password di protezione per la chiave e abilitare la conferma tattile, se supportata. Prodotti come YubiKey dispongono di più interfacce con credenziali separate per ciascuna di esse, pertanto è necessario esaminare ogni interfaccia e impostare la protezione. + +### Email e SMS + +Se dovete usare l'e-mail per l'MFA, assicuratevi che l'account e-mail stesso sia protetto con un metodo MFA adeguato. + +Se si utilizza l'MFA via SMS, è necessario scegliere un operatore che non cambierà il numero di telefono con una nuova carta SIM senza accesso all'account, oppure utilizzare un numero VoIP dedicato di un provider con una sicurezza simile per evitare un attacco [SIM swap](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[Strumenti MFA che consigliamo](../multi-factor-authentication.md ""){.md-button} + +## Altri posti in cui configurare l'MFA + +Oltre a proteggere gli accessi al sito web, l'autenticazione a più fattori può essere utilizzata anche per proteggere gli accessi locali, le chiavi SSH o persino i database delle password. + +### Windows + +Yubico ha un provider di credenziali [dedicato](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) che aggiunge l'autenticazione Challenge-Response al flusso di login con nome utente e password per gli account Windows locali. 
Se si dispone di una YubiKey con supporto per l'autenticazione Challenge-Response, consultare la guida alla configurazione di [Yubico Login for Windows](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), che consente di impostare l'MFA sul computer Windows. + +### macOS + +macOS ha un [supporto nativo](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) per l'autenticazione con smart card (PIV). Se si dispone di una smartcard o di una chiave di sicurezza hardware che supporta l'interfaccia PIV, come YubiKey, si consiglia di seguire la documentazione del fornitore della smartcard o della chiave di sicurezza hardware e di impostare l'autenticazione a due fattori per il computer macOS. + +Yubico ha una guida [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) che può aiutare a configurare la YubiKey su macOS. + +Dopo aver configurato la smart card o la chiave di sicurezza, si consiglia di eseguire questo comando nel terminale: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +Il comando impedirà a un malintenzionato di aggirare l'MFA all'avvio del computer. + +### Linux + +!!! warning "Avviso" + + Se il nome dell'host del sistema cambia (ad esempio a causa del DHCP), non sarà possibile effettuare il login. È fondamentale impostare un hostname corretto per il computer prima di seguire questa guida. + +Il modulo `pam_u2f` su Linux può fornire l'autenticazione a due fattori per l'accesso alle distribuzioni Linux più popolari. Se si dispone di una chiave di sicurezza hardware che supporta U2F, è possibile impostare l'autenticazione MFA per il login. Yubico ha una guida [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) che dovrebbe funzionare su qualsiasi distribuzione. 
I comandi del gestore di pacchetti, come `apt-get`, e i nomi dei pacchetti possono tuttavia differire. Questa guida **non si applica** al sistema operativo Qubes. + +### Qubes OS + +Qubes OS supporta l'autenticazione Challenge-Response con YubiKeys. Se si dispone di una YubiKey con supporto per l'autenticazione Challenge-Response, consultare la documentazione di Qubes OS [YubiKey](https://www.qubes-os.org/doc/yubikey/) se si desidera impostare l'MFA su Qubes OS. + +### SSH + +#### Chiavi di sicurezza fisiche + +SSH MFA può essere impostato utilizzando diversi metodi di autenticazione che sono molto diffusi con le chiavi di sicurezza hardware. Ti consigliamo di consultare [la documentazione](https://developers.yubico.com/SSH/) di Yubico su come configurarla. + +#### Time-based One-time Password (TOTP) + +SSH MFA può anche essere impostato utilizzando TOTP. DigitalOcean ha fornito un tutorial [Come impostare l'autenticazione a più fattori per SSH su Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). La maggior parte delle cose dovrebbe essere uguale a prescindere dalla distribuzione, tuttavia i comandi del gestore dei pacchetti - come `apt-get`- e i nomi dei pacchetti possono differire. + +### KeePass (e KeePassXC) + +I database KeePass e KeePassXC possono essere protetti utilizzando Challenge-Response o HOTP come autenticazione di secondo fattore. Yubico ha fornito un documento per KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) e ne esiste uno anche sul sito [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa). + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/basics/passwords-overview.md b/i18n/it/basics/passwords-overview.md new file mode 100644 index 00000000..5348121e --- /dev/null +++ b/i18n/it/basics/passwords-overview.md 
@@ -0,0 +1,112 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. 
+ +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! 
note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. 
+ + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Gestori di password + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. 
+ +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/basics/threat-modeling.md b/i18n/it/basics/threat-modeling.md new file mode 100644 index 00000000..a2311a63 --- /dev/null +++ b/i18n/it/basics/threat-modeling.md 
@@ -0,0 +1,111 @@ +--- +title: "Modelli di minaccia" +icon: 'material/target-account' +--- + +Bilanciare sicurezza, privacy e usabilità è il primo e il più difficile compito che incontrerai durante il tuo viaggio nella privacy. Tutto è un compromesso: più qualcosa è sicuro, più è restrittivo o scomodo in generale, ecc. Spesso, le persone scoprono che il problema con gli strumenti che vedono raccomandati è che sono troppo difficili da iniziare a usare! + +Se si vogliono utilizzare gli strumenti **più** sicuri a disposizione, è necessario sacrificare *molto* in termini di usabilità. E, anche allora, ==nulla è mai completamente sicuro.== C'è un alta **sicurezza**, ma mai una completa **sicurezza**. È per questo che i modelli di minaccia sono importanti. + +**Ma quindi, quali sono questi modelli di minaccia?** + +==Un modello di minaccia è un elenco delle minacce più probabili ai tuoi sforzi per la sicurezza e privacy.== Dal momento che è impossibile proteggersi da **ogni** attacco/attaccante, dovresti concentrarti sulle **minacce più probabili**. Nella sicurezza informatica, una minaccia è un evento che potrebbe minare i tuoi sforzi per mantenere la riservatezza e la sicurezza. + +Concentrarsi sulle minacce che contano per te restringe il tuo pensiero sulla protezione di cui hai bisogno, in modo da poter scegliere gli strumenti giusti per il lavoro. + +## Creare il Tuo Modello di Minaccia + +Per identificare cosa potrebbe accadere alle cose che valorizzi e determinare da chi devi proteggerle, dovresti rispondere a queste cinque domande: + +1. Quali sono le cose che voglio proteggere? +2. Da chi le voglio proteggere? +3. Quanto è probabile che io abbia bisogno di proteggerle? +4. Quanto sono catastrofiche le conseguenze se fallisco? +5. Quanti problemi sono disposto ad affrontare per tentare di prevenire le potenziali conseguenze? + +### Quali sono le cose che voglio proteggere? + +Un "asset" (risorsa) è qualcosa a cui si dà valore e che si vuole proteggere. 
Nel contesto della sicurezza digitale, ==un asset è di solito una sorta di informazione.== Ad esempio, le email, gli elenchi di contatti, i messaggi istantanei, la posizione e i file sono tutti asset possibili. Anche gli stessi dispositivi posso essere degli asset. + +*Stila una lista dei tuoi asset: i dati che conservi, dove li tieni, chi ne ha accesso, e che cosa impedisce agli altri di accedervi.* + +### Da chi le voglio proteggere? + +Per rispondere a questa domanda, è importante identificare chi potrebbe voler prendere di mira te o le tue informazioni. ==Una persona o entità che rappresenta una minaccia per i tuoi beni è un "avversario".== Esempi di potenziali avversari sono il tuo capo, il tuo ex partner, la tua concorrenza commerciale, il tuo governo o un hacker su una rete pubblica. + +*Fai un elenco dei tuoi avversari o di coloro che potrebbero voler entrare in possesso dei tuoi asset. Il tuo elenco può comprendere individui, agenzie governative o società.* + +A seconda di chi sono i tuoi avversari, in alcune circostanze, questo elenco potrebbe essere qualcosa che vuoi distruggere dopo aver completato la pianificazione della sicurezza. + +### Quanto è probabile che io abbia bisogno di proteggerle? + +== Il rischio è la probabilità che una particolare minaccia contro un determinato asset si verifichi effettivamente.== Va di pari passo con la capacità. Nonostante il tuo provider telefonico sia in grado di accedere a tutti i tuoi dati, il rischio che li pubblichi online per danneggiare la tua reputazione è basso. + +È importante distinguere ciò che potrebbe accadere e la probabilità che accada. Per esempio, c'è il rischio che il tuo edificio crolli, ma è molto più probabile che ciò accada a San Francisco (dove i terremoti sono frequenti) rispetto che a Stoccolma (dove non lo sono). + +La valutazione dei rischi è un processo personale e soggettivo. 
Molte persone trovano alcune minacce inaccettabili, non importa la probabilità che si verifichino, perché la semplice presenza della minaccia non vale il costo. In altri casi, le persone ignorano rischi elevati perché non considerano la minaccia un problema. + +*Scrivi quali minacce prenderai sul serio, e quali sono troppo rare o innocue (o troppo difficili da contrastare) per preoccuparsene.* + +### Quanto sono catastrofiche le conseguenze se fallisco? + +Ci sono molti modi in cui un avversario può accedere ai tuoi dati. Per esempio, un avversario può leggere le tue comunicazioni private mentre attraversano la rete, o può eliminare o corrompere i tuoi dati. + +== Le motivazioni degli avversari sono molto diverse, così come le loro tattiche.== Un governo che cerca di impedire la diffusione di un video che mostra la violenza della polizia può accontentarsi di cancellare o ridurre la disponibilità di quel video. Al contrario, un avversario politico può desiderare di accedere a contenuti segreti e pubblicarli all'insaputa dell'interessato. + +La pianificazione della sicurezza comporta la comprensione di quanto catastrofiche possono essere le conseguenze se un avversario riesce a impossessarsi di uno dei tuoi asset. Per determinare ciò, dovresti prendere in considerazione la capacità del tuo avversario. Ad esempio, il tuo operatore di telefonia mobile ha accesso a tutti i tuoi record telefonici. Un hacker su una rete Wi-Fi aperta può accedere alle tue comunicazioni non criptate. Il tuo governo potrebbe avere capacità maggiori. + +*Scrivi cosa il tuo avversario potrebbe voler fare con i tuoi dati privati.* + +### Quanti problemi sono disposto ad affrontare per tentare di prevenire le potenziali conseguenze? + +== Non esiste un'opzione perfetta per la sicurezza.== Non tutti hanno le stesse priorità, preoccupazioni o accesso alle risorse. La valutazione dei rischi consentirà di pianificare la giusta strategia per te, bilanciando convenienza, costi e privacy. 
+ +Per esempio, un avvocato che rappresenta un cliente in un caso di sicurezza nazionale potrebbe essere disposto a prendere più provvedimenti per proteggere le comunicazioni relative al caso, come ad esempio usando mail criptate, rispetto ad una madre che manda regolarmente email alla figlia con video divertenti di gattini. + +*Scrivi quali opzioni ti sono disponibili per mitigare le tue minacce specifiche. Annota se hai qualche vincolo finanziario, tecnico o sociale.* + +### Prova tu stesso: Proteggere i propri beni + +Queste domande possono essere applicate ad un'ampia varietà di situazioni, online e offline. Come dimostrazione generica di come funzionano queste domande, costruiamo un piano per mantenere la tua casa e i tuoi beni al sicuro. + +**Quali sono le cose che voglio proteggere? (Oppure, *che cosa possiedo che vale la pena di proteggere?*)** +: + +I tuoi beni personali possono includere gioielli, dispositivi elettronici, documenti importanti, o fotografie. + +**Da chi le voglio proteggere?** +: + +I tuoi potenziali avversari possono essere ladri, coinquilini oppure ospiti. + +**Quanto è probabile che io abbia bisogno di proteggerle?** +: + +Nel tuo vicinato ci sono precedenti di furto? Quanto sono affidabili i tuoi coinquilini o ospiti? Quali sono le capacità dei tuoi avversari? Quali sono i rischi che dovresti considerare? + +**Quanto sono catastrofiche le conseguenze se fallisci?** +: + +C'è qualcosa nella tua casa che non puoi sostituire? Hai il tempo o i soldi per rimpiazzare queste cose? Hai un'assicurazione che copre i beni rubati dalla tua casa? + +**Quanti problemi sei disposto ad affrontare per prevenire le conseguenze?** +: + +Sei disposto ad acquistare una cassaforte per i tuoi documenti sensibili? Puoi permetterti di comprare una buona serratura? Hai il tempo di aprire una cassetta di sicurezza presso la tua banca e tenere lì i tuoi oggetti di valore? 
+ +Solo una volta che ti sarai fatto queste domande sarai nella posizione di valutare quali misure adottare. Se i tuoi possedimenti sono di valore, ma la probabilità di un'irruzione è bassa, potresti non voler investire troppo denaro in una serratura. Ma se la probabilità di effrazione è alta, è meglio dotarsi della migliore serratura sul mercato e considerare l'aggiunta di un sistema di sicurezza. + +La stesura di un piano di sicurezza ti aiuterà a comprendere le minacce per te più rilevanti e a valutare le tue risorse, i tuoi avversari e le loro capacità, oltre alla probabilità dei rischi a cui vai incontro. + +## Letture consigliate + +Per le persone che cercano di aumentare la loro privacy e sicurezza online, abbiamo compilato un elenco di minacce comuni che i nostri visitatori affrontano o obiettivi che i nostri visitatori hanno, per darti qualche ispirazione e dimostrare la base dei nostri consigli. + +- [Obiettivi e minacce comuni :material-arrow-right-drop-circle:](common-threats.md) + +## Fonti + +- [EFF Surveillance Self Defense: Your Security Plan (EFF Autodifesa da sorveglianza: il tuo piano di sicurezza)](https://ssd.eff.org/en/module/your-security-plan) + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/basics/vpn-overview.md b/i18n/it/basics/vpn-overview.md new file mode 100644 index 00000000..8edfef60 --- /dev/null +++ b/i18n/it/basics/vpn-overview.md 
@@ -0,0 +1,78 @@
+---
+title: Panoramica VPN
+icon: material/vpn
+---
+
+Le reti private virtuali sono un modo per estendere l'estremità della vostra rete all'uscita di un'altra parte del mondo. Un ISP può vedere il flusso del traffico Internet che entra ed esce dal dispositivo di terminazione della rete (ad esempio, il modem).
+
+I protocolli di crittografia come l'HTTPS sono comunemente utilizzati su Internet, quindi potrebbero non essere in grado di vedere esattamente ciò che state postando o leggendo, ma possono farsi un'idea dei [domini richiesti](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns).
+
+Una VPN può essere d'aiuto in quanto può spostare la fiducia su un server in un'altra parte del mondo. Di conseguenza, l'ISP vede solo che sei connesso a una VPN e non vede nulla dell'attività che stai trasmettendo.
+
+## Dovrei utilizzare una VPN?
+
+**Sì**, a meno che tu non stia già utilizzando Tor. Una VPN svolge due funzioni: spostare i rischi dall'Internet Service Provider a se stesso e nascondere l'IP da un servizio di terze parti.
+
+Le VPN non possono criptare i dati al di fuori della connessione tra il dispositivo e il server VPN. I fornitori di VPN possono vedere e modificare il traffico proprio come l'ISP. E non c'è modo di verificare in alcun modo le politiche di "no logging" di un provider VPN.
+
+Tuttavia, nascondono l'IP reale da un servizio di terze parti, a condizione che non ci siano fughe dell'IP. Aiutano a confonderti con gli altri e ad attenuare il tracciamento basato sull'IP.
+
+## Quando non dovrei usare una VPN?
+
+È improbabile che l'uso di una VPN nei casi in cui si utilizza la propria [identità nota](../basics/common-threats.en.md#common-misconceptions) sia utile.
+
+In questo modo si possono attivare sistemi di spam e di rilevamento delle frodi, come nel caso in cui si acceda al sito web della propria banca.
+
+## E la crittografia?
+
+La crittografia offerta dai fornitori di VPN avviene tra i propri dispositivi e i loro server. Garantisce che questo specifico collegamento è sicuro. Si tratta di un passo avanti rispetto all'uso di proxy non criptati, dove un avversario sulla rete può intercettare le comunicazioni tra i propri dispositivi e tali proxy e modificarle. Tuttavia, la crittografia tra le app o i browser e i fornitori di servizi non è gestita da questa crittografia.
+
+Per garantire la riservatezza e la sicurezza di ciò che si fa sui siti web visitati, è necessario utilizzare il protocollo HTTPS. In questo modo le password, i token di sessione e le query saranno al sicuro dal provider VPN. Considera di abilitare "HTTPS ovunque" nel browser per mitigare gli attacchi di downgrade come [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf).
+
+## Dovrei utilizzare un DNS criptato con una VPN?
+
+A meno che il provider VPN non ospiti i server DNS criptati, **no**. L'utilizzo di DOH/DOT (o di qualsiasi altra forma di DNS crittografato) con server di terze parti aggiungerà semplicemente altre entità di cui fidarsi e non farà **assolutamente nulla** per migliorare la privacy o la sicurezza. Il provider VPN può comunque vedere quali siti web visiti in base agli indirizzi IP e ad altri metodi. Invece di fidarti solo del provider VPN, ora ti fidi sia del provider VPN che del provider DNS.
+
+Un motivo comune per raccomandare il DNS crittografato è che aiuta a contrastare lo spoofing DNS. Tuttavia, il browser dovrebbe già verificare la presenza di [certificati TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) con **HTTPS** e avvisare l'utente. Se non si utilizza **HTTPS**, un avversario può comunque modificare qualsiasi cosa oltre alle query DNS e il risultato finale sarà poco diverso.
+
+Inutile dire che **non si dovrebbero usare DNS criptati con Tor**.
Questo indirizzerebbe tutte le vostre richieste DNS attraverso un unico circuito e permetterebbe al provider DNS criptato di deanonimizzarvi.
+
+## Dovrei usare Tor *e* una VPN?
+
+Utilizzando una VPN con Tor, si crea essenzialmente un nodo di ingresso permanente, spesso con una traccia di denaro. Questo non fornisce alcun vantaggio aggiuntivo all'utente, mentre aumenta drasticamente la superficie di attacco della connessione. Se desideri nascondere l'utilizzo di Tor all'ISP o al governo, Tor ha una soluzione integrata per questo: i Tor bridges. [Per saperne di più sui Tor bridges e sul perché non è necessario utilizzare una VPN](../advanced/tor-overview.md).
+
+## E se ho bisogno di anonimato?
+
+Le VPN non possono garantire l'anonimato. Il provider VPN vedrà comunque il vero indirizzo IP e spesso ha una traccia di denaro che può essere collegata direttamente a te. Non si può fare affidamento sulle politiche di "no logging" per proteggere i dati. In tal caso utilizza [Tor](https://www.torproject.org/).
+
+## E i fornitori di VPN che forniscono nodi Tor?
+
+Non utilizzare questa funzione. Il punto di forza dell'utilizzo di Tor è che non ti fidt del provider VPN. Attualmente Tor supporta solo il protocollo [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol). [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (utilizzato in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) per la condivisione di voce e video, il nuovo [protocollo HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3), ecc.), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) e altri pacchetti saranno eliminati. Per compensare questa situazione, i fornitori di VPN di solito instradano tutti i pacchetti non-TCP attraverso il loro server VPN (il primo hop). Questo è il caso di [ProtonVPN](https://protonvpn.com/support/tor-vpn/).
Inoltre, quando si utilizza questa configurazione di Tor su VPN, non si ha il controllo su altre importanti funzionalità di Tor come [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (utilizzo di un circuito Tor diverso per ogni dominio visitato).
+
+La funzione deve essere vista come un modo comodo per accedere alla rete Tor, non per rimanere anonimi. Per un corretto anonimato, utilizza Tor Browser, TorSocks o un gateway Tor.
+
+## Quando sono utili le VPN?
+
+Una VPN può comunque essere utile in diversi scenari, ad esempio:
+
+1. Nascondere il proprio traffico **solo** al proprio Internet Service Provider.
+1. Nascondere i propri download (come i torrent) al proprio ISP e alle organizzazioni antipirateria.
+1. Nascondere il proprio IP da siti e servizi di terze parti, impedendone il tracciamento.
+
+Per situazioni come queste, o se hai un altro motivo valido, i provider VPN che abbiamo elencato sopra sono quelli che riteniamo più affidabili. Tuttavia, utilizzare un provider VPN significa comunque *fidarsi* del provider. In quasi tutti gli altri scenari si dovrebbe utilizzare uno strumento progettato con la **sicurezza come obiettivo** come Tor.
+
+## Fonti e approfondimenti
+
+1. [VPN - a Very Precarious Narrative (VPN - una narrazione molto precaria)](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) di Dennis Schubert
+1. [Panoramica della rete Tor](../advanced/tor-overview.md)
+1. [Guide alla privacy di IVPN](https://www.ivpn.net/privacy-guides)
+1. ["Do I need a VPN?" ("Ho bisogno di una VPN?")](https://www.doineedavpn.com), uno strumento sviluppato da IVPN per sfidare il marketing aggressivo delle VPN, aiutando le persone a decidere se una VPN è adatta a loro.
+
+## Informazioni correlate
+
+- [The Trouble with VPN and Privacy Review Sites (Il problema dei siti di recensioni di VPN e privacy)](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/)
+- [Free VPN App Investigation (Indagine sulle app di VPN gratuite)](https://www.top10vpn.com/free-vpn-app-investigation/)
+- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies (Svelati i proprietari segreti delle VPN: 101 prodotti per VPN gestiti da sole 23 aziende)](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
+- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions (Questa azienda cinese è segretamente dietro 24 app popolari che cercano autorizzazioni pericolose)](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/calendar.md b/i18n/it/calendar.md
new file mode 100644
index 00000000..3fa4081b
--- /dev/null
+++ b/i18n/it/calendar.md
@@ -0,0 +1,80 @@
+---
+title: "Sincronizzazione di calendario e contatti"
+icon: material/calendar
+---
+
+Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them.
+
+## Tutanota
+
+!!! recommendation
+
+ ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right }
+ ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right }
+
+ **Tutanota** offers a free and encrypted calendar across their supported platforms. Le caratteristiche includono: E2EE automatico di tutti i dati, funzionalità di condivisione, importazione/esportazione, autenticazione a più fattori e [altre funzionalità](https://tutanota.com/calendar-app-comparison/).
+
+ Calendari multipli e funzionalità di condivisione estese sono limitate agli abbonati a pagamento.
+
+ [:octicons-home-16: Pagina principale](https://tutanota.com/calendar){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribuisci }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609)
+ - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota)
+ - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+
+## Proton Calendar
+
+!!!
recommendation
+
+ ![Proton](assets/img/calendar/proton-calendar.svg){ align=right }
+
+ **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Le caratteristiche includono: E2EE automatico di tutti i dati, funzioni di condivisione, funzionalità di importazione/esportazione e [altre funzionalità](https://proton.me/support/proton-calendar-guide). Gli utenti gratuiti hanno accesso ad un singolo calendario, mentre gli abbonati a pagamento possono crearne fino a venti. Anche la funzionalità di condivisione estesa è limitata agli abbonati a pagamento.
+
+ [:octicons-home-16: Pagina principale](https://proton.me/calendar){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="informativa sulla privacy" }
+ [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Codice sorgente" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar)
+ - [:octicons-browser-16: Web](https://calendar.proton.me)
+
+## CryptPad
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit.
downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+### Minimum Qualifications
+
+- Must sync and store information with E2EE to ensure data is not visible to the service provider.
+
+### Caso migliore
+
+KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password.
+
+- Should integrate with native OS calendar and contact management apps if applicable.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/cloud.md b/i18n/it/cloud.md
new file mode 100644
index 00000000..49baeb5e
--- /dev/null
+++ b/i18n/it/cloud.md
@@ -0,0 +1,71 @@
+---
+title: "Archiviazione in cloud"
+icon: material/file-cloud
+---
+
+Molti fornitori di spazio di archiviazione cloud richiedono la tua totale fiducia sul fatto che non guarderanno nei tuoi file. Le alternative elencate di seguito eliminano la necessità di fiducia mettendo l'utente in controllo dei propri dati o implementando E2EE.
+
+Se queste alternative non soddisfano le tue esigenze, ti suggeriamo di esaminare la sezione sui [software di crittografia](encryption.md).
+
+??? recommendation
+
+ Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users.
+
+## Cryptee
+
+!!! recommendation
+
+ ![Logo Proton Drive](assets/img/cloud/protondrive.svg){ align=right }
+
+ **Proton Drive** è un servizio di archiviazione generale di file E2EE del popolare provider di posta elettronica criptata [Proton Mail](https://proton.me/mail).
+
+ [:octicons-home-16: Pagina principale](https://proton.me/drive){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Codice sorgente" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851)
+
+Proton Drive's mobile clients were released in December 2022 and are not yet open-source. recommendation Proton Drive desktop clients are still in development.
+
+## CryptPad
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+### Requisiti minimi
+
+- Must enforce end-to-end encryption.
+- Must offer a free plan or trial period for testing.
+- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins.
+- Must offer a web interface which supports basic file management functionality.
+- Must allow for easy exports of all files/documents.
+- Must use standard, audited encryption.
+
+### Caso migliore
+
+KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password.
+
+- Clients should be open-source.
+- Clients should be audited in their entirety by an independent third-party.
+- Should offer native clients for Linux, Android, Windows, macOS, and iOS.
+ - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android.
+- Should support easy file-sharing with other users.
+- Should offer at least basic file preview and editing functionality on the web interface.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/data-redaction.md b/i18n/it/data-redaction.md
new file mode 100644
index 00000000..6ba8fe98
--- /dev/null
+++ b/i18n/it/data-redaction.md
@@ -0,0 +1,155 @@
+---
+title: "Rimozione di dati e metadati"
+icon: material/tag-remove
+---
+
+Quando vengono condivisi file, è importante rimuovere i relativi metadata. I file immagine includono comunemente dati [Exif](https://it.wikipedia.org/wiki/Exif). I metadata delle foto, a volte, includono anche le coordinate GPS.
+
+## Desktop
+
+### MAT2
+
+!!! recommendation
+
+ ![Logo MAT2](assets/img/data-redaction/mat2.svg){ align=right }
+
+ **MAT2** è un software gratuito che consente di rimuovere i metadati da file immagine, audio, torrent e documenti. Fornisce sia uno strumento a riga di comando che un'interfaccia utente grafica tramite un [estensione per Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), il file manager predefinito di [GNOME](https://www.gnome.org) e [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), il file manager predefinito di [KDE](https://kde.org).
+
+ Su Linux, esiste uno strumento grafico di terze parti [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) basato su MAT2 ed è [disponibile su Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner).
+
+ [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Codice sorgente" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://pypi.org/project/mat2)
+ - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew)
+ - [:simple-linux: Linux](https://pypi.org/project/mat2)
+ - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface)
+
+## Mobile
+
+### ExifEraser (Android)
+
+!!!
recommendation
+
+ ![Logo ExifEraser](assets/img/data-redaction/exiferaser.svg){ align=right }
+
+ **ExifEraser** è un'applicazione moderna e senza permessi per la cancellazione dei metadati delle immagini per Android.
+
+ Attualmente supporta file JPEG, PNG e WebP.
+
+ [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Codice sorgente" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser)
+ - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser)
+ - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases)
+
+I metadati cancellati dipendono dal tipo di file dell'immagine:
+
+* **JPEG**: i metadati del profilo ICC, Exif, Photoshop Image Resources e XMP/ExtendedXMP verranno cancellati se esistenti.
+* **PNG**: i metadati del profilo ICC, Exif e XMP saranno cancellati se esistenti.
+* **WebP**: i metadati del profilo ICC, Exif e XMP verranno cancellati se esistenti.
+
+Dopo l'elaborazione delle immagini, ExifEraser fornisce un rapporto completo su cosa è stato rimosso esattamente da ogni immagine.
+
+L'applicazione offre diversi modi per cancellare i metadati dalle immagini. Vale a dire:
+
+* È possibile condividere un'immagine da un'altra applicazione con ExifEraser.
+* Attraverso l'applicazione stessa, è possibile selezionare una singola immagine, più immagini contemporaneamente o persino un'intera directory.
+* È dotata di un'opzione "Fotocamera" che utilizza l'app fotocamera del sistema operativo per scattare una foto e poi ne rimuove i metadati.
+* Consente di trascinare le foto da un'altra applicazione in ExifEraser quando entrambe sono aperte in modalità split-screen.
+* Infine, consente di incollare un'immagine dagli appunti.
+
+### Metapho (iOS)
+
+!!! recommendation
+
+ ![Logo Metapho](assets/img/data-redaction/metapho.jpg){ align=right }
+
+ **Metapho** è un visualizzatore semplice e pulito per i metadati delle foto, come data, nome del file, dimensioni, modello di fotocamera, velocità dell'otturatore e posizione.
+
+ [:octicons-home-16: Pagina principale](https://zininworks.com/metapho){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Informativa sulla privacy" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352)
+
+### PrivacyBlur
+
+!!! recommendation
+
+ ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right }
+
+ **PrivacyBlur** è un'applicazione gratuita che consente di sfocare le parti sensibili delle immagini prima di condividerle online.
+
+ [:octicons-home-16: Pagina principale](https://privacyblur.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Codice sorgente" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106)
+
+!!! warning "Avviso"
+
+ Non si deve **mai** usare la sfocatura per nascondere [il testo nelle immagini] (https://bishopfox.com/blog/unredacter-tool-never-pixelation). Se desideri eliminare il testo di un'immagine, disegna un riquadro sopra il testo. A questo scopo, suggeriamo applicazioni come [Pocket Paint](https://github.com/Catrobat/Paintroid).
+
+## Linea di comando
+
+### ExifTool
+
+!!!
recommendation
+
+ ![Logo ExifTool](assets/img/data-redaction/exiftool.png){ align=right }
+
+ **ExifTool** è l'originale libreria perl e applicazione a riga di comando per leggere, scrivere e modificare i metadati (Exif, IPTC, XMP e altro) in un'ampia varietà di formati di file (JPEG, TIFF, PNG, PDF, RAW e altro).
+
+ Spesso è usato come un componente di altre applicazioni di rimozione Exif ed è presente nei repository della maggior parte delle distribuzioni Linux.
+
+ [:octicons-home-16: Pagina principale](https://exiftool.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribuisci }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://exiftool.org)
+ - [:simple-apple: macOS](https://exiftool.org)
+ - [:simple-linux: Linux](https://exiftool.org)
+
+!!! example "Rimozione di metadati dai file di una cartella"
+
+ ```bash
+ exiftool -all= *.file_extension
+ ```
+
+## CryptPad
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit.
downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+- Le applicazioni sviluppate per sistemi operativi open-source devono essere open-source.
+- Le applicazioni devono essere gratuite e non devono includere pubblicità o altre limitazioni.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/desktop-browsers.md b/i18n/it/desktop-browsers.md
new file mode 100644
index 00000000..47ebb328
--- /dev/null
+++ b/i18n/it/desktop-browsers.md
@@ -0,0 +1,272 @@
+---
+title: "Browser desktop"
+icon: material/laptop
+---
+
+Questi sono i browser e le configurazioni per desktop attualmente consigliati per la navigazione standard/non anonima. Se hai bisogno di navigare in Internet in modo anonimo, dovresti invece utilizzare [Tor](tor.md). In generale, si consiglia di ridurre al minimo le estensioni del browser; hanno un accesso privilegiato all'interno del browser, richiedono fiducia nello sviluppatore, possono farti [risaltare](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)e [indebolire l'isolamento del sito](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ).
+
+## Firefox
+
+!!! recommendation
+
+ ![Firefox logo](assets/img/browsers/firefox.svg){ align=right }
+
+ **Firefox** offre robuste impostazioni di privacy, come la [protezione antitracciamento avanzata](https://support.mozilla.org/it/kb/protezione-antitracciamento-avanzata-firefox-desktop), che aiuta a bloccare varie [tipologie di tracciamento](https://support.mozilla.org/it/kb/protezione-antitracciamento-avanzata-firefox-desktop#w_che-cosa-viene-bloccato-con-la-protezione-antitracciamento-avanzata).
+
+ [:octicons-home-16: Pagina principale](https://firefox.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribuisci }
+
+ ???
downloads
+
+ - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows)
+ - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac)
+ - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox)
+
+!!! warning
+ Firefox include un [token di download](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) univoco nella sezione dei download del sito di Mozilla e utilizza la telemetria in Firefox per inviarlo. Il token **non** è incluso nelle versioni rilasciate dall'[FTP di Mozilla](https://ftp.mozilla.org/pub/firefox/releases/).
+
+### Firefox
+
+Il Tor Browser è l'unico che veramente permette di navigare Internet anonimamente. Quando utilizzi Firefox, si consiglia di modificare le seguenti impostazioni per proteggere la privacy da alcune parti, ma tutti i browser diversi da [Tor Browser](tor.md#tor-browser) saranno tracciabili da *qualcuno* in un modo o nell'altro.
+
+Queste opzioni si trovano in :material-menu: → **Impostazioni** → **Privacy e sicurezza**.
+
+##### Protezione antitracciamento avanzata
+
+- [x] Seleziona Protezione antitracciamento avanzata **Restrittiva**
+
+Essa ti protegge bloccando i tracker dei social, script di fingerprinting (nota che questo non ti protegge da *tutte* le forme di fingerprinting), minatori di criptovalute, cookie di tracciamento cross-site e altri contenuti di tracciamento. La Protezione antitracciamento avanzata protegge da molte minacce comuni, ma non blocca tutte le vie di tracciamente, perché progettata per avere minimo o nessun impatto sull'usabilità dei siti.
+
+##### Sanitizzazione alla chiusura
+
+Se vuoi mantenere l'accesso per alcuni siti in particolare, puoi consentire le eccezioni in **Cookie e dati dei siti web** → **Gestisci eccezioni...**
+
+- [x] Seleziona **Elimina cookie e dati dei siti web alla chiusura di Firefox**
+
+Ciò ti protegge dai cookie persistenti, ma non da quelli acquisiti durante ogni sessione di navigazione. Con questa opzione attiva, è possibile eliminare facilmente i cookie del browser riavviando Firefox. È possibile impostare le eccezioni per ogni sito, ad esempio se desideri mantenere l'accesso ad un sito particolare che frequenti spesso.
+
+##### Suggerimenti di ricerca
+
+- [ ] Disabilita **Visualizza suggerimenti di ricerca**
+
+I suggerimenti di ricerca potrebbero non essere disponibili nella tua zona.
+
+I suggerimento di ricerca inviano tutto quello che viene scritto nella barra di ricerca al motore di ricerca predefinito, indipendentemente se le stringe vengono inviate o meno. Disabilitare i suggerimenti di ricerca ti permette di controllare più precisamente quali dati invii al motore di ricerca che utilizzi.
+
+##### Telemetria
+
+- [ ] Disabilita **Consenti a Firefox di inviare a Mozilla dati tecnici e relativi all’interazione con il browser**
+- [ ] Disabilita **Consenti a Firefox di installare e condurre studi**
+- [ ] Disabilita **Consenti a Firefox di inviare segnalazioni di arresto anomalo in sospeso**
+
+> Firefox invia dati relativi alla versione e alla lingua di Firefox, al sistema operativo del dispositivo, alla configurazione hardware, memoria, informazioni basiche sugli arresti anomali ed errori, ai risultati dei processi automatici come gli aggiornamenti, Safebrowsing e l'attivazione a noi. Quando Firefox ci invia dati, il tuo indirizzo IP viene temporaneamente raccolto da parte dei nostri server.
+
+Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts).
If you use a Firefox Account you can opt-out:
+
+1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection)
+2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts**
+
+##### Modalità solo HTTPS
+
+- [x] Seleziona **Attiva in tutte le finestre**
+
+Questo ti aiuta a prevenire il collegamento non intenzionale ad un sito web in HTTP. Siti web senza l'HTTPS sono piuttosto rari il giorno d'oggi, quindi questa opzione non dovrebbe avere un grosso impatto sulla tua navigazione quotidiana.
+
+### Firefox Sync
+
+La [sincronizzazione via Firefox](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) permette ai tuoi dati di navigazione (cronologia, segnalibri, etc.) di essere accessibili su tutti i tuoi dispositivi; i dati vengono protetti mediante E2EE.
+
+### Arkenfox (avanzato)
+
+Il progetto [Arkenfox](https://github.com/arkenfox/user.js) fornisce un insieme di opzioni attentamente selezionate per Firefox. Se [decidi](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) di utilizzare Arkenfox, [alcune opzioni](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) sono più stringenti di altri e/o potrebbero causare il malfunzionamento di alcuni siti web - [opzioni che possono essere cambiate facilmente](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) per aderire alle tue necessità. **Consigliamo caldamente** di leggere tutto il loro [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox inoltre abilita il supporto per le [schede contenitore](https://support.mozilla.org/it/kb/containers-schede-contenitore-firefox#per-utenti-avanzati).
+
+## Brave
+
+!!! recommendation
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** include un content blocker integrato e [funzionalità di privacy](https://brave.com/privacy-features/), molte delle quali attive in modo predefinito.
+
+ Brave è sviluppato a partire dal progetto del browser web Chromium, quindi dovrebbe risultare familiare e avere problemi minimi di compatibilità con i siti web.
+
+ [:octicons-home-16: Pagina principale](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Servizio Onion" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Codice sorgente" }
+
+ ??? downloads annotate
+
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+ - [:simple-windows11: Windows](https://brave.com/download/)
+ - [:simple-apple: macOS](https://brave.com/download/)
+ - [:simple-linux: Linux](https://brave.com/linux/) (1)
+
+ 1. Sconsigliamo l'utilizzo della versione Flatpack di Brave, in quanto rimpiazza il sandbox di Chromium con quello di Flatpak, il quale è meno efficace. Inoltre, il pacchetto non è gestito da Brave Software, Inc.
+
+### Firefox
+
+Il Tor Browser è l'unico che veramente permette di navigare Internet anonimamente. Quando utilizzi Brave, consigliamo di cambiare le seguenti impostazioni per proteggere la tua privay da alcune parti, ma tutti i browser eccetto il [Tor Browser](tor.md#tor-browser) sono tracciabili da *qualcuno* in qualche modo.
+
+Queste opzioni possono essere trovare in :material-menu: → **Impostazioni**.
+
+##### Shields
+
+Brave include alcune misure contro il fingerprinting nella sua funzionalità [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-). Consigliamo di configurare queste opzioni [globalmente](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) applicate a tutti i siti che visiti.
+
+Le funzionalità di Shields possono essere ridotte per ogni sito se necessario; ciò nonostante, raccomandiamo le seguenti impostazioni:
+
+
+- [x] Seleziona **Impedisci il fingerprinting tramite le impostazioni della lingua**
+- [x] Seleziona il Blocco di tracker e annunci come **Aggressivo**
+
+ ??? warning "Usa gli elenchi di filtri predefiniti"
+ Brave ti consente di selezionare ulteriori filtri di contenuti mediante la pagina interna `brave://adblock`. Si consiglia di non utilizzare questa funzione e di mantenere gli elenchi di filtri predefiniti. il loro utilizzo ti distingue dagli altri utenti Brave, e potrebbe inoltre aumentare la superficie di attacco se esiste un exploit nel browser sfruttabile da codice malizioso presente nelle liste stesse.
+
+- [x] (Opzionale) Seleziona **Blocco degli script** (1)
+- [x] Sleziona Blocca il fingerprinting come **Rigido, potrebbe non far funzionare alcuni siti**
+
+
+1. Questa opzione fornisce una funzionalità simile alle [modalità di blocco](https://github.com/gorhill/uBlock/wiki/Blocking-mode) avanzate di uBlock Origin o dell'estensione [NoScript](https://noscript.net/).
+
+##### Blocco dei social
+
+- [ ] Deseleziona tutte le opzioni legate ai social
+
+##### Privacy e sicurezza
+
+
+- [x] Seleziona **Disabilita UDP senza proxy** in [Gestione politica IP WebRTC IP](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Disabilita **Utilizza i servizzi Google per la messaggistica push**
+- [ ] Disabilita **Acconsenti all'analisi dei prodotti di tutel della privacy (P3A)**
+- [ ] Disabilita **Invia automaticamente un ping di utilizzo giornaliero a Brave**
+- [ ] Disabilita **Invia automaticamente i rapporti di diagnostica**
+- [x] Seleziona **Utilizza sempre connessioni sicure** nel menu **Sicurezza**
+- [ ] Disabilita **Finestra in Incognito con Tor** (1)
+
+ !!! important "Sanitizzazione alla chiusura"
+ - [x] Seleziona **Cancella cookie e dati dei siti alla chiusura di tutte le finestre** nel menu *Cookie e altri dati dei siti*
+
+ Se desideri rimanere connesso a un particolare sito che si visita spesso, è possibile impostare eccezioni su base individuale nella sezione *Comportamenti personalizzati*.
+
+
+1. Brave **non è** resistente al fingerprinting come il Tor Browser e molte meno persone utilizzano Brave con Tor, facendoti quindi distinguere. Quando [è necessario un forte anonimato](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) utilizzare il [Tor Browser](tor.md#tor-browser).
+
+##### Estensioni
+
+Disabilita le estensioni integrate che non utilizzi in **Estensioni**
+
+- [ ] Disabilita **Hangouts**
+- [ ] Disabilita **WebTorrent**
+
+##### IPFS
+
+L'InterPlanetary File System (IPFS) è una rete peer-to-peer e decentralizzata, utilizzata per archiviare e condividere dati mediante un filesystem distribuito. Se non utilizzi questa funzione, disabilitala.
+
+- [x] Seleziona **Disabilitato** in Metodo per risolvere le risorse IPFS
+
+##### Impostazioni aggiuntive
+
+Sotto il menù *Sistema*
+
+
+- [ ] Disabilita **Continua a eseguire applicazioni in background dopo la chiusura di Brave** per disabilitare le applicazioni in background (1)
+
+
+1. Questa opzione non è presente su tutte le piattaforme.
+
+### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) permette ai dati di navigazione (cronologia, segnalibri, ecc.) di essere accessibili su tutti i dispositivi senza richiedere un account e li protegge con E2EE.
+
+## Risorse aggiuntive
+
+In genere non consigliamo l'installazione di estensioni, poiché aumentano la superficie di attacco. Tuttavia, uBlock Origin può rivelarsi utile se si apprezza la funzionalità di blocco dei contenuti.
+
+### uBlock Origin
+
+!!! recommendation
+
+ ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right }
+
+ **uBlock Origin** è un popolare blocker di contenuti che aiuta a bloccare pubblicità, tracker e script di fingerprinting.
+
+ [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Codice sorgente" }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak)
+
+Consigliamo di seguire la [documentazione dello sviluppatore](https://github.com/gorhill/uBlock/wiki/Blocking-mode) e di scegliere una delle "modalità". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css).
+
+##### Other lists
+
+These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding:
+
+- [x] Check **Privacy** > **AdGuard URL Tracking Protection**
+- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt)
+
+## CryptPad
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+### Requisiti minimi
+
+- Deve essere un software open-source.
+- Supports automatic updates.
+- Receives engine updates in 0-1 days from upstream release.
+- Available on Linux, macOS, and Windows.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Blocks third-party cookies by default.
+- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1]
+
+### Caso migliore
+
+KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password.
+
+- Includes built-in content blocking functionality.
+- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)).
+- Supports Progressive Web Apps.
+ PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates.
+- Does not include add-on functionality (bloatware) that does not impact user privacy.
+- Does not collect telemetry by default.
+- Provides open-source sync server implementation.
+- Defaults to a [private search engine](search-engines.md).
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.it.txt"
+
+[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/).
diff --git a/i18n/it/desktop.md b/i18n/it/desktop.md
new file mode 100644
index 00000000..e621853b
--- /dev/null
+++ b/i18n/it/desktop.md
@@ -0,0 +1,191 @@
+---
+title: "Desktop/PC"
+icon: simple/linux
+---
+
+Le distribuzioni Linux sono comunemente consigliate per la protezione della privacy e la libertà del software. Se non utilizzi già Linux, di seguito ti suggeriamo alcune distribuzioni da provare, oltre ad alcuni consigli generali per migliorare la privacy e la sicurezza applicabili a molte distribuzioni Linux.
+
+- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md)
+
+## Distribuzioni tradizionali
+
+### Fedora Workstation
+
+!!! recommendation
+
+ ![Fedora logo](/assets/img/linux-desktop/fedora-workstation.svg){ align=right }
+
+ **Fedora Workstation** è la distribuzione che raccomandiamo per utenti nuovi a Linux. Fedora generalmente adotta tecnologie più recenti prima di altre distribuzioni, ad esempio [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), e presto, [FS-Verity](https://fedoraproject.org/wiki/Changes/FsVerityRPM). Queste nuove tecnologie spesso comportano miglioramenti alla sicurezza, privacy e usabilità in generale.
+
+ [:octicons-home-16: Pagina principale](https://getfedora.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentazione}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribuisci }
+
+Fedora has a semi-rolling release cycle. Mentre alcuni pacchetti come [GNOME](https://www.gnome.org) sono congelati fino alla prossima versione di Fedora, la maggior parte dei pacchetti (incluso il kernel) sono aggiornati frequentemente durante il ciclo di vita della versione. Ogni versione di Fedora è supportata per un anno, con una nuova versione rilasciata ogni 6 mesi.
+
+### openSUSE Tumbleweed
+
+!!!
recommendation
+
+ ![openSUSE Tumbleweed logo](/assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
+
+ **openSUSE Tumbleweed** è una distribuzione [a rilascio continuo](https://it.wikipedia.org/wiki/Rolling_release) stabile.
+
+ openSUSE Tumbleweed ha un sistema di [aggiornamenti "transazionali"](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) che usa [Btrfs](https://it.wikipedia.org/wiki/Btrfs) e [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) per assicurare che le istantanee possano essere ripristinate in caso di problemi.
+
+ [:octicons-home-16: Pagina principale](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentazione}
+ [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribuisci }
+
+Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. Quando l'utente aggiorna il suo sistema, viene scaricata una nuova istantanea. Ogni istantanea viene sottoposta a una serie di test automatizzati da [openQA](https://openqa.opensuse.org) per garantirne la qualità.
+
+### Arch Linux
+
+!!! recommendation
+
+ ![Arch logo](/assets/img/linux-desktop/archlinux.svg){ align=right }
+
+ **Arch Linux** è una distribuzione leggera, fai-da-te (DIY) che significa che ottieni solo ciò che installi. Per maggiori informazioni visita le loro [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).
+
+ [:octicons-home-16: Pagina principale](https://archlinux.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentazione}
+ [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribuisci }
+
+Arch Linux ha un ciclo di rilascio continuo. Non c'è un programma di rilascio fisso e i pacchetti vengono aggiornati molto frequentemente.
+
+Essendo una distribuzione DIY, ci si aspetta che l'utente [imposti e mantenga](#arch-based-distributions) il proprio sistema. Arch ha un [installatore ufficiale](https://wiki.archlinux.org/title/Archinstall) per rendere il processo di installazione un po' più facile.
+
+Gran parte dei [pacchetti di Arch Linux](https://reproducible.archlinux.org) sono [riproducibili](https://reproducible-builds.org).
+
+## Distribuzioni immutabili
+
+### Fedora Silverblue
+
+!!! recommendation
+
+ ![Fedora Silverblue logo](/assets/img/linux-desktop/fedora-silverblue.svg){ align=right }
+
+ **Fedora Silverblue** e **Fedora Kinoite** sono varianti immutabili di Fedora con una forte attenzione al flussi di lavoro basato su contenitori. Silverblue viene fornito con l'ambiente desktop [GNOME](https://www.gnome.org/) mentre Kinoite viene fornito con [KDE](https://kde.org/). Silverblue e Kinoite seguono lo stesso programma di rilascio di Fedora Workstation, beneficiando degli stessi aggiornamenti veloci e rimanendo molto vicini all'upstream.
+
+ [Visita silverblue.fedoraproject.org](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }
+
+Silverblue (e Kinoite) differiscono da Fedora Workstation perché sostituiscono il gestore di pacchetti [DNF](https://fedoraproject.org/wiki/DNF) con un'alternativa molto più avanzata chiamata [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). Il gestore di pacchetti `rpm-ostree` funziona scaricando un'immagine di base per il sistema, quindi sovrapponendo i pacchetti in un albero di commit simile a [git](https://en.wikipedia.org/wiki/Git). Quando il sistema viene aggiornato, viene scaricata una nuova immagine di base e le sovrapposizioni vengono applicate a questa nuova immagine.
+
+Al termine dell'aggiornamento, il sistema verrà riavviato nella nuova distribuzione.
`rpm-ostree` mantiene due distribuzioni del sistema in modo da poter effettuare facilmente il rollback se qualcosa si rompe nella nuova distribuzione. È inoltre possibile aggiungere altre distribuzioni in base alle necessità.
+
+[Flatpak](https://www.flatpak.org) è il metodo principale di installazione dei pacchetti su queste distribuzioni, in quanto `rpm-ostree` è pensato solo per sovrapporre all'immagine di base i pacchetti che non possono stare all'interno di un contenitore.
+
+Come alternativa a Flatpaks, c'è l'opzione di [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) per creare contenitori [Podman](https://podman.io) con una cartella home condivisa con il sistema operativo host e imitare un ambiente Fedora tradizionale, che è una [caratteristica utile](https://containertoolbx.org) per lo sviluppatore esigente.
+
+### NixOS
+
+!!! recommendation
+
+ ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right }
+
+ NixOS è una distribuzione indipendente basata sul gestore di pacchetti Nix con una particolare attenzione alla riproducibilità e all'affidabilità.
+
+ [:octicons-home-16: Pagina principale](https://nixos.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentazione}
+ [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribuisci }
+
+Il gestore di pacchetti di NixOS conserva ogni versione di ogni pacchetto in una cartella diversa del **negozio Nix**. Per questo motivo è possibile avere diverse versioni dello stesso pacchetto installate sul sistema. Dopo che il contenuto del pacchetto è stato scritto nella cartella, questa viene resa di sola lettura.
+
+NixOS fornisce anche aggiornamenti atomici; prima scarica (o costruisce) i pacchetti e i file per la nuova generazione di sistema e poi passa ad essi.
Ci sono diversi modi per passare a una nuova generazione: si può dire a NixOS di attivarla dopo il riavvio o si può passare ad essa in fase di esecuzione. È anche possibile *testare* la nuova generazione passando ad essa in fase di esecuzione, ma senza impostarla come generazione corrente del sistema. Se qualcosa nel processo di aggiornamento si interrompe, è possibile riavviare automaticamente e tornare a una versione funzionante del sistema.
+
+Nix, il gestore di pacchetti, utilizza un linguaggio puramente funzionale, chiamato anch'esso Nix, per definire i pacchetti.
+
+[Nixpkgs](https://github.com/nixos/nixpkgs) (la fonte principale dei pacchetti) è contenuto in un unico repository GitHub. È anche possibile definire i propri pacchetti nella stesso linguaggio e quindi includerli facilmente nella configurazione.
+
+Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. Costruisce ogni pacchetto in un ambiente sandbox *puro* , che è il più indipendente possibile dal sistema ospite, rendendo così i binari riproducibili.
+
+## Distribuzioni incentrate sull'anonimato
+
+### Whonix
+
+!!! recommendation
+
+ ![Logo Whonix](assets/img/linux-desktop/whonix.svg){ align=right }
+
+ **Whonix** è basato su [Kicksecure](https://www.whonix.org/wiki/Kicksecure), un fork di Debian focalizzato sulla sicurezza. Mira a fornire privacy, sicurezza e anonimato su internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os).
+
+ [:octicons-home-16: Pagina principale](https://www.whonix.org/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Servizio onion" }
+ [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentazione}
+ [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribuisci }
+
+Whonix è pensato per essere eseguito come due macchine virtuali: una "Workstation" e un "Gateway" Tor. Tutte le comunicazioni dalla Workstation devono passare attraverso il gateway Tor, e saranno instradate attraverso la rete Tor. Ciò significa che anche se la Workstation venisse compromessa da un malware di qualche tipo, il vero indirizzo IP rimarrebbe nascosto.
+
+Alcune delle sue caratteristiche includono Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [swap crittografato](https://github.com/Whonix/swap-file-creator), e un allocatore di memoria rinforzato.
+
+Le versioni future di Whonix probabilmente includeranno [criteri AppArmor di sistema completi](https://github.com/Whonix/apparmor-profile-everything) e un [lanciatore di app sandbox](https://www.whonix.org/wiki/Sandbox-app-launcher) per confinare completamente tutti i processi sul sistema.
+
+Whonix è utilizzato al meglio [in combinazione con Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers).
+
+### Tails
+
+!!! recommendation
+
+ ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right }
+
+ **Tails** è un sistema operativo live basato su Debian che instrada tutte le comunicazioni attraverso Tor, che può essere avviato su quasi tutti i computer da un'installazione su DVD, chiavetta USB o scheda SD. Utilizza [Tor](tor.md) per preservare la privacy e l'anonimato aggirando la censura e non lascia traccia di sé sul computer su cui viene utilizzato una volta spento.
+
+ [:octicons-home-16: Pagina principale](https://tails.boum.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentazione}
+ [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribuisci }
+
+Tails è ottimo per la contro-analisi forense grazie all'amnesia (il che significa che non viene scritto nulla sul disco); tuttavia, non è una distribuzione rafforzata come Whonix. Manca di molte funzioni di anonimato e sicurezza che Whonix possiede e viene aggiornato molto meno spesso (solo una volta ogni sei settimane). Un sistema Tails compromesso da malware può potenzialmente aggirare il proxy trasparente, consentendo all'utente di essere deanonimizzato.
+
+Tails include [uBlock Origin](desktop-browsers.md#ublock-origin) nel Tor Browser per impostazione predefinita, il che può potenzialmente rendere più facile per gli avversari effettuare il fingerprinting degli utenti di Tails. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device.
+
+Da progettazione, Tails è previsto che si ripristini completamente dopo ogni riavvio. L'archiviazione [cifrata persistente](https://tails.boum.org/doc/first_steps/persistence/index.en.html) può essere configurata per memorizzare alcuni dati tra un ravvio e l'altro.
+
+## Security-focused Distributions
+
+### Qubes OS
+
+!!! recommendation
+
+ ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right }
+
+ **Qubes OS** è un sistema operativo open-source progettato per fornire una forte sicurezza per i computer desktop. È basato su Xen, sul sistema X Window e su Linux, e può eseguire/utilizzare la maggior parte delle applicazioni/driver di Linux.
+
+ [:octicons-home-16: Pagina principale](https://www.qubes-os.org/){ .md-button .md-button--primary }
+ [:material-arrow-right-drop-circle: Panoramica](os/qubes-overview.md){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Servizio Onion" }
+ [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentazione }
+ [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribuisci }
+
+Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*.
+
+Il sistema operativo Qubes OS protegge il computer isolando i sottosistemi (ad esempio, rete, USB, ecc.) e le applicazioni in macchine virtuali separate. Se una parte del sistema viene compromessa, è probabile che l'isolamento supplementare protegga il resto del sistema. Per ulteriori dettagli, consulta le [FAQ](https://www.qubes-os.org/faq/) di Qubes.
+
+## CryptPad
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit.
downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+Our recommended operating systems:
+
+- Must be open-source.
+- Must receive regular software and Linux kernel updates.
+- Linux distributions must support [Wayland](os/linux-overview.md#Wayland).
+- Must support full-disk encryption during installation.
+- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/dns.md b/i18n/it/dns.md
new file mode 100644
index 00000000..e9c9be0e
--- /dev/null
+++ b/i18n/it/dns.md
@@ -0,0 +1,155 @@ +--- +title: "Resolver DNS" +icon: material/dns +--- + +!!! faq "Quando utilizzare il DNS crittografato?" + + I DNS crittografati con server di terze parti dovrebbero essere utilizzati solo per aggirare forme di [blocco del DNS](https://en.wikipedia.org/wiki/DNS_blocking) basilari, quando sei sicuro che ciò non causi alcuna conseguenza. Il DNS crittografato non aiuta a nascondere la tua attività di navigazione. + + [Per saperne di più sul DNS](basics/dns-overview.md){ .md-button } + +## Provider consigliati + +| Fornitore DNS | Informativa sulla privacy | Protocolli | Logging | ECS | Filtraggio | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------- | --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | In parte[^1] | No | In base alla scelta del server. L'elenco dei filtri utilizzati è disponibile qui. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | In parte[^2] | No | In base alla scelta del server. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Opzionale[^3] | No | In base alla scelta del server. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | In base alla scelta del server. L'elenco dei filtri utilizzati è disponibile qui. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Opzionale | In base alla scelta del server. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | In parte[^6] | Opzionale | In base alla scelta del server, blocco dei malware di default. | + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +- Deve supportare le [DNSSEC](advanced/dns-overview.md#what-is-dnssec) +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Consente di disabilitare la [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) +- Preferire il supporto di [anycast](https://it.wikipedia.org/wiki/Anycast) o il supporto di geo-steering + +## Proxy DNS crittografati + +### Android + +Le utlime versioni di iOS, iPadOS, tvOS e macOS supportano sia DoT, che DoH. Entrambi i protocolli sono supportati nativamente mediante i [profili di configurazione](https://support.apple.com/it-it/guide/iphone/iph6c493b19/ios) o tramite l'[API DNS Settings](https://developer.apple.com/documentation/networkextension/dns_settings). 
+ +### Dispositivi Apple + +Dopo l'installazione di un profilo di configurazione o di un'applicazione che utilizza la DNS Settings API, è possibile selezionare la configurazione DNS. Se una VPN è attiva, la risoluzione all'interno del tunnel VPN utilizzerà le impostazioni DNS della VPN, e non quelle del sistema. + +Apple non fornisce un'interfaccia nativa per la creazione di profili DNS criptati. Il '[Secure DNS profile creator](https://dns.notjakob.com/tool.html)' è uno strumento non ufficiale per creare i tuoi profili DNS crittografati, che tuttavia non saranno firmati. + +#### Profili firmati + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + ![Logo RethinkDNS](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** è un client Android open-source che supporta [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) e DNS Proxy oltre a memorizzare nella cache le risposte DNS, registrare localmente le query DNS e può essere usato anche come firewall. 
[:octicons-home-16: Pagina principale](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Codice sorgente" } + + ??? + +## Self-hosting + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! recommendation + + ![logo dnscrypt-proxy](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** è un proxy DNS con supporto per [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh) e [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? warning "La funzione DNS anonimizzato [**non**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonimizza il resto del traffico di rete." + +### dnscrypt-proxy + +!!! recommendation + + ![Logo AdGuard Home](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** è un programma open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) che utilizza il [filtraggio DNS](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) per bloccare i contenuti web indesiderati, come la pubblicità. + + !!! 
[:octicons-home-16: Pagina principale](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Codice sorgente" } + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! recommendation + + ![Logo Pi-hole](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** è un sito open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) che utilizza il [filtraggio DNS](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) per bloccare contenuti web indesiderati, come la pubblicità. + + Pi-hole è stato progettato per essere ospitato su un Raspberry Pi, ma non è limitato a tale hardware. + + Il software dispone di un'interfaccia web intuitiva per visualizzare gli approfondimenti e gestire i contenuti bloccati. + +### Pi-hole + +!!! 
recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +--8<-- "includes/abbreviations.it.txt" + +[^1]: AdGuard memorizza le statistiche aggregate delle prestazioni dei propri server DNS, ovvero il numero di richieste dirette a un particolare server, il numero di richieste bloccate e la velocità di elaborazione di esse. Inoltre, conservano e memorizzano i domini richiesti nelle ultime 24 ore. "Abbiamo bisogno di queste informazioni per identificare e bloccare nuovi tracker e minacce" "Registriamo anche quante volte un tracker viene bloccato. Abbiamo bisogno di queste informazioni per rimuovere le regole obsolete dai nostri filtri" [https://adguard.com/it/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare raccoglie e memorizza solo dati limitati delle stringhe DNS che vengono inviate al resolver 1.1.1.1. Il resolver 1.1.1.1 non registra dati personali, e la maggior parte dei dati di identificazione personali limitati nelle stringhe DNS viene archiviata per solo 25 ore. 
[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D registra solo i resolver Premium con profili DNS personalizzati. I resolver gratuiti non registrano dati. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Il servizio di DNS di Mullvad è disponibile per tutti, abbonati a Mullvad VPN e non. La loro informativa sulla privacy dichiara che non registrano in alcun modo le richieste DNS. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS fornisce funzioni opzionali di approfondimento e di logging. Puoi decidere il tempo di retenzione e la posizione dell'archivio per tutti i dati che decidi di registrare. A meno che non venga specificatamente richiesto, nessun dato viene registrato. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 raccoglie alcuni dati con l'intenzione di monitorare e rispondere a eventuali minacce. Tali dati potrebbero essere poi rimescolati e condivisi, ad esempio ai fini della ricerca sulla sicurezza. Quad9 non colleziona o registra gli indirizzi IP, o qualsiasi altro dato ritenuto d'identificazione personale. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/it/email-clients.md b/i18n/it/email-clients.md new file mode 100644 index 00000000..c4af31f7 --- /dev/null +++ b/i18n/it/email-clients.md 
@@ -0,0 +1,244 @@ +--- +title: "Condivisione di file" +icon: material/email-open +--- + +Il nostro elenco di raccomandazioni contiene client di posta elettronica che supportano sia [OpenPGP](encryption.md#openpgp) che l'autenticazione forte come [Open Authorization (OAuth)](https://it.wikipedia.org/wiki/OAuth). OAuth consente di utilizzare l'[autenticazione a più fattori](basics/multi-factor-authentication.md) e di prevenire il furto di account. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Multipiattaforma + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** è un client di posta elettronica, newsgroup, news feed e chat (XMPP, IRC, Twitter) gratuito, open-source e multipiattaforma, sviluppato dalla comunità Thunderbird e precedentemente dalla Mozilla Foundation. + + [:octicons-home-16: Pagina principale](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentazione} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Codice sorgente" } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Firefox + +Si consiglia di modificare alcune di queste impostazioni per rendere Thunderbird un po' più privato. + +Queste opzioni si trovano in :material-menu: → **Impostazioni** → **Privacy e sicurezza**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetria + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (avanzato) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), è un insieme di opzioni di configurazione che mira a disabilitare il maggior numero possibile di funzioni di navigazione web all'interno di Thunderbird, al fine di ridurre la superficie e mantenere la privacy. Alcune modifiche sono state prese dal [progetto Arkenfox](https://github.com/arkenfox/user.js). + +## Specifiche alla piattaforma + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** è incluso in macOS e può essere esteso per avere il supporto OpenPGP con [GPG Suite](encryption.md#gpg-suite), che aggiunge la possibilità di inviare e-mail crittografate. + + [:octicons-home-16: Pagina principale](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentazione} + +### Canary Mail (iOS) + +!!! 
recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** è un client di posta elettronica a pagamento progettato per rendere perfetta la crittografia end-to-end con funzioni di sicurezza come il blocco biometrico dell'app. + + [:octicons-home-16: Pagina principale](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentazione} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning "Avviso" + + Canary Mail ha rilasciato solo di recente un client per Windows e Android, anche se non crediamo che siano stabili come le loro controparti per iOS e Mac. + +Canary Mail è closed-source. Lo consigliamo a causa della scarsa scelta di client di posta elettronica su iOS che supportano la E2EE PGP. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** è un'applicazione di posta elettronica minimale e open-source, che utilizza standard aperti (IMAP, SMTP, OpenPGP) con un basso consumo di dati e batteria. 
+ + [:octicons-home-16: Pagina principale](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** è un'applicazione per la gestione delle informazioni personali che fornisce funzionalità integrate di posta, calendario e rubrica. Evolution dispone di un'ampia [documentazione](https://help.gnome.org/users/evolution/stable/) per aiutarti a iniziare. + + [:octicons-home-16: Pagina principale](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentazione} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! 
recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** è un'applicazione di posta elettronica indipendente che supporta sia le caselle POP3 che IMAP, ma supporta solo la posta push per IMAP. + + In futuro, K-9 Mail sarà il client [ufficiale](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) di Thunderbird per Android. + + [:octicons-home-16: Pagina principale](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning "Avviso" + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** è un'applicazione di gestione delle informazioni personali (PIM, personal information manager) del progetto [KDE](https://kde.org). Offre un client di posta, una rubrica, un'agenda e un client RSS. + +### Kontact (KDE) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** è un'estensione del browser che consente di scambiare e-mail crittografate secondo lo standard di crittografia OpenPGP. 
[:octicons-home-16: Pagina principale](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Codice sorgente" } + + ??? + + downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** è un lettore di posta elettronica a riga di comando (o MUA) open-source per Linux e BSD. + + È un fork di [Mutt](https://it.wikipedia.org/wiki/Mutt) con funzioni aggiuntive. NeoMutt è un client basato sul testo che ha una curva di apprendimento molto ripida. + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. 
+ + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +### Minimum Qualifications + +- Le applicazioni sviluppate per sistemi operativi open-source devono essere open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Caso migliore + +KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). 
Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/email.md b/i18n/it/email.md new file mode 100644 index 00000000..685caba4 --- /dev/null +++ b/i18n/it/email.md 
@@ -0,0 +1,476 @@ +--- +title: "Servizi di posta elettronica" +icon: material/email +--- + +La posta elettronica (e-mail) è una necessità per utilizzare un qualsiasi servizio online; nonostante ciò, la sconsigliamo per le conversazioni personali e private. Piuttosto di utilizzare una e-mail per contattare altre persona, considera un mezzo di messaggistica istantanea che supporti la \['forward secrecy'\](https://it. wikipedia. org/wiki/Forward_secrecy). + +[Messaggistica istantanea consigliata](real-time-communication.md ""){.md-button} + +Per tutto il resto, consigliamo una varietà di provider di posta eletronnica basati su modelli di business sostenibile e funzioni di sicurezza integrate. + +## Fornitori di posta elettronica consigliati + +These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. warning + +!!! warning "Avviso" + + Quando si utilizza tecnologia E2EE, come OpenPGP, alcuni metadata nell'intestazione dei messaggi non vengono crittografati. Per saperne di più sui metadata della [posta elettronica](basics/email-security.md#email-metadata-overview). + + Open PGP non supporta la 'forward secrecy': se le chiave privata tua o del ricevente viene rubata, allora anche tutti i messaggi precedenti possono essere esposti. [Come proteggo le mie chavi private?](email.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** è un servizio di posta elettronica incentrato su privacy, crittografia, sicurezza e facilità d'uso. Operando dal 2013, Proton AG ha sede a Ginevra, Svizzera. Gli account partono da 500MB di spazio di archiviazione con il piano gratuito. 
+ + Gli account gratuiti hanno alcune limitazioni, come l'impossibilità di effettuare ricerche del testo nelle mail e non poter accedere al [Proton Mail Bridge](https://proton.me/it/mail/bridge), il quale è necessario se si vuole utilizzare uno dei [client e-mail per desktop consigliati](email-clients.md) (es. Thunderbird). Gli account a pagamento sono disponibili a partire da **48€ all'anno**, ed includono funzionalità come il Proton Mail Bridge e il supporto per domini personalizzati. + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). check "Metodi di pagamento privati" A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. check "Sicurezza dei dati" + +??? check "Crittografia e-mail" + + Gli abbonati a Proton Mail possono scegliere un dominio personalizzato con il servizio o un indirizzo [catch-all](https://proton.me/it/support/catch-all). Inoltre è presente il supporto per il [subaddressing](https://proton.me/it/support/creating-aliases), utile per chi non vuole acquistare un dominio. + +??? warning "Eredità digitale" + + Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin è contanti via mail, oltre ai pagamenti standard con carta di credito/debito e PayPal. + +??? info "Chiusura dell'account" + + Proton Mail supporta solo [l'autenticazione a due fattori](https://proton.me/it/support/two-factor-authentication-2fa) TOTP. Il supporto per le chiavi di sicurezza U2F non è ancora presente. 
Proton Mail ha in programma, però, di integrarlo al completamento del loro codice [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/). + +??? success "Data Security" + + La crittografia usata fa sì che Proton Mail [non può accedere](https://proton.me/it/blog/zero-access-encryption) alle vostre e-mail e [calendari](https://proton.me/it/news/protoncalendar-security-model) a riposo. I dati protetti in questo modo sono accessibili solo da te. + + Alcune informazioni memorizzate nei [Proton Contacts (Contatti Proton)](https://proton.me/it/support/proton-contacts), come i nomi visualizzati e gli indirizzi e-mail, non sono protette dalla crittografia "ad accesso zero". I campi dei contatti che supportano questa crittografia, come i numeri di telefono, sono contrassegnati da un'icona di un lucchetto. + +??? recommendation + + Proton mail ha [integrato la crittografia di OpenPGP](https://proton.me/it/support/how-to-use-pgp) nella loro webmail. Le e-mail inviate ad altri account Proton Mail vengono crittografate automaticamente, e la crittografia verso indirizzi non Proton Mail con una chiave OpenPGP può essere abilitata nelle impostazioni dell'account. Permettono inoltre di [crittografare messaggi verso indirizzi non Proton Mail](https://proton.me/it/support/password-protected-emails) senza il bisogno che il ricevente acceda ad un account Proton Mail o utilizzi software come OpenPGP. + + Proton Mail consente anche il reperimento di chiavi pubbliche via HTTP dalla loro [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). Questo permette alle persone che non utilizzano Proton Mail di trovare facilmente le chiavi OpenPGP degli account Proton Mail, per un E2EE cross-provider. + +??? check "Sicurezza dei dati" + + Proton Mail non offre una funzione di eredità digitale. + +??? 
info "Metodi di pagamento privati" + + Se avete un account a pagamento e la vostra [bolletta non è pagata](https://proton.me/support/delinquency) dopo 14 giorni, non potrete accedere ai vostri dati. Dopo 30 giorni, l'account diventerà delinguente e non riceverà più la posta in arrivo. Durante questo periodo la fattura continuerà ad essere addebitata. + +??? info "Funzionalità aggiuntive" + + Proton Mail offre un account "Unlimited" a 9,99 euro/mese, che consente anche l'accesso a Proton VPN oltre a fornire account multipli, domini, alias e 500 GB di spazio di archiviazione. + +### Mailbox.org + +!!! recommendation + + ![Logo Mailbox.org](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** è un servizio di posta elettronica che si concentra sull'essere sicuro, privo di pubblicità e alimentato privatamente da energia ecologica al 100%. Mailbox.org è opera dal 2014 e ha sede a Berlino, in Germania. Gli account iniziano con 2 GB di spazio di archiviazione, che possono essere aumentati in base alle esigenze. + + [:octicons-home-16: Pagina principale](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentazione} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +??? check "Crittografia e-mail" + + Mailbox.org consente di utilizzare il proprio dominio e supporta gli indirizzi [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain). Mailbox.org supporta anche [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), utile se non si vuole acquistare un dominio. + +??? check "Eredità digitale" + + Mailbox.org non accetta Bitcoin o altre criptovalute a causa della sospensione delle attività del processore di pagamento BitPay in Germania. 
Tuttavia, accettano contanti per posta, pagamento in contanti su conto corrente, bonifico bancario, carta di credito, PayPal e un paio di processori specifici per la Germania: paydirekt e Sofortüberweisung. + +??? info "Chiusura dell'account" + + Mailbox.org supporta l'[autenticazione a due fattori](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) solo per la sua webmail. È possibile utilizzare il TOTP o un [Yubikey](https://it.wikipedia.org/wiki/YubiKey) tramite il [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Gli standard web come [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) non sono ancora supportati. + +??? info "Data Security" + + Mailbox.org consente la crittografia della posta in arrivo utilizzando la sua [casella di posta crittografata] (https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). I nuovi messaggi ricevuti saranno immediatamente crittografati con la tua chiave pubblica. + + Tuttavia, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), la piattaforma software utilizzata da Mailbox.org, [non supporta](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) la crittografia della rubrica e del calendario. Un'[opzione autonoma] (calendario-contatti.md) potrebbe essere più appropriata per queste informazioni. + +??? recommendation + + Mailbox.org ha [integrato la crittografia] (https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) nella sua webmail, che semplifica l'invio di messaggi a persone con chiavi OpenPGP pubbliche. Consentono inoltre [ai destinatari remoti di decriptare un'e-mail](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) sui server di Mailbox.org. Questa funzione è utile quando il destinatario remoto non dispone di OpenPGP e non può decifrare una copia dell'e-mail nella propria casella di posta elettronica. 
+ + Mailbox.org supporta anche il reperimento di chiavi pubbliche via HTTP dalla sua [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). Questo permette a persone esterne a Mailbox.org di trovare facilmente le chiavi OpenPGP degli account di Mailbox.org, per un E2EE fra provider diversi. + +??? check "Domini e alias personalizzati" + + Mailbox.org dispone di una funzione di eredità digitale per tutti i piani. Puoi scegliere se vuoi che i dati siano trasmessi agli eredi, a condizione che ne facciano richiesta e forniscano il testamento. In alternativa, è possibile nominare una persona per nome e indirizzo. + +??? info "Metodi di pagamento privati" + + L'account sarà impostato come account utente limitato alla scadenza del contratto, dopo [30 giorni sarà irrevocabilmente cancellato](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +??? info "Funzionalità aggiuntive" + + È possibile accedere al proprio account Mailbox.org tramite IMAP/SMTP utilizzando il loro [servizio .onion] (https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). Tuttavia, l'interfaccia webmail non è accessibile tramite il servizio .onion e si possono verificare errori di certificato TLS. + + Tutti gli account sono dotati di uno spazio di archiviazione cloud limitato che [può essere crittografato] (https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org offre anche l'alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), che applica la crittografia TLS alla connessione tra i server di posta, altrimenti il messaggio non verrà inviato affatto. Mailbox.org supporta anche [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) oltre ai protocolli di accesso standard come IMAP e POP3. + +### StartMail + +!!! 
recommendation + + ![Logo StartMail](assets/img/email/startmail.svg#only-light){ align=right } + ![Logo StartMail](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** è un servizio di posta elettronica incentrato sulla sicurezza e sulla privacy grazie all'uso della crittografia standard OpenPGP. StartMail è attiva dal 2014 e ha sede in Boulevard 11, Zeist, Paesi Bassi. Gli account partono da 10 GB. Viene offerto un periodo di prova di 30 giorni. + + [:octicons-home-16: Pagina principale](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentazione} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +??? check "Crittografia e-mail" + + Gli account personali possono utilizzare alias [Personalizzati o rapidi](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases). Sono disponibili anche [domini personalizzati](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain). + +??? warning "Eredità digitale" + + StartMail accetta Visa, MasterCard, American Express e Paypal. StartMail ha anche altre [opzioni di pagamento](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) come Bitcoin (attualmente solo per gli account personali) e l'addebito diretto SEPA per gli account più vecchi di un anno. + +??? info "Chiusura dell'account" + + StartMail supporta l'autenticazione a due fattori TOTP [solo per la webmail] (https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). Non consentono l'autenticazione con chiave di sicurezza U2F. + +??? info "Data Security" + + StartMail dispone di [zero accesso ai dati crittografati a riposo](https://www.startmail.com/en/whitepaper/#_Toc458527835), utilizzando il sistema "user vault". 
Quando accedi, la cassaforte viene aperta e l'e-mail viene spostata dalla coda e inserita, dove viene decifrata dalla corrispondente chiave privata. + + StartMail supporta l'importazione dei [contatti](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts), ma sono accessibili solo nella webmail e non attraverso protocolli come [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Inoltre, i contatti non vengono memorizzati utilizzando la crittografia a "conoscenza zero", quindi potrebbe essere più appropriata un'opzione [autonoma](calendar-contacts.md). + +??? recommendation + + Startmail ha [integrato la crittografia] (https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) nella sua webmail, che semplifica l'invio di messaggi a utenti con chiavi OpenPGP pubbliche. + +??? check "Sicurezza dei dati" + + StartMail non offre una funzione di eredità digitale. + +??? info "Metodi di pagamento privati" + + Alla scadenza dell'account, StartMail eliminerà definitivamente l'account dopo [6 mesi in 3 fasi](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +??? info "Funzionalità aggiuntive" + + StartMail consente il proxy delle immagini all'interno dei messaggi di posta elettronica. Se consenti il caricamento dell'immagine remota, il mittente non saprà quale sia il tuo indirizzo IP. + +## Servizi per alias email + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. Gli alias di posta elettronica generati vengono poi inoltrati a un indirizzo e-mail di vostra scelta, nascondendo sia il vostro indirizzo e-mail "principale", sia l'identità del vostro provider di posta elettronica. + +### Tutanota + +!!! recommendation + + ![Logo Tutanota](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** è un servizio di posta elettronica incentrato sulla sicurezza e sulla privacy attraverso l'uso della crittografia. 
Tutanota è operativa dal **2011** e ha sede ad Hannover, in Germania. Gli account iniziano con 1 GB di spazio di archiviazione con il piano gratuito. + + [:octicons-home-16: Pagina principale](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +??? 
check "Crittografia e-mail" + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **[AnonAddy](https://anonaddy.com)** consente di creare gratuitamente 20 alias di dominio su un dominio condiviso, oppure alias "standard" illimitati, i quali sono meno anonimi. Offre due piani premium a 12$ USD e 36$ USD all'anno, i quali forniscono funzionalità aggiuntive. + +??? warning "Eredità digitale" + + Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +??? info "Chiusura dell'account" + + Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +??? success "Data Security" + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** è un script di configurazione automatica per la distribuzione di un server di posta elettronica su Ubuntu. L'obbiettivo è quello di rendere più semplice la creazione di un servizio personale. + +??? warning "Email Encryption" + + Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +??? check "Sicurezza dei dati" + + Tutanota doesn't offer a digital legacy feature. + +??? info "Metodi di pagamento privati" + + Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +??? info "Funzionalità aggiuntive" + + Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. 
+ + Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +## Email installabili in locale + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Gli alias possono essere attivati e disattivati singolarmente quando se ne ha bisogno, evitando che i siti web inviino e-mail a caso. +- Le risposte vengono inviate dall'indirizzo alias, nascondendo il vostro vero indirizzo e-mail. + +They also have a number of benefits over "temporary email" services: + +- Gli alias sono permanenti e possono essere riattivati nel caso in cui sia necessario ricevere qualcosa come la reimpostazione della password. +- Le e-mail vengono inviate alla vostra casella di posta elettronica di fiducia, anziché essere archiviate dal provider di alias. +- I servizi di posta elettronica temporanea hanno in genere caselle di posta pubbliche a cui può accedere chiunque conosca l'indirizzo, mentre gli alias sono privati. 
+ +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 alias condivisi +- [x] Alias standard illimitati +- [ ] Non sono possibili le risposte in uscita +- [x] 2 caselle postali del destinatario +- [x] Crittografia automatica PGP + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 15 alias condivisi +- [x] Risposte illimitate +- [x] 1 casella postale del destinatario + +## I nostri criteri + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Soluzioni software combinate + +!!! 
recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. 
+ + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Impostare un server di posta elettronica con OpenSMTPD, Dovecot e Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [Come gestire il propio server di posta elettronica](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## CryptPad + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Tecnologia + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Requisiti minimi:** + +- Crittografia dei dati degli account email a riposo con crittografia ad "accesso zero". +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. 
not built upon third-party email service providers. + +**Best Case:** + +- Crittografia di tutti i dati dell'account (contatti, calendari ecc.) a riposo con crittografia ad "accesso zero". +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Supporto per [WKD](https://wiki.gnupg.org/WKD) per permettere una migliore individuazione delle chiavi OpenPGP pubbliche via HTTP. Gli utenti di GnuPGP possono ottenere una chiave digitando: `gpg --locate-key example_user@example.com` These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- Disponibilità dei servizi del provider e-mail mediante un [servizio onion](https://en.wikipedia.org/wiki/.onion). +- Supporto del [subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing). +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Requisiti minimi:** + +- Protezione dell'indirizzo IP del mittente. Filtrarne la visualizzazione nell'header d'intestazione `ricevuto`. +- Non richiedere informazioni d'identificazione personale, oltre a un nome utente e una password. 
+- Un'informativa sulla privacy che soddisfa i requisiti definiti dal GDPR +- Non deve essere hostato negli Stati Uniti a causa del [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism), il quale dev'essere [ancora riformato](https://epic.org/ecpa/). + +**Best Case:** + +- Accetta Bitcoin, contanti e altre forme di criptovaluta e/o opzioni di pagamento anonime (carte regalo, ecc.) + +### Sicurezza + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Requisiti minimi:** + +- Protezione della webmail con 2FA, ad esempio TOTP. +- Crittografia ad "accesso zero", basata sulla crittografia a riposo. Il provider non deve disporre delle chiavi di decrittazione dei dati in loro possesso. Questo previene che dipendenti disonesti possano trapelare i dati sensibili, o che un avversario remoto possa rilasciarli, dopo averli rubati, ottenendo un accesso non autorizzato al server. +- Supporto [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). +- Nessun [errore o vulnerabilità del TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) quando profilato da strumenti come [Hardenize](https://www.hardenize.com), [testssl.sh](https://testssl.sh) o [Qualys SSL Labs](https://www.ssllabs.com/ssltest); questi includono errori relativi ai certificati, suite di cifrari scarse o deboli, parametri DH deboli come quelli che portarono al [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- Una policy [MTA-STS](https://tools.ietf.org/html/rfc8461) e [TLS-RPT](https://tools.ietf.org/html/rfc8460) valida. +- Record [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) validi. +- Record [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) e [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) validi. 
+- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
+- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
+- Invio [SMTPS](https://en.wikipedia.org/wiki/SMTPS), supponendo che venga utilizzato SMTP.
+- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
+- Standard di sicurezza del sito web come:
+ - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+ - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
+- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt.
+
+**Best Case:**
+
+- Supporto per l'autenticazione hardware, come U2F e [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F e WebAuthn sono più sicuri, in quanto utilizzano una chiave privata memorizzata nel client su un dispositivo hardware per autenticare le persone, rispetto a un segreto condiviso che viene memorizzato sul server web e sul client quando si utilizza TOTP. Inoltre, U2F e WebAuthn sono più resistenti al phishing in quanto la loro risposta di autenticazione si basa sul [nome di dominio](https://en.wikipedia.org/wiki/Domain_name) autenticato. Inoltre, U2F e WebAuthn sono più resistenti al phishing in quanto la loro risposta di autenticazione si basa sul [nome di dominio](https://en.wikipedia.org/wiki/Domain_name) autenticato.
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844), oltre al supporto DANE.
+- Implementazione della [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), utile per chi posta su liste [RFC8617](https://tools.ietf.org/html/rfc8617) di mailing.
+- Programmi di bug-bounty e/o un processo coordinato di divulgazione delle vulnerabilità.
+- Standard di sicurezza del sito web come:
+ - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
+ - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
+
+### Fiducia
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Requisiti minimi:**
+
+- Dirigenza o proprietà pubblica.
+
+**Best Case:**
+
+- Dirigenza pubblica.
+- Rapporti di trasparenza frequenti.
+
+### Marketing
+
+With the email providers we recommend we like to see responsible marketing.
+
+**Requisiti minimi:**
+
+- Deve ospitare localmente i sistemi di analitica (no Google Analytics, Adobe Analytics, ecc.). Il sito del fornitore deve inoltre rispettare il [No not track (DNT)](https://it.wikipedia.org/wiki/Do_Not_Track) per chi desidera rinunciare.
+
+Must not have any marketing which is irresponsible:
+
+- Dichiarazioni di "crittografia infrangibile". La crittografia deve essere utilizzata con l'intenzione che nel futuro esisterà la tecnologia per decifrarla.
+- Garantire al 100% la protezione dell'anonimato. Quando qualcuno afferma che qualcosa è al 100% significa che non esiste fallimento. Sappiamo che le persone possono deanonimizzarsi facilmente in vari modi, ad es.:
+
+- Riutilizzare informazioni personali (p.e., account e-mail, pseudonimi unici ecc.) con cui hanno eseguito accessi senza software di anonimizzazione (Tor, VPN, ecc.)
+- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+
+**Best Case:**
+
+- Documentazione chiara e di facile lettura. Questo include cose come l'impostazione di 2FA, dei client di posta elettronica, di OpenPGP, ecc.
+
+### Funzionalità aggiuntive
+
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/encryption.md b/i18n/it/encryption.md
new file mode 100644
index 00000000..8fdda992
--- /dev/null
+++ b/i18n/it/encryption.md
@@ -0,0 +1,367 @@
+---
+title: "Software di crittografia"
+icon: material/file-lock
+---
+
+La crittografia dei dati è l'unico modo per controllare chi può accedervi. Se al momento non stai utilizzando software per la crittografia del tuo hard disk, delle email, o dei file, dovresti scegliere una delle seguenti opzioni.
+
+## Multipiattaforma
+
+Le opzioni qui elencate sono multipiattaforma e ottime per la creazione di backup crittografati dei tuoi dati.
+
+### Cryptomator (Cloud)
+
+!!! recommendation
+
+ ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right }
+
+ **Cryptomator** è una soluzione per la crittografia progettata per salvare privatamente i file di qualsiasi provider cloud. Ti permette di creare cassaforti che sono memorizzate su un'unità di archiviazione virtuale, il cui contenuto è crittografato e sincronizzato con i tuoi provider di cloud storage.
+
+ [:octicons-home-16: Pagina principale](https://cryptomator.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribuisci }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:simple-android: Android](https://cryptomator.org/android)
+ - [:simple-windows11: Windows](https://cryptomator.org/downloads)
+ - [:simple-apple: macOS](https://cryptomator.org/downloads)
+ - [:simple-linux: Linux](https://cryptomator.org/downloads)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+
+Cryptomator utilizza la crittografia AES-256 per criptare sia i file che i nomi dei file. Cryptomator non è in grado di criptare metadati come i timestamp di accesso, modifica e creazione, né il numero e la dimensione di file e cartelle.
+
+Alcune librerie crittografiche di Cryptomator sono state [revisionate](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) da Cure53. Alcune delle librerie sottoposte a verifica sono: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) e [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). Non è stata controllata [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), che è una libreria usata da Cryptomator per iOS.
+
+La documentazione di Cryptomator descrive più nel dettaglio [i suoi obiettivi di sicurezza](https://docs.cryptomator.org/en/latest/security/security-target/), [l'architettura di sicurezza](https://docs.cryptomator.org/en/latest/security/architecture/), e [le migliori pratiche](https://docs.cryptomator.org/en/latest/security/best-practices/) per l'utilizzo.
+
+### Picocrypt (File)
+
+!!!
recommendation
+
+ ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right }
+
+ **Picocrypt** è un strumento semplice e di piccole dimensioni che fornisce tecniche di crittografia moderna. Utilizza il cifrario sicuro XChaCha20 e la funzione di derivazione delle chiavi Argon2id per garantire un alto livello di sicurezza. Utilizza inoltre i moduli standard x/crypto di Go per le sue funzionalità di crittografia.
+
+ [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribuisci }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases)
+
+### VeraCrypt (Disco)
+
+!!! recommendation
+
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
+
+ **VeraCrypt** è un software di utilità gratuito, disponibile in formato sorgente, utilizzato per crittografare al volo. Permette di creare un disco virtuale crittografato all'interno di un file, crittografare una partizione o interi dispositivi di archiviazione con autenticazione pre-avvio.
+
+ [:octicons-home-16: Pagina principale](https://veracrypt.fr){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribuisci }
+
+ ???
downloads
+
+ - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
+
+VeraCrypt è un fork del progetto abbandonato TrueCrypt. A detta degli sviluppatori, sono stati implementati miglioramenti sulla sicurezza e i problemi sollevati dalla inziale verifica di TrueCrypt sono stati affrontati.
+
+Quando utilizzi la crittografia di VeraCrypt, hai la possibilità di scegliere tra diverse [funzioni di hash](https://it.wikipedia.org/wiki/Funzione_di_hash). Suggeriamo di selezionare **unicamente** [SHA-512](https://it.wikipedia.org/wiki/Secure_Hash_Algorithm) e il cifrario a blocchi [AES](https://it.wikipedia.org/wiki/Advanced_Encryption_Standard).
+
+TrueCrypt è stato [sottoposto ad audit un certo numero di volte](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits); anche VeraCrypt è stato [verificato separatamente](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
+
+## Crittografia dell'intero disco del sistema operativo
+
+I sistemi operativi moderni includono la [FDE](https://en.wikipedia.org/wiki/Disk_encryption) e utilizzeranno un [cryptoprocessor sicuro](https://it.wikipedia.org/wiki/Cryptoprocessor).
+
+### BitLocker
+
+!!! recommendation
+
+ ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right }
+
+ **BitLocker** è il programma di crittografia completa del volume integrato a Microsoft Windows. Il principale motivo per cui lo consigliamo è il suo [uso del TPM Trusted Platform Module)](https://docs.microsoft.com/it-it/windows/security/information-protection/tpm/how-windows-uses-the-tpm). La società di analisi forense [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft) ne ha scritto al riguardo in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).
+
+ [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentazione}
+
+BitLocker è [supportato solo](https://support.microsoft.com/it-it/windows/abilitare-la-crittografia-dei-dispositivi-0c453637-bc88-5f74-5105-741561aae838) sulle edizioni Pro, Enterprise ed Education di Windows. Può essere attivato sulle edizioni Home, a condizione che soddisfino i prerequisiti.
+
+??? example "Attivare BitLocker su Windows Home"
+
+ Per abilitare BitLocker sull'edizione "Home" di Windows è necessario che le partizioni siano formattate con una [Tabella di Partizione GUID](https://en.wikipedia.org/wiki/GUID_Partition_Table) e che abbiano un modulo TPM (v1.2, 2.0+) dedicato.
+
+ 1. Aprire un prompt dei comandi e verificare il formato della tabella delle partizioni dell'unità con il seguente comando. Dovreste vedere "**GPT**" elencato sotto "Stile partizione":
+
+ ```
+ powershell Get-Disk
+ ```
+
+ 2. Esegui questo comando (in un prompt dei comandi di amministrazione) per verificare la versione del TPM. Dovresti vedere `2.0` o `1.2` elencati accanto a `SpecVersion`:
+
+ ```
+ powershell Get-Disk 0 | findstr GPT && echo This is a GPT system disk!
+ ```
+
+ 3. Accedi alle [Opzioni di Avvio Avanzate](https://support.microsoft.com/it-it/windows/opzioni-di-avvio-avanzate-inclusa-la-modalit%C3%A0-provvisoria-b90e7808-80b5-a291-d4b8-1a1af602b617). È necessario riavviare il sistema premendo il tasto F8 prima dell'avvio di Windows ed entrare nel *prompt dei comandi* in **Risoluzione dei problemi** → **Opzioni avanzate** → **Prompt dei comandi**.
+
+ 4. Accedi con il tuo account admin e digita questo nel prompt dei comandi per avviare la cifratura:
+
+ ```
+ manage-bde -on c: -used
+ ```
+
+ 5. Chiudi il prompt dei comandi e continua l'avvio di Windows normalmente.
+
+ 6.
Apri il prompt dei comandi con privilegio di amministratore ed esegui i seguenti comandi:
+
+ ```
+ manage-bde c: -protectors -add -rp -tpm
+ manage-bde -protectors -enable c:
+ manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
+ ```
+
+ !!! important
+
+ Esegui il backup di `BitLocker-Recovery-Key.txt` sul desktop in un dispositivo di archiviazione separato. La perdita di questo codice di recupero può comportare la perdita dei dati.
+
+### FileVault
+
+!!! recommendation
+
+ ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right }
+
+ **FileVault** è la soluzione per la crittografia di volumi on-the-fly integrata in macOS. FileVault è consigliata perché [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) le funzionalità di sicurezza hardware presenti su un SoC in silicio o un T2 Security Chip di Apple.
+
+ [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentazione}
+
+Consigliamo di memorizzare una chiave di ripristino locale in un luogo sicuro, anziché utilizzare l'account iCloud per il ripristino.
+
+### Linux Unified Key Setup
+
+!!! recommendation
+
+ ![LUKS logo](assets/img/encryption-software/luks.png){ align=right }
+
+ **LUKS** è il metodo di FDE (full-disk encryption) predefinito per Linux. Può essere usato per cifrare volumi completi, partizioni o creare container crittografati.
+
+ [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Codice Sorgente" }
+
+???
example "Creazione e apertura di container criptati"
+
+ ```
+ dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
+ sudo cryptsetup luksFormat /path-to-file
+ ```
+
+
+ #### Apertura di contenitori criptati
+ Consigliamo di aprire container e volumi con `udisksctl` poiché utilizza [Polkit](https://it.wikipedia.org/wiki/PolicyKit). La maggior parte dei file manager, tra cui quelli inclusi negli ambienti desktop maggiormente diffusi, posso sbloccare file crittografati. Strumenti come [udiskie](https://github.com/coldfix/udiskie) possono essere eseguiti nella barra delle applicazioni e forniscono un'utile interfaccia utente.
+ ```
+ udisksctl loop-setup -f /path-to-file
+ udisksctl unlock -b /dev/loop0
+ ```
+
+!!! note "Ricorda di eseguire il backup delle intestazioni dei volumi"
+
+ Consigliamo di eseguire sempre il [back up delle intestazioni LUKS](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in caso di guasto parziale dell'unità. Ciò può essere fatto con:
+
+ ```
+ cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
+ ```
+
+## Basati sul browser
+
+La crittografia browser-based può essere utile quando è necessario cifrare un file ma non è possibile installare un software o delle applicazioni sul dispositivo.
+
+### hat.sh
+
+!!! recommendation
+
+ ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right }
+ ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
+
+ **Hat.sh** è una web application che fornisce una crittografia dei file lato client nel browser. Può anche essere self-hosted ed è utile se è necessario crittografare un file ma non è possibile installare un software sul dispositivo a causa delle politiche organizzative.
+
+ [:octicons-globe-16: Sito web](https://hat.sh){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Codice Sorgente" }
+ :octicons-heart-16:{ .card-link title="Le modalità per le donazioni possono essere trovate al fondo del sito" }
+
+## Linea di comando
+
+Gli strumenti con interfacce a riga di comando sono utili per integrare [script di shells](https://en.wikipedia.org/wiki/Shell_script).
+
+### Kryptor
+
+!!! recommendation
+
+ ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right }
+
+ **Kryptor** è uno strumenti gratuito e open-source per la crittografia e la firma dei file che utilizza algoritmi di cifratura moderni e sicuri. Punta a essere una versione migliorata di[age](https://github.com/FiloSottile/age) e [Minisign](https://jedisct1.github.io/minisign/) per fornire un'alternativa semplice a GPG.
+
+ [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribuisci }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.kryptor.co.uk)
+ - [:simple-apple: macOS](https://www.kryptor.co.uk)
+ - [:simple-linux: Linux](https://www.kryptor.co.uk)
+
+### Tomb
+
+!!! recommendation
+
+ ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right }
+
+ **Tomb** è un wrapper di shell a riga di comando per LUKS.
Supporta la steganografia tramite [strumenti di terze parti](https://github.com/dyne/Tomb#how-does-it-work).
+
+ [:octicons-home-16: Pagina principale](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribuisci }
+
+## OpenPGP
+
+OpenPGP è talvolta necessario per compiti specifici, come la firma digitale e la crittografia delle e-mail. PGP ha molte funzionalità ed è [complesso](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html)visto che è in circolazione da molto tempo. Per task come firmare o criptare i file, suggeriamo le opzioni di cui sopra.
+
+Quando cripti con PGP, puoi configurare diverse opzioni nel file `gpg.conf`. Raccomandiamo di attenersi alle opzioni standard specificate nella [FAQ per utenti di GnuPG](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
+
+!!! tip "Utilizzare future-default quando si genera una chiave"
+
+ Quando si [generano le chiavi](https://www.gnupg.org/gph/en/manual/c14.html) suggeriamo di usare il comando 'future-default', che indica a GnuPG di usare metodi di crittografia moderna come [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) e [Ed25519](https://ed25519.cr.yp.to/):
+
+ ```bash
+ gpg --quick-gen-key alice@example.com future-default
+ ```
+
+### GNU Privacy Guard
+
+!!! recommendation
+
+ ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right }
+
+ **GnuPG** è un'alternativa con licenza GPL alla suite PGP per software crittografici. GnuPG è compliant a [RFC 4880](https://tools.ietf.org/html/rfc4880), che è l'attuale specifica IETF di OpenPGP.
Il progetto GnuPG ha lavorato a una [bozza aggiornata](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) nel tentativo di modernizzare OpenPGP. GnuPG fa parte del progetto software Free Software Foundation di GNU ed ha ricevuto un'importante [finanziamento](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) dal governo tedesco.
+
+ [:octicons-home-16: Pagina principale](https://gnupg.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Codice sorgente" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+ - [:simple-apple: macOS](https://gpgtools.org)
+ - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary)
+
+### GPG4win
+
+!!! recommendation
+
+ ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right }
+
+ **GPG4win** è un pacchetto per Windows di [Intevation e g10 Code](https://gpg4win.org/impressum.html). Comprende [diversi strumenti](https://gpg4win.org/about.html) che possono aiutare nell'utilizzo di GPG su Microsoft Windows. Il progetto è stato avviato e in origine [finanziato dal](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Federal Office per l'Information Security (BSI) tedesco nel 2005.
+
+ [:octicons-home-16: Pagina principale](https://gpg4win.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribuisci }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+
+### GPG Suite
+
+!!! note
+
+ Suggeriamo [Canary Mail](email-clients.md#canary-mail) per utilizzare PGP con le email su dispositivi iOS.
+
+!!! recommendation
+
+ ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right }
+
+ **GPG Suite** fornisce il supporto OpenPGP per [Apple Mail](email-clients.md#apple-mail) e macOS.
+
+ Si consiglia di dare un'occhiata ai [primi passi](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) e alle [conoscenze di base](https://gpgtools.tenderapp.com/kb) come supporto.
+
+ [:octicons-home-16: Pagina principale](https://gpgtools.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Codice sorgente" }
+
+ ??? downloads
+
+ - [:simple-apple: macOS](https://gpgtools.org)
+
+### OpenKeychain
+
+!!! recommendation
+
+ ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right }
+
+ **OpenKeychain** è un'implementazione Android di GnuPG.
È comunementa richiesta da client mail come [K-9 Mail](email-clients.md#k-9-mail) e [FairEmail](email-clients.md#fairemail) e da alltre applicazioni Android per fornire supporto alla crittografia. Cure53 ha completato un'[ispezione di sicurezza](https://www.openkeychain.org/openkeychain-3-6) di OpenKeychain 3.6 nell'ottobre 2015. Dettagli tecnici riguardo all'audit e alle soluzioni di OpenKeychain possono essere trovate [qui](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).
+
+ [:octicons-home-16: Pagina principale](https://www.openkeychain.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Codice Sorgente" }
+ :octicons-heart-16:{ .card-link title="Le donazioni possono essere fatte nell'app" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+
+## CryptPad
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit.
downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+### Minimum Qualifications
+
+- Le applicazioni di crittografia multipiattaforma devono essere open-source.
+- Le app di crittografia dei file devono supportare la decodifica su Linux, macOS e Windows.
+- Le applicazioni per la crittografia dei dischi esterni devono supportare la decodifica su Linux, macOS e Windows.
+- Le applicazioni di crittografia del disco interno (OS) devono essere multipiattaforma o integrate nel sistema operativo in modo nativo.
+
+### Caso migliore
+
+KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password.
+
+- Le applicazioni di crittografia del sistema operativo (FDE) dovrebbero utilizzare una protezione hardware come TPM o Secure Enclave.
+- Le applicazioni per la crittografia dei file devono avere un supporto di primo o terzo livello per le piattaforme mobili.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/file-sharing.md b/i18n/it/file-sharing.md
new file mode 100644
index 00000000..719170d5
--- /dev/null
+++ b/i18n/it/file-sharing.md
@@ -0,0 +1,165 @@
+---
+title: "Condivisione e sincronizzazione dei file"
+icon: material/share-variant
+---
+
+Scopri come condividere privatamente i tuoi file tra i tuoi dispositivi, con i tuoi amici e familirai, o in modo anonimo online.
+
+## Condivisione di file
+
+### Send
+
+!!! recommendation
+
+ ![Logo Send](assets/img/file-sharing-sync/send.svg){ align=right }
+
+ **Send** è un fork del servizio Firefox Send di Mozilla, ormai dismesso, che consente di inviare file ad altri con un link. I file vengono crittografati sul dispositivo in modo da non poter essere letti dal server e possono essere protetti da password. Il manutentore di Send ospita una [istanza pubblica](https://send.vis.ee/). È possibile utilizzare altre istanze pubbliche o ospitare Send autonomamente.
+
+ [:octicons-home-16: Pagina principale](https://send.vis.ee){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Istanze pubbliche"}
+ [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribuisci }
+
+Send può essere utilizzato tramite la sua interfaccia web o tramite la CLI [ffsend](https://github.com/timvisee/ffsend). Se hai familiarità con la riga di comando e invii spesso file, consigliamo di utilizzare il client CLI per evitare la crittografia basata su JavaScript. È possibile specificare il flag `--host` per utilizzare un server specifico:
+
+```bash
+ffsend upload --host https://send.vis.ee/ FILE
+```
+
+### OnionShare
+
+!!! recommendation
+
+ ![Logo di OnionShare](assets/img/file-sharing-sync/onionshare.svg){ align=right }
+
+ **OnionShare** è uno strumento open-source che consente di condividere in modo sicuro e anonimo file di qualsiasi dimensione. Funziona avviando un server web accessibile come servizio Tor onion, con un URL inesplicabile che si può condividere con i destinatari per scaricare o inviare file.
+
+ [:octicons-home-16: Pagina principale](https://onionshare.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Servizio Onion" }
+ [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Codice sorgente" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://onionshare.org/#download)
+ - [:simple-apple: macOS](https://onionshare.org/#download)
+ - [:simple-linux: Linux](https://onionshare.org/#download)
+
+### CryptPad
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+- Must not store decrypted data on a remote server.
+- Deve essere un software open-source.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+## FreedomBox
+
+!!! recommendation
+
+ ![Logo Syncthing](assets/img/file-sharing-sync/syncthing.svg){ align=right }
+
+ **Syncthing** è un'utility open-source di sincronizzazione continua dei file peer-to-peer. Viene utilizzato per sincronizzare i file tra due o più dispositivi sulla rete locale o su Internet.
+
+ Syncthing non utilizza un server centralizzato, ma il [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) per trasferire i dati tra i dispositivi.
+
+## Sincronizzazione dei file
+
+### Nextcloud (Client-Server)
+
+!!! recommendation
+
+ ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right }
+
+ **LibreOffice** è una suite per ufficio gratis, open-source e ricca di funzionalità.
+
+ [:octicons-home-16: Pagina principale](https://www.libreoffice.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribuisci }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/)
+ - [:simple-apple: macOS](https://www.libreoffice.org/download/download/)
+ - [:simple-linux: Linux](https://www.libreoffice.org/download/download/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/)
+
+!!! danger "Pericolo"
+
+ ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right }
+
+ **OnlyOffice** è una suite di ufficio basata sul cloud gratuita, open-source e ricca di funzionalità, come l'integrazione con Nextcloud.
+
+### Syncthing (P2P)
+
+!!! recommendation
+
+ ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right }
+
+ **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS.
+
+ [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid)
+ - [:simple-windows11: Windows](https://syncthing.net/downloads/)
+ - [:simple-apple: macOS](https://syncthing.net/downloads/)
+ - [:simple-linux: Linux](https://syncthing.net/downloads/)
+ - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/)
+ - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/)
+ - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/)
+
+### CryptPad
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+#### Requisiti minimi
+
+- Must not require a third-party remote/cloud server.
+- Deve essere un software open-source.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+#### Caso migliore
+
+KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password.
+
+- Has mobile clients for iOS and Android, which at least support document previews.
+- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/frontends.md b/i18n/it/frontends.md
new file mode 100644
index 00000000..5abff0c6
--- /dev/null
+++ b/i18n/it/frontends.md
@@ -0,0 +1,277 @@
+---
+title: "Frontend"
+icon: material/flip-to-front
+---
+
+A volte i servizi tentano di costringerti ad iscriverti ad un account bloccando l'accesso ai contenuti con fastidiosi popup. Potrebbero anche cessare di funzionare correttamente senza l'abilitazione di JavaScript. Questi frontend possono consentire di aggirare queste restrizioni.
+
+## Client
+
+### Librarian
+
+!!! recommendation
+
+ ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right }
+ ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right }
+
+ **Librarian** è un frontend gratuito e open-source per [Odysee](https://odysee.com/) (LBRY) che permette anche il self-hosting.
+
+ Esistono diverse istanze pubbliche, alcune delle quali supportano i servizi onion di [Tor](https://www.torproject.org).
+
+ [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Istanze pubbliche"}
+ [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Codice sorgente" }
+
+!!! warning "Avviso"
+
+ Librarian non fa da proxy dei video in modo predefinito. I video guardati attraverso Librarian continueranno a collegarsi direttamente ai server di Odysee (ad esempio, `odycdn.com`); tuttavia, alcune istanze possono abilitare il proxying, che sarà descritto in dettaglio nell'informativa sulla privacy dell'istanza.
+
+!!! important
+
+ Librarian è utile se si desidera guardare contenuti LBRY sul cellulare senza telemetria obbligatoria e se si desidera disabilitare JavaScript nel browser, come nel caso di [Tor Browser](https://www.torproject.org/) sul livello di sicurezza Molto Sicuro.
+
+In caso di self-hosting, è importante che anche altre persone utilizzino la tua istanza per poterti confondere tra di loro. È necessario prestare attenzione a dove e come si ospita Librarian, poiché l'utilizzo da parte di altre persone sarà collegato al tuo hosting.
+
+Quando si utilizza un'istanza di Librarian, assicurati di leggere l'informativa sulla privacy di quella specifica istanza. Le istanze di Librarian possono essere modificate dai loro proprietari e quindi potrebbero non rispecchiare la politica predefinita. Le istanze di Librarian presentano una "etichetta nutrizionale sulla privacy" per fornire una panoramica della loro politica. Alcune istanze hanno indirizzi Tor .onion che possono garantire una certa privacy, a patto che le stringhe di ricerca non contengano PII (Personally Identifiable Information, Informazioni di Identificazione Personale).
+
+## Twitter
+
+### Nitter
+
+!!! recommendation
+
+ ![Nitter logo](assets/img/frontends/nitter.svg){ align=right }
+
+ **Nitter** è un frontend gratuito e open-source per [Twitter](https://twitter.com) che permette anche il self-hosting.
+
+ Esistono diverse istanze pubbliche, alcune delle quali supportano i servizi onion di [Tor](https://www.torproject.org).
+
+ [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="istanze pubbliche"}
+ [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribuisci}
+
+!!! important
+
+ Nitter è utile se si desidera navigare tra i contenuti di Twitter senza dover effettuare il login e se si desidera disabilitare JavaScript nel browser, come nel caso di [Tor Browser](https://www.torproject.org/) al livello di sicurezza Molto Sicuro. Permette anche di [creare feed RSS per Twitter] (news-aggregators.md#twitter).
+
+In caso di self-hosting, è importante che anche altre persone utilizzino la tua istanza per poterti confondere tra di loro. È necessario prestare attenzione a dove e come si ospita Nitter, poiché l'utilizzo da parte di altre persone sarà collegato al tuo hosting.
+
+Quando utilizzi un'istanza di Nitter, assicurati di leggere l'informativa sulla privacy di quella specifica istanza. Le istanze Nitter possono essere modificate dai loro proprietari e quindi potrebbero non riflettere la politica predefinita. Alcune istanze hanno indirizzi Tor .onion che possono garantire una certa privacy, a patto che le stringhe di ricerca non contengano PII (Personally Identifiable Information, Informazioni di Identificazione Personale).
+
+## TikTok
+
+### ProxiTok
+
+!!! recommendation
+
+ ![Logo ProxiTok](assets/img/frontends/proxitok.svg){ align=right }
+
+ **ProxiTok** è un frontend open source per il sito web [TikTok](https://www.tiktok.com) che permette il self-hosting.
+
+ Esistono diverse istanze pubbliche, alcune delle quali supportano i servizi onion di [Tor](https://www.torproject.org).
+
+ [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Istanze pubbliche"}
+ [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Codice sorgente" }
+
+!!! important
+
+ ProxiTok è utile se desideri disabilitare JavaScript nel browser, come ad esempio con [Tor Browser](https://www.torproject.org/) sul livello di sicurezza Molto Sicuro.
+
+In caso di self-hosting, è importante che anche altre persone utilizzino la tua istanza per poterti confondere tra di loro. È necessario prestare attenzione a dove e come ospiti ProxiTok, poiché l'utilizzo da parte di altre persone sarà collegato al proprio hosting.
+
+Quando utilizza un'istanza di ProxiTok, assicurati di leggere l'informativa sulla privacy di quella specifica istanza. Le istanze di ProxiTok possono essere modificate dai loro proprietari e pertanto potrebbero non riflettere l'informativa sulla privacy associata. Alcune istanze hanno indirizzi Tor .onion che possono garantire una certa privacy, a patto che le stringhe di ricerca non contengano PII (Personally Identifiable Information, Informazioni di Identificazione Personale).
+
+## YouTube
+
+### FreeTube
+
+!!! recommendation
+
+ ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right }
+
+ **FreeTube** è un'applicazione desktop gratuita e open-source per [YouTube](https://youtube.com). Quando si utilizza FreeTube, l'elenco delle iscrizioni e le playlist vengono salvate localmente sul dispositivo.
+
+ Per impostazione predefinita, FreeTube blocca tutti gli annunci pubblicitari di YouTube. Inoltre, è possibile integrare [SponsorBlock](https://sponsor.ajay.app) per saltare i segmenti sponsorizzati dei video.
+
+ [:octicons-home-16: Pagina principale](https://freetubeapp.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribuisci }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://freetubeapp.io/#download)
+ - [:simple-apple: macOS](https://freetubeapp.io/#download)
+ - [:simple-linux: Linux](https://freetubeapp.io/#download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube)
+
+!!! warning "Avviso"
+
+ Quando utilizzi FreeTube, l'indirizzo IP potrebbe essere ancora noto a YouTube, [Invidious](https://instances.invidious.io) o [SponsorBlock](https://sponsor.ajay.app/) a seconda della configurazione. Considera l'uso di [VPN](vpn.md) o [Tor](https://www.torproject.org) se il [modello di minaccia](basics/threat-modeling.md) richiede di nascondere l'indirizzo IP.
+
+### Yattee
+
+!!! recommendation
+
+ ![Yattee logo](assets/img/frontends/yattee.svg){ align=right }
+
+ **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device.
+
+ You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions.
+
+ [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629)
+ - [:simple-github: GitHub](https://github.com/yattee/yattee/releases)
+
+!!! warning "Avviso"
+
+ When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Considera l'uso di [VPN](vpn.md) o [Tor](https://www.torproject.org) se il [modello di minaccia](basics/threat-modeling.md) richiede di nascondere l'indirizzo IP.
+
+By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments.
+
+### LibreTube (Android)
+
+!!! recommendation
+
+ ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right }
+ ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right }
+
+ **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API.
+
+ LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well.
+
+ [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases)
+
+!!! warning "Avviso"
+
+ When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Considera l'uso di [VPN](vpn.md) o [Tor](https://www.torproject.org) se il [modello di minaccia](basics/threat-modeling.md) richiede di nascondere l'indirizzo IP.
+
+By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired.
+
+### NewPipe (Android)
+
+!!! recommendation annotate
+
+ ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right }
+
+ **NewPipe** è un'applicazione Android gratuita e open-source per [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com) e [PeerTube](https://joinpeertube.org/) (1).
+
+ L'elenco delle iscrizioni e delle playlist viene salvato localmente sul dispositivo Android.
+
+ [:octicons-home-16: Pagina principale](https://newpipe.net){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribuisci }
+
+ ??? downloads
+
+ - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases)
+
+1. L'istanza predefinita è [FramaTube](https://framatube.org/), ma se ne possono aggiungere altre tramite **Impostazioni** → **Contenuti** → **Istanze di PeerTube**
+
+!!! Warning
+
+ Quando utilizzi NewPipe, il tuo indirizzo IP sarà visibile ai fornitori di video utilizzati. Considera l'uso di [VPN](vpn.md) o [Tor](https://www.torproject.org) se il [modello di minaccia](basics/threat-modeling.md) richiede di nascondere l'indirizzo IP.
+
+### Invidious
+
+!!! recommendation
+
+ ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right }
+ ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right }
+
+ **Invidious** è un frontend gratuito e open-source per [YouTube](https://youtube.com) che permette anche il self-hosting.
+
+ Esistono diverse istanze pubbliche, alcune delle quali supportano i servizi onion di [Tor](https://www.torproject.org).
+
+ [:octicons-home-16: Pagina principale](https://invidious.io){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Istanze pubbliche"}
+ [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribuisci }
+
+!!! warning "Avviso"
+
+ Invidious non esegue il proxy dei video in modo predefinito. I video guardati attraverso Invidious continueranno a collegarsi direttamente ai server di Google (ad esempio, `googlevideo.com`); tuttavia, alcune istanze supportano il proxy video: è sufficiente attivare *Proxy video* nelle impostazioni dell'istanza o aggiungere `&local=true` all'URL.
+
+!!! important
+
+ Invidious è utile se si desidera disabilitare JavaScript nel browser, ad esempio [Tor Browser](https://www.torproject.org/) al livello di sicurezza Molto Sicuro. Non garantisce di per sé la privacy e non consigliamo di accedere ad alcun account.
+
+In caso di self-hosting, è importante che anche altre persone utilizzino la tua istanza per poterti confondere tra di loro. È necessario prestare attenzione a dove e come si ospita Invidious, poiché l'utilizzo da parte di altre persone sarà collegato al proprio hosting.
+
+Quando si utilizza un'istanza di Invidious, assicurarsi di leggere l'informativa sulla privacy di quella specifica istanza. Le istanze di Invidious possono essere modificate dai loro proprietari e pertanto potrebbero non riflettere la politica sulla privacy ad esse associata. Alcune istanze hanno indirizzi Tor .onion che possono garantire una certa privacy, a patto che le stringhe di ricerca non contengano PII (Personally Identifiable Information, Informazioni di Identificazione Personale).
+
+### Piped
+
+!!! recommendation
+
+ ![Piped logo](assets/img/frontends/piped.svg){ align=right }
+
+ **Piped** è un frontend gratuito e open-source per [YouTube](https://youtube.com) che permette anche il self-hosting.
+
+ Piped richiede JavaScript per funzionare e ci sono diverse istanze pubbliche.
+
+ [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Istanze pubbliche"}
+ [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribuisci }
+
+!!! important
+
+ Piped è utile se si vuole utilizzare [SponsorBlock](https://sponsor.ajay.app) senza installare un'estensione o se si vuole accedere a contenuti con limiti d'età senza un account. Non garantisce di per sé la privacy e non consigliamo di accedere ad alcun account.
+
+In caso di self-hosting, è importante che anche altre persone utilizzino la tua istanza per poterti confondere tra di loro. È necessario prestare attenzione a dove e come si ospita Piped, poiché l'utilizzo da parte di altre persone sarà collegato al tuo hosting.
+
+Quando si utilizza un'istanza Piped, assicurarsi di leggere l'informativa sulla privacy di quella specifica istanza. Le istanze Piped possono essere modificate dai loro proprietari e pertanto potrebbero non riflettere l'informativa sulla privacy ad esse associata.
+
+## CryptPad
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+Recommended frontends...
+
+- Deve essere un software open-source.
+- Must be self-hostable.
+- Must provide all basic website functionality available to anonymous users.
+
+We only consider frontends for websites which are...
+
+- Not normally accessible without JavaScript.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/index.md b/i18n/it/index.md
new file mode 100644
index 00000000..a9e46078
--- /dev/null
+++ b/i18n/it/index.md
@@ -0,0 +1,44 @@
+---
+template: overrides/home.it.html
+hide:
+ - navigation
+ - toc
+ - feedback
+---
+
+
+## Why should I care?
+
+##### “I have nothing to hide. Why should I care about my privacy?”
+
+Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination).
+
+You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human.
+
+[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary}
+
+## What should I do?
+
+##### First, you need to make a plan
+
+Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them.
+
+==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
+
+[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary}
+
+---
+
+## We need you! Here's how to get involved:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" }
+[:material-information-outline:](about/index.md){ title="Learn more about us" }
+[:material-hand-coin-outline:](about/donate.md){ title="Support the project" }
+
+It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/kb-archive.md b/i18n/it/kb-archive.md
new file mode 100644
index 00000000..98458cd7
--- /dev/null
+++ b/i18n/it/kb-archive.md
@@ -0,0 +1,18 @@ +--- +title: Archivio conoscenze di base +icon: material/archive +--- + +# Pagine spostate nel blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Hardening di Signal](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - Hardening del sistema](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Sandboxing delle applicazioni](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Cancellazione sicura dei dati](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrazione della rimozioni di metadata](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [Guida alla configurazione di iOS](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/meta/brand.md b/i18n/it/meta/brand.md new file mode 100644 index 00000000..f7d7f014 --- /dev/null +++ b/i18n/it/meta/brand.md @@ -0,0 +1,24 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/meta/git-recommendations.md b/i18n/it/meta/git-recommendations.md new file mode 100644 index 00000000..78884777 --- /dev/null +++ b/i18n/it/meta/git-recommendations.md 
@@ -0,0 +1,48 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). 
+ +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/meta/uploading-images.md b/i18n/it/meta/uploading-images.md new file mode 100644 index 00000000..812fa6a5 --- /dev/null +++ b/i18n/it/meta/uploading-images.md 
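Review bot: The signing section of this hunk configures `commit.gpgsign`, `gpg.format ssh` and `user.signingkey` but never mentions `gpg.ssh.allowedSignersFile`, so a reader who follows it cannot verify SSH signatures locally — `git log --show-signature` and `git verify-commit` fail until that file is configured and exists. A one-line addition after step 3 would close the gap, e.g. `git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers` (path is an example), followed by a sentence noting that each line of that file is `<email> <public key>` for a contributor whose signatures should verify. Since this file is an untranslated copy under i18n/it, the wording should be changed in the source-language page and re-synced rather than edited here.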
@@ -0,0 +1,91 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash 
+scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/meta/writing-style.md b/i18n/it/meta/writing-style.md new file mode 100644 index 00000000..40932ea5 --- /dev/null +++ b/i18n/it/meta/writing-style.md 
@@ -0,0 +1,89 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. 
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. 
+ +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/mobile-browsers.md b/i18n/it/mobile-browsers.md new file mode 100644 index 00000000..5e2beb2f --- /dev/null +++ b/i18n/it/mobile-browsers.md 
@@ -0,0 +1,202 @@ +--- +title: "Browser mobile" +icon: octicons/device-mobile-16 +--- + +Questi sono i browser e le configurazioni attualmente consigliati per la navigazione standard e non anonima. Se hai bisogno di navigare in Internet in modo anonimo, dovresti invece utilizzare [Tor](tor.md). In generale, raccomandiamo di tenere il numero di estensioni al minimo: hanno accesso privilegiato all'interno del browser, richiedono di fidarsi dello sviluppatore, possono farti [risaltare](https://it.wikipedia.org/wiki/Device_fingerprint) e [indeboliscono](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) l'isolamento dei siti. + +## Android + +Per Android, Firefox è meno sicuro delle alternative basate su Chromium: il motore di Mozilla, [GeckoView](https://mozilla.github.io/geckoview/), non supporta ancora [l'isolamento dei siti](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) e non ha abilitato [l'isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** include un content blocker integrato e [funzionalità di privacy](https://brave.com/privacy-features/), molte delle quali attive in modo predefinito. + + Brave è sviluppato a partire dal progetto del browser web Chromium, quindi dovrebbe risultare familiare e avere problemi minimi di compatibilità con i siti web. 
+ + [:octicons-home-16: Pagina principale](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Servizio Onion" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Codice sorgente" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Firefox + +Il Tor Browser è l'unico che veramente permette di navigare Internet anonimamente. Quando utilizzi Brave, consigliamo di cambiare le seguenti impostazioni per proteggere la tua privay da alcune parti, ma tutti i browser eccetto il [Tor Browser](tor.md#tor-browser) sono tracciabili da *qualcuno* in qualche modo. + +Queste opzioni si trovano in :material-menu: → **Impostazioni** → **Brave Shields & privacy** + +##### Shields + +Brave include alcune misure contro il fingerprinting nella sua funzionalità [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-). Consigliamo di configurare queste opzioni [globalmente](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) applicate a tutti i siti che visiti. + +##### Brave shields global defaults + +Le funzionalità di Shields possono essere ridotte per ogni sito se necessario; ciò nonostante, raccomandiamo le seguenti impostazioni: + +
+ +- [x] Seleziona **Aggressivo** sotto Blocca tracker & pubblicità + +???? warning "Usa gli elenchi di filtri predefiniti" + Brave ti consente di selezionare ulteriori filtri di contenuti mediante la pagina interna `brave://adblock`. Si consiglia di non utilizzare questa funzione e di mantenere gli elenchi di filtri predefiniti. il loro utilizzo ti distingue dagli altri utenti Brave, e potrebbe inoltre aumentare la superficie di attacco se esiste un exploit nel browser sfruttabile da codice malizioso presente nelle liste stesse. + +- [x] Seleziona **Aggiorna le connessioni a HTTPS** +- [x] (Opzionale) Seleziona **Blocco degli script** (1) +- [x] Sleziona **Rigido, potrebbe non far funzionare alcuni siti** in **Blocca il fingerprinting** + +
+ +1. Questa opzione fornisce una funzionalità simile alle [modalità di blocco](https://github.com/gorhill/uBlock/wiki/Blocking-mode) avanzate di uBlock Origin o dell'estensione [NoScript](https://noscript.net/). + +##### Clear browsing data + +- [x] Seleziona **Cancellare i dati all'uscita** + +##### Blocco dei social media + +- [ ] Deseleziona tutte le opzioni legate ai social + +##### Altre impostazioni sulla privacy + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +1. L'InterPlanetary File System (IPFS) è una rete peer-to-peer e decentralizzata, utilizzata per archiviare e condividere dati mediante un filesystem distribuito. Se non utilizzi questa funzione, disabilitala. + +
+ +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) permette ai dati di navigazione (cronologia, segnalibri, ecc.) di essere accessibili su tutti i dispositivi senza richiedere un account e li protegge con E2EE. + +## iOS + +Per iOS, ogni applicazione che può navigare il web è [ristretta](https://developer.apple.com/app-store/review/guidelines) ad utilizzare il framework di Apple [WebKit](https://developer.apple.com/documentation/webkit); non ci sono molte ragioni, quindi, per utilizzare un browser web di terzi. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** è il browser web predefinito di iOS. Include [funzionalità di privacy](https://support.apple.com/it-it/guide/iphone/iphb01fc3c85/15.0/ios/15.0) come l'anti-tracciamento intelligente, il resoconto sulla privacy, l'isolamento dei pannelli in navigazione privata, Relay privato di iCloud e aggiornamenti automatici all'HTTPS. + + [:octicons-home-16: Pagina principale](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentazione} + +#### Firefox + +Queste opzioni si trovano in :gear: **Impostazioni** → **Safari** → **Privacy e sicurezza**. + +##### Prevenzione del cross-site tracking + +- [x] Seleziona **Blocca cross-site tracking** + +Questa opzione abilita [l'anti-tracciamento intelligente](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp) fornito da WebKit. La funzione aiuta a proteggere dal tracciamento indesiderato utilizzando l'apprendimento automatico sul dispositivo per bloccare i tracker. 
L'anti-tracciamento intelligente protegge dalla maggior parte dei pericoli comuni, ma non blocca tutte le vie di tracciamento, essendo progettato per non interferire con l'usabilità dei siti web. + +##### Resoconto sulla privacy + +Il resoconto sulla privacy fornisce un'istantanea dei tracker cross-site attualmente bloccati, impedendo loro di creare un tuo profilo sul sito web che stai visitando. Inoltre, fornisce un resoconto settimanale che mostra quali tracker sono stati bloccati. + +Il rapporto sulla privacy è accessibile dal menu impostazioni pagina. + +##### Misurazione pubblicità che tutela la privacy + +- [ ] Disabilita **Misurazione pubblicità che tutela la privacy** + +Tradizionalmente, la misurazione dei click pubblicitari usa tecnologia di tracciamento che viola la privacy dell'utente. La [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) è una funzionalità di WebKit che propone uno standard web mirato, che consenta agli inserzionisti di misurare l'efficacia delle campagne web senza compromettere la privacy dell'utente. + +Questa funzionalità non è molto preoccupante dal punto di vista della privacy di per sè, ma consideriamo che è automaticamente disabilitata duarante la navigazione privata come segnale per non utilizzarla. + +##### Navigazione privata sempre attiva + +La sincronizzazione della cronologia di Safari, dei gruppi di pannelli, dei pannelli di iCloud e delle password salvate è E2EE. Poi espandi la lista dei gruppi di schede. + +- [x] Seleziona **privata** + +La modalità di navigazione privata di Safari offre ulteriori protezioni sulla privacy. La navigazione privata utilizza una nuova sessione [effimera](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) per ogni scheda, isolandole una dall'altra. 
La navigazione privata offre anche altri piccoli vantaggi in termini di privacy, come la possibilità di non inviare l'indirizzo di una pagina web ad Apple quando si usa la funzione di traduzione di Safari. + +Non consigliamo generalmente di installare alcuna estensione, visto che incrementano la tua superficie di attacco. Ciò può essere sconveniente. + +##### Sincronizzazione iCloud + +La sincronizzazione della cronologia di Safari, dei gruppi di schede, delle schede iCloud e delle password salvate è E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple può decifrarli e accedervi in conformità con la sua [politica sulla privacy](https://www.apple.com/legal/privacy/it/). + +Se usi iCloud, consigliamo anche di controllare che la posizione di download predefinita di Safari sia impostata localmente sul tuo dispositivo. Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. Questa opzione si trova in :gear: **Impostazioni** → **Safari** → **Generale** → **Download**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** è un'estensione per il blocco dei contenuti gratuita ed open-source per Safari che utilizza la [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker) integrata. + + AdGuard per iOS ha alcune funzionalità premium, ma il blocco di contenuti standard di Safari è gratuito. 
+ + [:octicons-home-16: Pagina principale](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Liste di filtri aggiuntive possono intaccare le prestazioni ed aumentare la superficie di attacco, quindi utilizza solo il necessario. + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +### Requisiti minimi + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. 
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/multi-factor-authentication.md b/i18n/it/multi-factor-authentication.md new file mode 100644 index 00000000..584947ef --- /dev/null +++ b/i18n/it/multi-factor-authentication.md 
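Review bot: The tail of this hunk carries content that does not belong to the mobile browsers page: a `## CryptPad` heading followed by a stray ` recommendation` token, a PrivateBin admonition and a KeePassXC download list, directly before `### Requisiti minimi`; this looks like a translation-memory mismerge and those segments should be dropped and re-pulled from the source page rather than shipped to readers. The same mismerged block recurs in i18n/it/multi-factor-authentication.md later in this diff (under `### CryptPad`), so the fix applies there as well. Earlier in this hunk the recommended-configuration headings for both Brave and Safari read `#### Firefox`, and in the Safari private-browsing step the iCloud E2EE sentence stands where the instruction preceding `Poi espandi la lista dei gruppi di schede` should be, which leaves that hardening step unreadable. Those segments presumably need re-translation from the English source; I would hold the file until they are.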
@@ -0,0 +1,162 @@ +--- +title: "Autenticatori a più fattori" +icon: 'material/two-factor-authentication' +--- + +## Chiavi di sicurezza fisiche + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + Le **YubiKey** sono tra le chiavi di sicurezza più diffuse. Alcuni modelli di YubiKey dispongono di un'ampia gamma di funzionalità come: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 e WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP e HOTP](https://developers.yubico.com/OATH). + + Uno dei vantaggi di YubiKey è che una chiave può fare quasi tutto ciò che ci si aspetta da una chiave di sicurezza fisica (YubiKey 5). Invitiamo a svolgere il [quiz](https://www.yubico.com/quiz/) per essere sicuri di fare il giusto acquisto. + + [:octicons-home-16: Pagina principale](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentazione} + +La [tabella di confronto](https://www.yubico.com/store/compare/) mostra le caratteristiche e le differenze tra le YubiKey. Consigliamo vivamente di scegliere le chiavi della Serie 5. + +Le YubiKey possono essere programmate utilizzando [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) o [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). Per la gestione dei codici TOTP, è possibile utilizzare il [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). Tutti i client di Yubico sono open source. 
+ +Per i modelli che supportano HOTP e TOTP, ci sono 2 slot nell'interfaccia OTP che possono essere utilizzati per HOTP e 32 slot per memorizzare i segreti TOTP. Questi segreti vengono memorizzati in modo criptato sulla chiave e non vengono mai esposti ai dispositivi a cui sono collegati. Una volta fornito un seme (segreto condiviso) al Yubico Authenticator, questo fornirà solo codici a sei cifre, ma mai il seme. Questo modello di sicurezza contribuisce a limitare le possibilità di un aggressore che comprometta uno dei dispositivi che eseguono il Yubico Authenticatore, rendendo la YubiKey resistente a un aggressione fisica. + +!!! warning + Il firmware delle YubiKeys non è open-source, né aggiornabile. Se desideri avere le funzionalità presenti in versioni più nuove del firmware, o se è presente una vulnerabilità nella tua versione corrente, è necessario comprare una nuova chiavetta. + +### Nitrokey / Librem Key + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** ha una chiave di sicurezza che supporta [FIDO2 e WebAuthn] (basics/multi-factor-authentication.md#fido-fast-identity-online), chiamata **Nitrokey FIDO2**. Per il supporto PGP, è necessario un'altra delle loro chiavi, come la **Nitrokey Start**, la **Nitrokey Pro 2** o la **Nitrokey Storage 2**. + + [:octicons-home-16: Pagina principale](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentazione} + +La [tabella di confronto](https://www.nitrokey.com/#comparison) mostra le caratteristiche e le differenze tra le chiavette Nitrokey. La **Nitrokey 3** elencata ha un insieme di funzioni combinate. + +I modelli Nitrokey possono essere configurati utilizzando l'applicazione [Nitrokey](https://www.nitrokey.com/download). 
+ +Per i modelli che supportano HOTP e TOTP, ci sono 3 slot per HOTP e 15 per TOTP. Alcune Nitrokey possono fungere da gestori di password. Possono memorizzare fino a 16 credenziali diverse, criptandole con la stessa password dell'interfaccia OpenPGP. + +!!! warning "Avviso" + + Sebbene le Nitrokey non rilascino i segreti HOTP/TOTP al dispositivo a cui sono collegati, la memoria HOTP e TOTP non è crittografata ed è vulnerabile agli attacchi fisici. Se desideri memorizzare i segreti HOTP o TOTP, consigliamo caldamente di utilizzare una Yubikey. + +!!! warning "Avviso" + + Reimpostare l'interfaccia OpenPGP su una Nitrokey rende il database [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html). + + Nitrokey Pro 2, Nitrokey Storage 2 e l'imminente Nitrokey 3 supportano la verifica dell'integrità del sistema per i laptop con il firmware [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/). La [Librem Key di Purism](https://puri.sm/products/librem-key/) è un rebranding della NitroKey Pro 2 con un firmware simile e può essere utilizzata per gli stessi scopi. + +Il firmware di Nitrokey è open-source, a differenza di YubiKey. Il firmware dei modelli NitroKey moderni (tranne che per **NitroKey Pro 2**) è aggiornabile. + +!!! important + + L'applicazione Nitrokey, pur essendo compatibile con le chiavi Librem, richiede la versione 3.6 o superiore di `libnitrokey` per riconoscerle. Attualmente il pacchetto è obsoleto nelle repository di Windows, macOS e della maggior parte delle distribuzioni Linux; è quindi probabile dover compilare l'applicazione Nitrokey per farla funzionare con Librem Key. Su Linux, è possibile ottenere una versione aggiornata da [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). 
+ +### CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +#### Requisiti minimi + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Caso migliore + +KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Applicazioni di autenticazione + +Le applicazioni di autenticazione implementano lo standard di sicurezza daottato dalla Internet Engineering Task Force (IETF) chaiamto **'Time-based One-time Passwords'**, o **'TOTP'**. 
È un metodo in cui i siti web condividono un segreto con l'utente, il quale viene utilizzato dall'applicazione di autenticazione per generare, solitamente, un codice a sei cifre basato sull'ora corrente, che viene inserita durante l'accesso al sito web da controllare. Tipicamente questi codici vengono rigenerati ogni 30 secondi; quando ne viene generato uno nuovo, quello vecchio diventa inutile. Anche se un hacker fosse in grado di ottenere il codice a sei cifre, non ha modo di invertire il codice per ottenere il segreto originale, né di prevedere quali potrebbero essere i codici futuri.
+
+Consigliamo vivamente di utilizare applicazioni TOTP per dispositivi mobili invece delle alternative desktop; questo perché Android e iOS offrono una migliore sicurezza e isolazione delle applicazioni, rispetto alla maggior parte dei sistemi operativi per desktop.
+
+### Raivo OTP
+
+!!! recommendation
+
+ ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right }
+
+ **Aegis Authenticator** è un'applicazione gratuita, sicura e open-source per gestire i token di verifica dei due passaggi per i vostri servizi online.
+
+ [:octicons-home-16: Pagina principale](https://getaegis.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribuisci }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
+ - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases)
+
+### Raivo OTP (iOS)
+
+!!! 
recommendation
+
+ ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right }
+
+ **Raivo OTP** è un client per password su iOS nativo, leggero e sicuro, basato sul tempo (TOTP) & sul contatore (HOTP). Ravio OTP offre la sincronizzazione & il backup opzionali via iCloud. È inoltre disponibile per macOS come applicazione nella barra di stato, ma non funzione indipendentemente dall'applicazione su iOS.
+
+ [:octicons-home-16: Pagina principale](https://raivo-otp.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Informativa sulla privacy" }
+ [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribuisci }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
+
+### CryptPad
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. 
downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+- Deve essere un software open-source.
+- Must not require internet connectivity.
+- Must not sync to a third-party cloud sync/backup service.
+ - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/news-aggregators.md b/i18n/it/news-aggregators.md
new file mode 100644
index 00000000..608467e8 100644
--- /dev/null
+++ b/i18n/it/news-aggregators.md
@@ -0,0 +1,182 @@
+---
+title: "Aggregatori di notizie"
+icon: octicons/rss-24
+---
+
+Un [aggreggatore di notizie](https://it.wikipedia.org/wiki/Aggregatore) è un modo per tenerti aggiornato con i tuoi blog e siti di notizie favoriti.
+
+## Client aggregatori
+
+### Akregator
+
+!!! recommendation
+
+ ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right }
+
+ **Akregator** è un aggregatore di notizie, parte del progetto [KDE](https://kde.org). È dotato di ricerca rapida, funzionalità avanzate di archivio e un browser interno per leggere semplicemente le notizie.
+
+ [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation}
+ [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator)
+
+### Feeder
+
+!!! recommendation
+
+ ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right }
+
+ **Feeder** è un moderno client RSS per android con numerose [features](https://gitlab.com/spacecowboy/Feeder#features) e una buona coesione con le cartelle di feed RSS. Supporta [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) e [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+
+ [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute }
+
+ ??? 
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play)
+
+### Fluent Reader
+
+!!! recommendation
+
+ ![Logo di Fluent Reader](assets/img/news-aggregators/fluent-reader.svg){ align=right }
+
+ **Fluent Reader** è un aggregatore di notizie sicuro e multipiattaforma, dotato di utili funzioni per la privacy come la cancellazione dei cookie all'uscita, di rigorose [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) e del supporto proxy, che consente di utilizzarlo su [Tor](tor.md).
+
+ [:octicons-home-16: Pagina principale](https://hyliu.me/fluent-reader){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribuisci }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://hyliu.me/fluent-reader)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427)
+
+### GNOME Feeds
+
+!!! recommendation
+
+ ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right }
+
+ **GNOME Feeds** è un aggregatore di notizie [RSS](https://en.wikipedia.org/wiki/RSS) e [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) per [GNOME](https://www.gnome.org). Ha un'interfaccia semplice ed è piuttosto veloce.
+
+ [:octicons-home-16: Pagina principale](https://gfeeds.gabmus.org){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute }
+
+ ??? 
downloads
+
+ - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds)
+
+### Miniflux
+
+!!! recommendation
+
+ ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right }
+ ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right }
+
+ **Miniflux** è un aggregatore di notizie basato sul web; è possibile il self-hosting. Supporta [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) e [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+
+ [:octicons-home-16: Pagina principale](https://miniflux.app){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribuisci }
+
+### NetNewsWire
+
+!!! recommendation
+
+ ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right }
+
+ **NetNewsWire** è un lettore di feed gratuito ed open-source per macOS e iOS, con un focus su design e funzionalità native. Supporta il tipico format feed, oltre al supporto integrato per i feed di Twitter e Reddit.
+
+ [:octicons-home-16: Pagina principale](https://netnewswire.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Codice sorgente" }
+
+ ??? 
downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210)
+ - [:simple-apple: macOS](https://netnewswire.com)
+
+### Newsboat
+
+!!! recommendation
+
+ ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right }
+
+ **Newsboat** è un lettore feed RSS/Atom per la console di testo. È un fork attivamente mantenuto di [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). È molto leggero, e ideale per l'utilizzo attraverso [Secure Shell](https://it.wikipedia.org/wiki/Secure_Shell).
+
+ [:octicons-home-16: Pagina principale](https://newsboat.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Codice sorgente" }
+
+## CryptPad
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. 
downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+- Deve essere un software open-source.
+- Must operate locally, i.e. must not be a cloud service.
+
+## Social Media RSS Support
+
+Some social media services also support RSS although it's not often advertised.
+
+### Reddit
+
+Usando una qualsiasi [istanza](https://github.com/zedeus/nitter/wiki/Instances) di Nitter, è possibile iscriversi mediante RSS.
+
+!!! example
+ Replace `subreddit_name` with the subreddit you wish to subscribe to.
+
+ ```text
+ https://www.reddit.com/r/{{ subreddit_name }}/new/.rss
+ ```
+
+### Twitter
+
+Puoi iscriverti ai canali YouTube senza accedere e senza associare le informazioni di utilizzo al proprio account Google.
+
+!!! example
+ 1. Scegli un istanza e imposta `istanza_nitter`.
+ 2. Sostituisci `account_twitter` con il nome dell'account che desideri seguire.
+
+ ```text
+ https://{{ istanza_nitter }}/{{ account_twitter }}/rss
+ ```
+
+### YouTube
+
+You can subscribe YouTube channels without logging in and associating usage information with your Google Account.
+
+!!! example
+
+ https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID]
+ ```text
+ https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID]
+ ```
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/notebooks.md b/i18n/it/notebooks.md
new file mode 100644
index 00000000..1ed3c7cd 100644
--- /dev/null
+++ b/i18n/it/notebooks.md
@@ -0,0 +1,119 @@
+---
+title: "Blocchi note"
+icon: material/notebook-edit-outline
+---
+
+Tieni traccia delle tue note e diari senza doverli dare a una terza parte.
+
+Se stai attualmente utilizzando un'applicazione come Evernote, Google Keep o Microsoft OneNote, ti suggeriamo di scegliere una delle seguenti alernative che supportano E2EE.
+
+## Cloud
+
+### Joplin
+
+!!! recommendation
+
+ ![Logo Joplin](assets/img/notebooks/joplin.svg){ align=right }
+
+ **Joplin** è un'applicazione gratuita, open-source e dotata di tutte le funzionalità per prendere appunti e per le attività da svolgere, in grado di gestire un gran numero di note markdown organizzate in taccuini e tag. Offre E2EE e può sincronizzarsi con Nextcloud, Dropbox e altro ancora. Offre anche la possibilità di importare facilmente note da Evernote e note in testo semplice.
+
+ [:octicons-home-16: Pagina principale](https://joplinapp.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribuisci }
+
+ ??? 
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797)
+ - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases)
+ - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications)
+ - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications)
+ - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek)
+
+Joplin non supporta la protezione con password/PIN per [l'applicazione stessa o per i singoli appunti e taccuini](https://github.com/laurent22/joplin/issues/289). Tuttavia, i dati vengono comunque crittografati durante il transito e nella posizione di sincronizzazione utilizzando la chiave master.
+
+### Standard Notes
+
+!!! recommendation
+
+ ![Logo Standard Notes](assets/img/notebooks/standard-notes.svg){ align=right }
+
+ **Standard Notes** è un'applicazione per appunti semplice e privata che rende i tuoi appunti facili e disponibili ovunque tu sia. È dotato di E2EE su ogni piattaforma e di una potente esperienza desktop con temi ed editor personalizzati. È stato anche [sottoposto a ispezione indipendente (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). 
+
+ [:octicons-home-16: Pagina principale](https://standardnotes.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribuisci }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450)
+ - [:simple-github: GitHub](https://github.com/standardnotes/app/releases)
+ - [:simple-windows11: Windows](https://standardnotes.com)
+ - [:simple-apple: macOS](https://standardnotes.com)
+ - [:simple-linux: Linux](https://standardnotes.com)
+ - [:octicons-globe-16: Web](https://app.standardnotes.com/)
+
+### Org-mode
+
+!!! recommendation
+
+ ![Logo Org-mode](assets/img/notebooks/org-mode.svg){ align=right }
+
+ **Org-mode** è una [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) per GNU Emacs. Org-mode serve per prendere appunti, mantenere elenchi TODO, pianificare progetti e scrivere documenti con un sistema di testo semplice rapido ed efficace.
+
+ La sincronizzazione è possibile con gli strumenti di [sincronizzazione dei file](file-sharing.md#file-sync). [:octicons-home-16: Pagina principale](https://orgmode.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribuisci }
+
+Cryptee offers 100MB of storage for free, with paid options if you need more. 
Sign-up doesn't require an e-mail or other personally identifiable information.
+
+## Locali
+
+### Org-mode
+
+!!! recommendation
+
+ ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right }
+
+ **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools.
+
+ [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute }
+
+## CryptPad
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. 
downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+- Clients must be open-source.
+- Any cloud sync functionality must be E2EE.
+- Must support exporting documents into a standard format.
+
+### Best Case
+
+- Local backup/sync functionality should support encryption.
+- Cloud-based platforms should support document sharing.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/os/android-overview.md b/i18n/it/os/android-overview.md
new file mode 100644
index 00000000..5c823496 100644
--- /dev/null
+++ b/i18n/it/os/android-overview.md
@@ -0,0 +1,135 @@
+---
+title: Panoramica Android
+icon: fontawesome/brands/android
+---
+
+Android è un sistema operativo sicuro, dotato di [sandboxing delle app](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB) e di un robusto sistema di controllo delle [autorizzazioni](https://developer.android.com/guide/topics/permissions/overview).
+
+## Scegliere una distribuzione di Android
+
+Quando acquisti un telefono Android, il sistema operativo predefinito del dispositivo è spesso dotato di un'integrazione invasiva con applicazioni e servizi che non fanno parte di [Android Open-Source Project](https://source.android.com/). Un esempio è Google Play Services, che ha privilegi irrevocabili di accesso ai file, alla memoria dei contatti, ai registri delle chiamate, ai messaggi SMS, alla posizione, alla fotocamera, al microfono, agli identificatori hardware e così via. Queste applicazioni e servizi aumentano la superficie di attacco del dispositivo e sono all'origine di vari problemi di privacy con Android.
+
+Questo problema potrebbe essere risolto utilizzando una distribuzione modificata di Android che non preveda un'integrazione così invasiva. Purtroppo, molte distribuzioni di Android personalizzate spesso violano il modello di sicurezza di Android, non supportando funzioni di sicurezza critiche come AVB, protezione rollback, aggiornamenti del firmware e così via. Alcune distribuzioni forniscono anche build [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) che espongono root tramite [ADB](https://developer.android.com/studio/command-line/adb) e richiedono politiche SELinux [più permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) per ospitare le funzionalità di debug, con conseguente ulteriore aumento della superficie di attacco e indebolimento del modello di sicurezza. 
+
+Idealmente, quando si sceglie una distribuzione modificata di Android, bisogna assicurarsi che rispetti il modello di sicurezza Android. Come minimo, la distribuzione dovrebbe avere build di produzione, supporto per AVB, protezione dal rollback, aggiornamenti tempestivi del firmware e del sistema operativo e SELinux in [modalità enforcing](https://source.android.com/security/selinux/concepts#enforcement_levels). Tutte le distribuzioni di Android da noi consigliate soddisfano questi criteri.
+
+[Le nostre raccomandazioni per il sistema Android :material-arrow-right-drop-circle:](../android.md ""){.md-button}
+
+## Evitare il rooting
+
+Il [rooting](https://it.wikipedia.org/wiki/Rooting) dei telefoni Android può diminuire notevolmente la sicurezza in quanto indebolisce nel complesso il [modello di sicurezza di Android](https://it.wikipedia.org/wiki/Android#Privacy_e_sicurezza). Questo può ridurre la privacy nel caso in cui si verifichi un exploit favorito dalla riduzione della sicurezza. I metodi di rooting più comuni prevedono la manomissione diretta della partizione di avvio, rendendo impossibile l'esecuzione di un Verified Boot. Le applicazioni che richiedono il root modificheranno anche la partizione di sistema, il che significa che Verified Boot dovrà rimanere disabilitato. L'esposizione di root direttamente nell'interfaccia utente aumenta inoltre la [superficie di attacco](https://it.wikipedia.org/wiki/Superficie_di_attacco) del dispositivo e può favorire [l'escalation dei privilegi](https://it.wikipedia.org/wiki/Privilege_escalation) e l'aggiramento delle politiche di SELinux.
+
+Gli adblocker che modificano il [file hosts](https://it.wikipedia.org/wiki/Hosts) (AdAway) e i firewall (AFWall+) che richiedono l'accesso root in modo persistente sono pericolosi e non dovrebbero essere utilizzati. Inoltre, non sono il modo corretto per risolvere i loro scopi. 
Se vuoi bloccare le pubblicità suggeriamo invece l'uso di [DNS](../dns.md) criptati o di [VPN](../vpn.md) con questa funzione. RethinkDNS, TrackerControl e AdAway in modalità non-root occuperanno lo slot VPN (utilizzando un loopback VPN locale) impedendovi di utilizzare servizi di miglioramento della privacy come Orbot o un vero server VPN.
+
+AFWall+ funziona in base all'approccio del [filtraggio dei pacchetti](https://it.wikipedia.org/wiki/Firewall#Filtraggio_dei_pacchetti/contenuti) e può essere bypassato in alcune situazioni.
+
+Non crediamo che i sacrifici in termini di sicurezza fatti con il rooting di un telefono valgano i discutibili vantaggi per la di privacy di queste applicazioni.
+
+## Verified Boot
+
+Il [Verified Boot](https://source.android.com/security/verifiedboot) (avvio verificato) è una parte importante del modello di sicurezza di Android. Fornisce protezione contro gli attacchi [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack), la persistenza del malware e garantisce che gli aggiornamenti di sicurezza non possano essere declassati con la protezione da [rollback](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
+
+A partire da Android 10 si è passati dalla crittografia dell'intero disco alla più flessibile [crittografia basata sui file](https://source.android.com/security/encryption/file-based). I dati vengono crittografati utilizzando chiavi di crittografia uniche, mentre i file del sistema operativo vengono lasciati in chiaro.
+
+Il Verified Boot garantisce l'integrità dei file del sistema operativo, impedendo così a un avversario con accesso fisico di manomettere o installare malware sul dispositivo. Nel caso improbabile che il malware sia in grado di sfruttare altre parti del sistema e ottenere un accesso privilegiato superiore, Verified Boot impedisce e ripristina le modifiche alla partizione di sistema al riavvio del dispositivo. 
+
+Sfortunatamente, gli OEM sono obbligati a supportare il Verified Boot solo sulla loro distribuzione stock di Android. Solo alcuni OEM, come Google, supportano la registrazione personalizzata della chiave AVB sui loro dispositivi. Inoltre, alcuni derivati di AOSP come LineageOS o /e/ OS non supportano il Verified Boot anche su hardware con supporto per il Verified Boot per sistemi operativi di terze parti. Si consiglia di verificare il supporto **prima** di acquistare un nuovo dispositivo. I derivati di AOSP che non supportano il Verified Boot **non** sono consigliati.
+
+Molti OEM hanno anche implementazioni non funzionanti del Verified Boot di cui bisogna essere consapevoli al di là del loro marketing. Ad esempio, i Fairphone 3 e 4 non sono sicuri per impostazione predefinita, poiché il bootloader stock di [si affida alla chiave di firma AVB pubblica](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). Ciò invalida l'avvio verificato su un dispositivo Fairphone stock, in quanto il sistema avvierà sistemi operativi Android alternativi come (ad esempio /e/) [senza alcun avviso](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) sull'utilizzo del sistema operativo modificato.
+
+## Aggiornamenti del firmware
+
+Gli aggiornamenti del firmware sono fondamentali per mantenere la sicurezza e senza di essi il dispositivo non può essere sicuro. Gli OEM stipulano accordi di supporto con i loro partner per fornire i componenti closed-source per un periodo di supporto limitato. Questi sono riportati mesilmente in [Android Security Bulletins](https://source.android.com/security/bulletin) (bollettini di sicurezza di Android).
+
+Poiché i componenti del telefono, come il processore e le tecnologie radio, si basano su componenti closed-source, gli aggiornamenti devono essere forniti dai rispettivi produttori. 
Pertanto, è importante acquistare un dispositivo all'interno di un ciclo di assistenza attivo. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) e [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) supportano i loro dispositivi per 4 anni, mentre i prodotti più economici hanno spesso cicli di supporto più brevi. Con l'introduzione di [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google produce ora il proprio SoC e fornirà un supporto di almeno 5 anni.
+
+I dispositivi EOL che non sono più supportati dal produttore del SoC non possono ricevere aggiornamenti del firmware dai fornitori OEM o dai distributori Android after market. Ciò significa che i problemi di sicurezza di questi dispositivi non saranno risolti.
+
+Fairphone, ad esempio, commercializza i propri dispositivi con 6 anni di assistenza. Tuttavia, il SoC (Qualcomm Snapdragon 750G sul Fairphone 4) ha una data di scadenza molto più breve. Ciò significa che gli aggiornamenti di sicurezza del firmware di Qualcomm per il Fairphone 4 termineranno nel settembre 2023, indipendentemente dal fatto che Fairphone continui a rilasciare aggiornamenti di sicurezza del software.
+
+## Versioni di Android
+
+È importante non utilizzare una versione di Android a [fine vita](https://endoflife.date/android). Le nuove versioni di Android non ricevono solo aggiornamenti di sicurezza per il sistema operativo, ma anche importanti aggiornamenti per migliorare la privacy. 
Ad esempio, [prima di Android 10](https://developer.android.com/about/versions/10/privacy/changes), qualsiasi app con l'autorizzazione [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) poteva accedere a numeri di serie sensibili e unici del telefono, come [IMEI](https://it.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier) e [IMSI](https://it.wikipedia.org/wiki/IMSI) della carta SIM, mentre ora devono essere app di sistema per farlo. Le applicazioni di sistema sono fornite solo dagli OEM o dalla distribuzione di Android.
+
+## Autorizzazioni di Android
+
+[Le autorizzazioni su Android](https://developer.android.com/guide/topics/permissions/overview) consentono di controllare ciò a cui le applicazioni hanno accesso. Google apporta regolarmente [miglioramenti](https://developer.android.com/about/versions/11/privacy/permissions) al sistema delle autorizzazioni in ogni nuova versione. Tutte le applicazioni installate sono rigorosamente [confinate in una sandbox](https://source.android.com/security/app-sandbox), pertanto non è necessario installare alcuna applicazione come antivirus. Uno smartphone con l'ultima versione di Android sarà sempre più sicuro di un vecchio smartphone con un antivirus a pagamento. È meglio non pagare il software antivirus e risparmiare per acquistare un nuovo smartphone come il Google Pixel.
+
+Se volete eseguire un'applicazione di cui non siete sicuri, prendete in considerazione l'utilizzo di un profilo utente o di lavoro.
+
+## Accesso ai media
+
+Molte applicazioni consentono di "condividere" un file per il caricamento dei media. Se desideri, ad esempio, caricare una foto su Twitter, non concedere a Twitter l'accesso a "media e foto", perché in questo modo avrà accesso a tutte le immagini. Invece, apri il gestore di file (documentsUI), tieni premuta l'immagine, quindi condividila con Twitter. 
+
+## Profili utente
+
+I profili utente multipli si trovano in **Impostazioni** → **Sistema** → **Utenti multipli** e sono il modo più semplice per isolare in Android.
+
+Con i profili utente, è possibile imporre restrizioni a un profilo specifico, come ad esempio: effettuare chiamate, utilizzare SMS o installare applicazioni sul dispositivo. Ogni profilo è crittografato con la propria chiave di crittografia e non può accedere ai dati di altri profili. Anche il proprietario del dispositivo non può visualizzare i dati di altri profili senza conoscere la loro password. I profili utente multipli sono un metodo di isolamento più sicuro.
+
+## Profilo di lavoro
+
+I [Profili di lavoro](https://support.google.com/work/android/answer/6191949) sono un altro modo per isolare le singole app e può essere più comodo dei profili utente separati.
+
+Per creare un profilo di lavoro senza un MDM aziendale è necessaria un'applicazione come **controllore del dispositivo**, come [Shelter](#recommended-apps), a meno che tu non utilizzi un sistema operativo Android modificato che ne include uno.
+
+Il profilo di lavoro dipende da un controllore del dispositivo per funzionare. Funzionalità come *File Shuttle* e *blocco della ricerca dei contatti* o qualsiasi tipo di funzionalità di isolamento devono essere implementate dal controllore. È inoltre necessario fidarsi completamente dell'app di controllo del dispositivo, che ha pieno accesso ai dati dell'utente all'interno del profilo di lavoro.
+
+Questo metodo è generalmente meno sicuro di un profilo utente secondario; tuttavia, consente di eseguire contemporaneamente le applicazioni nel profilo di lavoro e in quello personale.
+
+## Killswitch per VPN
+
+Android 7 e successivi supporta un killswitch per VPN ed è disponibile senza la necessità di installare applicazioni di terze parti. Questa funzione può prevenire la fuga di dati in caso di disconnessione della VPN. 
Si trova in :gear: **Impostazioni** → **Rete e Internet** → **VPN** → :gear: → **Blocca connessioni senza VPN**.
+
+## Interruttori globali
+
+I dispositivi Android moderni dispongono di interruttori globali per disattivare il Bluetooth e i servizi di localizzazione. Android 12 ha introdotto gli interruttori per la fotocamera e il microfono. Quando non vengono utilizzate, si consiglia di disabilitare queste funzioni. Le applicazioni non possono utilizzare le funzioni disabilitate (anche se hanno ottenuto un'autorizzazione individuale) finché non vengono riattivate.
+
+## Google
+
+Se utilizzi un dispositivo con i servizi di Google, sia con il sistema operativo di serie sia con un sistema operativo che mette in sicurezza i Google Play Services, come GrapheneOS, è possibile apportare una serie di modifiche aggiuntive per migliorare la privacy. Si consiglia comunque di evitare del tutto i servizi di Google o di limitare i servizi di Google Play a un profilo specifico utente o di lavoro, combinando un controller di dispositivo come *Shelter* con Sandboxed Google Play di GrapheneOS.
+
+### Programma di protezione avanzata
+
+Se disponi di un account Google, consigliamo di iscriversi al https://landing.google.com/intl/it/advancedprotection/programma di protezione avanzata. È disponibile gratuitamente per chiunque possieda due o più chiavi di sicurezza hardware con supporto a [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online). 
+
+Il programma di protezione avanzata offre un monitoraggio avanzato delle minacce e consente:
+
+- Autenticazione a due fattori più rigorosa; ad esempio, [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **deve** essere utilizzato e non è consentito l'uso di [SMS OTP](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) e [OAuth](https://it.wikipedia.org/wiki/OAuth)
+- Solo Google e le app di terze parti verificate possono accedere ai dati dell'account
+- Scansione delle email in arrivo sugli account Gmail per i tentativi di [phishing ](https://en.wikipedia.org/wiki/Phishing#Email_phishing)
+- [Scansione sicura del browser](https://www.google.com/chrome/privacy/whitepaper.html#malware) più rigorosa con Google Chrome
+- Processo di recupero più rigoroso per gli account con credenziali perdute
+
+ Se utilizzi Google Play Services senza sandbox (comuni sui sistemi operativi stock), il programma di protezione avanzata viene fornito anche con [vantaggi aggiuntivi](https://support.google.com/accounts/answer/9764949?hl=it) quali:
+
+- Non permettere l'installazione di app al di fuori del Google Play Store, dell'app store del fornitore del sistema operativo o tramite [`adb`](https://it.wikipedia.org/wiki/Android_Debug_Bridge)
+- Scansione automatica obbligatoria del dispositivo con [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=it#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
+- Avviso sulle applicazioni non verificate
+
+### Aggiornamenti dei servizi di sistema di Google
+
+In passato, gli aggiornamenti di sicurezza di Android dovevano essere forniti dal fornitore del sistema operativo. Android è diventato più modulare a partire da Android 10 e Google può inviare aggiornamenti di sicurezza per **alcuni componenti del sistema** tramite i Play Services privilegiati. 
+
+Se disponi di un dispositivo EOL con Android 10 o superiore e non sei in grado di installare uno dei nostri sistemi operativi consigliati sul dispositivo, è probabile che sia meglio attenersi alla distribuzione di Android dell'OEM (rispetto a un sistema operativo non elencato qui, come LineageOS o /e/ OS). Questo ti permetterà di ricevere **alcune** correzioni di sicurezza da parte di Google, senza però violare il modello di sicurezza Android utilizzando un derivato di Android insicuro e aumentando la superficie di attacco. Consigliamo comunque di passare a un dispositivo supportato il prima possibile.
+
+### ID pubblicità
+
+Tutti i dispositivi con Google Play Services installato generano automaticamente un [ID pubblicità](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) utilizzato per la pubblicità mirata. Disattiva questa funzione per limitare i dati raccolti su di te.
+
+Sulle distribuzioni Android con [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), vai su :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, e selezionare *Delete advertising ID*.
+
+Sulle distribuzioni di Android con Google Play Services privilegiato (come i sistemi operativi stock), l'impostazione può trovarsi in una delle diverse posizioni. Controlla
+
+- :gear: **Impostazioni** → **Google** → **Annunci**
+- :gear: **Impostazioni** → **Privacy** → **Annunci**
+
+Ti verrà data la possibilità di eliminare l'ID pubblicità o di *rinunciare agli annunci basati sugli interessi*, questo varia tra le distribuzioni OEM di Android. È raccomandato eliminare l'ID pubblicità se viene data la possibilità. In caso contrario, assicurati di disattivare e reimpostare l'ID pubblicità. 
+
+### SafetyNet e API Play Integrity
+
+[SafetyNet](https://developer.android.com/training/safetynet/attestation) e le API [Play Integrity](https://developer.android.com/google/play/integrity) sono generalmente utilizzate per [le app bancarie](https://grapheneos.org/usage#banking-apps). Molte applicazioni bancarie funzionano bene in GrapheneOS con i servizi Play in sandbox, ma alcune applicazioni non finanziarie hanno i loro meccanismi anti-manomissione che potrebbero fallire. GrapheneOS supera il controllo `basicIntegrity`, ma non il controllo di certificazione `ctsProfileMatch`. I dispositivi con Android 8 o successivi dispongono di un supporto di attestazione hardware che non può essere aggirato senza chiavi trapelate o gravi vulnerabilità.
+
+Per quanto riguarda Google Wallet, lo sconsigliamo a causa dell'[informativa sulla privacy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), che prevede l'opt-out se non si desidera che il proprio rating creditizio e i propri dati personali vengano condivisi con i servizi di marketing affiliati.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/os/linux-overview.md b/i18n/it/os/linux-overview.md
new file mode 100644
index 00000000..941f409a
--- /dev/null
+++ b/i18n/it/os/linux-overview.md 
@@ -0,0 +1,143 @@
+---
+title: Linux Overview
+icon: simple/linux
+---
+
+It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years.
+
+At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.:
+
+- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). 
These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack)
+- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go
+- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations)
+
+Despite these drawbacks, desktop Linux distributions are great if you want to:
+
+- Avoid telemetry that often comes with proprietary operating systems
+- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms)
+- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/)
+
+Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here.
+
+[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button}
+
+## Choosing your distribution
+
+Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use.
+
+### Release cycle
+
+We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. 
This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
+
+For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.
+
+We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this:
+
+
+
+
+
+### Traditional vs Atomic updates
+
+Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating.
+
+Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic.
+
+A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state."
+
+The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue:
+
+
+
+
+
+### “Security-focused” distributions
+
+There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use.
+
+### Arch-based distributions
+
+Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.
+
+For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit).
+
+Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). 
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.
+
+If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically:
+
+- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories.
+- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks.
+
+### Kicksecure
+
+While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.
+
+### Linux-libre kernel and “Libre” distributions
+
+We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. 
+
+## Consigli generali
+
+### Drive Encryption
+
+Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
+
+- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+
+### Swap
+
+Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM).
+
+### Wayland
+
+We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. 
+
+Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
+
+We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
+
+### Proprietary Firmware (Microcode Updates)
+
+Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html).
+
+We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. 
+
+### Updates
+
+Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found.
+
+Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates.
+
+Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd).
+
+## Privacy Tweaks
+
+### MAC Address Randomization
+
+Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings.
+
+It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous.
+
+We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/).
+
+If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). 
+
+There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware.
+
+### Other Identifiers
+
+There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md):
+
+- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings.
+- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
+- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id).
+
+### System Counting
+
+The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary.
+
+This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. 
+
+openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/os/qubes-overview.md b/i18n/it/os/qubes-overview.md
new file mode 100644
index 00000000..dcd68496
--- /dev/null
+++ b/i18n/it/os/qubes-overview.md
@@ -0,0 +1,56 @@
+---
+title: "Panoramica di Qubes"
+icon: pg/qubes-os
+---
+
+[**Qubes OS**](../desktop.md#qubes-os) è un sistema operativo che utilizza l'hypervisor [Xen](https://en.wikipedia.org/wiki/Xen) per fornire una forte sicurezza per il desktop computing attraverso macchine virtuali isolate. Ogni macchina virtuale è chiamata *Qube* e si può assegnare a ogni Qube un livello di fiducia in base al suo scopo. Poiché il sistema operativo Qubes garantisce la sicurezza utilizzando l'isolamento e consentendo azioni solo su base individuale, è l'opposto dell'[enumerazione delle minacce](https://www.ranum.com/security/computer_security/editorials/dumb/).
+
+## Come funziona Qubes OS?
+
+Qubes utilizza la [compartimentazione](https://www.qubes-os.org/intro/) per mantenere il sistema sicuro. I Qubes sono creati da modelli, predefiniti per Fedora, Debian e [Whonix](../desktop.md#whonix). Qubes OS consente anche di creare macchine virtuali [monouso](https://www.qubes-os.org/doc/how-to-use-disposables/).
+
+![Architettura Qubes](../assets/img/qubes/qubes-trust-level-architecture.png)
+
Architettura di Qubes, da "What is Qubes OS Introduction"
+
+Ogni applicazione Qubes ha un [bordo colorato](https://www.qubes-os.org/screenshots/) che può aiutare a tenere traccia della macchina virtuale in cui è in esecuzione. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser.
+
+![Bordo colorato](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png)
+
Qubes window borders, Credit: Qubes Screenshots
+
+## Perché dovrei usare Qubes?
+
+Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources.
+
+Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control.
+
+### Copiare e incollare il testo
+
+Puoi [copiare e incollare il testo](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) utilizzando `qvm-copy-to-vm` o le istruzioni seguenti:
+
+1. Premi **Ctrl+C** per comunicare alla macchina virtuale in cui ti trovi che vuoi copiare qualcosa.
+2. Premi **Ctrl+Shift+C** per comunicare alla macchina virtuale di rendere disponibile questo buffer negli appunti globali.
+3. Premi **Ctrl+Shift+V** nella macchina virtuale di destinazione per rendere disponibili gli appunti globali.
+4. Premi **Ctrl+V** nella macchina virtuale di destinazione per incollare il contenuto nel buffer.
+
+### Scambio di file
+
+Per copiare e incollare file e directory (cartelle) da una macchina virtuale all'altra, si può usare l'opzione **Copy to Other AppVM...** o **Move to Other AppVM...**. La differenza è che l'opzione **Move** elimina il file originale. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system.
+
+??? 
info "AppVMs or qubes do not have their own file systems"
+
+ You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident.
+
+### Inter-VM Interactions
+
+The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/).
+
+## Risorse aggiuntive
+
+Per ulteriori informazioni si consiglia di consultare le ampie pagine di documentazione di Qubes OS presenti sul [sito web di Qubes OS](https://www.qubes-os.org/doc/). Le copie offline possono essere scaricate dal [repository della documentazione](https://github.com/QubesOS/qubes-doc) di Qubes OS.
+
+- Open Technology Fund: [*Arguably the world's most secure operating system (Probabilmente il sistema operativo più sicuro al mondo)*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/)
+- J. Rutkowska: [*Software compartmentalization vs. physical separation (Compartimentazione del software vs. separazione fisica)*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf)
+- J. Rutkowska: [*Partitioning my digital life into security domains (Suddividere la mia vita digitale in domini di sicurezza)*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html)
+- Qubes OS: [*Articoli correlati*](https://www.qubes-os.org/news/categories/#articles)
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/passwords.md b/i18n/it/passwords.md
new file mode 100644
index 00000000..ca0b0f8d
--- /dev/null
+++ b/i18n/it/passwords.md 
@@ -0,0 +1,249 @@ +--- +title: "Gestori di password" +icon: material/form-textbox-password +--- + +I gestori di password consentono di archiviare e gestire in modo sicuro le password e altre credenziali con l'uso di una password principale. + +[Introduzione alle password :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + I gestori di password integrati nei software, come i browser e i sistemi operativi, a volte non sono all'altezza di un software di gestione delle password dedicato. Il vantaggio di un gestore di password integrato è la buona integrazione con il software, ma spesso può essere molto semplice e privo di caratteristiche di privacy e sicurezza che le offerte autonome offrono. + + Ad esempio, il gestore di password di Microsoft Edge non offre affatto E2EE. Il gestore di password di Google ha E2EE [facoltativo](https://support.google.com/accounts/answer/11350823), e [Apple](https://support.apple.com/en-us/HT202303) offre E2EE di default. + +## Cloud + +Questi gestori di password sincronizzano le password su un server cloud per facilitarne l'accesso da tutti i dispositivi e per garantire la sicurezza contro la perdita del dispositivo. + +### Bitwarden + +!!! recommendation + + ![Logo di Bitwarden](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** è un gestore di password gratuito e open-source. L'obiettivo è quello di risolvere i problemi di gestione delle password per individui, team e organizzazioni aziendali. Bitwarden è una delle soluzioni migliori e più sicure per memorizzare tutti i vostri login e password, mantenendoli comodamente sincronizzati tra tutti i vostri dispositivi. 
+ + [:octicons-home-16: Pagina principale](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden dispone anche di [Bitwarden Send](https://bitwarden.com/products/send/), che consente di condividere testi e file in modo sicuro con [crittografia end-to-end](https://bitwarden.com/help/send-encryption). Una password [](https://bitwarden.com/help/send-privacy/#send-passwords) può essere richiesta insieme al link di invio. Bitwarden Send dispone anche di [cancellazione automatica](https://bitwarden.com/help/send-lifespan). + +Per poter condividere i file è necessario il [piano Premium](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans). Il piano gratuito consente solo la condivisione del testo. 
+ +Il codice lato server di Bitwarden è [open-source](https://github.com/bitwarden/server), quindi se non vuoi usare il cloud Bitwarden, puoi facilmente ospitare il proprio server di sincronizzazione Bitwarden. + +**Vaultwarden** è un'implementazione alternativa del server di sincronizzazione di Bitwarden scritta in Rust e compatibile con i client ufficiali di Bitwarden, perfetta per l'implementazione self-hosted quando l'esecuzione del servizio ufficiale, che richiede molte risorse, non è ideale. Se desideri ospitare Bitwarden sul proprio server, è quasi certamente preferibile utilizzare Vaultwarden al codice server ufficiale di Bitwarden. + +[:octicons-repo-16: Repository di Vaultwarden](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentazione} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Codice sorgente" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribuisci } + +### 1Password + +!!! recommendation + + ![logo 1Password](assets/img/password-management/1password.svg){ align=right } + + **1Password** è un gestore di password con una forte attenzione alla sicurezza e alla facilità d'uso, che consente di archiviare password, carte di credito, licenze software e qualsiasi altra informazione sensibile in una cassaforte digitale sicura. Il caveau personale è ospitato sui server di 1Password per una [tariffa mensile](https://1password.com/sign-up/). 1Password è [ispezionato](https://support.1password.com/security-assessments/) su base regolare e fornisce un'assistenza clienti eccezionale. 1Password è closed source; tuttavia, la sicurezza del prodotto è documentata in modo esauriente nel suo [white paper sulla sicurezza](https://1passwordstatic.com/files/security/1password-white-paper.pdf). 
+ + [:octicons-home-16: Pagina principale](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentazione} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Tradizionalmente, **1Password** ha offerto la migliore esperienza d'uso del gestore di password per chi utilizza macOS e iOS; tuttavia, ora ha raggiunto la parità di funzionalità su tutte le piattaforme. Vanta molte caratteristiche orientate alle famiglie e alle persone meno tecniche, oltre a funzionalità avanzate. + +Il caveau personale di 1Password è protetto sia dalla password principale che da una chiave di sicurezza randomizzata di 34 caratteri per criptare i vostri dati sui loro server. Questa chiave di sicurezza aggiunge un livello di protezione ai dati, perché i dati sono protetti da un'elevata entropia, indipendentemente dalla password principale. Molte altre soluzioni di gestione delle password si affidano interamente alla forza della password principale per proteggere i dati. + +Un vantaggio di 1Password rispetto a Bitwarden è il supporto di prima classe per i client nativi. Mentre Bitwarden relega molte funzioni, in particolare quelle di gestione dell'account, all'interfaccia del suo vault web, 1Password rende disponibili quasi tutte le funzioni all'interno dei suoi client nativi per dispositivi mobili o desktop. I client di 1Password hanno anche un'interfaccia utente più intuitiva, che li rende più facili da usare e da navigare. 
+ +### Psono + +!!! recommendation + + ![Logo Psono](assets/img/password-management/psono.svg){ align=right } + + **Psono** è un gestore di password gratuito e open-source sviluppato in Germania, con particolare attenzione alla gestione delle password per i team. Psono supporta la condivisione sicura di password, file, segnalibri ed email. download + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + + [:octicons-home-16: Pagina principale](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentazione} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono fornisce un'ampia documentazione sul proprio prodotto. 
Il web-client di Psono può essere auto-ospitato; in alternativa, è possibile scegliere la Community Edition completa o l'Enterprise Edition con funzionalità aggiuntive. + +### CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +#### Requisiti minimi + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Caso migliore + +KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. 
+ +## Archiviazione locale + +These options allow you to manage an encrypted password database locally. + +### KeePassDX (Android) + +!!! recommendation + + ![Logo KeePassDX](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** è un leggero gestore di password per Android, che consente di modificare i dati crittografati in un unico file in formato KeePass e di compilare i moduli in modo sicuro. + + [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) permette di sbloccare contenuti cosmetici e funzioni del protocollo non standard, ma soprattutto aiuta e incoraggia lo sviluppo. [:octicons-home-16: Pagina principale](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribuisci } + + ??? + +Inoltre, è disponibile una versione solo offline: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). Questa versione è stata ridotta nel tentativo di ridurre la superficie di attacco. We advise you check each record manually. + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Logo Strongbox](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** è un gestore di password nativo e open-source per iOS e macOS. Supportando entrambi i formati KeePass e Password Safe, Strongbox può essere utilizzato in tandem con altri gestori di password, come KeePassXC, su piattaforme non Apple. 
+ + Utilizzando un [modello freemium] (https://strongboxsafe.com/pricing/), Strongbox offre la maggior parte delle funzionalità nel suo livello gratuito, mentre quelle più convenienti [features](https://strongboxsafe.com/comparison/), come l'autenticazione biometrica, sono bloccate dietro un abbonamento o una licenza perpetua. [:octicons-home-16: Pagina principale](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribuisci } + + ??? + +### gopass + +!!! recommendation + + ![logo gopass](assets/img/password-management/gopass.svg){ align=right } + + **gopass** è un gestore di password per la riga di comando scritto in Go. Funziona su tutti i principali sistemi operativi desktop e server (Linux, macOS, BSD, Windows). [:octicons-home-16: Pagina principale](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribuisci } + + ??? 
+ + downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Linea di comando + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! 
recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +- Must be cross-platform. + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/productivity.md b/i18n/it/productivity.md new file mode 100644 index 00000000..ac0ccd30 --- /dev/null +++ b/i18n/it/productivity.md 
@@ -0,0 +1,181 @@ +--- +title: "Strumenti di produttività" +icon: material/file-sign +--- + +La maggior parte delle suite per ufficio online non supportano la crittografia end-to-end, il che significa che il provider del cloud ha accesso a tutto ciò che fai. L'informativa sulla privacy potrebbe proteggere legalmente i tuoi diritti, ma non fornisce vincoli tecnici di accesso. + +## Suite per ufficio + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** è una suite per ufficio gratis, open-source e ricca di funzionalità. + + [:octicons-home-16: Pagina principale](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentazione} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +!!! 
danger "Pericolo" + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** è una suite di ufficio basata sul cloud gratuita, open-source e ricca di funzionalità, come l'integrazione con Nextcloud. [:octicons-home-16: Pagina principale](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Codice sorgente" } + + ??? + +### OnlyOffice + +!!! recommendation + + ![Logo CryptPad](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** è un'alternativa privata e di design ai più diffusi strumenti per l'ufficio. Tutti i contenuti di questo servizio web sono criptati end-to-end e possono essere condivisi facilmente con altri utenti. + + [:octicons-home-16: Pagina principale](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribuisci } + +### CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! 
recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Caso migliore + +KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Servizi di paste + +### PrivateBin + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. 
+ + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Deve essere un software open-source. +- Must function offline. 
+- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/real-time-communication.md b/i18n/it/real-time-communication.md new file mode 100644 index 00000000..4d758e03 --- /dev/null +++ b/i18n/it/real-time-communication.md 
@@ -0,0 +1,204 @@ +--- +title: "Comunicazione in tempo reale" +icon: material/chat-processing +--- + +Questi sono i nostri consigli per comunicazioni criptate in tempo reale. + +[Tipi di reti di comunicazione :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Signal + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** è un'applicazione per dispositivi mobili sviluppata da Signal Messenger LLC. L'applicazione offre messaggistica istantanea, oltre che chiamate e videochiamate. + + Tutte le comunicazioni sono E2EE. La lista dei contatti è crittografata utilizzando il tuo PIN di accesso; in questo modo, il server non può accedervi. Anche i profili personali sono crittografati e condivisi solo con i contatti che ti aggiungono. + + [:octicons-home-16: Pagina principale](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Il protocollo è stato sottoposto ad un [audit](https://eprint.iacr.org/2016/1013.pdf) indipendente nel 2016. 
Le specifiche del protocollo Signal possono essere trovate nella loro [documentazione](https://signal.org/docs/). Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** è il client di riferimento per il protocollo [Matrix](https://matrix.org/docs/guides/introduction), uno [standard aperto](https://matrix.org/docs/spec) per comunicazione in tempo reale sicura e decentralizzata. I messaggi e i file condivisi nelle stanze private (quelle che richiedono un invito) sono E2EE in modo predefinito, così come le chiamate e videochiamate tra due persone. + + [:octicons-home-16: Pagina principale](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Codice sorgente" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Il protocollo è stato [verificato](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) indipendentemente nel 2016. Le specifiche del protocollo Matrix possono essere trovate nella sua [documentazione](https://spec.matrix.org/latest/). L'algoritmto crittografico [Olm](https://matrix.org/docs/projects/other/olm) utilizzato da Matrix è un'implementazione dell'[algoritmo Double Ratchet](https://signal.org/docs/specifications/doubleratchet/) di Signal. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat è una messaggeria istantanea decentralizzata che non dipende da identificatori univoci come numeri di telefono o nomi utente. Gli utenti di SimpleX Chat possono scansionare un codice QR o fare clic su un link di invito per partecipare alle conversazioni di gruppo. 
[:octicons-home-16: Pagina principale](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Codice sorgente" } + + ??? + + downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +Attualmente SimpleX Chat fornisce solo un client per Android e iOS. Sono supportate le funzionalità di base delle chat di gruppo, la messaggistica diretta, la modifica dei messaggi e il markdown. + +I dati possono essere esportati e importati su un altro dispositivo, poiché non esistono server centrali in cui viene eseguito il backup. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Element + +!!! 
warning "Avviso" + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Session offre il supporto per messaggi diretti, chat di gruppo e chiamate vocali. + +### Element + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** è un servizio di messaggistica istantanea che si [connette](https://briarproject.org/how-it-works/) ad altri client utilizzando la rete Tor. + + Briar può anche connettersi via Wi-Fi o Bluetooth quando si trova nelle vicinanze. + + La modalità mesh locale di Briar può essere utile quando la connessione a Internet è problematica. [:octicons-home-16: Pagina principale](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentazione} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Le opzioni per donare solo presenti alla fine della pagina principale" } + + ??? + +Session ha un [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) che descrive le caratteristiche tecniche dell'applicazione e del protocollo. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). recommendation We recommend that you do not use this feature for private meetings. 
+ +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. 
downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Caso migliore + +KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/router.md b/i18n/it/router.md new file mode 100644 index 00000000..2969569c --- /dev/null +++ b/i18n/it/router.md 
@@ -0,0 +1,60 @@ +--- +title: "Firmware Router" +icon: material/router-wireless +--- + +Di seguito sono elencati alcuni sistemi operativi alternativi che possono essere usati su router, punti di accesso Wi-Fi, ecc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** è un sistema operativo basato su Linux, usato principalmente su dispositivi embedded per instradare il traffico di rete. Include util-linux, uClibc e BusyBox. Tutti i componenti sono stati ottimizzati per i router domestici. + + [:octicons-home-16: Pagina principale](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Codice Sorgente" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribuisci } + +È possibile consultare la [tabella degli hardware](https://openwrt.org/toh/start) di OpenWrt per verificare se il tuo dispositivo è supportato. + +## OPNsense + +!!! recommendation + + ![pfSense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** è una piattaforma open source di firewall e routing basata su FreeBSD che incorpora molte funzionalità avanzate come il traffic shaping, il bilanciamento del carico e le funzionalità VPN, con molte altre funzionalità disponibili sotto forma di plugin. OPNsense viene comunemente utilizzato come firewall perimetrale, router, punto di accesso wireless, server DHCP, server DNS ed endpoint VPN. 
+ + [:octicons-home-16: Pagina principale](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Codice Sorgente" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribuisci} + +OPNsense è stato originariamente sviluppato come fork di [pfSense](https://en.wikipedia.org/wiki/PfSense), ed entrambi i progetti sono noti per essere distribuzioni di firewall gratuite e affidabili che offrono funzionalità spesso presenti solo in costosi firewall commerciali. Lanciato nel 2015, gli sviluppatori di OPNsense [hanno citato](https://docs.opnsense.org/history/thefork.html) una serie di problemi di sicurezza e di qualità del codice di pfSense che, a loro avviso, rendevano necessario un fork del progetto, oltre a preoccupazioni sull'acquisizione della maggioranza di pfSense da parte di Netgate e sulla futura direzione del progetto pfSense. + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. 
downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +- Deve essere open source. +- Deve ricevere aggiornamenti regolari. +- Must support a wide variety of hardware. + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/search-engines.md b/i18n/it/search-engines.md new file mode 100644 index 00000000..bb0dc0e1 --- /dev/null +++ b/i18n/it/search-engines.md 
@@ -0,0 +1,118 @@ +--- +title: "Motori di ricerca" +icon: material/search-web +--- + +Utilizza un motore di ricerca che non crei un profilo pubblicitario basato sulle tue ricerche. + +Le raccomandazioni riportate si basano sui meriti delle privacy policy di ciascun servizio. Non c'è **alcuna garanzia** che queste vengano rispettate. + +Considera l'utilizzo di un [VPN](vpn.md) o di [Tor](https://www.torproject.org/) se il tuo modello di minaccia richiede di nascondere l'indirizzo IP al provider di ricerca. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** è sviluppato da Brave e fornisce principalmente risultati dal proprio indice indipendente, il quale è ottimizzato rispetto a Google Search, potendo quindi fornire risultati più contestualmente accurati, rispetto alle altre alternative. + + Brave Search comprende funzionalità uniche come 'Discussions', che mette in evidenza risultati incentrati su conversazioni, come i post dei forum. + + Suggeriamo di disabilitare l'opzione [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) nelle impostazioni, che è attiva di default. + + [:octicons-home-16: Pagina principale](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Servizio Onion" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentazione} + +Brave Search ha sede negli Stati Uniti. La loro[informativa sulla privacy](https://search.brave.com/help/privacy-policy) dichiara che raccolgono dati aggregati, i quali includono il sistema operativo e il browser in utilizzo, ma nessuna informazione d'identificazione personale. Gli indirizzi IP sono temporaneamente processati, ma non conservati. 
+ +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** è uno dei motori di ricerca privati più conosciuto. Tra le funzionalità di ricerca di DukDuckGo vi sono i [bangs](https://duckduckgo.com/bang) e molte [risposte istantanee](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). Il motore di ricerca si basa su un'API commerciale di Bing per fornire la maggior parte di risultati, ma utilizza numerose [altre fonti](https://help.duckduckgo.com/results/sources/) per le risposte istantanee e risultati secondari. + + DuckDuckGo è il motore di ricerca predefinito del Tor Browser ed è una delle poche opzioni disponibili sul browser Safari di Apple. + + [:octicons-home-16: Pagina principale](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Servizio Onion" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentazione} + +DuckDuckGo ha sede negli Stati Uniti. La loro[informativa della privacy](https://duckduckgo.com/privacy) dichiara che **raccolgono** le tue ricerche per migliorare il prodotto, ma non registrano il tuo indirizzo IP o qualsiasi altra informazione d'identificazione personale. + +DuckDuckGo offre altre [due versioni](https://help.duckduckgo.com/features/non-javascript/) del proprio motore di ricerca, entrambe le quali non richiedono JavaScript. Tuttavia, queste versioni mancano di funzionalità. 
Possono essere inoltre essere utilizzate in congiunzione con il loro [indirizzo onion Tor](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/), aggiungendo [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) o [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) rispettivamente. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** è un meta-motore di ricerca open source e self-hostable, che aggrega risultati di altri motore di ricerca, ma senza raccogliere alcuna informazione a sua volta. È un fork attivamente mantenuto di [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Pagina principale](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Istanze pubbliche"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Codice sorgente" } + +SearXNG è un proxy tra l'utente e i motori di ricerca che aggrega. Le tue stringhe di ricerca vengono inviate a tutti i motori dai quali SearXNG ottiene i suoi risultati. + +Nel caso di self-hosting, è importante che anche altre persone utilizzino la tua istanza, in modo che le stringhe di ricerca si confondino tra di loro. Rimani attento a dove e come esegui il self-hosting, in quanto utenti che ricercano contenuti illegali mediante la tua istanza potrebbero attirare l'attenzione indesiderata delle autorità. + +Quando utilizzi una istanza di SearXNG, ricordati di leggere la rispettiva informativa della privacy. Dato che le istanze possono essere modificate dai corrispettivi proprietari, non necessariamente riflettono la propria informativa sulla privacy. Alcune istante vengono eseguite come servizio nascosto Tor, il che può garantire più privacy, a patto che le tue stringhe di ricerca non contengano PII. + +## Startpage + +!!! 
recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** è un motore di ricerca privato noto per riportare risultati di ricerca di Google. Il fiore all'occhiello di Startpage è la [Anonymous View](https://www.startpage.com/en/anonymous-view/), che si sforza di standardizzare l'attività degli utenti in modo da rendere più difficile l'identificazione univoca. Questa funzione può essere utile per nascondere [alcune](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) caratteristiche della rete e del browser. A differenza di quanto suggerisce il nome, non ci si deve affidare a questa funzione per ottenere l'anonimato. Se cerchi l'anonimato, utilizzate invece il [Tor Browser](tor.md#tor-browser). + + [:octicons-home-16: Pagina principale](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentazione} + +!!! warning "Avviso" + + Startpage limita regolarmente l'accesso ai suori servizi a determinati indirizzi IP, come quelli riservati per i VPN e Tor. [DuckDuckGo](#duckduckgo) e [Brave Search](#brave-search) sono opzioni più amichevoli se il tuo Threat Model richiede di nascondere il tuo indirizzo IP al provider di ricerca. + +Startpage ha sede nei Paesi Bassi. Secondo la loro [informativa sulla privacy](https://www.startpage.com/en/privacy-policy/), registrano dettagli quali: sistema operativo, tipo di browser e lingua. Non registrano l'indirizzo IP, le stringhe di ricerca o altre informazioni d'identificazione personale. 
+ +L'azionista di maggioranza di Startpage è System1, un'azienda di tecnologie pubblicitarie. Non riteniamo ciò essere un problema, visto che seguono una distinta e separata [informativa sulla privacy](https://system1.com/terms/privacy-policy). Il team di Privacy Guides contattò Startpage [ nel 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) per chiarire le preoccupazioni legate al considerevole investimento da parte si System1 nel servizio; siamo stati soddisfatti dalle risposte ricevute. + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +### Requisiti minimi + +- Non devono raccogliere informazioni di identificazione personale secondo la loro informativa sulla privacy. +- Non devono permettere agli utenti di creare un account con loro. + +### Caso migliore + +KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). 
Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password. + +- Dovrebbe essere basato su software open-source. +- Non dovrebbe bloccare gli indirizzi IP dei nodi di uscita di Tor. + +--8<-- "includes/abbreviations.it.txt" diff --git a/i18n/it/tools.md b/i18n/it/tools.md new file mode 100644 index 00000000..c2c90006 --- /dev/null +++ b/i18n/it/tools.md @@ -0,0 +1,441 @@ +--- +title: "Strumenti per la privacy" +icon: material/tools +hide: + - toc +--- + +Se stai cercando una soluzione specifica per qualcosa, questi sono gli strumenti hardware e software che ti consigliamo in una varietà di categorie. I nostri strumenti di privacy consigliati sono scelti principalmente in base alle funzionalità di sicurezza, con maggiore enfasi sugli strumenti decentralizzati e open-source. Sono applicabili a una varietà di modelli di minaccia che vanno dalla protezione contro i programmi di sorveglianza di massa globali e evitare le grandi aziende tecnologiche alla mitigazione degli attacchi, ma solo tu puoi determinare cosa funzionerà meglio per le tue esigenze. + +Se vuoi assistenza per capire i migliori strumenti per la privacy e programmi alternativi più adatti alle tue esigenze, inizia una discussione sul nostro forum [](https://discuss.privacyguides.net/) o sulla nostra community [Matrix](https://matrix.to/#/#privacyguides:matrix.org)! + +Per maggiori dettagli su ogni progetto, sul motivo per cui è stato scelto e su ulteriori suggerimenti o trucchi che consigliamo, clicca il link "Maggiori informazioni" in ogni sezione, oppure clicca il suggerimento stesso per essere indirizzato a quella specifica sezione della pagina. + +## Rete Tor + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake non aumenta la privacy, ma permette di contribuire facilmente alla rete Tor e di aiutare le persone in reti soggette a censura a ottenere una privacy migliore. + +[Maggiori informazioni :material-arrow-right-drop-circle:](tor.md) + +## Browser web desktop + +
+ +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Risorse aggiuntive + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Browser web mobile + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Risorse aggiuntive + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Sistemi operativi + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](android.md) + +#### Applicazioni Android + +
+
+- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store)
+- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter)
+- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor)
+- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera)
+- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](android.md#general-apps)
+
+### Desktop/PC
+
+
+
+- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os)
+- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation)
+- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed)
+- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux)
+- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue)
+- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos)
+- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix)
+- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](desktop.md)
+
+### Firmware Router
+
+
+
+- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt)
+- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](router.md)
+
+## Fornitori di servizi
+
+### Archiviazione in cloud
+
+
+
+- ![Cryptee logo](assets/img/cloud/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/cloud/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](cloud.md#cryptee)
+- ![Nextcloud logo](assets/img/cloud/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](cloud.md#nextcloud)
+- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](cloud.md)
+
+### DNS
+
+#### Fornitori DNS
+
+[Raccomandiamo](dns.md#recommended-providers) una serie di server DNS criptati basati su una serie di criteri, come [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) e [Quad9](https://quad9.net/) tra gli altri. Ti consigliamo di leggere le nostre pagine sui DNS prima di scegliere un fornitore. In molti casi, l'utilizzo di un fornitore DNS alternativo non è consigliato.
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](dns.md)
+
+#### Self-hosting
+
+
+
+- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns)
+- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies)
+
+#### Self-hosted Solutions
+
+
+
+- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home)
+- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions)
+
+### Email
+
+
+
+- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail)
+- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg)
+- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail)
+- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](email.md)
+
+#### Email installabili in locale
+
+
+
+- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy)
+- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](email.md#email-aliasing-services)
+
+#### I nostri criteri
+
+
+
+- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email)
+- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](email.md#self-hosting-email)
+
+### Motori di ricerca
+
+
+
+- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search)
+- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo)
+- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng)
+- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](search-engines.md)
+
+### Fornitori di VPN
+
+??? danger "Le VPN non forniscono anonimato"
+
+ L'utilizzo di una VPN **non** manterrà anonime le tue abitudini di navigazione, né aggiungerà ulteriore sicurezza al traffico non sicuro (HTTP).
+
+ Se stai cercando **anonimato**, dovresti usare il Tor Browser **invece** di una VPN.
+
+ Se stai cercando maggiore **sicurezza**, dovresti sempre assicurarti di connetterti a siti Web usando HTTPS. Una VPN non è un sostituto per buone pratiche di sicurezza.
+
+ [Maggiori informazioni :material-arrow-right-drop-circle:](vpn.md)
+
+
+
+- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn)
+- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn)
+- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](vpn.md)
+
+## Software
+
+### Sincronizzazione di calendario e contatti
+
+
+
+- ![Tutanota logo](assets/img/calendar-contacts/tutanota.svg){ .twemoji } [Tutanota](calendar-contacts.md#tutanota)
+- ![Proton Calendar logo](assets/img/calendar-contacts/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar-contacts.md#proton-calendar)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](calendar.md)
+
+### Rimozione di dati e metadati
+
+
+
+- ![ExifCleaner logo](assets/img/data-redaction/exifcleaner.svg){ .twemoji } [ExifCleaner](data-redaction.md#exifcleaner)
+- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2)
+- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android)
+- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios)
+- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur)
+- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](data-redaction.md)
+
+### Condivisione di file
+
+
+
+- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird)
+- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos)
+- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios)
+- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android)
+- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome)
+- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android)
+- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde)
+- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser)
+- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](email-clients.md)
+
+### Software di crittografia
+
+??? info "Crittografia del disco del sistema operativo"
+
+ Per crittografare il disco del sistema operativo, in genere si consiglia di utilizzare lo strumento di crittografia fornito dal sistema operativo, che sia **BitLocker** su Windows, **FileVault** su macOS o **LUKS** su Linux. Questi strumenti sono inclusi nel sistema operativo e in genere utilizzano elementi di crittografia hardware come un TPM che altri software di crittografia full-disk come VeraCrypt non fanno. VeraCrypt è comunque adatto a dischi senza sistema operativo come le unità esterne, in particolare quelle a cui si può accedere da più sistemi operativi.
+
+ [Maggiori informazioni :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde)
+
+
+
+- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud)
+- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file)
+- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk)
+- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh)
+- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor)
+- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](encryption.md)
+
+#### Client OpenPGP
+
+
+
+- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard)
+- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win)
+- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite)
+- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](encryption.md#openpgp)
+
+### Condivisione e sincronizzazione dei file
+
+
+
+- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send)
+- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare)
+- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox)
+- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](file-sharing.md)
+
+### Frontend
+
+
+
+- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian)
+- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter)
+- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube)
+- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android)
+- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious)
+- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](frontends.md)
+
+### Strumenti di autenticazione a più fattori
+
+
+
+- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey)
+- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key)
+- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator)
+- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](multi-factor-authentication.md)
+
+### Aggregatori di notizie
+
+
+
+- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator)
+- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder)
+- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader)
+- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds)
+- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux)
+- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire)
+- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](news-aggregators.md)
+
+### Blocchi note
+
+
+
+- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin)
+- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes)
+- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](notebooks.md)
+
+### Gestori di password
+
+
+
+- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden)
+- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password)
+- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono)
+- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc)
+- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android)
+- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos)
+- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](passwords.md)
+
+### Strumenti di produttività
+
+
+
+- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice)
+- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice)
+- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad)
+- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](productivity.md)
+
+### Comunicazione in tempo reale
+
+
+
+- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal)
+- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element)
+- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session)
+- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar (Android)](real-time-communication.md#briar-android)
+- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](real-time-communication.md)
+
+### Client di streaming video
+
+
+
+- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry)
+
+
+
+[Maggiori informazioni :material-arrow-right-drop-circle:](video-streaming.md)
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/tor.md b/i18n/it/tor.md
new file mode 100644
index 00000000..1a60c3f3
--- /dev/null
+++ b/i18n/it/tor.md
@@ -0,0 +1,124 @@
+---
+title: "Rete Tor"
+icon: simple/torproject
+---
+
+![Logo Tor](assets/img/self-contained-networks/tor.svg){ align=right }
+
+La rete **Tor** è un gruppo di server gestiti da volontari che permette di connettersi gratuitamente e migliorare la propria privacy e sicurezza su Internet. Individui e organizzazioni possono anche condividere informazioni attraverso la rete Tor con i "servizi nascosti .onion" senza compromettere la loro privacy. Poiché il traffico Tor è difficile da bloccare e tracciare, Tor è un efficace strumento di elusione della censura.
+
+[:octicons-home-16:](https://www.torproject.org){ .card-link title="Pagina principale" }
+[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Servizio Onion" }
+[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentazione}
+[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Codice sorgente" }
+[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuisci }
+
+Tor funziona instradando il traffico internet attraverso questi server gestiti da volontari, invece di effettuare una connessione diretta al sito che si sta cercando di visitare. In questo modo si offusca la provenienza del traffico e nessun server nel percorso di connessione è in grado di vedere il percorso completo del traffico proveniente e diretto, il che significa che nemmeno i server utilizzati per connettersi possono violare l'anonimato.
+
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+
Tor circuit pathway - I nodi del percorso possono vedere solo i server a cui sono direttamente collegati, ad esempio il nodo "Entry" mostrato può vedere il vostro indirizzo IP e l'indirizzo del nodo "Middle", ma non ha modo di vedere quale sito web state visitando.
+
+
+- [Maggiori informazioni sul funzionamento di Tor :material-arrow-right-drop-circle:](advanced/tor-overview.md)
+
+## Connessione a Tor
+
+Esistono diversi modi per connettersi alla rete Tor dal proprio dispositivo, il più comunemente usato è il **Tor Browser**, un fork di Firefox progettato per la navigazione anonima per computer desktop e Android. Oltre alle applicazioni elencate di seguito, esistono anche sistemi operativi progettati appositamente per connettersi alla rete Tor, come [Whonix](desktop.md#whonix) su [Qubes OS](desktop.md#qubes-os), che offrono una sicurezza e una protezione ancora maggiori rispetto al Tor Browser standard.
+
+### Tor Browser
+
+!!! recommendation
+
+ ![logo di Tor Browser](assets/img/browsers/tor.svg){ align=right }
+
+ Il **Tor Browser** è la scelta ideale per chi ha bisogno di anonimato, in quanto fornisce l'accesso alla rete e ai ponti Tor e include impostazioni predefinite ed estensioni configurate automaticamente in base ai livelli di sicurezza predefiniti: *Standard*, *Sicuro* e *Il più sicuro*.
+
+ [:octicons-home-16: Pagina principale](https://www.torproject.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Servizio Onion" }
+ [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentazione }
+ [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuisce }
+
+ ??? 
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
+ - [:simple-android: Android](https://www.torproject.org/download/#android)
+ - [:simple-windows11: Windows](https://www.torproject.org/download/)
+ - [:simple-apple: macOS](https://www.torproject.org/download/)
+ - [:simple-linux: Linux](https://www.torproject.org/download/)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor)
+
+!!! danger "Pericolo"
+
+ Non si devono **mai** installare estensioni aggiuntive su Tor Browser o modificare le impostazioni `about:config`, comprese quelle suggerite per Firefox. Le estensioni del browser e impostazioni non standard ti rendono distinguibile dagli altri utenti della rete Tor, aumentando così il [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting) del tuo browser.
+
+Tor Browser è progettato per evitare il fingerprinting o l'identificazione dell'utente attraverso la configurazione del browser. Pertanto, è indispensabile **non** modificare il browser oltre i livelli di sicurezza [predefiniti](https://tb-manual.torproject.org/security-settings/).
+
+### Orbot
+
+!!! recommendation
+
+ ![Logo Orbot](assets/img/self-contained-networks/orbot.svg){ align=right }
+
+ **Orbot** è una VPN Tor gratuita per smartphone che instrada il traffico da qualsiasi app sul dispositivo attraverso la rete Tor.
+
+ [:octicons-home-16: Pagina principale](https://orbot.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://orbot.app/code){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribuisci }
+
+ ??? 
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599)
+ - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases)
+
+Per resistere agli attacchi di analisi del traffico, considera di abilitare *Isola gli indirizzi di destinazione* in :material-menu: → **Impostazioni** → **Connectivity**. In questo modo si utilizzerà un circuito Tor completamente diverso (nodi intermedi e di uscita diversi) per ogni dominio a cui ci si connette.
+
+!!! tip "Suggerimenti per Android"
+
+ Orbot può eseguire il proxy di singole applicazioni se queste supportano il proxy SOCKS o HTTP. Può anche effettuare il proxy di tutte le connessioni di rete utilizzando [VpnService](https://developer.android.com/reference/android/net/VpnService) e può essere utilizzato con il killswitch VPN in :gear: **Impostazioni** → **Rete & Internet** → **VPN** → :gear: → **Blocca connessioni senza VPN**.
+
+ Orbot è spesso obsoleto sul [repository di F-Droid](https://guardianproject.info/fdroid) e [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) del Guardian Project, per cui si consiglia di scaricarlo direttamente dal [repository di GitHub](https://github.com/guardianproject/orbot/releases).
+
+ Tutte le versioni sono firmate utilizzando la stessa firma, quindi dovrebbero essere compatibili tra loro.
+
+## Relay e Bridge
+
+### Snowflake
+
+!!! recommendation
+
+ ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right }
+ ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right }
+
+ **Snowflake** ti permette di donare larghezza di banda al Tor Project, operando i cosiddetti "Snowflake proxy" all'interno del tuo browser.
+
+ Individui sottoposti a censura possono utilizzare questi proxy per connettersi alla rete Tor. 
Snowflake è un ottimo modo per contribuire alla rete Tor, senza la necessità di avere il know-how tecnico per gestire un relay o ponte Tor.
+
+ [:octicons-home-16: Pagina principale](https://snowflake.torproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Codice sorgente" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuisci }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie)
+ - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy")
+
+??? tip "Snowflake incorporato"
+
+ Puoi abilitare Snowflake nel tuo browser cliccando il pulsante sottostante e ==lasciando questa pagina aperta==. Puoi inoltre installare Snowflake come un'estensione del browser per poter sempre utilizzarlo quando navighi su Internet, ma, come già detto in precedenza, questo può aumentare la tua superficie di attacco.
+
+
+ Se l'incorporamento non appare, assicurati di non star bloccando il frame di terza parte da 'torproject.org'. Alternativamente, visita [questa pagina](https://snowflake.torproject.org/embed.html).
+
+Snowflake non aumenta in alcun modo la tua privacy e non viene utilizzato per connettersi alla rete Tor all'interno del tuo browser personale. Tuttavia, se la tua connessione a Internet non è censurata, dovresti prendere in considerazione la possibilità di utilizzarlo per aiutare le persone che si trovano in reti censurate a ottenere una migliore privacy. Non c'è bisogno di preoccuparsi dei siti web a cui le persone accedono attraverso il tuo proxy: il loro indirizzo IP di navigazione visibile corrisponderà al loro nodo di uscita Tor, non al tuo.
+
+La gestione di un proxy Snowflake è a basso rischio, anche più della gestione di un relay o bridge di Tor, che già non sono attività particolarmente rischiose. Tuttavia, il traffico viene comunque instradato attraverso la tua rete, il che può avere un certo impatto, soprattutto se la tua rete ha una larghezza di banda limitata. Assicurati di comprendere [come Snowflake funziona](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) prima di decidere se gestire un proxy.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/video-streaming.md b/i18n/it/video-streaming.md
new file mode 100644
index 00000000..aa29b60b
--- /dev/null
+++ b/i18n/it/video-streaming.md
@@ -0,0 +1,61 @@
+---
+title: "Streaming video"
+icon: material/video-wireless
+---
+
+Il rischio principale quando si usa una piattaforma di streaming video è che le tue abitudini e iscrizioni possano essere usate per profilarti. Suggeriamo di utilizzare questi strumenti accompagnati da un [VPN](vpn.md) o [Tor](https://www.torproject.org/) in modo da rendere più difficile la profilazione.
+
+## Client
+
+!!! recommendation
+
+ ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right }
+
+ **La rete LBRY** è una rete di condivisione video decentralizzata. Utilizza una rete simile a [BitTorrent](https://it.wikipedia.org/wiki/BitTorrent) per memorizzare i contenuti video e una [blockchain](https://it.wikipedia.org/wiki/Blockchain) per memorizzare gli indici di tali video. Il vantaggio principale di questo design è la resistenza alla censura.
+
+ **Il client desktop di LBRY** consente lo streaming di video dalla rete LBRY e memorizza l'elenco delle iscrizioni nel proprio portafoglio LBRY.
+
+ [:octicons-home-16: Pagina principale](https://lbry.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Codice sorgente" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://lbry.com/windows)
+ - [:simple-apple: macOS](https://lbry.com/osx)
+ - [:simple-linux: Linux](https://lbry.com/linux)
+
+!!! note
+
+ Si raccomanda solo il **client desktop LBRY**, poiché il sito web [Odysee](https://odysee.com) e i client LBRY in F-Droid, Play Store e App Store hanno la sincronizzazione e la telemetria obbligatorie.
+
+!!! warning "Avviso"
+
+ Durante la visione e l'hosting dei video, il tuo indirizzo IP è visibile alla rete LBRY. 
Considera l'uso di [VPN](vpn.md) o [Tor](https://www.torproject.org) se il [modello di minaccia](basics/threat-modeling.md) richiede di nascondere l'indirizzo IP.
+
+Raccomandiamo di **non sincronizzare** il portafoglio con LBRY Inc. poiché la sincronizzazione dei portafogli crittografati non è ancora supportata. Se sincronizzi il tuoportafoglio con LBRY Inc. devi fidarti del fatto che non guarderanno la tua lista delle iscrizioni, i fondi di [LBC](https://lbry.com/faq/earn-credits) o prenderanno il controllo del tuo canale.
+
+È possibile disattivare l'opzione *Save hosting data to help the LBRY network* in :gear: **Settings** → **Advanced Settings**, per evitare di esporre il proprio indirizzo IP e i video guardati quando si utilizza LBRY per un periodo di tempo prolungato.
+
+## CryptPad
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+- Non deve richiedere un account centralizzato per visualizzare i video. 
+ - L'autenticazione decentralizzata, ad esempio tramite la chiave privata di un wallet mobile, è accettabile.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/it/vpn.md b/i18n/it/vpn.md
new file mode 100644
index 00000000..607379d6
--- /dev/null
+++ b/i18n/it/vpn.md
@@ -0,0 +1,323 @@
+---
+title: "Servizi VPN"
+icon: material/vpn
+---
+
+Trova un operatore VPN che non si occupi di leggere o vendere il tuo traffico web.
+
+??? danger "Le VPN non forniscono anonimato"
+
+ L'utilizzo di una VPN **non** manterrà anonime le tue abitudini di navigazione, né aggiungerà ulteriore sicurezza al traffico non sicuro (HTTP).
+
+ Se stai cercando **anonimato**, dovresti usare il Tor Browser **invece** di una VPN.
+
+ Se stai cercando maggiore **sicurezza**, dovresti sempre assicurarti di connetterti a siti Web usando HTTPS. Una VPN non è un sostituto per buone pratiche di sicurezza.
+
+ [Scarica Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](basics/tor-overview.md){ .md-button }
+
+??? question "Quando sono utili le VPN?"
+
+ Se stai cercando una maggiore **privacy** dal tuo ISP, su una rete Wi-Fi pubblica o durante il torrenting di file, una VPN potrebbe essere la soluzione, a patto che ne comprendi i rischi.
+
+ [Maggior informazioni](basics/vpn-overview.md){ .md-button }
+
+## Provider consigliati
+
+!!! summary "Criteri"
+
+ I fornitori che consigliamo utilizzano la crittografia, accettano Monero, supportano WireGuard & OpenVPN e applicano una politica di non registrazione del traffico. Leggi la nostra [lista completa dei criteri](#our-criteria).
+
+### Proton VPN
+
+!!! recommendation annotate
+
+ ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right }
+
+ **Proton VPN** è un forte concorrente nello spazio VPN ed è attivo dal 2016. Proton AG ha sede in Svizzera e offre un livello gratuito limitato, così come un'opzione premium più ricca di funzioni.
+
+ **Gratuito** — **Piano Plus da 71,88€ all'anno** (1)
+
+ [:octicons-home-16: Pagina principale](https://protonvpn.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Codice sorgente" } downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085)
+ - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases)
+ - [:simple-windows11: Windows](https://protonvpn.com/download-windows)
+ - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/)
+
+??? success annotate "67 paesi"
+
+ Proton VPN ha [server in 67 paesi](https://protonvpn.com/vpn-servers) (1). Scegliere un provider VPN con un server più vicino a voi ridurrà la latenza del traffico di rete inviato. Ciò è dovuto al fatto che il percorso verso la destinazione è più breve (meno hop).
+
+ Riteniamo inoltre che sia meglio per la sicurezza della chiave privata del provider VPN se utilizza [server dedicati](https://en.wikipedia.org/wiki/Dedicated_hosting_service), invece che soluzioni condivise (con altri clienti) più economiche, come un [virtual private server (VPS)](https://it.wikipedia.org/wiki/Virtual_private_server).
+
+1. Ultimo controllo: 16-09-2022
+
+??? success "Audit indipendente"
+
+ Nel mese di gennaio del 2020, Proton VPN è stato sottoposto ad un audit indipendente da parte di SEC Consult. SEC Consult ha riscontrato alcune vulnerabilità di basso e medio rischio nelle applicazioni di Windows, Android e iOS, le quali sono state "adeguatamente risolte" da Proton VPN prima della pubblicazione dei rapporti.
Nessuno dei problemi identificati avrebbe potuto garantire a un hacker di accedere da remoto al tuo dispositivo o al tuo traffico. Puoi vedere i singoli rapporti per ogni piattaforma su [protonvpn.com](https://protonvpn.com/blog/open-source/). Nell'aprile 2022 Proton VPN è stata sottoposta ad [un altro audit](https://protonvpn.com/blog/no-logs-audit/) e il rapporto è stato [prodotto da Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). Una [lettera di attestazione](https://proton.me/blog/security-audit-all-proton-apps) è stata fornita per le applicazioni di Proton VPN il 9 novembre 2021 da [Securitum](https://research.securitum.com).
+
+??? success "Client Open-Source"
+
+ Proton VPN fornisce il codice sorgente dei loro client desktop e mobile nella loro [organizzazione GitHub](https://github.com/ProtonVPN).
+
+??? success "Accetta contanti"
+
+ Oltre ad accettare carte di credito/debito e PayPal, Proton VPN accetta pagamenti in Bitcon e **contanti/valuta locale** come forma di pagamento anonima.
+
+??? success "Supporto WireGuard"
+
+ Proton VPN supporta principalmente il protocollo WireGuard®. [WireGuard](https://www.wireguard.com) è un protocollo più recente che utilizza una [cryptography](https://www.wireguard.com/protocol/) di ultima generazione. Inoltre, WireGuard mira a essere più semplice e performante.
+
+ Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) l'utilizzo di WireGuard con il loro servizio. Nelle applicazioni Windows, macOS, iOS, Android, ChromeOS e Android TV, WireGuard è il protocollo predefinito, tuttavia il [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) per il protocollo non è presente nella loro applicazione Linux.
+
+??? warning "Remote Port Forwarding"
+
+ Proton VPN supporta attualmente il [port forwarding](https://protonvpn.com/support/port-forwarding/) remoto solo su Windows, il che potrebbe impattare alcune applicazioni.
In particolare le applicazioni Peer-to-peer come i client Torrent.
+
+??? success "Client mobile"
+
+ In aggiunta ai file di configurazione OpenVPN standard, Proton VPN fornisce client per i dispositivi mobili su [App Store](https://apps.apple.com/it/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl_it)e [GitHub](https://github.com/ProtonVPN/android-app/releases), permettendo connessioni facili ai loro server.
+
+??? info "Funzionalità aggiuntive"
+
+ I client Proton VPN supportano l'autenticazione a due fattori su tutte le piattaforme, ad eccezione di Linux, al momento. Proton VPN ha i propri server e datacenter in Svizzera, Islanda e Svezia. Offrono il blocco delle pubblicità e dei domini malware noti mediante il loro servizio DNS. Inoltre, Proton VPN offre server "Tor" permettendoti di connetterti facilmente ai siti onion; consigliamo fortemente di utilizzare il [browser Tor ufficiale](https://www.torproject.org/) per questo scopo.
+
+!!! danger "La funzione Killswitch non funziona sui Mac con processori Intel"
+
+ Si possono verificare arresti anomali del sistema (https://protonvpn.com/support/macos-t2-chip-kill-switch/) sui Mac basati su Intel quando si utilizza il killswitch VPN. Se hai bisogno di questa funzione e utilizzi un Mac con chipset Intel, dovresti considerare l'utilizzo di un altro servizio VPN.
+
+### IVPN
+
+!!! recommendation
+
+ ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right }
+
+ **IVPN** è un altro provider VPN premium, il quale opera dal 2009. IVPN ha sede a Gibilterra.
+
+ [:octicons-home-16: Pagina principale](https://crypt.ee){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Informativa sulla privacy" }
+ [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general){ .card-link title=Documentazione}
+ [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Codice sorgente" }
+
+ ???
downloads
+
+ - [:simple-android: Android](https://www.ivpn.net/apps-android/)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683)
+ - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/)
+ - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/)
+ - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/)
+
+??? success annotate "35 paesi"
+
+ IVPN ha [server in 35 paesi](https://www.ivpn.net/server-locations) (1). Scegliere un provider VPN con un server più vicino a voi ridurrà la latenza del traffico di rete inviato. Ciò è dovuto al fatto che il percorso verso la destinazione è più breve (meno hop).
+
+ Riteniamo inoltre che sia meglio per la sicurezza della chiave privata del provider VPN se utilizza [server dedicati](https://en.wikipedia.org/wiki/Dedicated_hosting_service), invece che soluzioni condivise (con altri clienti) più economiche, come un [virtual private server (VPS)](https://it.wikipedia.org/wiki/Virtual_private_server).
+
+1. Ultimo controllo: 16-09-2022
+
+??? success "Audit indipendente"
+
+ IVPN è stato sottoposto a un [audit no-logging da parte di Cure53](https://cure53.de/audit-report_ivpn.pdf), che si è concluso in accordo con l'affermazione no-logging di IVPN. IVPN ha anche completato un [rapporto pentest completo Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) nel gennaio 2020. IVPN ha dichiarato di avere in programma [rapporti annuali](https://www.ivpn.net/blog/independent-security-audit-concluded) in futuro. Un'ulteriore ispezione è stata condotta [nell'aprile 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) ed è stata resa pubblica da Cure53 [sul loro sito web](https://cure53.de/pentest-report_IVPN_2022.pdf).
+
+??? success "Client Open-Source"
+
+ Da febbrario del 2020, le [applicazioni di IVPN sono open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source).
Il codice sorgente può essere ottenuto dalla loro [organizzazione GitHub](https://github.com/ivpn).
+
+??? success "Accetta contanti e Monero"
+
+ Oltre ad accettare carte di credito/debito e PayPal, IVPN accetta pagamenti in Bitcon, **Monero** e **contanti/valuta locale** (su piani annuali) come forma di pagamento anonima.
+
+??? success "Supporto WireGuard"
+
+ IVPN supporta il protocollo WireGuard®. [WireGuard](https://www.wireguard.com) è un protocollo più recente che utilizza una [cryptography](https://www.wireguard.com/protocol/) di ultima generazione. Inoltre, WireGuard mira a essere più semplice e performante.
+
+ IVPN [recommends](https://www.ivpn.net/wireguard/) l'uso di WireGuard con il loro servizio e, come tale, il protocollo è predefinito su tutte le app IVPN. IVPN inoltre offre un generatore di configurazioni WireGuard per l'uso con le [app](https://www.wireguard.com/install/) ufficiali del protocollo.
+
+??? success "Remote Port Forwarding"
+
+ Il [port forwarding](https://it.wikipedia.org/wiki/Port_forwarding) remoto è possibile con un piano Pro. Il port forwarding [può essere attivato](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) mediante il client. Il port forwarding è disponibile solo su IVPN quando si utilizzano protocolli WireGuard o OpenVPN ed è [disabilitato sui server statunitensi](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html).
+
+??? success "Client mobile"
+
+ In aggiunta ai file di configurazione OpenVPN standard, IVPN fornisce client per i dispositivi mobili su [App Store](https://apps.apple.com/it/app/ivpn-serious-privacy-protection/id1193122683), [Google Play] e [GitHub](https://github.com/ivpn/android-app/releases)(https://play.google.com/store/apps/details?id=net.ivpn.client), permettendo connessioni facili ai loro server.
+
+??? info "Funzionalità aggiuntive"
+
+ I client IVPN supportano l'autenticazione a due fattori (i client Mullvad no).
IVPN inoltre fornisce la funzionalità "[AntiTracker](https://www.ivpn.net/antitracker)", la quale blocca le reti pubblicitarie e i tracker a livello di rete.
+
+### Mullvad
+
+!!! recommendation
+
+ ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right }
+
+ **Mullvad** è una VPN veloce ed economica con una grande attenzione alla trasparenza e alla sicurezza. Sono operativi dal **2009**. Mullvad ha sede in Svezia e non dispone di una prova gratuita.
+
+ [:octicons-home-16: Pagina principale](https://mullvad.net){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513)
+ - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases)
+ - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/)
+ - [:simple-apple: macOS](https://mullvad.net/en/download/macos/)
+ - [:simple-linux: Linux](https://mullvad.net/en/download/linux/)
+
+??? success annotate "41 paesi"
+
+ Mullvad ha [server in 41 paesi](https://mullvad.net/servers/) (1). Scegliere un provider VPN con un server più vicino a voi ridurrà la latenza del traffico di rete inviato. Ciò è dovuto al fatto che il percorso verso la destinazione è più breve (meno hop).
+
+ Riteniamo inoltre che sia meglio per la sicurezza della chiave privata del provider VPN se utilizza [server dedicati](https://en.wikipedia.org/wiki/Dedicated_hosting_service), invece che soluzioni condivise (con altri clienti) più economiche, come un [virtual private server (VPS)](https://it.wikipedia.org/wiki/Virtual_private_server).
+
+1. Ultimo controllo: 19-01-2023
+
+??? success "Audit indipendente"
+
+ I client VPN di Mullvad sono stati revisionati da Cure53 e Assured AB in un rapporto di pentest [pubblicato su cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). I ricercatori di sicurezza hanno concluso che:
+
+ > Cure 53 e Assured AB sono soddisfatte dai risultati della verifica e il software lascia un'impressione complessivamente positiva. Con la dedizione alla sicurezza del team interno al complesso Mullvad VPN, i tester non hanno dubbi riguardo alla giusta direzione del progetto da un punto di vista della sicurezza.
+
+ Nel 2020, un secondo audit [è stato annunciato](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) e il [rapporto finale](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) è stato reso disponibile nel sito web di Cure53:
+
+ > I risultati di questo progetto del periodo maggio-giugno del 2020, riguardante il complesso di Mullvad, sono risultati piuttosto positivi. [...] L'ecosistema applicativo complessivo utilizzato da Mullvad lascia un'impressione solida e strutturata. La struttura complessiva dell'applicazione rende facile l'introduzione di patch e correzioni in modo strutturato. Più di ogni altra cosa, i risultati individuati da Cure53 mostrano l'importanza di controllare e rivalutare costantemente gli attuali vettori di fuga, al fine di garantire sempre la privacy degli utenti finali. Detto questo, Mullvad fa un ottimo lavoro nel proteggere l'utente finale dalle comuni perdite di informazioni d'identificazione personale e i relativi rischi legati alla privacy.
+
+ Nel 2021, [è stato annunciato](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) un audit dell'infrastruttura e il [rapporto finale](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) è stato reso disponibile sul sito web di Cure53. Un altro rapporto è stato commissionato [nel giugno 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) ed è disponibile sul [sito web di Assured](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf).
+
+??? success "Client Open-Source"
+
+ Mullvad rende disponibile il codice sorgente per i loro client desktop e per dispositivi mobili nella loro [organizzazione GitHub](https://github.com/mullvad/mullvadvpn-app).
+
+??? success "Accetta contanti e Monero"
+
+ Oltre ad accettare carte di credito/debito e PayPal, Mullvad accetta pagamenti in Bitcon, Bitcoin Cash, **Monero** e **contanti/valuta locale** come forma di pagamento anonima. Accettano inoltre Swish e bonifici bancari.
+
+??? success "Supporto WireGuard"
+
+ Mullvad supporta il protocollo WireGuard®. [WireGuard](https://www.wireguard.com) è un protocollo più recente che utilizza una [cryptography](https://www.wireguard.com/protocol/) di ultima generazione. Inoltre, WireGuard mira a essere più semplice e performante.
+
+ Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) l'utilizzo di WireGuard con il loro servizio. È il protocollo unico e predefinito nelle applicazioni su Android, iOS, macOS e Linux, mentre su Windows WireGuard va [attivato manualmente](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/). Mullvad offre un generatore di configurazioni WireGuard per l'uso con le [apps](https://www.wireguard.com/install/) ufficiali del protocollo.
+
+??? success "Supporto IPv6"
+
+ Mullvad supporta il futuro del networking [IPv6](https://it.wikipedia.org/wiki/IPv6).
La loro rete ti permette di [accedere a servizi che utilizzano IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/), al contrario degli altri provider, che bloccano le connessioni IPv6.
+
+??? success "Remote Port Forwarding"
+
+ Il [port forwarding](https://it.wikipedia.org/wiki/Port_forwarding) remoto è possibile per utenti che eseguono pagamenti una tantum, ma non per gli account con un metodo di pagamento ricorrente/sottoscrizione. Questo per evitare che Mullvad possa identificarti in base all'utilizzo della porta e alle informazioni di abbonamento memorizzate. Per ulteriori informazioni, vedere [port forwarding con Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/).
+
+??? success "Client mobile"
+
+ Mullvad ha pubblicato i client su [App Store](https://apps.apple.com/it/app/mullvad-vpn/id1488466513) e [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn), entrambi supportano un'interfaccia facile da usare, invece che richiederti di configurare manualmente la tua connnesione WireGuard. Il client Android è disponibile anche su [GitHub](https://github.com/mullvad/mullvadvpn-app/releases).
+
+??? info "Funzionalità aggiuntive"
+
+ Mullvad è molto trasparente su quali nodi [possiede o fitta](https://mullvad.net/en/servers/). Utilizzano [ShadowSocks](https://shadowsocks.org/) nella loro configurazione ShadowSocks + OpenVPN, rendendoli più resistenti ai firewall con [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) che cercano di bloccare le VPN. A quanto pare, [la Cina deve utilizzare un metodo diverso per bloccare i server ShadowSocks](https://github.com/net4people/bbs/issues/22). Il sito web di Mullvad è inoltre accessibile mediante Tor presso [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion).
+
+## CryptPad
+
+!!!
danger "Pericolo"
+
+ È importante notare che l'utilizzo di una VPN non ti rende anonimo, ma può migliorare la tua privacy in alcune situazioni. Una VPN non è uno strumento per attività illegali. Non affidarti ad una politica "no log".
+
+**Si prega di notare che non siamo affiliati a nessuno dei fornitori che raccomandiamo. Questo ci permette di fornire raccomandazioni completamente oggettive.** Abbiamo sviluppato un insieme di requisti chiari per ogni provider di VPN, tra cui una forte crittografia, controlli sulla sicurezza indipendenti, tecnologia moderna e altro. Ti suggeriamo di familiarizzare con questa lista prima di scegliere un provider VPN e di condurre la propria ricerca per assicurarsi che il provider scelto sia il più affidabile possibile.
+
+### Tecnologia
+
+Richiediamo a tutti i provider VPN da noi consigliati di fornire file di configurazione OpenVPN da utilizzare in qualsiasi client. **Se** una VPN fornisce il proprio client personalizzato, richiediamo un killswitch per bloccare le fughe di dati di rete quando si è disconnessi.
+
+**Requisiti minimi:**
+
+- Supporto per protocolli forti come WireGuard & OpenVPN.
+- Killswitch integrato nei client.
+- Supporto multihop. Il multihopping è importante per mantenere i dati privati nel caso in cui un nodo venisse compromesso.
+- Se vengono forniti client VPN, devono essere [open-source](https://en.wikipedia.org/wiki/Open_source), come il software VPN che generalmente hanno incorporato. Crediamo che la disponibilità del [codice sorgente](https://en.wikipedia.org/wiki/Source_code) fornisca grande trasparenza riguardo ciò che il tuo dispositivo sta effettivamente facendo.
+
+**Best Case:**
+
+- Supporto per WireGuard e OpenVPN.
+- Killswitch con opzioni altamente configurabili (abilitazione/disabilitazione su determinate reti, all'avvio, ecc.)
+- Client VPN facili da usare
+- Supporto per [IPv6](https://en.wikipedia.org/wiki/IPv6).
Ci aspettiamo che i server accettino connessioni in arrivo via IPv6 e che ti permettano di accedere a servizi su indirizzi IPv6.
+- La capacità di [port forwarding remoto](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) aiuta a creare connessioni quando si utilizza software per la condivisione file P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)), o nell'hosting di un server (es. Mumble).
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible. È necessario non raccogliere informazioni personali al momento della registrazione e accettare forme di pagamento anonime.
+
+**Requisiti minimi:**
+
+- Opzione di pagamento in contanti o in Monero.
+- Nessuna informazione personale richiesta per registrarsi: solo nome utente, password ed e-mail al massimo.
+
+**Best Case:**
+
+- Accetta Monero, contanti e altre forme di pagamento anonimo (carte regalo, etc.)
+- Nessuna informazione personale richiesta (nome utente autogenerato, nessuna e-mail richiesta, etc.)
+
+### Sicurezza
+
+Una VPN è inutile se non è nemmeno in grado di fornire una sicurezza adeguata. Richiediamo a tutti i nostri provider consigliati di rispettare gli standard di sicurezza attuali per le loro connessioni OpenVPN. L'ideale sarebbe utilizzare schemi di crittografia a prova di futuro per impostazione predefinita. Richiediamo inoltre che una terza parte indipendente verifichi la sicurezza del fornitore, idealmente in modo molto completo e su base ripetuta (annuale).
+
+**Requisiti minimi:**
+
+- Schemi di crittografia forti: OpenVPN con autenticazione SHA-256; handshake RSA-2048 o migliore; crittografia dei dati AES-256-GCM o AES-256-CBC.
+- Perfect Forward Secrecy (PFS).
+- Audit sulla sicurezza pubblicati da un'azienda terza affidabile.
+
+**Best Case:**
+
+- Crittografia più forte: RSA-4096.
+- Perfect Forward Secrecy (PFS).
+- Audit sulla sicurezza completi pubblicati da un'azienda terza affidabile.
+- Programmi di bug-bounty e/o un processo coordinato di divulgazione delle vulnerabilità.
+
+### Fiducia
+
+Non affideresti le tue finanze a qualcuno con un'identità falsa, quindi perché dovresti affidargli i tuoi dati internet? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Requisiti minimi:**
+
+- Dirigenza o proprietà pubblica.
+
+**Best Case:**
+
+- Dirigenza pubblica.
+- Rapporti di trasparenza frequenti.
+
+### Marketing
+
+Con i fornitori di VPN che raccomandiamo ci piace vedere un marketing responsabile.
+
+**Requisiti minimi:**
+
+- Deve utilizzare sistemi di analisi dei dati propri (es. no Google Analytics). Il sito del provider deve inoltre rispettare [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) per le persone che desiderano rinunciare.
+
+Must not have any marketing which is irresponsible:
+
+- Garantire al 100% la protezione dell'anonimato. Quando qualcuno afferma che qualcosa è al 100% significa che non esiste fallimento. Sappiamo che le persone possono deanonimizzarsi facilmente in vari modi, ad es.:
+ - Riutilizzare informazioni personali (es., account e-mail, pseudonimi unici ecc.) con cui hanno eseguito accessi senza software di anonimizzazione (Tor, VPN, ecc.)
+ - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+- Sostenere che un singolo circuito VPN è più "anonimo di Tor", il quale è un circuito con 3 o più hop che cambiano regolarmente.
+- Utilizzare linguaggio responsabile: per esempio, è accettabile dire che la VPN è "disconnessa" o "non connessa", tuttavia affermare che un utente è "esposto", "vulnerabile" o "compromesso" può creare allarmismi incorretti e inutili. Per esempio, quella persona potrebbe semplicemente star usando un'altra VPN o Tor.
+
+**Best Case:**
+
+Il marketing responsabile, che è sia educativo che utile per il consumatore, potrebbe includere:
+
+- Un confronto accurato con quando si dovrebbe usare [Tor](tor.md).
+- Disponibilità del sito web del provider VPN su un [servizio .onion](https://en.wikipedia.org/wiki/.onion)
+
+### Funzionalità aggiuntive
+
+Anche se non requisiti rigidi, ci sono alcuni fattori che abbiamo considerato nel determinare quali servizi consigliare. Tra questi ci sono funzionalità di blocco dei tracker e delle pubblicità, canarini di garanzia, connessioni multihop, eccellenza nell'assistenza clienti, numero di connessioni simultanee consentite, ecc.
+
+--8<-- "includes/abbreviations.it.txt"
diff --git a/i18n/nl/404.md b/i18n/nl/404.md
new file mode 100644
index 00000000..be1bb643
--- /dev/null
+++ b/i18n/nl/404.md
@@ -0,0 +1,17 @@
+---
+hide:
+ - feedback
+---
+
+# 404 - Niet gevonden
+
+We konden de pagina die je zoekt niet vinden! Misschien was je op zoek naar een van deze?
+
+- [Inleiding tot dreigingsmodellering](basics/threat-modeling.md)
+- [Aanbevolen DNS-providers](dns.md)
+- [Beste desktop webbrowsers](desktop-browsers.md)
+- [Beste VPN-providers](vpn.md)
+- [Privacy Guides Forum](https://discuss.privacyguides.net)
+- [Onze Blog](https://blog.privacyguides.org)
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/CODE_OF_CONDUCT.md b/i18n/nl/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..888b1d6b
--- /dev/null
+++ b/i18n/nl/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@
+# Gedragscode van de Gemeenschap
+
+**Wij beloven** om van onze gemeenschap een intimidatievrije ervaring te maken voor iedereen.
+
+**Wij streven naar** om een positieve omgeving te creëren, door uitnodigende en inclusieve taal te gebruiken en respect te tonen voor de standpunten van anderen.
+
+**Wij staan geen** ongepast of anderszins onaanvaardbaar gedrag toe, zoals geseksualiseerd taalgebruik, trollen en beledigende opmerkingen, of het anderszins bevorderen van onverdraagzaamheid of intimidatie.
+
+## Gemeenschap normen
+
+Wat we verwachten van leden van onze community:
+
+1. **Verspreid geen verkeerde informatie**
+
+ Wij creëren een op feiten gebaseerde onderwijsgemeenschap rond informatieprivacy en -beveiliging, geen huis voor complottheorieën. Als u bijvoorbeeld beweert dat een bepaald stuk software kwaadaardig is of dat bepaalde telemetriegegevens inbreuk maken op de privacy, leg dan in detail uit wat er wordt verzameld en hoe dat gebeurt. Dergelijke beweringen moeten met technische bewijzen worden gestaafd.
+
+1. **Maak geen misbruik van onze bereidheid om te helpen**
+
+ Onze gemeenschapsleden zijn niet uw gratis technische ondersteuning. Wij helpen je graag met specifieke stappen op jouw privacyreis als je bereid bent er zelf moeite voor te doen. Wij zijn niet bereid eindeloos herhaalde vragen te beantwoorden over algemene computerproblemen die je zelf had kunnen beantwoorden met een 30 seconden durende zoektocht op internet. Wees geen [help vampier](https://slash7.com/2006/12/22/vampires/).
+
+1.
**Gedraag je op een positieve en constructieve manier**
+
+ Voorbeelden van gedrag dat bijdraagt aan een positieve omgeving voor onze gemeenschap zijn:
+
+ - Empathie en vriendelijkheid tonen ten opzichte van andere mensen
+ - Respect hebben voor verschillende meningen, standpunten en ervaringen
+ - Op een elegante manier constructieve feedback geven en accepteren
+ - Verantwoordelijkheid nemen en excuses aanbieden aan degenen die getroffen zijn door onze fouten, en leren van de ervaring
+ - Focussen op wat het beste is, niet alleen voor ons als individuen, maar voor de hele gemeenschap
+
+### Onaanvaardbaar gedrag
+
+De volgende gedragingen worden beschouwd als intimidatie en zijn onaanvaardbaar binnen onze gemeenschap:
+
+- Het gebruik van geseksualiseerde taal of beelden, en seksuele aandacht of vooruitgang van welke aard dan ook
+- Trollen, beledigen of denigrerende opmerkingen, en persoonlijke of politieke aanvallen
+- Openbare of particuliere intimidatie
+- Publiceren van persoonlijke informatie van anderen, zoals een fysiek of e-mailadres, zonder hun uitdrukkelijke toestemming
+- Ander gedrag dat redelijkerwijs als ongepast kan worden beschouwd in een professionele omgeving
+
+## Toepassingsgebied
+
+Onze Gedragscode is van toepassing binnen alle projectruimten, evenals wanneer een persoon het project Privacy Guides in andere gemeenschappen vertegenwoordigt.
+
+Wij zijn verantwoordelijk voor het verduidelijken van de normen van onze community en hebben het recht om de opmerkingen van degenen die deelnemen aan onze community te verwijderen of te wijzigen, indien nodig en naar eigen goeddunken.
+
+### Contact
+
+Als u een probleem opmerkt op een platform zoals Matrix of Reddit, neem dan contact op met onze moderators op dat platform in de chat, via DM of via een aangewezen "Modmail" -systeem.
+
+Als je ergens anders een probleem hebt of een probleem dat onze communitymoderators niet kunnen oplossen, neem dan contact op met `jonah@privacyguides.org` en/of `dngray@privacyguides.org`.
+
+Alle gemeenschapsleiders zijn verplicht om de privacy en veiligheid van de melder van een incident te respecteren.
diff --git a/i18n/nl/about/criteria.md b/i18n/nl/about/criteria.md
new file mode 100644
index 00000000..9913777a
--- /dev/null
+++ b/i18n/nl/about/criteria.md
@@ -0,0 +1,42 @@ +--- +title: Algemene criteria +--- + +!!! example "Werk in uitvoering" + + De volgende pagina is een werk in uitvoering, en geeft op dit moment niet de volledige criteria voor onze aanbevelingen weer. Eerdere discussie over dit onderwerp: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Hieronder staan enkele zaken die moeten gelden voor alle inzendingen aan Privacy Guides. Aan elke categorie worden aanvullende eisen gesteld. + +## Financiële informatie + +We verdienen geen geld met het aanbevelen van bepaalde producten, we gebruiken geen affiliate links en we geven geen speciale aandacht aan projectdonoren. + +## Algemene richtlijnen + +We passen deze prioriteiten toe bij het overwegen van nieuwe aanbevelingen: + +- **Secure**: Tools moeten de beste beveiligingspraktijken volgen, waar van toepassing. +- **Bronbeschikbaarheid**: Open source projecten hebben over het algemeen de voorkeur boven gelijkwaardige merkalternatieven. +- **Cross-Platform**: We geven er meestal de voorkeur aan dat aanbevelingen cross-platform zijn, om lock-in van leveranciers te voorkomen. +- **Actieve ontwikkeling**: De hulpmiddelen die wij aanbevelen moeten actief worden ontwikkeld, niet-onderhouden projecten zullen in de meeste gevallen worden verwijderd. +- **Bruikbaarheid**: Tools moeten toegankelijk zijn voor de meeste computergebruikers, een al te technische achtergrond is niet vereist. +- **Gedocumenteerd**: Tools moeten duidelijke en uitgebreide documentatie hebben voor gebruik. + +## Zelfinzendingen van ontwikkelaars + +Wij stellen deze eisen aan ontwikkelaars die hun project of software in overweging willen geven. + +- Je moet jouw banden bekendmaken, d.w.z. jouw positie binnen het ingediende project. + +- Moet een security whitepaper hebben als het een project is waarbij gevoelige informatie wordt verwerkt, zoals een messenger, password manager, versleutelde cloudopslag etc. + - Auditstatus van derden. 
We willen weten of je er een hebt, of gepland hebt. Vermeld indien mogelijk wie de controle zal uitvoeren. + +- Moet uitleggen wat het project te bieden heeft op het gebied van privacy. + - Lost het een nieuw probleem op? + - Waarom zou iemand het gebruiken boven de alternatieven? + +- Moeten aangeven wat het exacte dreigingsmodel is van hun project. + - Het moet voor potentiële gebruikers duidelijk zijn wat het project kan bieden, en wat niet. + +--8<-- "includes/abbreviations.nl.txt" diff --git a/i18n/nl/about/donate.md b/i18n/nl/about/donate.md new file mode 100644 index 00000000..007d3a72 --- /dev/null +++ b/i18n/nl/about/donate.md 
@@ -0,0 +1,52 @@ +--- +title: Ons steunen +--- + + +Het vergt veel [mensen](https://github.com/privacyguides/privacyguides.org/graphs/contributors) en [werk](https://github.com/privacyguides/privacyguides.org/pulse/monthly) om Privacy Guides up-to-date te houden en het woord te verspreiden over privacy en massabewaking. Als je het leuk vindt wat we doen, overweeg dan om mee te doen door [de site](https://github.com/privacyguides/privacyguides.org) te bewerken of aan de [vertalingen bij te dragen](https://crowdin.com/project/privacyguides). + +Als je ons financieel wilt steunen, is de handigste methode voor ons om bij te dragen via Open Collective, een website die wordt beheerd door onze fiscale gastheer. Open Collective accepteert betalingen via creditcards, PayPal en bankoverschrijvingen. + +[Doneer op OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donaties rechtstreeks aan ons Open Collective zijn in het algemeen aftrekbaar van de belasting in de VS, omdat onze fiscale gastheer (de Open Collective Foundation) een geregistreerde 501(c)3 organisatie is. Na jouw donatie ontvangt je een ontvangstbewijs van de Open Collective Foundation. Privacy Guides geeft geen financieel advies, en je dient contact op te nemen met uw belastingadviseur om na te gaan of dit op je van toepassing is. + +Als je al gebruik maakt van GitHub sponsoring, kun je onze organisatie daar ook sponsoren. + +[Sponsor ons op GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +Een speciaal woord van dank aan allen die onze missie steunen! :heart: + +*Let op: Dit onderdeel laadt een widget rechtstreeks vanuit Open Collective. Dit gedeelte geeft geen donaties weer die buiten Open Collective om zijn gedaan, en wij hebben geen controle over de specifieke donoren die in dit gedeelte worden vermeld.* + + + +## Hoe we donaties gebruiken + +Privacy Guides is een **non-profit** organisatie. 
Wij gebruiken donaties voor verschillende doeleinden, waaronder: + +**Domein registraties** +: + +Wij hebben een paar domeinnamen zoals `privacyguides.org` die ons ongeveer $10 per jaar kosten om hun registratie te behouden. + +**Web Hosting** +: + +Het verkeer naar deze website verbruikt honderden gigabytes aan gegevens per maand, wij maken gebruik van verschillende dienstverleners om dit verkeer bij te houden. + +**Online diensten** +: + +Wij hosten [internetdiensten](https://privacyguides.net) voor het testen en tonen van verschillende privacy-producten die wij leuk vinden en [aanbevelen](../tools.md). Sommige daarvan worden publiekelijk beschikbaar gesteld voor gebruik door onze gemeenschap (SearXNG, Tor, enz.), en sommige worden ter beschikking gesteld aan onze teamleden (e-mail, enz.). + +**Aankopen van producten** +: + +Wij kopen af en toe producten en diensten aan om onze [aanbevolen instrumenten te testen](../tools.md). + +We werken nog steeds samen met onze fiscale host (de Open Collective Foundation) om donaties in cryptogeld te ontvangen, op dit moment is de boekhouding onhaalbaar voor veel kleinere transacties, maar dit zou in de toekomst moeten veranderen. In de tussentijd, als je een aanzienlijke (> $100) crypto donatie wilt doen, neem dan contact op met [jonah@privacyguides.org](mailto:jonah@privacyguides.org). + +--8<-- "includes/abbreviations.nl.txt" diff --git a/i18n/nl/about/index.md b/i18n/nl/about/index.md new file mode 100644 index 00000000..a2c4584b --- /dev/null +++ b/i18n/nl/about/index.md 
@@ -0,0 +1,63 @@ +--- +title: "Over Privacy Guides" +--- + +**Privacy Guides** is een sociaal gemotiveerde website die informatie verstrekt voor de bescherming van jouw gegevensbeveiliging en privacy. Wij zijn een non-profit collectief dat volledig wordt beheerd door vrijwillige [teamleden](https://discuss.privacyguides.net/g/team) en bijdragers. + +[:material-hand-coin-outline: Steun het project](donate.md ""){.md-button.md-button--primary} + +## Ons Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: E-mail](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: E-mail](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? 
person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Bovendien hebben [veel mensen](https://github.com/privacyguides/privacyguides.org/graphs/contributors) bijgedragen aan het project. Jij kunt het ook, we zijn open source op GitHub! + +Onze teamleden bekijken alle wijzigingen aan de website en nemen administratieve taken op zich zoals webhosting en financiën, maar zij profiteren niet persoonlijk van bijdragen aan deze site. Onze financiën worden transparant gehost door de Open Collective Foundation 501(c)(3) op [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Giften aan Privacy Guides zijn in het algemeen aftrekbaar van de belasting in de Verenigde Staten. + +## Site Licentie + +*Het volgende is een menselijk leesbare samenvatting van (en geen vervanging voor) de [licentie](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):* + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Tenzij anders vermeld, wordt de oorspronkelijke inhoud van deze website beschikbaar gesteld onder de [Creative Commons Naamsvermelding-Niet-afgeleide producten 4.0 Internationale Openbare Licentie](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). 
Dit betekent dat u vrij bent om het materiaal te kopiëren en opnieuw te verspreiden in elk medium of formaat voor elk doel, zelfs commercieel; zolang u gepaste eer geeft aan `Privacy Guides (www.privacyguides.org)` en een link geeft naar de licentie. U **mag de Privacy Guides branding niet** gebruiken in uw eigen project zonder uitdrukkelijke toestemming van dit project. Als u de inhoud van deze website remixt, transformeert of erop voortbouwt, mag u het gewijzigde materiaal niet verspreiden. + +Deze licentie is er om te voorkomen dat mensen ons werk delen zonder de juiste credits te geven, en om te voorkomen dat mensen ons werk aanpassen op een manier die gebruikt kan worden om mensen te misleiden. Als u de voorwaarden van deze licentie te beperkend vindt voor het project waaraan u werkt, neem dan contact met ons op via `jonah@privacyguides.org`. Wij bieden graag alternatieve licentiemogelijkheden voor goedbedoelde projecten op het gebied van privacy! + +--8<-- "includes/abbreviations.nl.txt" diff --git a/i18n/nl/about/notices.md b/i18n/nl/about/notices.md new file mode 100644 index 00000000..971ba2b5 --- /dev/null +++ b/i18n/nl/about/notices.md 
@@ -0,0 +1,45 @@ +--- +title: "Mededelingen en vrijwaringsclausules" +hide: + - toc +--- + +## Wettelijke aansprakelijkheid + +Privacy Guides is geen advocatenkantoor. Als zodanig geven de Privacy Gidsen website en hun medewerkers geen juridisch advies. Het materiaal en de aanbevelingen in onze website en gidsen vormen geen juridisch advies, noch schept het bijdragen aan de website of het communiceren met Privacy Guides of andere bijdragers over onze website een advocaat-cliënt relatie. + +Het runnen van deze website brengt, zoals elke menselijke inspanning, onzekerheid en afwegingen met zich mee. Wij hopen dat deze website helpt, maar er kunnen fouten in staan en niet elke situatie kan worden behandeld. Als je vragen hebt over jouw situatie, moedigen wij je aan jouw eigen onderzoek te doen, andere deskundigen te raadplegen en deel te nemen aan discussies met de Privacy Guides-gemeenschap. Indien je juridische vragen hebt, dien je jouw eigen juridisch adviseur te raadplegen alvorens verder te gaan. + +Privacy Guides is een open source-project waaraan wordt bijgedragen onder licenties die voorwaarden bevatten die, ter bescherming van de website en de bijdragers, duidelijk maken dat het Privacy Guides-project en de website "as-is" worden aangeboden, zonder garantie, en waarin aansprakelijkheid wordt afgewezen voor schade die voortvloeit uit het gebruik van de website of de aanbevelingen die erin zijn opgenomen. Privacy Guides geeft geen garantie en doet geen uitspraken over de nauwkeurigheid, de waarschijnlijke resultaten, of de betrouwbaarheid van het gebruik van de materialen op de website of anderszins met betrekking tot dergelijke materialen op de website of op sites van derden die zijn gekoppeld aan deze site. + +Privacy Guides garandeert evenmin dat deze website voortdurend beschikbaar zal zijn, of helemaal niet beschikbaar zal zijn. 
+ +## Licenties + +Tenzij anders vermeld, wordt alle inhoud op deze website vrij ter beschikking gesteld onder de voorwaarden van de [Creative Commons CC0 1.0 Universal](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). + +Dit geldt niet voor code van derden die in dit archief is opgenomen, of code waar een vervangende licentie anderszins is aangegeven. Hieronder volgen enkele belangrijke voorbeelden, maar deze lijst is wellicht niet volledig: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) is gelicenseerd onder de [Apache Licentie 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). + +Delen van deze mededeling zelf zijn overgenomen van [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) op GitHub. Die bron en deze pagina zelf zijn vrijgegeven onder [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE). + +Dit betekent dat je de menselijk leesbare inhoud in deze repository kunt gebruiken voor je eigen project, volgens de voorwaarden in de CC0 1.0 Universele tekst. U **mag de Privacy Guides branding niet** gebruiken in uw eigen project zonder uitdrukkelijke toestemming van dit project. De handelsmerken van Privacy Guides omvatten het woordmerk "Privacy Guides" en het schildlogo. De handelsmerken van Privacy Guides omvatten het woordmerk "Privacy Guides" en het schildlogo. + +Wij zijn van mening dat de logo's en andere afbeeldingen in `activa` verkregen van derde leveranciers ofwel in het publieke domein zijn of **eerlijk gebruik**. In een notendop staat de juridische [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) het gebruik toe van auteursrechtelijk beschermde afbeeldingen om het onderwerp aan te duiden met het oog op openbaar commentaar. 
Deze logo's en andere afbeeldingen kunnen echter nog steeds onderworpen zijn aan het merkenrecht in een of meer rechtsgebieden. Alvorens deze inhoud te gebruiken, dien je zich ervan te vergewissen dat de entiteit of organisatie die eigenaar is van het handelsmerk wordt geïdentificeerd en dat je het recht hebt het te gebruiken volgens de wetten die van toepassing zijn in de omstandigheden van het door je beoogde gebruik. *Wanneer je inhoud van deze website kopieert, bent je er als enige verantwoordelijk voor dat je geen inbreuk maakt op het handelsmerk of auteursrecht van iemand anders.* + +Als je bijdraagt aan dit archief, doet je dat onder de bovenstaande licenties. + +## Aanvaardbaar gebruik + +Je mag deze website niet gebruiken op een manier die schade toebrengt of kan toebrengen aan de website of de beschikbaarheid of toegankelijkheid van Privacy Guides aantast, of op een manier die onwettig, illegaal, frauduleus of schadelijk is, of in verband met een onwettig, illegaal, frauduleus of schadelijk doel of activiteit. + +Je mag geen systematische of geautomatiseerde gegevensverzamelingsactiviteiten uitvoeren op of met betrekking tot deze website zonder uitdrukkelijke schriftelijke toestemming van Aragon Ventures Llc, inclusief: + +* Buitensporige geautomatiseerde scans +* Ontzegging van dienst aanvallen +* Schrapen +* Datamining +* 'Framing' (IFrames) + +--8<-- "includes/abbreviations.nl.txt" diff --git a/i18n/nl/about/privacy-policy.md b/i18n/nl/about/privacy-policy.md new file mode 100644 index 00000000..bbf61460 --- /dev/null +++ b/i18n/nl/about/privacy-policy.md 
@@ -0,0 +1,63 @@ +--- +title: "Privacybeleid" +--- + +Privacy Guides is een gemeenschapsproject dat door een aantal actieve vrijwilligers wordt uitgevoerd. De openbare lijst van teamleden [is te vinden op GitHub](https://github.com/orgs/privacyguides/people). + +## Gegevens die wij van bezoekers verzamelen + +De privacy van onze websitebezoekers is belangrijk voor ons, dus we volgen geen individuele personen. Als bezoeker van onze website: + +- Er wordt geen persoonlijke informatie verzameld +- Er wordt geen informatie, zoals cookies, opgeslagen in de browser +- Er wordt geen informatie gedeeld met, verstuurd naar of verkocht aan derden +- Er wordt geen informatie gedeeld met reclamebedrijven +- Er wordt geen informatie gemijnd en geoogst voor persoonlijke en gedragstrends +- Geen informatie wordt te gelde gemaakt + +Je kunt de gegevens die wij verzamelen bekijken op onze pagina [statistieken](statistics.md). + +Wij draaien een zelf gehoste installatie van [Plausible Analytics](https://plausible.io) om enkele anonieme gebruiksgegevens voor statistische doeleinden te verzamelen. Het doel is om algemene trends in ons websiteverkeer te volgen, niet om individuele bezoekers te volgen. Alle gegevens zijn alleen in geaggregeerde vorm. Er worden geen persoonsgegevens verzameld. + +De verzamelde gegevens omvatten verwijzingsbronnen, toppagina's, duur van het bezoek, informatie over de apparaten (apparaattype, besturingssysteem, land en browser) die tijdens het bezoek werden gebruikt en meer. Je kunt meer te weten komen over hoe Plausible werkt en informatie verzamelt op een privacy- respecterende manier [hier](https://plausible.io/data-policy). + +## Gegevens die wij van account houders verzamelen + +Op sommige websites en diensten die wij aanbieden, kan voor veel functies een account vereist zijn. Een account kan bijvoorbeeld vereist zijn om onderwerpen te posten en te beantwoorden op een forumplatform. 
+ +Om je voor de meeste accounts aan te melden, verzamelen wij een naam, gebruikersnaam, e-mail en wachtwoord. Indien een website meer informatie vereist dan alleen die gegevens, zal dat duidelijk worden aangegeven en vermeld in een afzonderlijke privacyverklaring per site. + +Wij gebruiken uw accountgegevens om je te identificeren op de website en om pagina's te creëren die specifiek voor je zijn, zoals jouw profielpagina. Wij zullen jouw accountgegevens ook gebruiken om een openbaar profiel voor je op onze diensten te publiceren. + +Wij gebruiken jouw e-mail om: + +- Je op de hoogte te brengen van berichten en andere activiteiten op de websites of diensten. +- Reset jouw wachtwoord en help jouw account veilig te houden. +- Contact met je op te nemen in bijzondere omstandigheden die verband houden met jouw rekening. +- Contact met je op te nemen over wettelijke verzoeken, zoals DMCA takedown verzoeken. + +Op sommige websites en diensten kunt je aanvullende informatie verstrekken voor jouw account, zoals een korte biografie, avatar, jouw locatie of jouw verjaardag. Wij maken die informatie beschikbaar voor iedereen die toegang heeft tot de website of de dienst in kwestie. Deze informatie is niet vereist om van onze diensten gebruik te maken en kan op elk moment worden gewist. + +Wij bewaren jouw account gegevens zolang jouw account open blijft. Na het sluiten van een account kunnen wij sommige of al uw accountgegevens bewaren in de vorm van back-ups of archieven gedurende maximaal 90 dagen. + +## Contact met ons opnemen + +Het Privacy Guides-team heeft in het algemeen geen toegang tot persoonsgegevens, afgezien van beperkte toegang die via sommige moderatiepanelen wordt verleend. Vragen over uw persoonlijke gegevens moeten rechtstreeks worden gericht aan: + +```text +Jonah Aragon +Dienstenadministrateur +jonah@privacyguides.org +``` + +Voor alle andere vragen kunt je contact opnemen met elk lid van ons team. 
+ +Voor meer algemene klachten in het kader van de GDPR kun je terecht bij jouw lokale toezichthoudende autoriteiten voor gegevensbescherming. In Frankrijk is het de Commission Nationale de l'Informatique et des Libertés die de klachten behandelt. Ze bieden een [sjabloon van de klachtenbrief](https://www.cnil.fr/en/plaintes) aan om te kunnen gebruiken. + +## Over dit beleid + +Eventuele nieuwe versies van deze verklaring [zullen wij hier](privacy-policy.md)plaatsen. Wij kunnen de wijze waarop wij wijzigingen aankondigen in toekomstige versies van dit document wijzigen. In de tussentijd kunnen wij onze contactgegevens te allen tijde bijwerken zonder een wijziging aan te kondigen. Raadpleeg het [Privacybeleid](privacy-policy.md) voor de meest recente contactinformatie op elk moment. + +Een volledige revisie [geschiedenis](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) van deze pagina is te vinden op GitHub. + +--8<-- "includes/abbreviations.nl.txt" diff --git a/i18n/nl/about/privacytools.md b/i18n/nl/about/privacytools.md new file mode 100644 index 00000000..9e4cf32d --- /dev/null +++ b/i18n/nl/about/privacytools.md 
@@ -0,0 +1,146 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Waarom we zijn overgestapt van PrivacyTools + +In september 2021 hebben alle actieve medewerkers unaniem ingestemd om van PrivacyTools over te stappen naar deze site: Privacy Guides. Deze beslissing werd genomen omdat de oprichter van PrivacyTools en beheerder van de domeinnaam voor langere tijd was verdwenen en niet kon worden gecontacteerd. + +Aangezien PrivacyTools.io een gerenommeerde site en een reeks diensten had opgebouwd, baarde dit grote zorgen voor de toekomst van PrivacyTools, aangezien elke toekomstige verstoring de hele organisatie zou kunnen wegvagen zonder herstelmethode. Deze overgang werd vele maanden van tevoren aan de PrivacyTools-gemeenschap meegedeeld via verschillende kanalen, waaronder de blog, Twitter, Reddit en Mastodon, om ervoor te zorgen dat het hele proces zo soepel mogelijk zou verlopen. We deden dit om ervoor te zorgen dat niemand in het ongewisse werd gelaten, wat onze modus operandi is geweest sinds de oprichting van ons team, en om ervoor te zorgen dat Privacy Guides werd herkend als dezelfde betrouwbare organisatie die PrivacyTools was voor de overgang. + +Na de organisatorische verhuizing keerde de oprichter van PrivacyTools terug en begon verkeerde informatie over het Privacy Guides-project te verspreiden. Ze gaan door met het verspreiden van verkeerde informatie en exploiteren daarnaast een betaalde linkfarm op het PrivacyTools-domein. We maken deze pagina om misvattingen uit de weg te ruimen. + +## Wat is PrivacyTools? + +PrivacyTools werd in 2015 opgericht door "BurungHantu", die een bron van informatie over privacy wilde maken - nuttige hulpmiddelen na de onthullingen van Snowden. 
De site groeide uit tot een bloeiend open-sourceproject met [veel bijdragers](https://github.com/privacytools/privacytools.io/graphs/contributors), waarvan sommigen uiteindelijk verschillende organisatorische verantwoordelijkheden kregen, zoals het beheren van online diensten als Matrix en Mastodon, het beheren en beoordelen van wijzigingen aan de site op GitHub, het vinden van sponsors voor het project, het schrijven van blogberichten en het beheren van platforms voor sociale media zoals Twitter, enz. + +Vanaf 2019 nam BurungHantu steeds meer afstand van de actieve ontwikkeling van de website en de gemeenschappen, en begon hij betalingen uit te stellen waarvoor hij verantwoordelijk was in verband met de servers die we beheerden. Om te voorkomen dat onze systeembeheerder de serverkosten uit eigen zak moet betalen, hebben we de donatiemethoden die op de site staan veranderd van BurungHantu's persoonlijke PayPal- en cryptorekeningen naar een nieuwe OpenCollective-pagina op [31 oktober 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). Dit had het bijkomende voordeel dat het onze financiën volledig transparant maakte, een waarde waarin wij sterk geloven, en fiscaal aftrekbaarheid in de Verenigde Staten, omdat ze werden beheerd door de Open Collective Foundation 501(c)3. Deze wijziging werd unaniem goedgekeurd door het team en werd niet betwist. + +## Waarom we verder zijn gegaan + +In 2020 werd de afwezigheid van BurungHantu veel opvallender. Op een gegeven moment moesten de naamservers van het domein worden gewijzigd in naamservers die worden beheerd door onze systeembeheerder om toekomstige verstoringen te voorkomen, en deze wijziging werd pas meer dan een maand na de eerste aanvraag voltooid. Hij verdween maandenlang uit de openbare chat en de privé chatrooms van het team op Matrix. 
Af en toe kwam hij even langs om wat kleine feedback te geven of beloofde hij actiever te worden, voordat hij weer verdween. + +In oktober 2020 verliet de systeembeheerder van PrivacyTools (Jonah) [het project](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) vanwege deze moeilijkheden, waarbij de controle werd overgedragen aan een andere vrijwilliger die al lange tijd meewerkt. Jonah had bijna elke PrivacyTools dienst beheerd en fungeerde als de *de facto* projectleider voor website ontwikkeling in BurungHantu's afwezigheid, dus zijn vertrek was een belangrijke verandering voor de organisatie. Vanwege deze belangrijke organisatorische veranderingen beloofde BurungHantu destijds aan het overblijvende team dat hij zou terugkeren om de leiding van het project over te nemen. ==Het PrivacyTools-team heeft in de daaropvolgende maanden via verschillende communicatiemethoden contact opgenomen, maar geen reactie ontvangen.== + +## Afhankelijkheid van domeinnaam + +Begin 2021 maakte het PrivacyTools-team zich zorgen over de toekomst van het project, omdat de domeinnaam op 1 maart 2021 zou verlopen. Het domein werd uiteindelijk verlengd door BurungHantu zonder commentaar. + +De zorgen van het team werden niet weggenomen, en we realiseerden ons dat dit elk jaar een probleem zou zijn: Als het domein zou verlopen, zou het kunnen worden gestolen door krakers of spammers, waardoor de reputatie van de organisatie zou worden geruïneerd. We zouden ook moeite hebben gehad de gemeenschap te bereiken om hen te informeren over wat er is gebeurd. + +Zonder enig contact te hebben met BurungHantu, besloten we dat het het beste zou zijn om naar een nieuwe domeinnaam te verhuizen terwijl we nog gegarandeerde controle over de oude domeinnaam hadden, ergens voor maart 2022. Op deze manier kunnen we alle PrivacyTools-resources netjes omleiden naar de nieuwe site zonder enige onderbreking van de dienstverlening. 
Deze beslissing werd vele maanden van tevoren genomen en aan het hele team meegedeeld in de hoop dat BurungHantu zijn steun aan het project zou toezeggen, want met een herkenbare merknaam en grote gemeenschappen online, was het weggaan van "PrivacyTools" de minst wenselijke uitkomst. + +Medio 2021 nam het PrivacyTools team contact op met Jonah, die ermee instemde zich weer bij het team aan te sluiten om te helpen bij de overgang. + +## Gemeenschaps oproep tot actie + + Eind juli 2021 hebben we + +de PrivacyTools gemeenschap op de hoogte gebracht van ons voornemen om een nieuwe naam te kiezen en het project voort te zetten op een nieuw domein, dat [gekozen zal worden](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) op 2 augustus 2022. Uiteindelijk werd "Privacy Guides" gekozen, met het domein `privacyguides.org` dat Jonah al bezat voor een zijproject uit 2020 dat onontwikkeld bleef.

+ + + +## Controle over r/privacytoolsIO + +Gelijktijdig met de lopende website problemen bij privacytools.io, werd het r/privacytoolsIO moderatieteam geconfronteerd met uitdagingen bij het beheer van de subreddit. De subreddit werd altijd grotendeels onafhankelijk van de ontwikkeling van de website beheerd, maar BurungHantu was ook de primaire moderator van de subreddit, en hij was de enige moderator die "Volledige controle"-rechten kreeg. u/trai_dep was op dat moment de enige actieve moderator, en [plaatste op 28 juni 2021 een verzoek aan de beheerders van Reddit](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) met het verzoek om de primaire moderatorpositie en volledige controleprivileges te krijgen, om zo de nodige wijzigingen in de Subreddit aan te brengen. + +Reddit vereist dat subreddits actieve moderatoren hebben. Indien de eerste moderator gedurende een lange periode (bijvoorbeeld een jaar) inactief is, kan de positie van eerste moderator opnieuw worden toegewezen aan de volgende moderator in de rij. Om dit verzoek in te willigen, moest BurungHantu volledig afwezig zijn geweest bij alle Reddit-activiteiten gedurende een lange periode, wat consistent was met zijn gedrag op andere platforms. + + + +> Als je als moderator van een subreddit werd verwijderd via een Reddit-verzoek is dat omdat je gebrek aan reactie en gebrek aan activiteit de subreddit kwalificeerde voor een r/redditrequest-overplaatsing. +> +> r/redditrequest is Reddit's manier om ervoor te zorgen dat gemeenschappen actieve moderators hebben en maakt deel uit van de [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + + + +## Begin van de transitie + +Op 14 september 2021 hebben we [](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) het begin van onze migratie naar dit nieuwe domein aangekondigd: + + + +> [...] 
wij vonden het nodig deze omschakeling eerder vroeger dan later te maken om ervoor te zorgen dat de mensen zo snel mogelijk van deze overgang op de hoogte zouden zijn. Dit geeft ons voldoende tijd om de domeinnaam, die momenteel doorverwijst naar www.privacyguides.org, te veranderen en hopelijk geeft het iedereen genoeg tijd om de verandering op te merken, bladwijzers en websites bij te werken, enz. + +Deze verandering [hield in:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- www.privacytools.io omleiden naar [www.privacyguides.org](https://www.privacyguides.org). +- Het archiveren van de broncode op GitHub om ons werk uit het verleden en de issue tracker te bewaren, die we bleven gebruiken voor maanden van toekomstige ontwikkeling van deze site. +- Aankondigingen plaatsen op onze subreddit en diverse andere gemeenschappen om mensen te informeren over de officiële verandering. +- Formeel sluiten van privacytools.io-diensten, zoals Matrix en Mastodon, en bestaande gebruikers aanmoedigen om zo snel mogelijk te migreren. + +Alles leek soepel te verlopen, en het grootste deel van onze actieve gemeenschap maakte de overstap naar ons nieuwe project, precies zoals we hoopten. + + + +## Volgende gebeurtenissen + +Ongeveer een week na de overgang kwam BurungHantu voor het eerst in bijna een jaar weer online, maar niemand van ons team wilde terugkeren naar PrivacyTools vanwege zijn historische onbetrouwbaarheid. In plaats van zich te verontschuldigen voor zijn langdurige afwezigheid, ging hij onmiddellijk in de aanval en positioneerde de overgang naar Privacy Guides als een aanval op hem en zijn project. Vervolgens heeft hij [veel van deze berichten verwijderd](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) toen de gemeenschap hem erop wees dat hij afwezig was geweest en het project had verlaten. 
+ +Op dit punt beweerde BurungHantu dat hij alleen verder wilde werken aan privacytools.io en vroeg ons de redirect van www.privacytools.io naar [www.privacyguides.org](https://www.privacyguides.org)te verwijderen. We hebben hem gevraagd de subdomeinen voor Matrix, Mastodon en PeerTube ten minste een paar maanden actief te houden als openbare dienst voor onze gemeenschap, zodat gebruikers op deze platforms gemakkelijk naar andere accounts kunnen migreren. Door de gefedereerde aard van de diensten die wij leverden, waren deze gebonden aan specifieke domeinnamen waardoor het zeer moeilijk (en in sommige gevallen onmogelijk) was om te migreren. + +Helaas, omdat de controle over de r/privacytoolsIO-subreddit niet werd teruggegeven aan BurungHantu op zijn verzoek (meer informatie hieronder), werden die subdomeinen [begin oktober afgesneden van](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/), waardoor alle migratiemogelijkheden voor gebruikers die deze diensten nog gebruikten, werden beëindigd. + +Hierna heeft BurungHantu valse beschuldigingen geuit over het stelen van donaties van het project door Jonah. BurungHantu had meer dan een jaar na het vermeende incident, en toch heeft hij nooit iemand op de hoogte gebracht tot na de migratie van de Privacy Guides. BurungHantu is herhaaldelijk door het team [en de gemeenschap](https://twitter.com/TommyTran732/status/1526153536962281474)gevraagd om bewijzen en om commentaar op de reden voor zijn stilzwijgen, maar heeft dat niet gedaan. + +BurungHantu maakte ook een [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) bewerend dat een "advocaat" hem had bereikt op Twitter en advies gaf, in een andere poging om ons te intimideren om hem de controle over onze subreddit te geven, en als onderdeel van zijn lastercampagne om het water rond de lancering van Privacy Guides te vertroebelen terwijl hij zich voordoet als een slachtoffer. 
+
+
+
+## PrivacyTools.io Nu
+
+Vanaf 25 september 2022 zien we de algemene plannen van BurungHantu in vervulling gaan op privacytools.io, en dat is precies de reden waarom we besloten hebben vandaag deze verklarende pagina te maken. De website die hij exploiteert lijkt een zwaar SEO-geoptimaliseerde versie te zijn van de site die hulpmiddelen aanbeveelt in ruil voor financiële compensatie. Zeer recentelijk zijn IVPN en Mullvad, twee VPN-providers die door de privacygemeenschap bijna universeel [worden aanbevolen](../vpn.md) en die bekend staan om hun stellingname tegen affiliate programma's, uit PrivacyTools verwijderd. In hun plaats? NordVPN, Surfshark, ExpressVPN, en hide.me; Gigantische VPN bedrijven met onbetrouwbare platforms en zakelijke praktijken, berucht om hun agressieve marketing en affiliate programma's.
+
+==**PrivacyTools is precies het type site geworden waar we [voor waarschuwden](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) op de PrivacyTools blog in 2019.**== We hebben geprobeerd om sinds de overgang afstand te houden van PrivacyTools, maar hun voortdurende pesterijen jegens ons project en nu hun absurde misbruik van de geloofwaardigheid die hun merk in 6 jaar van open source bijdragen heeft verworven, is voor ons uiterst verontrustend. Degenen onder ons die daadwerkelijk voor privacy vechten, vechten niet tegen elkaar en krijgen hun advies niet van de hoogste bieder.
+
+
+
+## privacyTools. io Nu
+
+ Na de lancering van [r/PrivacyGuides](https://www.reddit.com/r/privacyguides)was het onpraktisch voor u/trai_dep om beide subreddits te blijven modereren, en met de gemeenschap aan boord van de overgang, werd r/privacytoolsIO een beperkt subreddit gemaakt in een post op 1 november 2021:

+
+
+
+> [...] De groei van deze Sub was het resultaat van grote inspanningen, gedurende meerdere jaren, door het PrivacyGuides.org team. En door ieder van jullie.
+>
+> Een Subreddit is veel werk om te beheren en te modereren. Net als een tuin vereist het geduldig onderhoud en dagelijkse zorg. Het is geen taak voor dilettantes of vrijblijvende mensen. Het kan niet gedijen onder een tuinman die het enkele jaren in de steek laat en dan de oogst van dit jaar als eerbetoon eist. Het is oneerlijk tegenover het team dat jaren geleden werd gevormd. Het is niet eerlijk tegenover jou. [...]
+
+Subreddits zijn van niemand, en al helemaal niet van merkhouders. Ze horen bij hun gemeenschap, en de gemeenschap en haar moderatoren hebben besloten de verhuizing naar r/PrivacyGuides te steunen.
+
+In de maanden daarna heeft BurungHantu gedreigd en gesmeekt om de controle over de subreddit terug te geven aan zijn account in [schending](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) van Reddit regels:
+
+
+
+> Vergelding door een moderator met betrekking tot verwijderingsverzoeken is niet toegestaan.
+
+Voor een gemeenschap met vele duizenden resterende abonnees, vinden we dat het ongelooflijk respectloos zou zijn om de controle over dat enorme platform terug te geven aan de persoon die het meer dan een jaar heeft verlaten en die nu een website beheert waarvan we denken dat deze informatie van zeer lage kwaliteit biedt. Het behoud van de jaren van eerdere discussies in die gemeenschap is belangrijker voor ons, en dus hebben u/trai_dep en de rest van het subreddit moderatieteam de beslissing genomen om r/privacytoolsIO as-is te houden.
+
+
+
+## OpenCollective Nu
+
+Ons fondsenwervingsplatform, OpenCollective, is een andere bron van onenigheid. Ons standpunt is dat OpenCollective door ons team is opgezet en door ons team wordt beheerd om diensten te financieren die wij momenteel exploiteren en wat PrivacyTools niet langer doet.
[Wij bereikten](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) al onze donateurs over onze overstap naar Privacy Guides, en we werden unaniem gesteund door onze sponsors en gemeenschap.
+
+De fondsen in OpenCollective behoren dus toe aan Privacy Guides, ze zijn gegeven aan ons project, en niet aan de eigenaar van een bekende domeinnaam. In de aankondiging aan donateurs op 17 september 2021 boden wij donateurs die het niet eens zijn met ons standpunt een terugbetaling aan, maar niemand is op dit aanbod ingegaan:
+
+
+
+> Als sponsors of donateurs het niet eens zijn met of zich misleid voelen door deze recente gebeurtenissen en een terugbetaling willen aanvragen gezien deze hoogst ongebruikelijke omstandigheden, neem dan contact op met onze projectbeheerder door een e-mail te sturen naar jonah@triplebit.net.
+
+
+
+## Meer lezen
+
+Dit onderwerp is uitgebreid besproken binnen onze gemeenschappen op verschillende plaatsen, en het lijkt waarschijnlijk dat de meeste mensen die deze pagina lezen al bekend zijn met de gebeurtenissen die hebben geleid tot de overgang naar Privacy Guides. Sommige van onze eerdere berichten over deze kwestie hebben mogelijk extra details die we hier voor de beknoptheid hebben weggelaten. Voor de volledigheid zijn ze hieronder gelinkt.
+
+- [28 juni 2021 verzoek om controle van r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/)
+- [27 juli 2021 aankondiging van onze intenties om te verhuizen op de PrivacyTools blog, geschreven door het team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/)
+- [13 september 2021 aankondiging van het begin van onze overgang naar privacyguides op r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/)
+- [17 sept 2021 aankondiging op OpenCollective van Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides)
+- [30 september 2021 Twitter-draad met details over de meeste gebeurtenissen die nu op deze pagina worden beschreven](https://twitter.com/privacy_guides/status/1443633412800225280)
+- [1 okt 2021 bericht door u/dng99 met vermelding van subdomeinfout](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/)
+- [2 apr 2022 reactie van u/dng99 op beschuldigende blogpost van PrivacyTools](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/)
+- [16 mei 2022 reactie door @TommyTran732 op Twitter](https://twitter.com/TommyTran732/status/1526153497984618496)
+- [Sep 3, 2022 post op Techlore's forum door @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20)
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/about/services.md b/i18n/nl/about/services.md
new file mode 100644
index 00000000..38234548
--- /dev/null
+++ b/i18n/nl/about/services.md
@@ -0,0 +1,40 @@
+# Privacy Guides Diensten
+
+We draaien een aantal webdiensten om functies te testen en coole gedecentraliseerde, gefedereerde en/of open-source projecten te promoten. Veel van deze diensten zijn beschikbaar voor het publiek en worden hieronder beschreven.
+
+[:material-comment-alert: Een probleem melden](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary}
+
+## Discourse
+
+- Domein: [discuss.privacyguides.net](https://discuss.privacyguides.net)
+- Beschikbaarheid: Openbaar
+- Bron: [github.com/discourse/discourse](https://github.com/discourse/discourse)
+
+## Gitea
+
+- Domein: [code.privacyguides.dev](https://code.privacyguides.dev)
+- Beschikbaarheid: Alleen op uitnodiging
+ Toegang kan op verzoek worden verleend aan elk team dat werkt aan *Privacy Guides*-gerelateerde ontwikkeling of inhoud.
+- Bron: [snapcraft.io/gitea](https://snapcraft.io/gitea)
+
+## Matrix
+
+- Domein: [matrix.privacyguides.org](https://matrix.privacyguides.org)
+- Beschikbaarheid: Alleen op uitnodiging
+ Toegang kan op verzoek worden verleend aan leden van het Privacy Guides-team, Matrix-moderators, Matrix-communitybeheerders van derden, Matrix-botbeheerders en andere personen die een betrouwbare Matrix-aanwezigheid nodig hebben.
+- Bron: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy)
+
+## SearXNG
+
+- Domein: [search.privacyguides.net](https://search.privacyguides.net)
+- Beschikbaarheid: Openbaar
+- Bron: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker)
+
+## Invidious
+
+- Domein: [invidious.privacyguides.net](https://invidious.privacyguides.net)
+- Beschikbaarheid: Semi-Openbaar
+ Wij hosten Invidious voornamelijk om ingesloten YouTube-video's op onze website weer te geven, deze instantie is niet bedoeld voor algemeen gebruik en kan op elk moment worden beperkt.
+- Bron: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) + +--8<-- "includes/abbreviations.nl.txt" diff --git a/i18n/nl/about/statistics.md b/i18n/nl/about/statistics.md new file mode 100644 index 00000000..bc71e4e0 --- /dev/null +++ b/i18n/nl/about/statistics.md @@ -0,0 +1,63 @@ +--- +title: Verkeersstatistieken +--- + +## Website statistieken + + +
Statistieken mogelijk gemaakt door Plausible Analytics
+ + + + +## Blog Statistieken + + +
Statistieken mogelijk gemaakt door Plausible Analytics
+ + + + +--8<-- "includes/abbreviations.nl.txt" diff --git a/i18n/nl/advanced/communication-network-types.md b/i18n/nl/advanced/communication-network-types.md new file mode 100644 index 00000000..c230fb05 --- /dev/null +++ b/i18n/nl/advanced/communication-network-types.md 
@@ -0,0 +1,104 @@
+---
+title: "Soorten communicatienetwerken"
+icon: 'material/transit-connection-variant'
+---
+
+Er zijn verschillende netwerkarchitecturen die gewoonlijk worden gebruikt om berichten tussen mensen door te geven. Deze netwerken kunnen verschillende privacygaranties bieden, en daarom is het de moeite waard jouw [bedreigingsmodel](../basics/threat-modeling.md) in overweging te nemen bij de beslissing welke app je gaat gebruiken.
+
+[Aanbevolen Instant Messengers](../real-time-communication.md ""){.md-button}
+
+## Gecentraliseerde netwerken
+
+![Diagram gecentraliseerde netwerken](../assets/img/layout/network-centralized.svg){ align=left }
+
+Gecentraliseerde berichten diensten zijn die waarbij alle deelnemers zich op dezelfde server of hetzelfde netwerk van servers bevinden die door dezelfde organisatie worden gecontroleerd.
+
+Bij sommige zelf gehoste berichten diensten kun je je eigen server opzetten. Zelf-hosting kan extra privacywaarborgen bieden, zoals geen gebruikslogs of beperkte toegang tot metadata (gegevens over wie met wie praat). Zelf gehoste gecentraliseerde berichten diensten zijn geïsoleerd en iedereen moet op dezelfde server zijn om te kunnen communiceren.
+
+**Voordelen:**
+
+- Nieuwe functies en veranderingen kunnen sneller worden doorgevoerd.
+- Gemakkelijker om mee te beginnen en om contacten te vinden.
+- De meeste volwassen en stabiele functies, ecosystemen, omdat ze gemakkelijker te programmeren zijn in een gecentraliseerde software.
+- Privacyproblemen kunnen worden verminderd wanneer je vertrouwt op een server die je zelf host.
+
+**Nadelen:**
+
+- Kan [beperkte controle of toegang](https://drewdevault.com/2018/08/08/Signal.html)omvatten. Dit kan dingen inhouden zoals:
+- Het is [verboden om clients van derden](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) aan te sluiten op het gecentraliseerde netwerk, wat zou kunnen zorgen voor meer maatwerk of een betere ervaring.
Vaak gedefinieerd in de gebruiksvoorwaarden.
+- Slechte of geen documentatie voor externe ontwikkelaars.
+- De [eigendom](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), het privacybeleid en de verrichtingen van de dienst kunnen gemakkelijk veranderen wanneer één enkele entiteit de dienst controleert, waardoor de dienst later in gevaar kan worden gebracht.
+- Zelf-hosting vergt inspanning en kennis van het opzetten van een dienst.
+
+## Gefedereerde netwerken
+
+![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left }
+
+Bij gefedereerde berichten diensten worden meerdere, onafhankelijke, gedecentraliseerde servers gebruikt die met elkaar kunnen praten (e-mail is een voorbeeld van een gefedereerde dienst). Federatie stelt systeembeheerders in staat hun eigen server te beheren en toch deel uit te maken van het grotere communicatienetwerk.
+
+Bij zelf-hosting kunnen leden van een federatieve server leden van andere servers ontdekken en met hen communiceren, hoewel sommige servers ervoor kunnen kiezen privé te blijven door niet-federated te zijn (bv. een werk team server).
+
+**Voordelen:**
+
+- Maakt een grotere controle over jouw eigen gegevens mogelijk wanneer je jouw eigen server gebruikt.
+- Hiermee kunt je kiezen aan wie je jouw gegevens toevertrouwt door te kiezen tussen meerdere "openbare" servers.
+- Staat vaak clients van derden toe die een meer native, aangepaste of toegankelijke ervaring kunnen bieden.
+- Bij serversoftware kan worden nagegaan of deze overeenkomt met de openbare broncode, ervan uitgaande dat je toegang hebt tot de server of dat je de persoon die dat heeft (bijvoorbeeld een familielid) vertrouwt.
+
+**Nadelen:**
+
+- Het toevoegen van nieuwe functies is ingewikkelder, omdat deze functies moeten worden gestandaardiseerd en getest om ervoor te zorgen dat ze werken met alle servers op het netwerk.
+
+- Door het vorige punt kunnen functies ontbreken, of onvolledig zijn of op onverwachte manieren werken in vergelijking met gecentraliseerde platforms, zoals het doorgeven van berichten wanneer zij offline zijn of het verwijderen van berichten.
+- Sommige metadata kunnen beschikbaar zijn (bv. informatie zoals "wie praat met wie", maar niet de eigenlijke berichtinhoud indien E2EE wordt gebruikt).
+- Voor federatieve servers is het over het algemeen nodig de beheerder van uw server te vertrouwen. Ze kunnen een hobbyist zijn of anderszins geen "beveiligingsprofessional", en dienen misschien geen standaarddocumenten in zoals een privacybeleid of servicevoorwaarden waarin staat hoe jouw gegevens worden gebruikt.
+- Serverbeheerders kiezen er soms voor andere servers te blokkeren, die een bron van ongemodereerd misbruik zijn of algemene regels van aanvaard gedrag overtreden. Dit zal jouw vermogen om te communiceren met leden van die servers belemmeren.
+
+## Peer-to-Peer netwerken
+
+![P2P-diagram](../assets/img/layout/network-distributed.svg){ align=left }
+
+P2P berichten diensten maken verbinding met een [gedistribueerd netwerk](https://en.wikipedia.org/wiki/Distributed_networking) van knooppunten om een bericht door te geven aan de ontvanger zonder een server van derden.
+
+Cliënten (peers) vinden elkaar meestal via een [gedistribueerd computernetwerk](https://en.wikipedia.org/wiki/Distributed_computing). Voorbeelden hiervan zijn [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), gebruikt door [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) en [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) bijvoorbeeld. Een andere benadering is op nabijheid gebaseerde netwerken, waarbij een verbinding tot stand wordt gebracht via WiFi of Bluetooth (bijvoorbeeld Briar of het [Scuttlebutt](https://www.scuttlebutt.nz) sociale netwerkprotocol).
+
+Zodra een peer via een van deze methoden een route naar zijn contactpersoon heeft gevonden, wordt een rechtstreekse verbinding tussen hen tot stand gebracht. Hoewel berichten meestal versleuteld zijn, kan een waarnemer toch de locatie en de identiteit van de verzender en de ontvanger afleiden.
+
+P2P-netwerken maken geen gebruik van servers, aangezien peers rechtstreeks met elkaar communiceren en dus niet zelf gehost kunnen worden. Sommige aanvullende diensten kunnen echter afhankelijk zijn van gecentraliseerde servers, zoals het ontdekken van gebruikers of het doorgeven van offline berichten, die baat kunnen hebben bij zelfhosting.
+
+**Voordelen:**
+
+- Er wordt zo min mogelijk informatie aan derden verstrekt.
+- Moderne P2P-platforms implementeren standaard E2EE. Er zijn geen servers die jouw transmissies kunnen onderscheppen en ontsleutelen, in tegenstelling tot gecentraliseerde en gefedereerde netwerken.
+
+**Nadelen:**
+
+- Beperkte functies:
+- Berichten kunnen alleen worden verzonden als beide peers online zijn, maar jouw cliënt kan berichten lokaal opslaan om te wachten tot de contactpersoon weer online is.
+- Verhoogt in het algemeen het batterijverbruik op mobiele toestellen, omdat de client verbonden moet blijven met het gedistribueerde netwerk om te weten te komen wie online is.
+- Sommige veelgebruikte messenger-functies zijn mogelijk niet of onvolledig geïmplementeerd, zoals het verwijderen van berichten.
+- Uw IP-adres en dat van de contacten waarmee je communiceert kunnen worden blootgesteld als je de software niet gebruikt in combinatie met een [VPN](../vpn.md) of [Tor](../tor.md). Veel landen kennen een vorm van massasurveillance en/of het bewaren van metadata.
+
+## Anonieme routering
+
+![Anoniem routeringsschema](../assets/img/layout/network-anonymous-routing.svg){ align=left }
+
+Een berichten diensten die gebruik maakt van [anonieme routering](https://doi.org/10.1007/978-1-4419-5906-5_628) verbergt de identiteit van de verzender, de ontvanger of het bewijs dat zij hebben gecommuniceerd. Idealiter zou een berichten diensten alle drie moeten verbergen.
+
+Er zijn [veel](https://doi.org/10.1145/3182658) verschillende manieren om anonieme routering te implementeren. Een van de bekendste is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (d.w.z. [Tor](tor-overview.md)), waarbij versleutelde berichten worden gecommuniceerd via een virtueel [overlay netwerk](https://en.wikipedia.org/wiki/Overlay_network) dat de locatie van elk knooppunt en de ontvanger en verzender van elk bericht verbergt. De verzender en de ontvanger hebben nooit rechtstreeks contact en ontmoeten elkaar alleen via een geheim rendez-vousknooppunt, zodat er geen IP-adressen of fysieke locatie uitlekken. Knooppunten kunnen berichten niet ontcijferen, noch de eindbestemming; alleen de ontvanger kan dat. Elk tussenliggend knooppunt kan slechts een deel decoderen dat aangeeft waar het nog versleutelde bericht naartoe moet, totdat het aankomt bij de ontvanger die het volledig kan decoderen, vandaar de "ui-lagen"
+
+Het zelf hosten van een knooppunt in een anoniem routenetwerk biedt de hoster geen extra privacyvoordelen, maar draagt bij tot de weerbaarheid van het hele netwerk tegen identificatieaanvallen, wat in ieders voordeel is.
+
+**Voordelen:**
+
+- Minimale tot geen informatie wordt blootgesteld aan andere partijen.
+- Berichten kunnen op gedecentraliseerde wijze worden doorgegeven, zelfs als een van de partijen offline is.
+
+**Nadelen:**
+
+- Trage verspreiding van berichten.
+- Vaak beperkt tot minder mediatypen, meestal tekst, omdat het netwerk traag is.
+- Minder betrouwbaar als de knooppunten worden geselecteerd door gerandomiseerde routering, kunnen sommige knooppunten zeer ver van de verzender en de ontvanger verwijderd zijn, waardoor vertraging optreedt of zelfs berichten niet worden verzonden als een van de knooppunten offline gaat.
+- Ingewikkelder om mee te beginnen omdat de creatie en beveiligde backup van een cryptografische private sleutel vereist is.
+- Net als bij andere gedecentraliseerde platforms is het toevoegen van functies ingewikkelder voor ontwikkelaars dan op een gecentraliseerd platform. Daarom kunnen functies ontbreken of onvolledig zijn geïmplementeerd, zoals het offline doorgeven van berichten of het verwijderen van berichten.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/advanced/dns-overview.md b/i18n/nl/advanced/dns-overview.md
new file mode 100644
index 00000000..4e9c6e38
--- /dev/null
+++ b/i18n/nl/advanced/dns-overview.md
@@ -0,0 +1,307 @@
+---
+title: "Inleiding tot DNS"
+icon: material/dns
+---
+
+Het [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is het "telefoonboek van het internet". DNS vertaalt domeinnamen naar IP-adressen zodat browsers en andere diensten internetbronnen kunnen laden, via een gedecentraliseerd netwerk van servers.
+
+## Wat is DNS?
+
+Wanneer je een website bezoekt, wordt een numeriek adres teruggezonden. Wanneer je bijvoorbeeld `privacyguides.org`bezoekt, wordt het adres `192.98.54.105` teruggezonden.
+
+DNS bestaat al sinds de [begindagen](https://en.wikipedia.org/wiki/Domain_Name_System#History) van het internet. DNS-verzoeken aan en van DNS-servers zijn **niet** over het algemeen versleuteld. In een residentiële omgeving krijgt een klant servers van de ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol).
+
+Onversleutelde DNS-verzoeken kunnen onderweg gemakkelijk worden **gesurveilleerd** en **gewijzigd**. In sommige delen van de wereld worden ISP's opgedragen primitieve [DNS-filters te gebruiken](https://en.wikipedia.org/wiki/DNS_blocking). Wanneer je het IP-adres opvraagt van een domein dat is geblokkeerd, antwoordt de server mogelijk niet of met een ander IP-adres. Aangezien het DNS-protocol niet versleuteld is, kan de ISP (of om het even welke netwerkexploitant) [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) gebruiken om verzoeken te controleren. ISP's kunnen ook verzoeken blokkeren op basis van gemeenschappelijke kenmerken, ongeacht welke DNS-server wordt gebruikt. Onversleutelde DNS gebruikt altijd [poort](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 en gebruikt altijd UDP.
+
+Hieronder bespreken we en geven we een tutorial om te bewijzen wat een externe waarnemer kan zien met gewone onversleutelde DNS en [versleutelde DNS](#what-is-encrypted-dns).
+
+### Onversleutelde DNS
+
+1. 
Met [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (onderdeel van het [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) kunnen we de internet packet flow monitoren en opnemen. Dit commando registreert pakketten die aan de gespecificeerde regels voldoen: + + ```bash + tshark -w /tmp/dns.pcap udp poort 53 en host 1.1.1.1 of host 8.8.8.8 + ``` + +2. We kunnen dan [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) of [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) gebruiken om de DNS lookup naar beide servers te sturen. Software zoals webbrowsers doen deze lookups automatisch, tenzij zij geconfigureerd zijn om gecodeerde DNS te gebruiken. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Vervolgens willen wij [analyseren](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) de resultaten: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +Als je het bovenstaande Wireshark-commando uitvoert, toont het bovenste deelvenster de "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", en het onderste deelvenster toont alle gegevens over het geselecteerde frame. Oplossingen voor bedrijfsfiltering en -monitoring (zoals die welke door overheden worden aangeschaft) kunnen dit proces automatisch uitvoeren, zonder menselijke tussenkomst, en kunnen deze frames samenvoegen tot statistische gegevens die nuttig zijn voor de netwerkwaarnemer. + +| Nee. 
| Tijd | Bron | Bestemming | Protocol | Lengte | Info |
+| ---- | -------- | --------- | ---------- | -------- | ------ | ----------------------------------------------------------------------- |
+| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standaard zoekopdracht 0x58ba A privacyguides.org OPT |
+| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standaard vraag antwoord 0x58ba A privacyguides.org A 198.98.54.105 OPT |
+| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standaard zoekopdracht 0xf1a9 A privacyguides.org OPT |
+| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standaard query-antwoord 0xf1a9 A privacyguides.org A 198.98.54.105 OPT |
+
+Een waarnemer kan elk van deze pakketten wijzigen.
+
+## Wat is "versleutelde DNS"?
+
+Versleutelde DNS kan verwijzen naar een van een aantal protocollen, waarvan de meest voorkomende zijn:
+
+### DNSCrypt
+
+[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was een van de eerste methoden om DNS-query's te versleutelen. DNSCrypt werkt op poort 443 en werkt met zowel de TCP- als de UDP-transportprotocollen. DNSCrypt is nooit ingediend bij de [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) en is ook nooit door het [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) proces gegaan, dus is het buiten een paar [implementaties nog niet op grote schaal gebruikt](https://dnscrypt.info/implementations). Als gevolg daarvan is het grotendeels vervangen door het meer populaire [DNS over HTTPS](#dns-over-https-doh).
+
+### DNS over TLS (DoT)
+
+[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is een andere methode voor het versleutelen van DNS-communicatie die is gedefinieerd in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858).
Ondersteuning werd voor het eerst geïmplementeerd in Android 9, iOS 14, en op Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in versie 237. De laatste jaren is de voorkeur in de sector verschoven van DoT naar DoH, omdat DoT een [complex protocol is](https://dnscrypt.info/faq/) en de naleving van de RFC in de bestaande implementaties varieert. DoT werkt ook op een speciale poort 853 die gemakkelijk kan worden geblokkeerd door restrictieve firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) zoals gedefinieerd in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) verpakt query's in het [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol en biedt beveiliging met HTTPS. Ondersteuning werd voor het eerst toegevoegd in webbrowsers zoals Firefox 60 en Chrome 83. + +Native implementatie van DoH dook op in iOS 14, macOS 11, Microsoft Windows, en Android 13 (het zal echter niet standaard worden ingeschakeld [](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). Algemene Linux desktop ondersteuning wacht op de systemd [implementatie](https://github.com/systemd/systemd/issues/8639) dus [het installeren van third-party software is nog steeds vereist](../dns.md#linux). + +## Wat kan een buitenstaander zien? + +In dit voorbeeld zullen we vastleggen wat er gebeurt als we een DoH-verzoek doen: + +1. Start eerst `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Ten tweede, doe een aanvraag met `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. Na het verzoek te hebben gedaan, kunnen we de packet capture stoppen met CTRL + C. + +4. 
Analyseer de resultaten in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We zien de [verbinding tot stand brengen](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) en [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) die bij elke versleutelde verbinding optreedt. Als we kijken naar de "toepassings gegevens" pakketten die volgen, bevat geen van hen het domein dat we hebben aangevraagd of het IP adres dat wordt teruggestuurd. + +## Waarom **zou ik geen** versleutelde DNS gebruiken? + +Op plaatsen waar internet wordt gefilterd (of gecensureerd), kan het bezoeken van verboden bronnen eigen gevolgen hebben waarmee je rekening moet houden in jouw [bedreigingsmodel](../basics/threat-modeling.md). Wij **niet** suggereren het gebruik van gecodeerde DNS voor dit doel. Gebruik in plaats daarvan [Tor](https://torproject.org) of een [VPN](../vpn.md). Als je een VPN gebruikt, moet je de DNS-servers van jouw VPN gebruiken. Wanneer je een VPN gebruikt, vertrouwt je hen al jouw netwerkactiviteiten toe. + +Wanneer we een DNS lookup doen, is dat meestal omdat we toegang willen tot een bron. Hieronder bespreken we enkele van de methoden die jouw surf-activiteiten kunnen onthullen, zelfs wanneer je versleutelde DNS gebruikt: + +### IP-adres + +De eenvoudigste manier om de surfactiviteit vast te stellen, is te kijken naar de IP-adressen waartoe jouw apparaten toegang hebben. Als de waarnemer bijvoorbeeld weet dat `privacyguides.org` op `198.98.54.105`staat, en jouw apparaat gegevens opvraagt van `198.98.54.105`, is de kans groot dat je Privacy Guides bezoekt. + +Deze methode is alleen nuttig wanneer het IP-adres toebehoort aan een server die slechts enkele websites host. Het is ook niet erg nuttig als de site wordt gehost op een gedeeld platform (bijv. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, enz). 
Het is ook niet erg nuttig als de server gehost wordt achter een [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), wat heel gebruikelijk is op het moderne Internet. + +### Server Naam Aanwijzing (SNA) + +Server Name Indication wordt meestal gebruikt wanneer een IP-adres veel websites host. Dit kan een dienst als Cloudflare zijn, of een andere [Denial-of-service-aanval](https://en.wikipedia.org/wiki/Denial-of-service_attack) bescherming. + +1. Begin opnieuw te vangen met `tshark`. We hebben een filter toegevoegd met ons IP adres zodat je niet veel pakketten opvangt: + + ```bash + tshark -w /tmp/pg.pcap poort 443 en host 198.98.54.105 + ``` + +2. Dan gaan we naar [https://privacyguides.org](https://privacyguides.org). + +3. Na het bezoek aan de website, willen we de packet capture stoppen met CTRL + C. + +4. Vervolgens willen we de resultaten analyseren: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We zullen de verbinding tot stand zien komen, gevolgd door de TLS handshake voor de Privacy Gidsen website. Rond frame 5. zie je een "Client Hello". + +5. Vouw de driehoek ▸ uit naast elk veld: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Uitbreiding: server_name (len=22) + ▸ Uitbreiding servernaam-aanduiding + ``` + +6. Wij kunnen de SNI-waarde zien die aangeeft welke website wij bezoeken. Het `tshark` commando kan je de waarde rechtstreeks geven voor alle pakketten die een SNI waarde bevatten: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +Dit betekent dat zelfs als we "Encrypted DNS" servers gebruiken, het domein waarschijnlijk zal worden onthuld via SNI. Het [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brengt het [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/) met zich mee, dat dit soort lekken voorkomt. 
+ +Regeringen, met name [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) en [Rusland](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), zijn al begonnen [met het blokkeren van](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) of hebben de wens geuit dit te doen. Onlangs is Rusland [begonnen met het blokkeren van buitenlandse websites](https://github.com/net4people/bbs/issues/108) die gebruik maken van de [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) norm. Dit komt doordat het [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol dat deel uitmaakt van HTTP/3 vereist dat `ClientHello` ook gecodeerd wordt. + +### Protocol voor onlinecertificaatstatus (PVOC/OCSP) + +Een andere manier waarop jouw browser jouw surfactiviteiten kan onthullen is met het [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). Wanneer je een HTTPS-website bezoekt, kan de browser controleren of het [-certificaat](https://en.wikipedia.org/wiki/Public_key_certificate) van de website is ingetrokken. Dit gebeurt over het algemeen via het HTTP-protocol, wat betekent dat het **niet** versleuteld is. + +Het OCSP-verzoek bevat het certificaat "[serienummer](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", dat uniek is. Het wordt naar de "OCSP responder" gezonden om de status ervan te controleren. + +We kunnen simuleren wat een browser zou doen met het [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) commando. + +1. Haal het server certificaat op en gebruik [`sed`](https://en.wikipedia.org/wiki/Sed) om alleen het belangrijke deel te bewaren en schrijf het uit naar een bestand: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Haal het tussenliggende certificaat op. 
[Certificaatautoriteiten (CA)](https://en.wikipedia.org/wiki/Certificate_authority) ondertekenen een certificaat gewoonlijk niet rechtstreeks; zij gebruiken een zogeheten "intermediair" certificaat.
+
+ ```bash
+ openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 |
+ sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert
+ ```
+
+3. Het eerste certificaat in `pg_and_intermediate.cert` is eigenlijk het servercertificaat uit stap 1. We kunnen `sed` opnieuw gebruiken om te wissen tot de eerste instantie van END:
+
+ ```bash
+ sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \
+ /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert
+ ```
+
+4. Haal de OCSP responder voor het server certificaat op:
+
+ ```bash
+ openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert
+ ```
+
+ Ons certificaat toont de Lets Encrypt certificaat responder. Als we alle details van het certificaat willen zien, kunnen we gebruik maken van:
+
+ ```bash
+ openssl x509 -text -noout -in /tmp/pg_server.cert
+ ```
+
+5. Start de pakketopname:
+
+ ```bash
+ tshark -w /tmp/pg_ocsp.pcap -f "tcp port http"
+ ```
+
+6. Doe het OCSP-verzoek:
+
+ ```bash
+ openssl ocsp -issuer /tmp/intermediate_chain.cert \
+ -cert /tmp/pg_server.cert \
+ -text \
+ -url http://r3.o.lencr.org
+ ```
+
+7. Open de opname:
+
+ ```bash
+ wireshark -r /tmp/pg_ocsp.pcap
+ ```
+
+ Er komen twee pakketten met het "OCSP"-protocol: een "Request" en een "Response". Voor de "Aanvraag" kunnen we het "serienummer" zien door het driehoekje ▸ naast elk veld uit te vouwen:
+
+ ```bash
+ ▸ Online Certificate Status Protocol
+ ▸ tbsRequest
+ ▸ requestList: 1 item
+ ▸ Verzoek
+ ▸ reqCert
+ serialNumber
+ ```
+
+ Voor de "Response" kunnen we ook het "serienummer" zien:
+
+ ```bash
+ ▸ Online Certificate Status Protocol
+ ▸ responseBytes
+ ▸ BasicOCSPResponse
+ ▸ tbsResponseData
+ ▸ antwoorden: 1 item
+ ▸ SingleResponse
+ ▸ certID
+ serialNumber
+ ```
+
+8. 
Of gebruik `tshark` om de pakketten te filteren op het Serienummer:
+
+ ```bash
+ tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber
+ ```
+
+Als de netwerkwaarnemer het publieke certificaat heeft, dat publiekelijk beschikbaar is, kunnen zij het serienummer met dat certificaat vergelijken en op basis daarvan de site bepalen die je bezoekt. Het proces kan worden geautomatiseerd en IP-adressen kunnen worden gekoppeld aan serienummers. Het is ook mogelijk om [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs te controleren op het serienummer.
+
+## Moet ik versleutelde DNS gebruiken?
+
+We hebben dit stroomschema gemaakt om te beschrijven wanneer u *versleutelde DNS zou moeten* gebruiken:
+
+``` mermaid
+grafiek TB
+ Start[Start] --> anoniem{Probeert
anoniem te zijn?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censuur --> | Ja | vpnOrTor(Gebruik
VPN of Tor) + censuur --> | Nee | privacy{Wil je privacy
van ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + onaangenaam --> | Yes | encryptedDNS(Gebruik
gecodeerde DNS
met derde partij) + onaangenaam --> | No | ispDNS{Doet ISP ondersteunen
gecodeerde DNS?} + ispDNS --> | Yes | useISP(Gebruik
gecodeerde DNS
met ISP)
+ ispDNS --> | No | nothing(Doe niets)
+```
+
+Versleutelde DNS met een derde partij mag alleen worden gebruikt om redirects en basis-DNS-blokkering van [te omzeilen](https://en.wikipedia.org/wiki/DNS_blocking) als je er zeker van kunt zijn dat er geen gevolgen zijn of als je geïnteresseerd bent in een provider die een aantal rudimentaire filters uitvoert.
+
+[Lijst van aanbevolen DNS-servers](../dns.md ""){.md-button}
+
+## Wat is DNSSEC?
+
+[DNSSEC (Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions)) is een functie van DNS waarmee reacties op domeinnaamzoekopdrachten worden geverifieerd. Het biedt geen bescherming van de privacy voor die lookups, maar voorkomt dat aanvallers de antwoorden op DNS-verzoeken manipuleren of vergiftigen.
+
+Met andere woorden, DNSSEC ondertekent gegevens digitaal om de geldigheid ervan te helpen garanderen. Om een veilige lookup te garanderen, vindt de ondertekening plaats op elk niveau in het DNS lookup-proces. Als gevolg daarvan kunnen alle antwoorden van DNS worden vertrouwd.
+
+Het DNSSEC-ondertekeningsproces is vergelijkbaar met iemand die een juridisch document met een pen ondertekent; die persoon ondertekent met een unieke handtekening die niemand anders kan maken, en een gerechtsdeskundige kan naar die handtekening kijken en verifiëren dat het document door die persoon is ondertekend. Deze digitale handtekeningen garanderen dat er niet met de gegevens is geknoeid.
+
+DNSSEC implementeert een hiërarchisch digitaal ondertekeningsbeleid over alle lagen van DNS. Bijvoorbeeld, in het geval van een `privacyguides.org` lookup, zou een root DNS-server een sleutel ondertekenen voor de `.org` nameserver, en de `.org` nameserver zou dan een sleutel ondertekenen voor `privacyguides.org`'s gezaghebbende nameserver. 
+
+Aangepast uit [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) van Google en [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) van Cloudflare, beide met een licentie onder [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/).
+
+## Wat is QNAME-minimalisatie?
+
+Een QNAME is een "gekwalificeerde naam", bijvoorbeeld `privacyguides.org`. QNAME-minimalisatie vermindert de hoeveelheid informatie die van de DNS-server naar de [authoratieve naamserver](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server) wordt gestuurd.
+
+In plaats van het hele domein `privacyguides.org` te sturen, betekent QNAME-minimalisatie dat de DNS-server alle records opvraagt die eindigen op `.org`. Een verdere technische beschrijving is te vinden in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
+
+## Wat is EDNS Client Subnet (ECS)?
+
+Het [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is een methode voor een recursieve DNS-oplosser om een [subnetwerk](https://en.wikipedia.org/wiki/Subnetwork) te specificeren voor de [host of client](https://en.wikipedia.org/wiki/Client_(computing)) die de DNS-query uitvoert.
+
+Het is bedoeld om de levering van gegevens te "versnellen" door de client een antwoord te geven dat toebehoort aan een server die zich dicht bij hem bevindt, zoals een [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), die vaak worden gebruikt bij videostreaming en het serveren van JavaScript-webapps.
+
+Deze functie gaat wel ten koste van de privacy, aangezien de DNS-server informatie krijgt over de locatie van de client.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/advanced/tor-overview.md b/i18n/nl/advanced/tor-overview.md
new file mode 100644
index 00000000..1b1d3612
--- /dev/null
+++ b/i18n/nl/advanced/tor-overview.md
@@ -0,0 +1,81 @@
+---
+title: "Tor Overzicht"
+icon: 'simple/torproject'
+---
+
+Tor is een gratis te gebruiken, gedecentraliseerd netwerk dat is ontworpen om het internet met zoveel mogelijk privacy te gebruiken. Bij correct gebruik maakt het netwerk privé en anoniem browsen en communicatie mogelijk.
+
+## Route opbouwen
+
+Tor werkt door jouw webverkeer te routeren via een netwerk dat bestaat uit duizenden vrijwillig gerunde servers die knooppunten (of nodes/relays) worden genoemd.
+
+Elke keer dat u verbinding maakt met Tor, kiest het drie knooppunten om een pad naar het internet te bouwen - dit pad wordt een "circuit" genoemd Elk van deze knooppunten heeft zijn eigen functie: Elk van deze knooppunten heeft zijn eigen functie:
+
+### De Entry Node
+
+De entry node, vaak de guard node genoemd, is het eerste knooppunt waarmee uw Tor-client verbinding maakt. De entry node kan uw IP-adres zien, maar het kan niet zien waarmee u verbinding maakt.
+
+In tegenstelling tot de andere nodes, zal de Tor client willekeurig een entry node kiezen en deze twee tot drie maanden aanhouden om je te beschermen tegen bepaalde aanvallen.[^1]
+
+### De Middle Node
+
+De Middle node is het tweede knooppunt waarmee je Tor client verbinding maakt. Het kan zien van welk knooppunt het verkeer afkomstig is - de entry node - en naar welk knooppunt het vervolgens gaat. De middle node kan jouw IP-adres of het domein waarmee je verbinding maakt niet zien.
+
+Voor elk nieuw circuit wordt de middle node willekeurig gekozen uit alle beschikbare Tor-knooppunten.
+
+### De Exit Node
+
+De exit node is het punt waar je webverkeer het Tor netwerk verlaat en wordt doorgestuurd naar de gewenste bestemming. De exit node kan jouw IP-adres niet zien, maar weet wel met welke site hij verbinding maakt.
+
+De exit node wordt willekeurig gekozen uit alle beschikbare Tor-knooppunten met een exit-relaisvlag.[^2]
+
+
+ ![Tor-pad](../assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor-pad](../assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+
Tor-circuitpad
+
+
+## Encryptie
+
+Tor versleutelt elk netwerk pakket ( in een blok verzonden gegevens) drie keer met de sleutels van het Exit-, middle- en entry node- in die volgorde.
+
+Zodra Tor een circuit heeft gebouwd, verloopt de gegevensoverdracht als volgt:
+
+1. Ten eerste: wanneer het pakket bij het entry node aankomt, wordt de eerste encryptielaag verwijderd. In dit versleutelde pakket vindt de entry een ander versleuteld pakket met het adres van de middle node. De entry node stuurt het pakket dan door naar de middle node.
+
+2. Ten tweede: wanneer de middle node het pakket van de entr node ontvangt, verwijdert het ook een versleutelingslaag met zijn sleutel, en vindt ditmaal een versleuteld pakket met het adres van de exit node. De middle node stuurt het pakket dan door naar de exit node.
+
+3. Ten slotte: wanneer de exit node zijn pakket ontvangt, verwijdert het de laatste versleutelingslaag met zijn sleutel. De exit node ziet hierna bestemmingsadres en stuurt het pakket door naar dat adres.
+
+Hieronder staat een alternatief schema dat het proces weergeeft. Elke node verwijdert zijn eigen versleutelings laag, en wanneer de bestemmings server gegevens terugstuurt, gebeurt hetzelfde proces volledig in omgekeerde richting. Zo weet de exit node niet wie je bent, maar wel van welk knooppunt het afkomstig is, en dus voegt het zijn eigen versleutelings laag toe en stuurt het het terug.
+
+
+ Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light)
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark)
+
Gegevens verzenden en ontvangen via het Tor Netwerk
+
+
+Met Tor kunnen we verbinding maken met een server zonder dat een enkele partij het hele pad kent. De entry node weet wie je bent, maar niet waar je naartoe gaat; De middle node weet niet wie je bent of waar je naartoe gaat; en de exit node weet waar je naartoe gaat, maar niet wie je bent. Omdat de exit node de uiteindelijke verbinding maakt, zal de bestemmingsserver nooit jouw IP-adres kennen.
+
+## Opmerkingen
+
+Hoewel Tor sterke privacygaranties biedt, moet men beseffen dat Tor niet perfect is:
+
+- Goed gefinancierde tegenstanders met de mogelijkheid om passief het meeste netwerkverkeer over de hele wereld te bekijken, hebben een kans om Tor-gebruikers te deanonimiseren door middel van geavanceerde verkeersanalyse. Tor beschermt je ook niet tegen het per ongeluk blootstellen van jezelf, bijvoorbeeld als je te veel informatie over je echte identiteit deelt.
+- Tor exit nodes kunnen ook het verkeer controleren dat via hen verloopt. Dit betekent dat verkeer dat niet versleuteld is, zoals gewoon HTTP-verkeer, kan worden geregistreerd en gecontroleerd. Als dergelijk verkeer persoonlijk identificeerbare informatie bevat, kan het u deanonimiseren tot dat exit-knooppunt. Daarom raden wij aan waar mogelijk HTTPS over Tor te gebruiken.
+
+Als je Tor wilt gebruiken om op het web te surfen, raden we alleen de **officiële** Tor Browser aan - deze is ontworpen om vingerafdrukken te voorkomen.
+
+- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser)
+
+## Extra bronnen
+
+- [Tor Browser Gebruikershandleiding](https://tb-manual.torproject.org)
+- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube)
+- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube)
+
+--8<-- "includes/abbreviations.nl.txt"
+
+[^1]: De entry node in jouw circuit wordt een "bewaker" of "Guard" genoemd. 
Het is een snel en stabiel node dat gedurende 2-3 maanden de eerste blijft in jouw circuit, ter bescherming tegen een bekende anonimiteitsdoorbrekende aanval. De rest van je circuit verandert bij elke nieuwe website die je bezoekt, en alles bij elkaar bieden deze relays de volledige privacybescherming van Tor. Voor meer informatie over de werking van guard nodes, zie deze [blogpost](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) en [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) over inloopbeveiliging. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+[^2]: Relaysvlag: een speciale (dis-)kwalificatie van relais voor circuitposities (bijvoorbeeld "Guard", "Exit", "BadExit"), circuiteigenschappen (bijvoorbeeld "Fast", "Stable"), of rollen (bijvoorbeeld "Authority", "HSDir"), zoals toegewezen door de directory-autoriteiten en nader gedefinieerd in de specificatie van het directory-protocol. ([https://metrics.torproject.org/glossary.html/](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/nl/android.md b/i18n/nl/android.md
new file mode 100644
index 00000000..f4d7140c
--- /dev/null
+++ b/i18n/nl/android.md
@@ -0,0 +1,353 @@
+---
+title: "Android"
+icon: 'simple/android'
+---
+
+![Android logo](assets/img/android/android.svg){ align=right }
+
+Het **Android Open Source Project** is een open-source mobiel besturingssysteem onder leiding van Google dat de meerderheid van de mobiele apparaten van de wereld aandrijft. De meeste telefoons die met Android worden verkocht zijn aangepast om invasieve integraties en apps zoals Google Play Services op te nemen, dus je kunt jouw privacy op jouw mobiele apparaat aanzienlijk verbeteren door de standaardinstallatie van jouw telefoon te vervangen door een versie van Android zonder deze invasieve functies.
+
+[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage }
+[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentatie}
+[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Broncode" }
+
+Dit zijn de Android-besturingssystemen, apparaten en apps die wij aanbevelen om de beveiliging en privacy van jouw mobiele apparaat te maximaliseren. aanbeveling
+
+- [Algemeen Android-overzicht en -aanbevelingen :material-arrow-right-drop-circle:](os/android-overview.md)
+- [Waarom we GrapheneOS aanbevelen boven CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+
+## AOSP-derivaten
+
+Wij raden je aan een van deze aangepaste Android-besturingssystemen op jouw toestel te installeren, in volgorde van voorkeur, afhankelijk van de compatibiliteit van jouw toestel met deze besturingssystemen.
+
+!!! note
+
+ End-of-life apparaten (zoals GrapheneOS of CalyxOS's apparaten met "uitgebreide ondersteuning") beschikken niet over volledige beveiligingspatches (firmware-updates) omdat de OEM de ondersteuning heeft stopgezet. Deze apparaten kunnen niet als volledig veilig worden beschouwd, ongeacht de geïnstalleerde software.
+
+### GrapheneOS
+
+!!! 
recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is de beste keuze als het gaat om privacy en veiligheid. + + GrapheneOS biedt extra [beveiligingsversteviging](https://en.wikipedia.org/wiki/Hardening_(computing)) en privacyverbeteringen. Het heeft een [geharde geheugentoewijzer](https://github.com/GrapheneOS/hardened_malloc), netwerk- en sensormachtigingen, en diverse andere [beveiligingskenmerken](https://grapheneos.org/features). GrapheneOS wordt ook geleverd met volledige firmware-updates en ondertekende builds, dus geverifieerd opstarten wordt volledig ondersteund. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentatie} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Broncode" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Bijdragen } + +DivestOS heeft geautomatiseerde kernel kwetsbaarheden ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), minder eigen blobs, een aangepaste [hosts](https://divested.dev/index.php?page=dnsbl) bestand, en [F-Droid](https://www.f-droid.org) als de app store. Zijn geharde WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), maakt [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) mogelijk voor alle architecturen en [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), en ontvangt out-of-band updates. + +Google Pixel-telefoons zijn de enige apparaten die momenteel voldoen aan GrapheneOS's [hardware beveiligingseisen](https://grapheneos.org/faq#device-support). 
+ +### DivestOS + +!!! recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is een soft-fork van [LineageOS](https://lineageos.org/). + DivestOS erft veel [ondersteunde apparaten](https://divestos.org/index.php?page=devices&base=LineageOS) van LineageOS. Het heeft ondertekende builds, waardoor het mogelijk is om [geverifieerde boot](https://source.android.com/security/verifiedboot) te hebben op sommige niet-Pixel apparaten. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Broncode" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Bijdragen } + +DivestOS heeft geautomatiseerde kernel kwetsbaarheden ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), minder propriëtaire blobs, en een aangepaste [hosts](https://divested.dev/index.php?page=dnsbl) bestand. waarschuwing DivestOS bevat ook kernelpatches van GrapheneOS en schakelt alle beschikbare kernelbeveiligingsfuncties in via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). Alle kernels nieuwer dan versie 3.4 bevatten volledige pagina [sanitization](https://lwn.net/Articles/334747/) en alle ~22 Clang-gecompileerde kernels hebben [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) ingeschakeld. + +DivestOS implementeert enkele systeemhardingspatches die oorspronkelijk voor GrapheneOS zijn ontwikkeld. 
De software en firmware van mobiele toestellen worden slechts een beperkte tijd ondersteund, dus door nieuw te kopen wordt die levensduur zoveel mogelijk verlengd. 17.1 en hoger bevat GrapheneOS's per-netwerk volledige [MAC randomisatie](https://en.wikipedia.org/wiki/MAC_address#Randomization) optie, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) controle, en automatische reboot/Wi-Fi/Bluetooth [timeout opties](https://grapheneos.org/features). + +CalyxOS bevat optioneel [microG](https://microg.org/), een gedeeltelijk open-source herimplementatie van Play Services die een bredere app compatibiliteit biedt. Het bundelt ook alternatieve locatiediensten: [Mozilla](https://location.services.mozilla.com/) en [DejaVu](https://github.com/n76/DejaVu). Op DivestOS is dat echter niet mogelijk; de ontwikkelaars werken hun apps bij via hun eigen F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) en [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). Wij raden aan de officiële F-Droid app uit te schakelen en [Neo Store](https://github.com/NeoApplications/Neo-Store/) te gebruiken met de DivestOS repositories ingeschakeld om die componenten up-to-date te houden. Voor andere apps gelden nog steeds onze aanbevolen methoden om ze te verkrijgen. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) en kwaliteitscontrole varieert tussen de apparaten die het ondersteunt. We raden nog steeds GrapheneOS aan, afhankelijk van de compatibiliteit van uw toestel. Voor andere apparaten is DivestOS een goed alternatief. + + Niet alle ondersteunde apparaten hebben geverifieerde boot, en sommige doen het beter dan andere. 
+ +## Android-apparaten + +Wanneer je een apparaat koopt, raden wij je aan er een zo nieuw als mogelijk te kopen. De software en firmware van mobiele apparaten worden slechts een beperkte tijd ondersteund, dus door nieuw te kopen wordt die levensduur zoveel mogelijk verlengd. + +Vermijd het kopen van telefoons van mobiele netwerkoperatoren. Deze hebben vaak een **vergrendelde bootloader** en bieden geen ondersteuning voor [OEM-ontgrendeling](https://source.android.com/devices/bootloader/locking_unlocking). Deze telefoonvarianten voorkomen dat je enige vorm van alternatieve Android-distributie installeert. + +Wees zeer **voorzichtig** met het kopen van tweedehands telefoons van online marktplaatsen. Controleer altijd de reputatie van de verkoper. Als het apparaat is gestolen, is het mogelijk [IMEI geblacklist](https://www.gsma.com/security/resources/imei-blacklisting/) is. Er is ook een risico dat je in verband wordt gebracht met de activiteiten van de vorige eigenaar. + +Nog een paar tips met betrekking tot Android toestellen en compatibiliteit van het besturingssysteem: + +- Koop geen apparaten die het einde van hun levensduur hebben bereikt of bijna hebben bereikt, de fabrikant moet voor extra firmware-updates zorgen. +- Koop geen voorgeladen LineageOS of /e/ OS telefoons of Android telefoons zonder de juiste [Verified Boot](https://source.android.com/security/verifiedboot) ondersteuning en firmware updates. Deze apparaten hebben ook geen manier om te controleren of er mee geknoeid is. +- Kortom, als een toestel of Android-distributie hier niet vermeld staat, is daar waarschijnlijk een goede reden voor. Kijk op ons [forum](https://discuss.privacyguides.net/) voor meer details! + +### Google Pixel + +Google Pixel-telefoons zijn de **enige** toestellen die we aanraden om te kopen. 
Pixel-telefoons hebben een sterkere hardwarebeveiliging dan alle andere Android-toestellen die momenteel op de markt zijn, dankzij de juiste AVB-ondersteuning voor besturingssystemen van derden en Google's aangepaste [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) -beveiligingschips die functioneren als het Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel**-apparaten staan bekend om hun goede beveiliging en goede ondersteuning van [Verified Boot](https://source.android.com/security/verifiedboot), zelfs bij het installeren van aangepaste besturingssystemen. + + Vanaf de **Pixel 6** en **6 Pro** krijgen Pixel-apparaten minimaal 5 jaar lang gegarandeerde beveiligingsupdates, wat een veel langere levensduur garandeert dan de 2-4 jaar die concurrerende OEM's doorgaans bieden. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements zoals de Titan M2 zijn beperkter dan de Trusted Execution Environment van de processor die door de meeste andere telefoons gebruikt wordt, omdat ze alleen gebruikt worden voor geheimen opslag, hardware attestatie, en snelheidsbeperking van het invoeren van wachtwoorden, niet voor het draaien van "vertrouwde" programma's. Telefoons zonder een Secure Element moeten de TEE gebruiken voor *alle* van die functies, wat resulteert in een groter aanvalsoppervlak. + +Google Pixel-telefoons gebruiken een TEE OS genaamd Trusty dat [open-source](https://source.android.com/security/trusty#whyTrusty)is, in tegenstelling tot veel andere telefoons. + +De installatie van GrapheneOS op een Pixel telefoon is eenvoudig met hun [web installer](https://grapheneos.org/install/web). Als je zich niet op jouw gemak voelt om het zelf te doen en bereid bent om een beetje extra geld uit te geven, kijk dan eens naar de [NitroPhone](https://shop.nitrokey.com/shop). 
Deze zijn voorgeladen met GrapheneOS van het gerenommeerde bedrijf [Nitrokey](https://www.nitrokey.com/about). + +Nog een paar tips voor de aanschaf van een Google Pixel: + +- Als je op zoek bent naar een koopje voor een Pixel-toestel, raden wij je aan een "**a**"-model te kopen, net nadat het volgende vlaggenschip is uitgebracht. Kortingen zijn meestal beschikbaar omdat Google zal proberen om hun voorraad op te ruimen. +- Overweeg de mogelijkheden om de prijzen te verlagen en de speciale aanbiedingen van de fysieke winkels. +- Kijk naar online naar de koopjes sites in jouw land. Deze kunnen je waarschuwen voor goede uitverkopen. +- Google geeft een lijst met de [ondersteuningscyclus](https://support.google.com/nexus/answer/4457705) voor elk van hun toestellen. De prijs per dag voor een apparaat kan worden berekend als: $\text{Kosten} \over \text {Datum einde levensduur}-\text{Huidige datum}$, wat betekent dat hoe langer het apparaat wordt gebruikt, hoe lager de kosten per dag zijn. + +## Algemene toepassingen + +De volgende OEM's worden alleen genoemd omdat zij telefoons hebben die compatibel zijn met de door ons aanbevolen besturingssystemen. Als je een nieuw toestel koopt, raden we alleen aan om een Google Pixel te kopen. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is een app waarmee je gebruik kunt maken van de functie Werkprofiel van Android om apps op uw apparaat te isoleren of te dupliceren. + + Shelter ondersteunt het blokkeren van het zoeken naar contacten tussen profielen en het delen van bestanden tussen profielen via de standaard bestandsbeheerder ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). 
+ + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter wordt aanbevolen boven [Insular](https://secure-system.gitlab.io/Insular/) en [Island](https://github.com/oasisfeng/island) omdat het [blokkeren van contact zoeken](https://secure-system.gitlab.io/Insular/faq.html) ondersteunt. + + Wanneer je Shelter gebruikt, stelt je jouw volledige vertrouwen in de ontwikkelaar, aangezien Shelter optreedt als [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) voor het werkprofiel en uitgebreide toegang heeft tot de gegevens die erin zijn opgeslagen. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is een app die hardwarebeveiligingsfuncties gebruikt om de integriteit van het apparaat te bewaken voor [ondersteunde apparaten](https://attestation.app/about#device-support). Momenteel werkt het alleen met GrapheneOS en het standaard besturingssysteem van het toestel. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentatie} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Broncode" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Bijdragen } + + ??? 
downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor voert attest en inbraakdetectie uit door: + +- Door gebruik te maken van een [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model tussen een *auditor* en *audittee*, stelt het paar een private sleutel op in de [hardwaregebaseerde sleutelbewaarplaats](https://source.android.com/security/keystore/) van de *auditor*. +- De *auditor* kan een ander exemplaar van de Auditor app zijn of de [Remote Attestation Service](https://attestation.app). +- De *auditor* registreert de huidige toestand en configuratie van de *auditee*. +- Mocht er met het besturingssysteem van de *auditee worden geknoeid* nadat de koppeling is voltooid, dan zal de auditor op de hoogte zijn van de verandering in de toestand en de configuraties van het apparaat. +- U zult op de hoogte worden gebracht van de wijziging. + +Er wordt geen persoonlijk identificeerbare informatie aan de attestatiedienst verstrekt. Wij raden je aan je aan te melden met een anonieme account en attestatie op afstand in te schakelen voor voortdurende controle. + +Als jouw [bedreigingsmodel](basics/threat-modeling.md) privacy vereist, kunt je overwegen [Orbot](tor.md#orbot) of een VPN te gebruiken om jouw IP-adres voor de attestatiedienst te verbergen. Om er zeker van te zijn dat jouw hardware en besturingssysteem echt zijn, voert [onmiddellijk na de installatie van het apparaat en vóór elke internetverbinding een lokale attestatie uit:](https://grapheneos.org/install/web#verifying-installation). + +### Secure Camera + +!!! 
recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is een camera-app gericht op privacy en veiligheid die afbeeldingen, video's en QR-codes kan vastleggen. De uitbreidingen van CameraX (Portret, HDR, Nachtzicht, Gezichtsretouche en Auto) worden ook ondersteund op beschikbare toestellen. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Broncode" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Bijdrage leveren } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +De belangrijkste privacyfuncties zijn: + +- Automatisch verwijderen van [Exif](https://en.wikipedia.org/wiki/Exif) metadata (standaard ingeschakeld) +- Gebruik van de nieuwe [Media](https://developer.android.com/training/data-storage/shared/media) API, daarom zijn [opslagmachtigingen](https://developer.android.com/training/data-storage) niet vereist +- Microfoontoestemming niet vereist, tenzij u geluid wilt opnemen + +!!! note + + Metadata worden momenteel niet verwijderd uit videobestanden, maar dat is wel de bedoeling. + + De metadata over de beeldoriëntatie worden niet gewist. Als je gps locatie inschakelt (in Secure camera), wordt deze **niet** verwijderd. Als je dat later wilt verwijderen moet je een externe app gebruiken zoals [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! 
recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is een PDF-viewer gebaseerd op [pdf.js](https://en.wikipedia.org/wiki/PDF.js) die geen rechten vereist. De PDF wordt ingevoerd in een [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_ontwikkeling)) [webview](https://developer.android.com/guide/webapps/webview). Dit betekent dat er niet direct toestemming nodig is om toegang te krijgen tot inhoud of bestanden. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) wordt gebruikt om af te dwingen dat de JavaScript en styling eigenschappen binnen het WebView volledig statische inhoud zijn. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Het verkrijgen van Applicaties + +### GrapheneOS App Store + +De app store van GrapheneOS is beschikbaar op [GitHub](https://github.com/GrapheneOS/Apps/releases). Het ondersteunt Android 12 en hoger en is in staat om zichzelf te updaten. De app store heeft standalone applicaties gebouwd door het GrapheneOS project zoals de [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), en [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). 
Als je op zoek bent naar deze applicaties, raden wij je ten zeerste aan ze te halen uit de app-winkel van GrapheneOS in plaats van de Play Store, omdat de apps in hun winkel zijn ondertekend door de eigen handtekening van het GrapheneOS-project waar Google geen toegang toe heeft. + +### Aurora Store + +De Google Play Store vereist een Google-account om in te loggen, wat de privacy niet ten goede komt. U kunt dit omzeilen door een alternatieve client te gebruiken, zoals Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is een Google Play Store-client waarvoor geen Google-account, Google Play Services of microG nodig is om apps te downloaden. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Met de Aurora Store kun je geen betaalde apps downloaden met hun anonieme accountfunctie. Je kunt optioneel inloggen met jouw Google-account bij de Aurora Store om apps te downloaden die je hebt gekocht, waardoor Google toegang krijgt tot de lijst van apps die je hebt geïnstalleerd, maar je profiteert nog steeds van het feit dat je niet de volledige Google Play-client en Google Play Services of microG op jouw toestel nodig hebt. + +### Handmatig met RSS-meldingen + +Voor apps die worden uitgebracht op platforms als GitHub en GitLab, kun je misschien een RSS-feed toevoegen aan je [nieuwsaggregator](/news-aggregators) waarmee je nieuwe releases kunt volgen. 
+ +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK wijzigingen](./assets/img/android/rss-changes-light.png#only-light) ![APK wijzigingen](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +Op GitHub, met [Secure Camera](#secure-camera) als voorbeeld, zou je navigeren naar de [release pagina](https://github.com/GrapheneOS/Camera/releases) en `.atom` toevoegen aan de URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### Gitlab + +Op GitLab, met [Aurora Store](#aurora-store) als voorbeeld, zou je naar zijn [project repository](https://gitlab.com/AuroraOSS/AuroraStore) navigeren en `/-/tags?format=atom` aan de URL toevoegen: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifiëren van APK vingerafdrukken + +Als u APK-bestanden downloadt om handmatig te installeren, kunt je hun handtekening verifiëren met de tool [`apksigner`](https://developer.android.com/studio/command-line/apksigner), die deel uitmaakt van Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Installeer [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download de [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Pak het gedownloade archief uit: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Voer het handtekening verificatie commando uit: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. De resulterende hashes kunnen dan worden vergeleken met een andere bron. Sommige ontwikkelaars zoals Signal [tonen de vingerafdrukken](https://signal.org/android/apk/) op hun website. 
+ + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We raden **momenteel niet** F-Droid aan als een manier om apps te verkrijgen.== F-Droid wordt vaak aanbevolen als alternatief voor Google Play, vooral in de privacygemeenschap. De optie om repositories van derden toe te voegen en niet beperkt te zijn tot het ecosysteem van Google heeft geleid tot de populariteit. F-Droid heeft bovendien [reproduceerbare builds](https://f-droid.org/en/docs/Reproducible_Builds/) voor sommige toepassingen en zet zich in voor vrije en open-source software. Er zijn echter [opmerkelijke problemen](https://privsec.dev/posts/android/f-droid-security-issues/) met de officiële F-Droid-client, hun kwaliteitscontrole en hoe ze pakketten bouwen, ondertekenen en leveren. + +Vanwege hun proces van het bouwen van apps lopen apps in de officiële F-Droid-repository vaak achter op updates. F-Droid maintainers hergebruiken ook pakket-ID's tijdens het ondertekenen van apps met hun eigen sleutels, wat niet ideaal is omdat het F-Droid team dan het ultieme vertrouwen krijgt. + +Andere populaire repositories van derden zoals [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) verlichten enkele van deze zorgen. De IzzyOnDroid repository haalt builds rechtstreeks van GitHub en is het op één na beste optie naast het direct downloaden vanaf de eigen repositories van de ontwikkelaars. Het is echter niet iets dat we kunnen aanbevelen, aangezien apps meestal [worden verwijderd](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) van die respository wanneer ze in de hoofdrepository van F-Droid terechtkomen. 
Hoewel dat logisch is (omdat het doel van die specifieke repository is om apps te hosten voordat ze worden geaccepteerd in de belangrijkste F-Droid-repository), kan het je achterlaten met geïnstalleerde apps die niet langer updates ontvangen. + +Dat gezegd zijnde, de [F-Droid](https://f-droid.org/en/packages/) en [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories zijn de thuisbasis van talloze apps, dus ze kunnen een nuttig hulpmiddel zijn om open-source apps te zoeken en te ontdekken die je vervolgens kunt downloaden via Play Store, Aurora Store, of door het verkrijgen van de APK rechtstreeks van de ontwikkelaar. Het is belangrijk om in gedachten te houden dat sommige apps in deze repositories al jaren niet zijn bijgewerkt en mogelijk afhankelijk zijn van niet-ondersteunde bibliotheken, onder andere, die een potentieel beveiligingsrisico vormen. Je moet jouw beste oordeel gebruiken bij het zoeken naar nieuwe apps via deze methode. + +!!! note + + In sommige zeldzame gevallen verspreidt de ontwikkelaar van een app deze alleen via F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is hier een voorbeeld van). Als je echt zo'n app nodig hebt, raden we je aan de [Neo Store](https://github.com/NeoApplications/Neo-Store/) te gebruiken in plaats van de officiële F-Droid app om hem te verkrijgen. + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. 
Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering.
+
+### Besturingssystemen
+
+- Moet open-source software zijn.
+- Moet bootloadervergrendeling met aangepaste AVB-sleutel ondersteunen.
+- Moet belangrijke Android-updates ontvangen binnen 0-1 maanden na de release.
+- Moet binnen 0-14 dagen na release Android feature updates (minor versie) ontvangen.
+- Moet regelmatige beveiligingspatches ontvangen binnen 0-5 dagen na vrijgave.
+- Moet **niet** standaard "geroot" zijn uit de doos.
+- Moet **niet** standaard Google Play Services inschakelen.
+- Moet **niet** systeemaanpassing vereisen om Google Play Services te ondersteunen.
+
+### Apparaten
+
+- Moet ten minste één van onze aanbevolen aangepaste besturingssystemen ondersteunen.
+- Moet momenteel nieuw in de winkel worden verkocht.
+- Moet minimaal 5 jaar beveiligingsupdates ontvangen.
+- Moet beschikken over speciale hardware voor secure elements.
+
+### Applicaties
+
+- Toepassingen op deze pagina mogen niet van toepassing zijn op andere softwarecategorieën op de site.
+- Algemene toepassingen moeten de kernfunctionaliteit van het systeem uitbreiden of vervangen.
+- Toepassingen moeten regelmatig worden bijgewerkt en onderhouden.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/assets/img/account-deletion/exposed_passwords.png b/i18n/nl/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/nl/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/nl/assets/img/android/rss-apk-dark.png b/i18n/nl/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/nl/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/nl/assets/img/android/rss-apk-light.png b/i18n/nl/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/nl/assets/img/android/rss-apk-light.png differ diff --git a/i18n/nl/assets/img/android/rss-changes-dark.png b/i18n/nl/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/nl/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/nl/assets/img/android/rss-changes-light.png b/i18n/nl/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/nl/assets/img/android/rss-changes-light.png differ diff --git a/i18n/nl/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/nl/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..26731ca9 --- /dev/null +++ b/i18n/nl/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Jouw + + apparaat + + + + Gegevens verzenden naar een website + + + + + Gegevens ontvangen van een website + + + + + Jouw + + apparaat + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/nl/assets/img/how-tor-works/tor-encryption.svg b/i18n/nl/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..ab2c4b1e --- /dev/null +++ b/i18n/nl/assets/img/how-tor-works/tor-encryption.svg 
@@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Jouw + + apparaat + + + + Gegevens verzenden naar een website + + + + + Gegevens ontvangen van een website + + + + + Jouw + + apparaat + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/nl/assets/img/how-tor-works/tor-path-dark.svg b/i18n/nl/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..782897a2 --- /dev/null +++ b/i18n/nl/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Jouw + apparaat + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/nl/assets/img/how-tor-works/tor-path.svg b/i18n/nl/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..200c9a5d --- /dev/null +++ b/i18n/nl/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Jouw + apparaat + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/nl/assets/img/multi-factor-authentication/fido.png b/i18n/nl/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/nl/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/nl/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/nl/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/nl/assets/img/multi-factor-authentication/yubico-otp.png differ 
diff --git a/i18n/nl/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/nl/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/nl/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/nl/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/nl/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/nl/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/nl/basics/account-creation.md b/i18n/nl/basics/account-creation.md new file mode 100644 index 00000000..93002d83 --- /dev/null +++ b/i18n/nl/basics/account-creation.md 
@@ -0,0 +1,82 @@
+---
+title: "Het aanmaken van accounts"
+icon: 'material/account-plus'
+---
+
+Vaak melden mensen zich aan voor diensten zonder na te denken. Misschien is het een streamingdienst zodat je die nieuwe show kunt bekijken waar iedereen het over heeft, of een account waarmee je korting krijgt op uw favoriete fastfood zaak. Wat het geval ook is, je moet nu en later rekening houden met de implicaties voor jouw gegevens.
+
+Aan elke nieuwe dienst die je gebruikt, zijn risico's verbonden. Datalekken; onthulling van klanteninformatie aan derden; malafide werknemers die toegang krijgen tot gegevens; het zijn allemaal mogelijkheden die moeten worden overwogen wanneer je jouw informatie verstrekt. Je moet er zeker van zijn dat je de service kunt vertrouwen, daarom raden we niet aan om waardevolle gegevens op te slaan over iets anders dan de meest volwassen en stressgeteste producten. Dat betekent meestal diensten die end-to-end encryptie leveren en een cryptografische audit hebben ondergaan. Een audit vergroot de zekerheid dat het product is ontworpen zonder opvallende beveiligingsproblemen die zijn veroorzaakt door een onervaren ontwikkelaar.
+
+Bij sommige diensten kan het ook moeilijk zijn om de accounts te verwijderen. Soms kan [gegevens overschrijven](account-deletion.md#overwriting-account-information) die aan een account zijn gekoppeld, maar in andere gevallen bewaart de dienst een hele geschiedenis van wijzigingen in de account.
+
+## Servicevoorwaarden en Privacybeleid
+
+De ToS zijn de regels waarmee je akkoord gaat wanneer je de dienst gebruikt. Bij grotere diensten worden deze regels vaak afgedwongen door geautomatiseerde systemen. Soms kunnen deze geautomatiseerde systemen fouten maken. Je kunt bijvoorbeeld bij sommige diensten worden verbannen of uitgesloten van jouw account omdat je een VPN- of VOIP-nummer gebruikt. 
Een beroep doen op een dergelijke verbanning is vaak moeilijk en omvat ook een geautomatiseerd proces, wat niet altijd succesvol is. Dit is een van de redenen waarom wij bijvoorbeeld niet aanraden Gmail als e-mail te gebruiken. E-mail is cruciaal voor de toegang tot andere diensten waarvoor je zich misschien hebt aangemeld.
+
+Het privacybeleid is hoe de service zegt dat ze jouw gegevens zullen gebruiken en het is de moeite waard om te lezen, zodat je begrijpt hoe jouw gegevens zullen worden gebruikt. Een bedrijf of organisatie is mogelijk niet wettelijk verplicht om alles wat in het beleid staat te volgen (het hangt af van de jurisdictie). We raden je aan om een idee te hebben van wat je lokale wetten zijn en wat ze een provider toestaan om te verzamelen.
+
+Wij raden je aan te zoeken naar bepaalde termen zoals "gegevensverzameling", "gegevensanalyse", "cookies", "advertenties" of "diensten van derden". Soms kunt je je afmelden voor het verzamelen van gegevens of voor het delen van jouw gegevens, maar het is het beste om een dienst te kiezen die jouw privacy vanaf het begin respecteert.
+
+Vergeet niet dat je ook jouw vertrouwen stelt in het bedrijf of de organisatie en dat zij hun eigen privacybeleid zullen naleven.
+
+## Authenticatie methodes
+
+Er zijn meestal meerdere manieren om een account aan te maken, elk met hun eigen voor- en nadelen.
+
+### E-mailadres en wachtwoord
+
+De meest gebruikelijke manier om een nieuwe account aan te maken is met een e-mailadres en wachtwoord. Wanneer je deze methode gebruikt, moet je een wachtwoord manager gebruiken en de best practices [volgen](passwords-overview.md) met betrekking tot wachtwoorden.
+
+!!! tip
+
+ Je kunt jouw wachtwoord manager ook gebruiken om andere verificatiemethoden te organiseren! Voeg gewoon het nieuwe item toe en vul de juiste velden in, u kunt notities toevoegen voor zaken als beveiligingsvragen of een back-up sleutel.
+
+Je bent verantwoordelijk voor het beheer van jouw inloggegevens. 
Voor extra beveiliging kunt je [MFA](multi-factor-authentication.md) instellen op jouw accounts.
+
+[Lijst van aanbevolen wachtwoordbeheerders](../passwords.md ""){.md-button}
+
+#### E-mail aliassen
+
+Als je jouw echte e-mailadres niet aan een dienst wilt geven, kunt je een alias gebruiken. We hebben deze in meer detail beschreven op onze pagina met aanbevelingen voor e-maildiensten. Met alias diensten kunt je nieuwe e-mailadressen aanmaken die alle e-mails doorsturen naar jouw hoofdadres. Dit kan helpen bij het voorkomen van tracking tussen services en je helpen bij het beheren van de marketing-e-mails die soms bij het aanmeldingsproces worden geleverd. Die kunnen automatisch worden gefilterd op basis van de alias waarnaar ze worden gestuurd.
+
+Als een dienst wordt gehackt, kunt je phishing- of spam-e-mails ontvangen op het adres waarmee je je hebt aangemeld. Het gebruik van unieke aliassen voor elke service kan helpen bij het identificeren van precies welke service is gehackt.
+
+[Aanbevolen diensten voor e-mailaliasing](../email.md#email-aliasing-services ""){.md-button}
+
+### Eenmalige aanmelding
+
+!!! note
+
+ We bespreken Single sign-on voor persoonlijk gebruik, niet voor zakelijke gebruikers.
+
+Single sign-on (SSO) is een authenticatiemethode waarmee je zich kunt registreren voor een dienst zonder veel informatie te delen, als die er al is. Wanneer je iets ziet in de trant van "Aanmelden met *providernaam*" op een registratieformulier, dan is dat SSO.
+
+Wanneer je kiest voor eenmalige aanmelding op een website, wordt jouw aanmeldingspagina van de SSO-provider gevraagd en wordt jouw account vervolgens verbonden. Jouw wachtwoord wordt niet gedeeld, maar sommige basisinformatie wel (je kunt deze bekijken tijdens het inlogverzoek). Dit proces is nodig elke keer dat je wilt inloggen op hetzelfde account. 
+
+De belangrijkste voordelen zijn:
+
+- **Beveiliging**: geen risico om betrokken te raken bij een [datalek](https://en.wikipedia.org/wiki/Data_breach) omdat de website uw inlog gegevens niet opslaat.
+- **Gebruiksgemak**: meerdere accounts worden beheerd door één enkele login.
+
+Maar er zijn ook nadelen:
+
+- **Privacy**: een SSO-provider weet welke diensten je gebruikt.
+- **Centralisatie**: als uw SSO-account wordt gecompromitteerd of als je niet kunt inloggen, worden alle andere accounts die ermee verbonden zijn, getroffen.
+
+SSO kan vooral nuttig zijn in situaties waarin je zou kunnen profiteren van een diepere integratie tussen services. Een van die diensten kan bijvoorbeeld SSO aanbieden voor de andere. Onze aanbeveling is om SSO te beperken tot alleen waar je het nodig hebt en de hoofdaccount te beschermen met [MFA](multi-factor-authentication.md).
+
+Alle diensten die SSO gebruiken zijn even veilig als jouw SSO-account. Als je bijvoorbeeld een account wilt beveiligen met een hardwaresleutel, maar die dienst ondersteunt geen hardwaresleutels, dan kunt je jouw SSO-account beveiligen met een hardwaresleutel en nu hebt je in wezen hardware-MFA op al jouw accounts. Het is echter vermeldenswaard dat zwakke authenticatie op jouw SSO-account betekent dat elk account dat aan die login is gekoppeld, ook zwak zal zijn.
+
+### Telefoonnummer
+
+We raden je aan services te vermijden waarvoor een telefoonnummer nodig is om je aan te melden. Een telefoonnummer kan je identificeren in meerdere services en afhankelijk van overeenkomsten voor het delen van gegevens zal dit jouw gemakkelijker te volgen maken, vooral als een van die services wordt geschonden, omdat het telefoonnummer vaak **niet** versleuteld is.
+
+Vermijd het geven van jouw echte telefoonnummer als je kunt. Sommige diensten staan het gebruik van VOIP-nummers toe, maar deze alarmeren vaak fraudedetectiesystemen, waardoor een rekening wordt geblokkeerd. 
+
+In veel gevallen moet je een nummer opgeven waarvan je smsjes of telefoontjes kunt ontvangen, vooral wanneer je internationaal winkelt, voor het geval er een probleem is met jouw bestelling bij de grenscontrole. Het is gebruikelijk dat services je nummer gebruiken als verificatiemethode; laat je niet buitensluiten van een belangrijk account omdat je slim wilt zijn en een nepnummer wilt geven!
+
+### Gebruikersnaam en wachtwoord
+
+Bij sommige diensten kunt je je zonder e-mailadres registreren en hoeft je alleen een gebruikersnaam en wachtwoord in te stellen. Deze diensten kunnen meer anonimiteit bieden in combinatie met een VPN of Tor. Houd er rekening mee dat er voor deze accounts hoogstwaarschijnlijk **geen manier is om jouw account** te herstellen als je jouw gebruikersnaam of wachtwoord vergeet.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/basics/account-deletion.md b/i18n/nl/basics/account-deletion.md
new file mode 100644
index 00000000..762100c9
--- /dev/null
+++ b/i18n/nl/basics/account-deletion.md
@@ -0,0 +1,63 @@
+---
+title: "Account verwijderen"
+icon: 'material/account-remove'
+---
+
+Na verloop van tijd kan het gemakkelijk zijn om een aantal online accounts te verzamelen, waarvan je er vele misschien niet meer gebruikt. Het verwijderen van deze ongebruikte accounts is een belangrijke stap in het terugwinnen van jouw privacy, aangezien slapende accounts kwetsbaar zijn voor gegevensinbreuken. Van een datalek is sprake wanneer de beveiliging van een dienst wordt gecompromitteerd en beschermde informatie door onbevoegden wordt ingezien, doorgegeven of gestolen. Inbreuken op gegevens zijn tegenwoordig helaas al [te gewoon](https://haveibeenpwned.com/PwnedWebsites), en dus is een goede digitale hygiëne de beste manier om de impact ervan op jouw leven te minimaliseren. Het doel van deze gids is je door het vervelende proces van accountverwijdering te loodsen, vaak bemoeilijkt door [bedrieglijk ontwerp](https://www.deceptive.design/), ten voordele van uw online aanwezigheid.
+
+## Oude accounts vinden
+
+### Wachtwoord Manager
+
+Als u een wachtwoord manager hebt die je al jouw hele digitale leven gebruikt, is dit deel heel eenvoudig. Vaak hebben ze ingebouwde functionaliteit om te detecteren of jouw gegevens zijn blootgesteld bij een datalek, zoals het [Data Breach Report van Bitwarden](https://bitwarden.com/blog/have-you-been-pwned/).
+
+
+ ![Bitwarden 's Data Breach Report-functie](../assets/img/account-deletion/exposed_passwords.png) +
+
+Zelfs als je nog nooit expliciet een wachtwoordmanager hebt gebruikt, is de kans groot dat je er een in jouw browser of op jouw telefoon hebt gebruikt zonder het te beseffen. Bijvoorbeeld: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) en [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336).
+
+Desktopplatforms hebben vaak ook een wachtwoordmanager waarmee je vergeten wachtwoorden kunt terugvinden:
+
+- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
+- macOS [Wachtwoorden](https://support.apple.com/en-us/HT211145)
+- iOS [Wachtwoorden](https://support.apple.com/en-us/HT211146)
+- Linux, Gnome Keyring, die toegankelijk is via [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) of [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
+
+### Email
+
+Als je in het verleden geen wachtwoord manager hebt gebruikt of je denkt dat je accounts hebt die nooit aan jouw wachtwoord manager zijn toegevoegd, is een andere optie om de e-mailaccount(s) te doorzoeken waarop je zich volgens je hebt aangemeld. Zoek in jouw e-mailprogramma op trefwoorden als "verifiëren" of "welkom" Bijna elke keer dat je een online account aanmaakt, zal de dienst een verificatielink of een inleidend bericht naar jouw e-mail sturen. Dit kan een goede manier zijn om oude, vergeten accounts te vinden.
+
+## Oude accounts verwijderen
+
+### Inloggen
+
+Om je oude accounts te verwijderen, moet je er eerst voor zorgen dat je er op in kunt loggen. Nogmaals, als de account in jouw wachtwoordmanager stond, is deze stap eenvoudig. Zo niet, dan kunt je proberen jouw wachtwoord te raden. 
Als dat niet lukt, zijn er meestal opties om weer toegang te krijgen tot jouw account, meestal beschikbaar via een link "wachtwoord vergeten" op de inlogpagina. Het kan ook zijn dat accounts die je hebt opgegeven al zijn verwijderd - soms verwijderen diensten alle oude accounts.
+
+Als de site een foutmelding geeft dat het e-mailadres niet gekoppeld is aan een account, of als je na meerdere pogingen nooit een reset-link ontvangt, dan hebt je geen account onder dat e-mailadres en moet je een ander e-mailadres proberen. Als je niet kunt achterhalen welk e-mailadres je hebt gebruikt, of als je geen toegang meer hebt tot dat e-mailadres, kunt je proberen contact op te nemen met de klantenondersteuning van de dienst. Helaas is er geen garantie dat je de toegang tot jouw account kunt terugkrijgen.
+
+### GDPR (alleen inwoners van de EER)
+
+Inwoners van de EER hebben aanvullende rechten met betrekking tot het wissen van gegevens, zoals gespecificeerd in [artikel 17](https://www.gdpr.org/regulation/article-17.html) van de GDPR. Als het op je van toepassing is, lees dan het privacybeleid voor een bepaalde dienst om informatie te vinden over hoe je jouw recht op wissing kunt uitoefenen. Het lezen van het privacybeleid kan belangrijk blijken, want sommige diensten hebben een optie "Account verwijderen" die alleen jouw account uitschakelt en voor echte verwijdering moet je extra actie ondernemen. Soms kan het daadwerkelijk wissen inhouden dat je een enquête invult, een e-mail stuurt naar de functionaris voor gegevensbescherming van de dienst of zelfs bewijst dat je in de EER woont. Als je van plan bent deze weg te gaan, overschrijf dan de accountgegevens van **niet** - jouw identiteit als inwoner van de EER kan vereist zijn. Merk op dat de locatie van de dienst er niet toe doet; GDPR is van toepassing op iedereen die Europese gebruikers bedient. 
Indien de dienst jouw recht op wissing niet respecteert, kunt je contact opnemen met jouw nationale [gegevensbeschermingsautoriteit](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) en kunt je recht hebben op een geldelijke vergoeding.
+
+### Overschrijven van account informatie
+
+In sommige situaties waarin je van plan bent een account op te heffen, kan het zinvol zijn de accountinformatie te overschrijven met valse gegevens. Zodra je zeker weet dat je kunt inloggen, wijzig je alle gegevens in je account in vervalste gegevens. De reden hiervoor is dat veel sites informatie bewaren die je eerder had, zelfs na het verwijderen van jouw account. De hoop is dat zij de vorige informatie zullen overschrijven met de nieuwste gegevens die je hebt ingevoerd. Er is echter geen garantie dat er geen back-ups zullen zijn met de vroegere informatie.
+
+Voor de e-mail van de account maakt je een nieuwe alternatieve e-mailaccount aan via de provider van jouw keuze of maakt je een alias aan met behulp van een [e-mail aliasing service](/email/#email-aliasing-services). Je kunt dan jouw alternatieve e-mailadres verwijderen zodra je klaar bent. Wij raden het gebruik van tijdelijke e-mailproviders af, omdat het vaak onmogelijk is tijdelijke e-mails weer te activeren.
+
+### Verwijderen
+
+Je kunt kijken op [JustDeleteMe](https://justdeleteme.xyz) voor instructies over het verwijderen van de account voor een specifieke dienst. Sommige sites hebben vriendelijk een "Delete Account" optie, terwijl andere zo ver gaan dat ze je dwingen met een support medewerker te spreken. Het verwijderingsproces kan van site tot site verschillen, en op sommige sites is het onmogelijk een account te verwijderen. 
+
+Voor diensten die het wissen van een account niet toestaan, kunt je het beste al jouw informatie vervalsen zoals eerder vermeld en de beveiliging van jouw account versterken. Schakel daartoe [MFA](multi-factor-authentication.md) en alle extra aangeboden beveiligingsfuncties in. Verander ook het wachtwoord in een willekeurig gegenereerd wachtwoord dat de maximaal toegestane grootte heeft (een [password manager](/passwords/#local-password-managers) kan hier handig voor zijn).
+
+Als je tevreden bent dat alle informatie waar je om geeft verwijderd is, kunt je deze account gerust vergeten. Zo niet, dan is het misschien een goed idee om de gegevens bij jouw andere wachtwoorden te bewaren en af en toe opnieuw in te loggen om het wachtwoord te resetten.
+
+Zelfs wanneer je een account kunt verwijderen, is er geen garantie dat al jouw informatie zal worden verwijderd. Sommige ondernemingen zijn zelfs wettelijk verplicht bepaalde informatie te bewaren, met name wanneer deze verband houdt met financiële transacties. Je hebt meestal geen controle over wat er met jouw gegevens gebeurt als het gaat om websites en clouddiensten.
+
+## Vermijd nieuwe accounts
+
+Zoals het oude gezegde luidt: "Voorkomen is beter dan genezen." Telkens wanneer je in de verleiding komt om een nieuwe account aan te maken, vraag jezelf dan af: "Heb ik dit echt nodig? Kan ik doen wat ik moet doen zonder een account?" Het kan vaak veel moeilijker zijn om een account te verwijderen dan om er een aan te maken. En zelfs na het verwijderen of wijzigen van de info op jouw account, kan er een cache-versie van een derde partij zijn, zoals het [Internet Archive](https://archive.org/). Vermijd de verleiding als je kunt. Je toekomstige ik zal je dankbaar zijn!
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/basics/common-misconceptions.md b/i18n/nl/basics/common-misconceptions.md
new file mode 100644
index 00000000..5f7df183
--- /dev/null
+++ b/i18n/nl/basics/common-misconceptions.md
@@ -0,0 +1,61 @@
+---
+title: "Veel voorkomende misvattingen"
+icon: 'material/robot-confused'
+---
+
+## "Open source software is altijd veilig" of "Private software is veiliger"
+
+Deze mythes komen voort uit een aantal vooroordelen, maar of de broncode beschikbaar is en hoe software in licentie wordt gegeven, heeft op geen enkele manier invloed op de beveiliging ervan. ==Open-source software heeft de *potentieel* om veiliger te zijn dan propriëtaire software, maar er is absoluut geen garantie dat dit het geval is.== Wanneer je software evalueert, moet je op individuele basis naar de reputatie en beveiliging van elke tool kijken.
+
+Open-source software *kan* worden gecontroleerd door derden, en is vaak transparanter over mogelijke kwetsbaarheden dan propriëtaire tegenhangers. Ze kunnen ook flexibeler zijn, zodat je in de code kunt duiken en alle verdachte functionaliteit kunt uitschakelen die je zelf vindt. Echter, *tenzij je dit zelf doet*, is er geen garantie dat code ooit is geëvalueerd, vooral bij kleinere softwareprojecten. Het open ontwikkelingsproces is soms ook misbruikt om zelfs in grote projecten nieuwe kwetsbaarheden te introduceren.[^1]
+
+Aan de andere kant is propriëtaire software minder transparant, maar dat betekent niet dat het niet veilig is. Grote propriëtaire softwareprojecten kunnen intern en door derden worden gecontroleerd, en onafhankelijke veiligheidsonderzoekers kunnen nog steeds kwetsbaarheden vinden met technieken als reverse engineering.
+
+Om bevooroordeelde beslissingen te vermijden, is het *van vitaal belang* dat je de privacy- en veiligheidsnormen evalueert van de software die je gebruikt.
+
+## "Verschuiven van vertrouwen kan de privacy vergroten"
+
+We hebben het vaak over "verschuivend vertrouwen" bij het bespreken van oplossingen zoals VPN's (die het vertrouwen dat je in jouw ISP stelt verschuiven naar de VPN-aanbieder). Hoewel dit je surf gedrag beschermt tegen uw ISP *specifiek*, heeft de VPN provider die je kiest nog steeds toegang tot jouw surf gedrag: jouw gegevens zijn niet volledig beveiligd tegen alle partijen. Dit betekent dat:
+
+1. Je moet voorzichtig zijn bij het kiezen van een provider om je vertrouwen naar toe te verschuiven.
+2. Je zou nog steeds andere technieken moeten gebruiken, zoals E2EE, om je gegevens volledig te beschermen. Alleen al het wantrouwen van een provider om een andere te vertrouwen, staat niet gelijk aan het beveiligen van je gegevens.
+
+## Privacy-gerichte oplossingen zijn van nature betrouwbaar
+
+Als je je zich uitsluitend richt op het privacybeleid en de marketing van een tool of provider, kunt je je blindstaren op de zwakke punten ervan. Wanneer je op zoek bent naar een meer private oplossing, moet je bepalen wat het onderliggende probleem is en technische oplossingen voor dat probleem vinden. Je kunt bijvoorbeeld Google Drive vermijden, dat Google toegang geeft tot al Jouw gegevens. Het onderliggende probleem is in dit geval een gebrek aan end-to-end encryptie, dus je moet ervoor zorgen dat de provider waar je naar overstapt daadwerkelijk end-to-end encryptie implementeert of een tool (zoals [Cryptomator](../encryption.md#cryptomator-cloud)) gebruiken die end-to-end encryptie biedt op elke cloud provider. Overstappen naar een "privacygerichte" provider (die geen end-to-end encryptie implementeert) lost je probleem niet op: het verschuift alleen het vertrouwen van Google naar die provider.
+
+Het privacybeleid en de zakelijke praktijken van de aanbieders die je kiest, zijn zeer belangrijk. Maar moeten toch worden beschouwd als minder belangrijk dan technische garanties van jouw privacy: je moet vertrouwen niet overdragen naar een andere provider wanneer het vertrouwen in een provider helemaal geen vereiste is.
+
+## "Ingewikkeld is beter"
+
+We zien vaak dat mensen overdreven ingewikkelde dreigingsmodellen voor privacybedreigingen beschrijven. Vaak omvatten deze oplossingen problemen zoals veel verschillende e-mailaccounts of ingewikkelde opstellingen met veel bewegende delen en voorwaarden. De antwoorden zijn meestal antwoorden op "Wat is de beste manier om *X* te doen?"
+
+Het vinden van de "beste" oplossing voor jezelf betekent niet noodzakelijk dat je op zoek bent naar een onfeilbare oplossing met tientallen voorwaarden - deze oplossingen zijn vaak moeilijk om realistisch mee te werken. Zoals we eerder hebben besproken, gaat veiligheid vaak ten koste van gemak. Hieronder geven we enkele tips:
+
+1. ==Acties moeten een bepaald doel dienen==, denk na over hoe je met zo weinig mogelijk acties kunt doen wat je wilt.
+2. ==Verwijder menselijke faalpunten:== We maken fouten, worden moe, en vergeten dingen. Om de veiligheid te behouden, moet je voorkomen dat je vertrouwt op handmatige acties en processen die je moet onthouden.
+3. ==Gebruik het juiste niveau van bescherming voor wat je van plan bent.== Wij zien vaak aanbevelingen van zogenaamde politie, en legerbestendige oplossingen. Deze vereisen vaak specialistische kennis en zijn over het algemeen niet wat de mensen willen. Het heeft geen zin een ingewikkeld dreigingsmodel voor anonimiteit op te stellen als je gemakkelijk kunt worden gedeanonimiseerd door een eenvoudige vergissing.
+
+Dus, hoe zou dit eruit zien?
+
+Een van de duidelijkste dreigingsmodellen is een model waarbij mensen *weten wie je bent* en een model waarbij ze dat niet weten. Er zullen altijd situaties zijn waarin je je wettelijke naam moet opgeven en er zijn situaties waarin je dat niet hoeft te doen.
+
+1. **Bekende identiteit** - Een bekende identiteit wordt gebruikt voor zaken waarbij je jouw naam moet opgeven. Er zijn veel juridische documenten en contracten waar een wettelijke identiteit vereist is. Dit kan variëren van het openen van een bankrekening, het ondertekenen van een huurovereenkomst, het verkrijgen van een paspoort, douaneaangiften bij het importeren van spullen, of op andere manieren omgaan met de overheid. Deze dingen zullen meestal leiden tot referenties zoals creditcards, kredietwaardigheidscontroles, rekeningnummers en mogelijk fysieke adressen.
+
+ We raden niet aan om een VPN of Tor voor een van deze dingen te gebruiken, omdat je identiteit al op andere manieren bekend is.
+
+ !!! tip
+
+ Wanneer je online winkelt, kan het gebruik van een [pakketkluis](https://en.wikipedia.org/wiki/Parcel_locker) helpen om jouw fysieke adres privé te houden.
+
+2. **Onbekende identiteit** - Een onbekende identiteit kan een stabiel pseudoniem zijn dat je regelmatig gebruikt. Het is niet anoniem omdat het niet verandert. Als je deel uitmaakt van een online gemeenschap, wilt je misschien een identiteit behouden dat anderen kennen. Dit pseudoniem is niet anoniem omdat - indien lang genoeg gevolgd - details over de eigenaar verdere informatie kunnen onthullen, zoals de manier waarop hij of zij schrijft, algemene kennis over interessante onderwerpen, enz.
+
+ Je kunt hiervoor eventueel een VPN gebruiken om jouw IP-adres te maskeren. Financiële transacties zijn moeilijker te maskeren: je kunt hier overwegen anonieme crypto valuta te gebruiken, zoals [Monero](https://www.getmonero.org/). Het gebruik van altcoin-shifting kan ook helpen om te verbergen waar jouw valuta vandaan komt. Doorgaans vereisen exchanges dat KYC (know your customer/ ken jouw klant) wordt ingevuld voordat zij u toestaan fiat valuta zoals euro's en dollars om te wisselen in een of andere crypto valuta. Lokale meet-ups kunnen ook een oplossing zijn; deze zijn echter vaak duurder en vereisen soms ook KYC.
+
+3. **Anonieme identiteit** - zelfs met ervaring, anonieme identiteiten zijn moeilijk te behouden voor lange perioden. Deze identiteiten horen een korte levensduur te hebben, en dienen regelmatig gerouleerd te worden.
+
+ Het gebruik van Tor kan hierbij helpen. Ook moet worden opgemerkt dat een grotere anonimiteit mogelijk is door asynchrone communicatie: Real-time communicatie is kwetsbaar voor analyse van typpatronen (d.w.z. meer dan een alinea tekst, verspreid op een forum, via e-mail, enz.)
+
+--8<-- "includes/abbreviations.nl.txt"
+
+[^1]: Een opmerkelijk voorbeeld hiervan is het incident van [2021, waarbij onderzoekers van de Universiteit van Minnesota drie kwetsbaarheden in het Linux-kernelontwikkelingsproject](https://cse.umn.edu/cs/linux-incident)introduceerden.
diff --git a/i18n/nl/basics/common-threats.md b/i18n/nl/basics/common-threats.md
new file mode 100644
index 00000000..2c25b3b5
--- /dev/null
+++ b/i18n/nl/basics/common-threats.md
@@ -0,0 +1,149 @@
+---
+title: "Veel voorkomende bedreigingen"
+icon: 'material/eye-outline'
+---
+
+In grote lijnen delen wij onze aanbevelingen in in deze algemene categorieën van [bedreigingen](threat-modeling.md) of doelstellingen die voor de meeste mensen gelden. ==U kunt zich bezighouden met geen, een, enkele, of al deze mogelijkheden==, en de instrumenten en diensten die je gebruikt hangen af van wat jouw doelstellingen zijn. Misschien heb je ook specifieke bedreigingen buiten deze categorieën, en dat is prima! Het belangrijkste is dat je inzicht krijgt in de voordelen en tekortkomingen van de middelen die je gebruikt, want vrijwel geen enkel middel beschermt je tegen elke denkbare bedreiging.
+
+- :material-incognito: Anonimiteit - Het afschermen van jouw online activiteiten van jouw echte identiteit, waardoor je beschermd bent tegen mensen die proberen te achterhalen *jouw* identiteit specifiek.
+- :material-target-account: Gerichte aanvallen - Beschermd zijn tegen gerichte hackers of andere kwaadwillenden die toegang proberen te krijgen tot *jouw* gegevens of apparaten specifiek.
+- :material-bug-outline: Passieve aanvallen - Beschermd zijn tegen zaken als malware, inbreuken op gegevens en andere aanvallen die tegen veel mensen tegelijk worden uitgevoerd
+- :material-server-network: Dienstverleners - Bescherming van jouw gegevens tegen dienstverleners, bv. met end-to-endencryptie waardoor jouw gegevens onleesbaar worden voor de server.
+- :material-eye-outline: Mass Surveillance - Bescherming tegen overheidsinstellingen, organisaties, websites en diensten die samenwerken om jouw activiteiten te volgen.
+- :material-account-cash: Surveillance Capitalism - Jezelf beschermen tegen grote advertentienetwerken zoals Google en Facebook, en een groot aantal andere gegevensverzamelaars van derden
+- :material-account-search: Public Exposure - het beperken van de informatie over je die online toegankelijk is voor zoekmachines of het grote publiek.
+- :material-close-outline: Censuur - Voorkomen van gecensureerde toegang tot informatie en zelf gecensureerd worden als je online spreekt
+
+Sommige van deze bedreigingen kunnen zwaarder wegen dan andere, afhankelijk van jouw specifieke zorgen. Een softwareontwikkelaar die toegang heeft tot waardevolle of kritieke gegevens is bijvoorbeeld misschien in de eerste plaats bezorgd over :material-target-account: gerichte aanvallen, maar verder willen zij waarschijnlijk nog steeds hun persoonlijke gegevens beschermen tegen opneming in :material-eye-outline: programma's voor massatoezicht. Op dezelfde manier is de "gemiddelde consument" misschien in de eerste plaats bezorgd over :material-account-search: Public Exposure van zijn persoonsgegevens, maar moet hij toch op zijn hoede zijn voor op beveiliging gerichte zaken zoals :material-bug-outline: Passive Attacks zoals malware die zijn apparaten aantast.
+
+## Anonimiteit versus privacy
+
+:material-incognito: Anonimiteit
+
+Anonimiteit wordt vaak verward met privacy, maar het is een apart concept. Terwijl privacy een reeks keuzes is die je maakt over hoe jouw gegevens worden gebruikt en gedeeld, is anonimiteit het volledig loskoppelen van jouw online activiteiten van jouw echte identiteit.
+
+Voor klokkenluiders en journalisten, bijvoorbeeld, kan een veel extremer bedreigingsmodel gelden, dat volledige anonimiteit vereist. Dat is niet alleen verbergen wat zij doen, welke gegevens zij hebben, en niet gehackt worden door hackers of overheden, maar ook volledig verbergen wie zij zijn. Zij zullen elke vorm van gemak opofferen als dat betekent dat hun anonimiteit, privacy of veiligheid wordt beschermd, want hun leven kan ervan afhangen. De meeste gewone mensen hoeven niet zo ver te gaan.
+
+## Veiligheid en privacy
+
+:material-bug-outline: Passieve aanvallen
+
+Beveiliging en privacy worden vaak door elkaar gehaald, omdat je beveiliging nodig hebt om enige schijn van privacy te krijgen: Hulpmiddelen gebruiken die privé lijken, is zinloos als ze gemakkelijk door aanvallers kunnen worden misbruikt om jouw gegevens later vrij te geven. Het omgekeerde is echter niet noodzakelijk waar; de veiligste dienst ter wereld *is niet noodzakelijk* privé. Het beste voorbeeld hiervan is het toevertrouwen van gegevens aan Google, dat, gezien zijn omvang, minimale veiligheidsincidenten heeft gekend door vooraanstaande beveiligingsexperts in te zetten om zijn infrastructuur te beveiligen. Hoewel Google een zeer veilige dienst aanbiedt, zouden maar weinigen hun gegevens als privé beschouwen in de gratis consumentenproducten van Google (Gmail, YouTube, enz.).
+
+Wat de beveiliging van toepassingen betreft, weten we over het algemeen niet (en kunnen we soms niet) weten of de software die we gebruiken kwaadaardig is, of dat op een dag zou kunnen worden. Zelfs bij de meest betrouwbare ontwikkelaars is er meestal geen garantie dat hun software geen ernstige kwetsbaarheid bevat die later kan worden uitgebuit.
+
+Om de potentiële schade van kwaadaardige software tot een minimum te beperken, moet u beveiliging door compartimentering toepassen. Dit kan in de vorm van het gebruik van verschillende computers voor verschillende taken, het gebruik van virtuele machines om verschillende groepen van gerelateerde toepassingen te scheiden, of het gebruik van een veilig besturingssysteem met een sterke nadruk op sandboxing van toepassingen en verplichte toegangscontrole.
+
+!!! tip
+
+ Mobiele besturingssystemen zijn over het algemeen veiliger dan desktopbesturingssystemen als het gaat om sandboxing van toepassingen.
+
+ Apps kunnen geen root-toegang krijgen en hebben alleen toegang tot systeembronnen die je hen verleent. Desktop besturingssystemen lopen over het algemeen achter op het gebied van goede sandboxing. Chrome OS heeft vergelijkbare sandboxing-eigenschappen als Android, en macOS heeft volledige controle over systeemtoestemmingen en opt-in (voor ontwikkelaars) sandboxing voor applicaties, maar deze besturingssystemen geven wel identificerende informatie door aan hun respectieve OEM's. Linux heeft de neiging geen informatie door te geven aan systeemverkopers, maar het heeft een slechte bescherming tegen exploits en kwaadaardige apps. Dit kan enigszins worden ondervangen met gespecialiseerde distributies die veel gebruik maken van virtuele machines of containers, zoals Qubes OS.
+
+:material-target-account: Gerichte aanvallen
+
+Gerichte aanvallen tegen een specifieke gebruiker zijn moeilijker aan te pakken. Gangbare aanvalsmethoden zijn het verzenden van schadelijke documenten via e-mails, het uitbuiten van kwetsbaarheden in de browser en het besturingssysteem, en fysieke aanvallen. Als dit voor je een punt van zorg is, moet je mogelijk meer geavanceerde strategieën ter beperking van bedreigingen toepassen.
+
+!!! tip
+
+ **Webbrowsers**, **e-mailclients**, en **kantoorapplicaties** voeren standaard onvertrouwde code uit die je door derden wordt toegestuurd. Het draaien van meerdere virtuele machines om toepassingen als deze te scheiden van uw hostsysteem en van elkaar is een techniek die je kunt gebruiken om te voorkomen dat een exploit in deze toepassingen de rest van jouw systeem aantast. Technologieën als Qubes OS of Microsoft Defender Application Guard op Windows bieden bijvoorbeeld handige methoden om dit naadloos te doen.
+
+Als je zich zorgen maakt over **fysieke aanvallen** moet je een besturingssysteem gebruiken met een veilige geverifieerde opstartimplementatie, zoals Android, iOS, macOS, [Windows (met TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). Je moet er ook voor zorgen dat jouw schijf versleuteld is, en dat het besturingssysteem een TPM of Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) of [Element](https://developers.google.com/android/security/android-ready-se) gebruikt voor het beperken van de snelheid waarmee pogingen worden gedaan om de wachtwoordzin voor de versleuteling in te voeren. Je moet voorkomen dat je jouw computer deelt met mensen die je niet vertrouwt, omdat de meeste desktopbesturingssystemen gegevens niet afzonderlijk per gebruiker versleutelen.
+
+## Privacy van dienstverleners
+
+:material-server-network: Dienstverleners
+
+Wij leven in een wereld waarin bijna alles met het internet is verbonden. Onze "privé"-berichten, e-mails, sociale interacties worden gewoonlijk ergens op een server opgeslagen. Wanneer je iemand een bericht stuurt, wordt dat bericht opgeslagen op een server en wanneer jouw vriend het bericht wil lezen, zal de server het hem tonen.
+
+Het voor de hand liggende probleem hierbij is dat de dienstverlener (of een hacker die de server heeft gecompromitteerd) in jouw "privé"-gesprekken kan kijken wanneer en hoe hij maar wil, zonder dat je het ooit te weten komt. Dit geldt voor veel gangbare diensten zoals SMS-berichten, Telegram, Discord, enzovoort.
+
+Gelukkig kan end-to-end encryptie dit probleem verlichten door de communicatie tussen jou en de gewenste ontvangers te versleutelen voordat ze zelfs maar naar de server worden verzonden. De vertrouwelijkheid van jouw berichten is gewaarborgd, zolang de dienstverlener geen toegang heeft tot de particuliere sleutels van beide partijen.
+
+!!! note "Opmerking op webgebaseerde encryptie"
+
+ In de praktijk varieert de doeltreffendheid van verschillende implementaties van end-to-end encryptie. Toepassingen zoals [Signal](../real-time-communication.md#signal) draaien op het toestel zelf, en elke kopie van de toepassing is hetzelfde voor verschillende installaties. Als de dienstverlener een backdoor in zijn applicatie zou aanbrengen om te proberen jouw privé-sleutels te stelen, zou dat later met reverse engineering kunnen worden opgespoord.
+
+ Anderzijds vertrouwen webgebaseerde end-to-end encryptie-implementaties, zoals Proton Mail's webmail of Bitwarden's web vault, erop dat de server dynamisch JavaScript-code naar de browser stuurt om cryptografische operaties uit te voeren. Een kwaadwillende server zou zich op een specifieke gebruiker kunnen richten en hem kwaadwillige JavaScript-code sturen om zijn encryptiesleutel te stelen, en het zou uiterst moeilijk zijn voor de gebruiker om zoiets ooit op te merken. Zelfs als de gebruiker de poging om zijn sleutel te stelen opmerkt, zou het ongelooflijk moeilijk zijn om te bewijzen dat het de provider is die dit probeert, omdat de server ervoor kan kiezen om verschillende webclients aan verschillende gebruikers aan te bieden.
+
+ Wanneer je vertrouwt op end-to-end encryptie, moet je daarom waar mogelijk native applicaties verkiezen boven web clients.
+
+Zelfs met end-to-end encryptie kunnen dienstverleners je nog steeds profileren op basis van **metadata**, die doorgaans niet beschermd zijn. Hoewel de dienstverlener jouw berichten niet kan lezen om te zien wat je zegt, kan hij wel observeren met wie je praat, hoe vaak je hen berichten stuurt en op welke tijden je doorgaans actief bent. Bescherming van metadata is tamelijk ongewoon, en je zou goed moeten opletten in de technische documentatie van de software die je gebruikt om te zien of er überhaupt sprake is van minimalisering of bescherming van metadata, als dat voor je een punt van zorg is.
+
+## Programma's voor massatoezicht
+
+:material-eye-outline: Massabewaking
+
+Massasurveillance is een poging om een groot deel van of een gehele bevolking te surveilleren. Het verwijst vaak naar overheidsprogramma's, zoals de programma's [die in 2013 door Edward Snowden werden onthuld](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)).
+
+!!! abstract "Atlas of Surveillance"
+
+ Als je meer wilt weten over bewakingsmethoden en hoe die in jouw stad worden toegepast, kunt je ook de [Atlas of Surveillance](https://atlasofsurveillance.org/) van de [Electronic Frontier Foundation](https://www.eff.org/) bekijken.
+
+ In Frankrijk kunt u een kijkje nemen op de [Technolopolice website](https://technopolice.fr/villes/) die wordt onderhouden door de non-profit vereniging La Quadrature du Net.
+
+Regeringen rechtvaardigen massasurveillanceprogramma's vaak als noodzakelijke middelen om terrorisme te bestrijden en misdaad te voorkomen. Het schendt echter de mensenrechten en wordt meestal gebruikt om zich buitenproportioneel te richten op onder andere minderheidsgroepen en politieke dissidenten.
+
+!!! quote "ACLU: [*De privacyles van 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
+
+ Het omzeilen van de censuur zelf is betrekkelijk eenvoudig, maar het feit dat je het censuursysteem omzeilt voor de censoren kan zeer problematisch zijn. Je moet nagaan welke aspecten van het netwerk jouw tegenstander kan waarnemen, en of je jouw acties kunt ontkennen.
+
+Ondanks de toenemende massasurveillance in de Verenigde Staten heeft de regering vastgesteld dat massasurveillanceprogramma's zoals Section 215 "weinig unieke waarde" hebben gehad wat betreft het stoppen van daadwerkelijke misdaden of terroristische complotten, waarbij de inspanningen grotendeels de eigen gerichte surveillanceprogramma's van de FBI dupliceren.[^2]
+
+Ondanks de toenemende massasurveillance in de Verenigde Staten is de regering tot de conclusie gekomen dat massasurveillanceprogramma's zoals Sectie 215 "weinig unieke waarde" hebben gehad wat betreft het stoppen van echte misdaden of terroristische complotten, waarbij de inspanningen grotendeels een herhaling zijn van de eigen gerichte surveillanceprogramma's van de FBI.[^1]
+
+- Jouw IP-adres
+- Browser cookies
+- Gegevens die je aan websites verstrekt
+- Jouw browser of apparaat vingerafdruk
+- Correlatie van betalingsmethodes
+
+\[Deze lijst is niet uitputtend].
+
+Als je bezorgd bent over massale surveillance programma's, kun je strategieën gebruiken zoals het opsplitsen van jouw online-identiteiten, je mengen met andere gebruikers of, waar mogelijk, gewoon vermijden om identificerende informatie te geven.
+
+:material-account-cash: Surveillance kapitalisme
+
+> Het surveillance kapitalisme is een economisch systeem dat draait om het vastleggen en verhandelen van persoonsgegevens met als hoofddoel het maken van winst.[^2]
+
+De beste manier om ervoor te zorgen dat jouw gegevens privé blijven, is ze in de eerste plaats gewoon niet openbaar te maken. Het verwijderen van informatie die je online over jezelf vindt, is een van de beste eerste stappen die je kunt nemen om jouw privacy terug te krijgen. Het gebruik van hulpmiddelen zoals content blockers om netwerkverzoeken aan hun servers te beperken, en het lezen van het privacybeleid van de diensten die je gebruikt, kunnen je helpen veel laag hangend fruit te vermijden, maar kunnen je nooit volledig beschermen tegen alle tracking.[^4]
+
+Op sites waar je informatie deelt, is het heel belangrijk dat je de privacyinstellingen van jouw account controleert om te beperken hoe wijd die gegevens worden verspreid. Als jouw accounts bijvoorbeeld een "privémodus" hebben, schakel deze dan in om ervoor te zorgen dat jouw account niet wordt geïndexeerd door zoekmachines en niet kan worden bekeken door mensen die je niet van tevoren vertrouwd. De sterkste bescherming tegen het verzamelen van bedrijfsgegevens is om jouw gegevens waar mogelijk te versleutelen of te verdoezelen, waardoor het voor verschillende providers moeilijk wordt om gegevens met elkaar te correleren en een profiel op je op te bouwen.
+
+## Beperking van publieke informatie
+
+:material-account-search: Publiekelijke bekendheid
+
+De beste manier om ervoor te zorgen dat jouw gegevens privé blijven, is ze in de eerste plaats gewoon niet openbaar te maken. Het verwijderen van ongewenste informatie die je online over jezelf vindt, is een van de beste eerste stappen die je kunt nemen om jouw privacy te terug te winnen.
+
+- [Bekijk onze gids over het verwijderen van accounts :material-arrow-right-drop-circle:](account-deletion.md)
+
+Online-censuur kan in verschillende mate worden uitgeoefend door actoren zoals totalitaire regeringen, netwerkbeheerders en dienstverleners die de meningsuiting van hun gebruikers en de informatie waartoe zij toegang hebben, willen controleren. Deze pogingen om het internet te filteren zullen altijd onverenigbaar zijn met de idealen van vrije meningsuiting.
+
+Censuur op bedrijfsplatforms komt steeds vaker voor nu platforms als Twitter en Facebook toegeven aan de vraag van het publiek, de druk van de markt en de druk van overheidsinstanties. Overheidsdruk kan bestaan uit heimelijke verzoeken aan bedrijven, zoals het verzoek van het Witte Huis [om een provocerende YouTube-video uit de lucht te halen ](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html), of uit openlijke, zoals de Chinese regering die van bedrijven eist dat zij zich houden aan een streng censuurregime.
+
+## Censuur vermijden
+
+:material-close-outline: Censuur
+
+Censuur online kan (in verschillende mate) worden uitgeoefend door actoren zoals totalitaire regeringen, netwerkbeheerders en dienstverleners. Deze pogingen om de communicatie te controleren en de toegang tot informatie te beperken zullen altijd onverenigbaar zijn met het mensenrecht op vrijheid van meningsuiting.[^5]
+
+Censuur op bedrijfsplatforms komt steeds vaker voor, nu platforms als Twitter en Facebook toegeven aan de vraag van het publiek, de druk van de markt en de druk van overheidsinstanties. Overheidsdruk kan bestaan uit heimelijke verzoeken aan bedrijven, zoals het verzoek van het Witte Huis [om een provocerende YouTube-video uit de lucht te halen ](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html), of uit openlijke, zoals de Chinese regering die van bedrijven eist dat zij zich houden aan een streng censuurregime.
+
+Mensen die bezorgd zijn over de dreiging van censuur kunnen technologieën als [Tor](../advanced/tor-overview.md) gebruiken om die te omzeilen, en steun verlenen aan censuurbestendige communicatieplatforms als [Matrix](../real-time-communication.md#element), dat geen gecentraliseerde accountautoriteit heeft die willekeurig accounts kan sluiten.
+
+!!! tip
+
+ Het ontwijken van censuur kan gemakkelijk zijn, maar het verbergen van het feit dat je het doet kan heel moeilijk zijn.
+
+ Je zou moeten overwegen welke aspecten van het netwerk je tegenstander kan waarnemen en of je plausibele ontkenningsmogelijkheden voor je actie hebt. Het gebruik van [versleutelde DNS](../advanced/dns-overview.md#what-is-encrypted-dns) kan je bijvoorbeeld helpen om rudimentaire, DNS-gebaseerde censuursystemen te omzeilen, maar het kan niet echt verbergen wat je bezoekt bij je ISP. Een VPN of Tor kan helpen verbergen wat je bezoekt voor netwerkbeheerders, maar je kunt niet verbergen dat je deze netwerken als gebruikt. Pluggable transports (zoals Obfs4proxy, Meek of Shadowsocks) kunnen je helpen firewalls te omzeilen die gangbare VPN-protocollen of Tor blokkeren, maar jouw pogingen tot omzeiling kunnen nog steeds worden ontdekt door methoden als probing of [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
+
+Je moet altijd rekening houden met de risico 's van het proberen om censuur te omzeilen, de mogelijke gevolgen en hoe geavanceerd je tegenstander kan zijn. Je moet voorzichtig zijn met jouw software selectie, en een back-up plan hebben voor het geval je betrapt wordt.
+
+--8<-- "includes/abbreviations.nl.txt"
+
+[^1]: United States Privacy and Civil Liberties Oversight Board: [Rapport over het telefoongegevens programma, uitgevoerd onder Section 215](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^2]: Wikipedia: [Surveillance kapitalisme](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^3]: Wikipedia: [*Surveillancekapitalisme*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^4]: "[Het opsommen van slechtheid](https://www.ranum.com/security/computer_security/editorials/dumb/)" (of, "het opsommen van alle slechte dingen die we kennen"), zoals veel adblockers en antivirusprogramma's doen, beschermt je niet afdoende tegen nieuwe en onbekende bedreigingen omdat ze nog niet zijn toegevoegd aan de filterlijst. Je moet ook andere mitigatietechnieken gebruiken.
+[^5]: Verenigde Naties: [*Universele Verklaring van de Rechten van de Mens*](https://www.un.org/en/about-us/universal-declaration-of-human-rights).
diff --git a/i18n/nl/basics/email-security.md b/i18n/nl/basics/email-security.md
new file mode 100644
index 00000000..29e5c907
--- /dev/null
+++ b/i18n/nl/basics/email-security.md
@@ -0,0 +1,42 @@
+---
+title: Email beveiliging
+icon: material/email
+---
+
+E-mail is standaard een onveilige vorm van communicatie. Je kunt je e-mailbeveiliging verbeteren met tools als OpenPGP, die end-to-end encryptie toevoegen aan je berichten, maar OpenPGP heeft nog steeds een aantal nadelen in vergelijking met encryptie in andere berichtentoepassingen, en sommige e-mailgegevens kunnen nooit inherent worden versleuteld als gevolg van de manier waarop e-mail is ontworpen.
+
+Als gevolg hiervan wordt e-mail het beste gebruikt voor het ontvangen van transactionele e-mails (zoals meldingen, verificatie-e-mails, wachtwoordresets, enz.) van de services waarvoor je je online aanmeldt, niet voor het communiceren met anderen.
+
+## Overzicht van e-mailversleuteling
+
+De standaardmanier om E2EE toe te voegen aan e-mails tussen verschillende e-mailproviders is door OpenPGP te gebruiken. Er zijn verschillende implementaties van de OpenPGP-standaard, waarvan [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) en [OpenPGP.js](https://openpgpjs.org)de meest voorkomende zijn.
+
+Er is een andere standaard die populair is bij bedrijven, [S/MIME](https://en.wikipedia.org/wiki/S/MIME), maar deze vereist een certificaat dat is afgegeven door een [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (niet alle instanties geven S/MIME-certificaten af). Het heeft ondersteuning in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) en [Outlook for Web of Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+
+Zelfs als je OpenPGP gebruikt, biedt het geen ondersteuning voor [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), wat betekent dat als jouw privésleutel of die van de ontvanger ooit wordt gestolen, alle eerdere berichten die ermee zijn versleuteld, openbaar worden. Daarom bevelen wij [instant messengers](../real-time-communication.md) aan, die indien mogelijk forward secrecy implementeren in plaats van e-mail voor communicatie van persoon tot persoon.
+
+### Welke e-mailclients ondersteunen E2EE?
+
+E-mailproviders die je in staat stellen standaard toegangsprotocollen zoals IMAP en SMTP te gebruiken, kunnen worden gebruikt met elk van de [e-mailclients die wij aanbevelen](../email-clients.md). Afhankelijk van de authenticatiemethode kan dit leiden tot een verminderde veiligheid indien de provider of de e-mailclient OATH of een bridge-toepassing niet ondersteunt, aangezien [multifactor authenticatie](/basics/multi-factor-authentication/) niet mogelijk is met gewone wachtwoordauthenticatie.
+
+### Hoe bescherm ik mijn private sleutels?
+
+Een smartcard (zoals een [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) of [Nitrokey](https://www.nitrokey.com)) werkt door een geëncrypteerd e-mailbericht te ontvangen van een apparaat (telefoon, tablet, computer, enz.) waarop een e-mail/webmailclient draait. Het bericht wordt vervolgens door de smartcard ontsleuteld en de ontsleutelde inhoud wordt teruggestuurd naar het apparaat.
+
+Het is gunstig dat de ontcijfering op de smartcard gebeurt om te voorkomen dat jouw privé-sleutel aan een gecompromitteerd apparaat wordt blootgesteld.
+
+## Overzicht e-mailmetagegevens
+
+E-mail metadata wordt opgeslagen in de [message header](https://en.wikipedia.org/wiki/Email#Message_header) van het e-mailbericht en omvat een aantal zichtbare headers die je wellicht hebt gezien, zoals: `Aan`, `Van`, `Cc`, `Datum`, `Onderwerp`. Veel e-mailclients en -providers hebben ook een aantal verborgen headers die informatie over jouw account kunnen onthullen.
+
+Client-software kan metagegevens over e-mail gebruiken om aan te geven van wie een bericht afkomstig is en hoe laat het werd ontvangen. Servers kunnen het gebruiken om te bepalen waar een e-mailbericht naartoe moet worden gestuurd, naast [andere doeleinden](https://en.wikipedia.org/wiki/Email#Message_header) die niet altijd transparant zijn.
+
+### Wie kan e-mailmetagegevens bekijken?
+
+E-mail metadata wordt beschermd tegen externe waarnemers met [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), maar kan nog steeds worden gezien door jouw e-mail client software (of webmail) en alle servers die het bericht van je doorsturen naar alle ontvangers, inclusief jouw e-mail provider. Soms maken e-mailservers ook gebruik van diensten van derden ter bescherming tegen spam, die over het algemeen ook toegang hebben tot jouw berichten.
+
+### Waarom kan metadata niet E2EE zijn?
+
+E-mail metadata is van cruciaal belang voor de meest elementaire functionaliteit van e-mail (waar het vandaan komt, en waar het naartoe moet). E2EE was oorspronkelijk niet in de e-mailprotocollen ingebouwd; in plaats daarvan was extra software zoals OpenPGP nodig. Omdat OpenPGP-berichten nog steeds met traditionele e-mailproviders moeten werken, kan het niet de metagegevens van e-mail versleutelen, alleen de inhoud van het bericht zelf. Dat betekent dat zelfs wanneer OpenPGP wordt gebruikt, externe waarnemers veel informatie over jouw berichten kunnen zien, zoals wie je e-mailt, de onderwerpregels, wanneer je e-mailt, enz.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/basics/multi-factor-authentication.md b/i18n/nl/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..98000e06
--- /dev/null
+++ b/i18n/nl/basics/multi-factor-authentication.md
@@ -0,0 +1,210 @@ +--- +title: "Multifactor-authenticatie" +icon: 'material/two-factor-authentication' +--- + +**Multifactorauthenticatie** is een beveiligingsmechanisme dat extra stappen vereist naast het invoeren van jouw gebruikersnaam (of e-mail) en wachtwoord. De meest gebruikelijke methode zijn codes met tijdsbeperking die je via sms of een app kunt ontvangen. + +Als een hacker (of tegenstander) jouw wachtwoord weet te achterhalen, krijgt hij toegang tot de account waar dat wachtwoord bij hoort. Een account met MFA dwingt de hacker om zowel het wachtwoord te hebben (iets wat je *weet*) als een apparaat dat je bezit (iets wat je *hebt*), zoals je telefoon. + +MFA-methoden variëren in beveiliging, maar zijn gebaseerd op de vooronderstelling dat hoe moeilijker het voor een aanvaller is om toegang te krijgen tot uw MFA-methode, hoe beter. Voorbeelden van MFA-methoden (van zwakste naar sterkste) zijn sms, e-mailcodes, app-pushmeldingen, TOTP, Yubico OTP en FIDO. + +## Vergelijking van MFB-methoden + +### SMS of e-mail MFA + +Het ontvangen van OTP-codes via SMS of e-mail is een van de zwakkere manieren om jouw accounts met MFA te beveiligen. Het verkrijgen van een code via e-mail of sms doet afbreuk aan het idee van "iets wat je *hebt*", omdat er verschillende manieren zijn waarop een hacker jouw telefoonnummer + +kan overnemen of toegang tot jouw e-mail kan krijgen zonder fysieke toegang te hebben tot een van jouw apparaten. Als een onbevoegd persoon toegang zou krijgen tot jouw e-mail, zou hij die toegang kunnen gebruiken om zowel jouw wachtwoord te resetten als de verificatiecode te ontvangen, waardoor hij volledige toegang tot jouw account zou krijgen.

+ + + +### Push-meldingen + +Push notification MFA neemt de vorm aan van een bericht dat naar een app op jouw telefoon wordt gestuurd en waarin je wordt gevraagd nieuwe accountlogins te bevestigen. Deze methode is veel beter dan SMS of e-mail, omdat een aanvaller deze pushmeldingen meestal niet kan krijgen zonder een al aangemeld apparaat, wat betekent dat hij eerst een van jouw andere apparaten zou moeten compromitteren. + +We maken allemaal fouten, en het risico bestaat dat u de inlogpoging per ongeluk aanvaardt. Inlogautorisaties via push-notificatie worden doorgaans verzonden naar *alle* jouw apparaten in een keer, waardoor de beschikbaarheid van de MFA-code wordt uitgebreid als je veel apparaten hebt. + +De beveiliging van push notification MFA is afhankelijk van zowel de kwaliteit van de app, de servercomponent als het vertrouwen van de ontwikkelaar die de app maakt. Als je een app installeert, kan het ook zijn dat je moet instemmen met invasieve privileges die toegang verlenen tot andere gegevens op jouw apparaat. . en individuele app vereist ook dat je voor elke dienst een specifieke app hebt, die misschien geen wachtwoord vereist om te openen, in tegenstelling tot een goede TOTP generator app. + + + +### Time-based One-time Password (TOTP) + +TOTP is een van de meest voorkomende vormen van MFB. Wanneer je TOTP instelt, moet je over het algemeen een [QR-code](https://en.wikipedia.org/wiki/QR_code) scannen die een "[gedeeld geheim](https://en.wikipedia.org/wiki/Shared_secret)" tot stand brengt met de dienst die je van plan bent te gebruiken. Het gedeelde geheim is beveiligd in de gegevens van de authenticator-app, en is soms beveiligd met een wachtwoord. + +De in de tijd beperkte code wordt dan afgeleid van het gedeelde geheim en de huidige tijd. Aangezien de code slechts korte tijd geldig is, kan een adversair zonder toegang tot het gedeelde geheim geen nieuwe codes genereren. 
+ +Als je een hardware beveiligingssleutel hebt met TOTP-ondersteuning (zoals een YubiKey met [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), raden wij je aan om jouw "gedeelde geheimen" op de hardware op te slaan. Hardware zoals de YubiKey werd ontwikkeld met de bedoeling het "gedeelde geheim" moeilijk te ontfutselen en te kopiëren te maken. Een YubiKey is ook niet verbonden met het internet, in tegenstelling tot een telefoon met een TOTP-app. + +In tegenstelling tot [WebAuthn](#fido-fast-identity-online)biedt TOTP geen bescherming tegen [phishing](https://en.wikipedia.org/wiki/Phishing) of hergebruikaanvallen. Als een tegenstander een geldige code van je krijgt, mag hij die zo vaak gebruiken als hij wil totdat de code is verlopen (over het algemeen 60 seconden. + +Een tegenstander kan een website opzetten om een officiële dienst te imiteren in een poging om je te verleiden jouw gebruikersnaam, wachtwoord en huidige TOTP-code te geven. Als de tegenstander vervolgens deze vastgelegde gegevens gebruikt, kan hij op de echte dienst inloggen en de account kapen. + +Hoewel niet perfect, is TOTP veilig genoeg voor de meeste mensen, en wanneer [hardware security keys](/multi-factor-authentication/#hardware-security-keys) niet worden ondersteund zijn [authenticator apps](/multi-factor-authentication/#authenticator-apps) nog steeds een goede optie. + + + +### Hardware beveiligingssleutels + +De YubiKey slaat gegevens op een manipulatiebestendige solid-state chip die [onmogelijk is om toegang te krijgen tot](https://security.stackexchange.com/a/245772) niet-destructief zonder een duur proces en een forensisch laboratorium. + +Deze sleutels zijn over het algemeen multifunctioneel en bieden een aantal methoden om zich te authenticeren. Hieronder staan de meest voorkomende. + + + +#### Yubico OTP + +Yubico OTP is een authenticatieprotocol dat typisch wordt geïmplementeerd in hardware beveiligingssleutels. 
Wanneer je besluit Yubico OTP te gebruiken, zal de sleutel een publiek ID, privaat ID, en een Geheime Sleutel genereren die dan geupload wordt naar de Yubico OTP server. + +Wanneer je inlogt op een website, hoeft je alleen maar de beveiligingssleutel fysiek aan te raken. De beveiligingssleutel zal een toetsenbord emuleren en een eenmalig wachtwoord in het wachtwoordveld afdrukken. + +De dienst zal dan het eenmalige wachtwoord doorsturen naar de Yubico OTP server voor validatie. Zowel op de sleutel als op de validatieserver van Yubico wordt een teller opgehoogd. De OTP kan slechts één keer worden gebruikt, en wanneer een authenticatie met succes plaatsvindt, wordt de teller verhoogd, waardoor hergebruik van de OTP wordt voorkomen. Yubico geeft een [gedetailleerd document](https://developers.yubico.com/OTP/OTPs_Explained.html) over het proces. + +
+ Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +Er zijn enkele voor- en nadelen aan het gebruik van Yubico OTP in vergelijking met TOTP. + +De Yubico validatieserver is een cloud-gebaseerde dienst, en je vertrouwt op Yubico dat zij jouw gegevens veilig opslaan en je niet profileren. De publieke ID die bij Yubico OTP hoort, wordt op elke website hergebruikt en kan voor derden een extra mogelijkheid zijn om je te profileren. Net als TOTP biedt Yubico OTP geen weerstand tegen phishing. + +Als jouw dreigingsmodel vereist dat je verschillende identiteiten op verschillende websites heeft, **gebruik dan geen** Yubico OTP met dezelfde hardware beveiligingssleutel op die websites, aangezien de publieke ID uniek is voor elke beveiligingssleutel. + + + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) omvat een aantal normen, eerst was er U2F en later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) die de webnorm [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn)omvat. + +U2F en FIDO2 verwijzen naar het [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), dat het protocol is tussen de beveiligingssleutel en de computer, zoals een laptop of telefoon. Het is een aanvulling op WebAuthn, de component die wordt gebruikt om je te authenticeren bij de website (de "Betrouwbare Partij") waarop je probeert in te loggen. + +WebAuthn is de meest veilige en private vorm van tweede factor authenticatie. De verificatie-ervaring is vergelijkbaar met Yubico OTP, maar de sleutel drukt geen eenmalig wachtwoord af en valideert niet met een server van een derde partij. In plaats daarvan gebruikt het [openbare sleutel cryptografie](https://en.wikipedia.org/wiki/Public-key_cryptography) voor authenticatie. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +Wanneer je een account aanmaakt, wordt de openbare sleutel naar de dienst gestuurd, en wanneer je inlogt, zal de dienst je vragen bepaalde gegevens te "ondertekenen" met jouw privé-sleutel. Het voordeel hiervan is dat er nooit wachtwoordgegevens door de dienst worden opgeslagen, zodat er voor een adverteerder niets te stelen valt. + +Deze presentatie bespreekt de geschiedenis van wachtwoordauthenticatie, de valkuilen (zoals hergebruik van wachtwoorden), en bespreking van de FIDO2- en [WebAuthn](https://webauthn.guide) -normen. + +
+ +
+ +FIDO2 en WebAuthn hebben superieure beveiligings- en privacy-eigenschappen in vergelijking met andere MFA-methoden. + +Typisch voor webdiensten wordt het gebruikt met WebAuthn dat deel uitmaakt van de [W3C aanbevelingen](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). Het gebruikt publieke sleutelauthenticatie en is veiliger dan gedeelde geheimen die worden gebruikt in de Yubico OTP- en TOTP-methoden, omdat het de oorsprongsnaam (gewoonlijk de domeinnaam) bij de authenticatie betrekt. Attestatie wordt verstrekt om je te beschermen tegen phishing-aanvallen, aangezien het je helpt vast te stellen dat je de authentieke dienst gebruikt en niet een namaakkopie. + +In tegenstelling tot Yubico OTP, gebruikt WebAuthn geen publieke ID, dus de sleutel is **niet** identificeerbaar over verschillende websites. Het maakt ook geen gebruik van een cloud server van derden voor verificatie. Alle communicatie vindt plaats tussen de sleutel en de website waarop je inlogt. FIDO gebruikt ook een teller die bij gebruik wordt opgehoogd om hergebruik van sessies en gekloonde sleutels te voorkomen. + +Als een website of dienst WebAuthn ondersteunt voor de authenticatie, is het sterk aan te bevelen dit te gebruiken boven elke andere vorm van MFA. + + + +## Algemene aanbevelingen + +Wij hebben deze algemene aanbevelingen: + + + +### Welke methode moet ik gebruiken? + +Wanneer je jouw MFA-methode configureert, moet je in gedachten houden dat deze slechts zo veilig is als de zwakste authenticatiemethode die je gebruikt. Dit betekent dat het belangrijk is dat je alleen de beste beschikbare MFA-methode gebruikt. Als je bijvoorbeeld al TOTP gebruikt, moet je e-mail en SMS MFA uitschakelen. Als je al FIDO2/WebAuthn gebruikt, moet je geen Yubico OTP of TOTP gebruiken op jouw account. + + + +### Back-ups + +Je moet altijd back-ups hebben voor jouw MFA-methode. Hardwaresleutels kunnen zoekraken, gestolen worden of na verloop van tijd niet meer werken. 
Het is aan te bevelen om een paar hardware beveiligingssleutels te hebben met dezelfde toegang tot jouw accounts in plaats van slechts één. + +Wanneer je TOTP gebruikt met een authenticatie app, zorg er dan voor dat je een back-up maakt van jouw herstel sleutels of de app zelf, of kopieer de "gedeelde geheimen" naar een ander exemplaar van de app op een andere telefoon of naar een versleutelde container (bijv. [VeraCrypt](../encryption.md#veracrypt)). + + + +### Eerste installatie + +Wanneer je een beveiligingssleutel koopt, is het belangrijk dat je de standaardgegevens wijzigt, wachtwoordbeveiliging voor de sleutel instelt, en aanraakbevestiging inschakelt als jouw sleutel dit ondersteunt. Producten zoals de YubiKey hebben meerdere interfaces met afzonderlijke referenties voor elk ervan, dus je moet elke interface overlopen en ook bescherming instellen. + + + +### E-mail en SMS + +Als je e-mail moet gebruiken voor MFA, zorg er dan voor dat de e-mailaccount zelf beveiligd is met een goede MFA-methode. + +Als je SMS MFA gebruikt, gebruik dan een provider die jouw telefoonnummer niet zonder accounttoegang naar een nieuwe SIM-kaart wisselt, of gebruik een speciaal VoIP-nummer van een provider met vergelijkbare beveiliging om een [SIM-swapaanval te voorkomen](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools die wij aanbevelen](../multi-factor-authentication.md ""){.md-button} + + + +## Meer plaatsen om MFA op te zetten + +Naast het beveiligen van jouw website logins, kan multifactor authenticatie ook worden gebruikt om jouw lokale logins, SSH sleutels of zelfs wachtwoord databases te beveiligen. + + + +### Windows + +Yubico heeft een speciale [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) die Challenge-Response authenticatie toevoegt voor de gebruikersnaam + wachtwoord login flow voor lokale Windows accounts. 
Als je een YubiKey hebt met ondersteuning voor Challenge-Response authenticatie, kijk dan eens naar de [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), waarmee je MFA kunt instellen op jouw Windows-computer. + + + +### macOS + +macOS heeft [native ondersteuning](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) voor authenticatie met smartcards (PIV). Indien je een smartcard of een hardware beveiligingssleutel heeft die de PIV interface ondersteunt, zoals de YubiKey, raden wij je aan om de documentatie van jouw smartcard/hardware beveiligingsleverancier te volgen en tweede factor authenticatie voor jouw macOS computer in te stellen. + +Yubico heeft een gids [je YubiKey als Smart Card gebruiken in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) die je kan helpen bij het instellen van jouw YubiKey op macOS. + +Nadat jouw smartcard/security key is ingesteld, raden wij je aan dit commando in de Terminal uit te voeren: + + + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + + +Het commando zal voorkomen dat een tegenstander MFA omzeilt wanneer de computer opstart. + + + +### Linux + +!!! warning + + Als de hostnaam van jouw systeem verandert (bijvoorbeeld door DHCP), zou je niet kunnen inloggen. Het is van vitaal belang dat je een correcte hostnaam instelt voor jouw computer alvorens deze gids te volgen. + + +De `pam_u2f` module op Linux kan twee-factor authenticatie bieden om in te loggen op de meeste populaire Linux distributies. Als je een hardware beveiligingssleutel hebt die U2F ondersteunt, kun je MFA verificatie instellen voor jouw aanmelding. Yubico heeft een gids [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) die zou moeten werken op elke distributie. 
De commando's van de pakketbeheerder - zoals `apt-get`- en de pakketnamen kunnen echter verschillen. Deze gids is **niet** van toepassing op Qubes OS. + + + +### Qubes OS + +Qubes OS heeft ondersteuning voor Challenge-Response authenticatie met YubiKeys. Als je een YubiKey heeft met ondersteuning voor Challenge-Response authenticatie, kijk dan eens naar de Qubes OS [YubiKey documentatie](https://www.qubes-os.org/doc/yubikey/) als je MFA wilt instellen op Qubes OS. + + + +### SSH + + + +#### Hardware Veiligheidssleutels + +SSH MFA kan worden ingesteld met behulp van meerdere verschillende authenticatiemethoden die populair zijn met hardware beveiligingssleutels. Wij raden je aan om de Yubico documentatie [te raadplegen](https://developers.yubico.com/SSH/) over hoe dit in te stellen. + + + +#### Time-based One-time Password (TOTP) + +SSH MFA kan ook worden ingesteld met TOTP. DigitalOcean heeft een tutorial beschikbaar gesteld [How To Set Up MultiFactor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). De meeste dingen zouden hetzelfde moeten zijn, ongeacht de distributie, maar de commando's van de pakketbeheerder - zoals `apt-get`- en de pakketnamen kunnen verschillen. + + + +### KeePass (en KeePassXC) + +KeePass en KeePassXC databases kunnen worden beveiligd met Challenge-Response of HOTP als een tweede-factor authenticatie. Yubico heeft een document beschikbaar gesteld voor KeePass [Uw YubiKey gebruiken met KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) en er is er ook een op de [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. + +--8<-- "includes/abbreviations.nl.txt" diff --git a/i18n/nl/basics/passwords-overview.md b/i18n/nl/basics/passwords-overview.md new file mode 100644 index 00000000..b4518df7 --- /dev/null +++ b/i18n/nl/basics/passwords-overview.md 
@@ -0,0 +1,112 @@ +--- +title: "Wachtwoord introductie" +icon: 'material/form-textbox-password' +--- + +Wachtwoorden zijn een essentieel onderdeel van ons dagelijkse digitale leven. We gebruiken ze om onze accounts, onze apparaten en onze geheimen te beschermen. Hoewel ze vaak het enige zijn tussen ons en een tegenstander die uit is op onze privégegevens, wordt er niet veel aandacht aan besteed, wat er vaak toe leidt dat mensen wachtwoorden gebruiken die gemakkelijk geraden of geforceerd kunnen worden. + +## Beste praktijken + +### Gebruik unieke wachtwoorden voor elke dienst + +Stel je voor: je meldt je aan voor een account met dezelfde e-mail en hetzelfde wachtwoord op meerdere online diensten. Als een van die dienstverleners kwaadwillend is, of hun dienst heeft een datalek waardoor uw wachtwoord in een onversleuteld formaat wordt vrijgegeven, hoeft een kwaadwillende alleen maar die combinatie van e-mail en wachtwoord te proberen bij meerdere populaire diensten totdat hij iets vindt. Het maakt niet uit hoe sterk dat ene wachtwoord is, omdat ze het al hebben. + +Dit heet [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), en het is een van de meest voorkomende manieren waarop jouw accounts kunnen worden gecompromitteerd door slechte actoren. Om dit te voorkomen, zorg ervoor dat je je wachtwoorden nooit hergebruikt. + +### Gebruik willekeurig gegenereerde wachtwoorden + +==je moet **nooit** vertrouwen op jezelf om met een goed wachtwoord te komen. = We raden aan om [willekeurig gegenereerde wachtwoorden](#passwords) of [diceware wachtwoord zinnen](#diceware-passphrases) te gebruiken met voldoende entropie om uw accounts en apparaten te beschermen. + +Al onze [aanbevolen wachtwoordmanagers](../passwords.md) bevatten een ingebouwde wachtwoordgenerator die je kunt gebruiken. 
+ +### Roterende wachtwoorden + +Wachtwoorden die je moet onthouden (zoals het hoofdwachtwoord van jouw wachtwoord manager) moet je niet te vaak veranderen, tenzij je reden hebt om aan te nemen dat ze gecompromitteerd zijn, omdat je door ze te vaak te veranderen het risico loopt ze te vergeten. + +Als het gaat om wachtwoorden die je niet hoeft te onthouden (zoals wachtwoorden die zijn opgeslagen in jouw wachtwoordmanager), adviseren wij, als jouw [dreigingsmodel](threat-modeling.md) daarom vraagt, belangrijke accounts door te nemen (vooral accounts die geen multi-factor authenticatie gebruiken) en hun wachtwoord om de paar maanden te wijzigen, voor het geval ze zijn gecompromitteerd in een datalek dat nog niet openbaar is geworden. Bij de meeste wachtwoordbeheerders kunt u een vervaldatum voor uw wachtwoord instellen om dit gemakkelijker te beheren. + +!!! tip "Controleren op datalekken" + + Als je met jouw wachtwoord manager kunt controleren op gecompromitteerde wachtwoorden, doe dat dan en wijzig onmiddellijk alle wachtwoorden die bij een datalek bekend zijn geworden. Je kunt ook de [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) volgen met behulp van een [nieuwsaggregator](../news-aggregators.md). + +## Sterke wachtwoorden maken + +### Wachtwoorden + +Veel diensten leggen bepaalde criteria op voor wachtwoorden, zoals een minimale of maximale lengte, en welke speciale tekens eventueel mogen worden gebruikt. Gebruik de ingebouwde wachtwoordgenerator van uw wachtwoord manager om wachtwoorden te maken die zo lang en complex zijn als de dienst toelaat, met hoofdletters en kleine letters, cijfers en speciale tekens. + +Als je een wachtwoord nodig hebt dat je kunt onthouden, raden wij een [diceware wachtwoord zinnen](#diceware-passphrases) aan. + +### Diceware wachtwoord zinnen + +Diceware is een methode om wachtzinnen te maken die gemakkelijk te onthouden zijn, maar moeilijk te raden. 
+ +Diceware passphrases zijn een geweldige optie wanneer je jouw gegevens uit het hoofd moet leren of handmatig moet invoeren, zoals voor het hoofdwachtwoord van jouw wachtwoord manager of het coderingswachtwoord van jouw apparaat. + +Een voorbeeld van een diceware wachtwoord zin is: `zichtbaar snelheid hond terughoudend zeventien weergegeven potlood`. + +Volg deze stappen om een diceware passphrase te genereren met echte dobbelstenen: + +!!! note + + Deze instructies gaan ervan uit dat je [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) gebruikt om de wachtwoord zin te genereren, waarvoor vijf dobbelsteenworpen per woord nodig zijn. Andere woordenlijsten kunnen meer of minder rollen per woord vereisen, en kunnen een ander aantal woorden nodig hebben om dezelfde entropie te bereiken. + +1. Gooi vijf keer met een zeszijdige dobbelsteen en noteer het getal na elke worp. + +2. Laten we bijvoorbeeld zeggen dat u `2-5-2-6-6`heeft gerold. Zoek in de grote woordenlijst van [EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) naar het woord dat overeenkomt met `25266`. + +3. U vindt het woord `gecodeerd`. Schrijf dat woord op. + +4. Herhaal dit proces totdat jouw wachtwoord zoveel woorden bevat als je nodig hebt, die je moet scheiden met een spatie. + +!!! warning "Belangrijk" + + Je moet **niet** opnieuw woorden rollen totdat je een combinatie van woorden krijgt die je aanspreekt. Het proces moet volledig willekeurig zijn. + +Als je geen toegang hebt tot of liever geen echte dobbelstenen gebruikt, kunt je de ingebouwde wachtwoordgenerator van jouw wachtwoord manager gebruiken, omdat de meeste daarvan de optie hebben om naast gewone wachtwoorden ook diceware wachtwoord zinnen te genereren. 
+ +Wij adviseren het gebruik van [EFF's grote woordenlijst](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) om jouw diceware wachtwoord zinnen te genereren, omdat het exact dezelfde veiligheid biedt als de originele lijst, terwijl het woorden bevat die gemakkelijker te onthouden zijn. Er zijn ook [andere woordenlijsten in verschillende talen](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), als u niet wilt dat uw wachtwoord in het Engels is. + +??? note "Uitleg van entropie en sterkte van diceware wachtwoord zinnen" + + Om aan te tonen hoe sterk diceware wachtwoord zin zijn, gebruiken we de eerder genoemde wachtwoord zin van zeven woorden (`kijkbaar snel terughoudend hond zeventien getoond potlood`) en [EFF's grote woordenlijst](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) als voorbeeld. + + Eén meting om de sterkte van een wachtwoord zin te bepalen is hoeveel entropie het heeft. De entropie per woord in een diceware wachtwoord zin wordt berekend als $\text{log}_2(\text{WordsInList})$ en de totale entropie van de wachtwoord zin wordt berekend als $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Daarom resulteert elk woord in de bovengenoemde lijst in ~12,9 bits entropie ($\text{log}_2(7776)$), en een daarvan afgeleide wachtwoord zin van zeven woorden heeft ~90,47 bits entropie ($\text{log}_2(7776^7)$). + + De [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) bevat 7776 unieke woorden. Om het aantal mogelijke passphrases te berekenen, hoeven we alleen maar $\text{WordsInList}^\text{WordsInPhrase}$, of in ons geval, $7776^7$, uit te rekenen. + + Laten we dit alles in perspectief plaatsen: Een passphrase van zeven woorden met [EFF's grote woordenlijst](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is één van ~1,719,070,799,748,422,500,000,000,000 mogelijke wachtwoord zinnen. 
+ + Gemiddeld duurt het proberen van 50% van alle mogelijke combinaties om uw zin te raden. Met dat in gedachten, zelfs als uw tegenstander in staat is tot ~1.000.000.000.000 raden per seconde, zou het hem nog steeds ~27.255.689 jaar kosten om uw wachtwoord te raden. Zelfs als de volgende dingen waar zijn: + + - Je tegenstander weet dat je de diceware-methode hebt gebruikt. + - Je tegenstander kent de specifieke woordenlijst die je gebruikt hebt. + - Jouw tegenstander weet hoeveel woorden jouw wachtwoord bevat. + +Kortom, diceware wachtzinnen zijn jouw beste optie wanneer je iets nodig hebt dat zowel gemakkelijk te onthouden is *als* uitzonderlijk sterk. + +## Wachtwoorden opslaan + +### Wachtwoord managers + +De beste manier om jouw wachtwoorden op te slaan is met behulp van een wachtwoordmanager. Hiermee kunt je jouw wachtwoorden opslaan in een bestand of in de cloud en ze beschermen met een enkel hoofdwachtwoord. Op die manier hoeft u maar één sterk wachtwoord te onthouden, waarmee je toegang krijgt tot de rest. + +Er zijn veel goede opties om uit te kiezen, zowel cloud-gebaseerd als lokaal. Kies een van onze aanbevolen wachtwoordbeheerders en gebruik deze om sterke wachtwoorden in te stellen voor al jouw accounts. Wij raden je aan om jouw wachtwoord manager te beveiligen met een [diceware wachtwoord zin](#diceware-passphrases) bestaande uit ten minste zeven woorden. + +[Lijst van aanbevolen wachtwoordbeheerders](../passwords.md ""){.md-button} + +!!! warning "Plaats uw wachtwoorden en TOTP-tokens niet in dezelfde wachtwoordmanager" + + Wanneer je TOTP-codes gebruikt als [multi-factor authenticatie](../multi-factor-authentication.md), is de beste beveiligingspraktijk om jouw TOTP-codes in een [aparte app] te bewaren(../multi-factor-authentication.md#authenticator-apps). 
+ + Het opslaan van jouw TOTP-tokens op dezelfde plaats als jouw wachtwoorden is weliswaar handig, maar beperkt de accounts tot één factor in het geval dat een tegenstander toegang krijgt tot jouw wachtwoord manager. + + Verder raden wij af om herstelcodes voor eenmalig gebruik op te slaan in uw wachtwoord manager. Deze moeten apart worden opgeslagen, zoals in een versleutelde container op een offline opslagapparaat. + +### Back-ups + +Je moet een [gecodeerde](../encryption.md) back-up van jouw wachtwoorden opslaan op meerdere opslagapparaten of een cloud-opslagprovider. Dit kan nuttig zijn als er iets gebeurt met jouw toestel of de dienst die je gebruikt. + +--8<-- "includes/abbreviations.nl.txt" diff --git a/i18n/nl/basics/threat-modeling.md b/i18n/nl/basics/threat-modeling.md new file mode 100644 index 00000000..b4af4912 --- /dev/null +++ b/i18n/nl/basics/threat-modeling.md 
@@ -0,0 +1,111 @@ +--- +title: "Bedreiging Modellering" +icon: 'material/target-account' +--- + +Een evenwicht vinden tussen veiligheid, privacy en gebruiksvriendelijkheid is een van de eerste en moeilijkste taken die je op jouw privacyreis tegenkomt. Alles is een afweging: hoe veiliger iets is, hoe beperkter of onhandiger het over het algemeen is, enzovoort. Vaak vinden mensen het probleem met de hulpmiddelen die ze aanbevolen zien, dat ze gewoon te moeilijk zijn om te beginnen gebruiken! + +Als je de **meest** veilige tools wilt gebruiken, moet je *veel* gebruiksgemak opofferen. En zelfs dan, ==niets is ooit volledig veilig.== Er is **hoge** veiligheid, maar nooit **volledige** veiligheid. Daarom zijn dreigingsmodellen belangrijk. + +**Dus, wat zijn deze dreigingsmodellen eigenlijk?** + +==Een bedreigingsmodel is een lijst van de meest waarschijnlijke bedreigingen voor uw veiligheid/privacy inspanningen.== Aangezien het onmogelijk is om jezelf te beschermen tegen **elke** aanval(er), moet je je richten op de **meest waarschijnlijke** bedreigingen. In computerbeveiliging is een bedreiging een potentiële gebeurtenis die jouw inspanningen om privé en veilig te blijven kan ondermijnen. + +Door je te concentreren op de bedreigingen die voor je van belang zijn, kun je beter nadenken over de bescherming die je nodig hebt, zodat je de juiste hulpmiddelen kunt kiezen. + +## Het creëren van jouw dreigingsmodel + +Om na te gaan wat er zou kunnen gebeuren met de dingen die je waardeert en om te bepalen tegen wie je ze moet beschermen, moet je deze vijf vragen beantwoorden: + +1. Wat wil ik beschermen? +2. Tegen wie wil ik het beschermen? +3. Hoe groot is de kans dat ik het zal moeten beschermen? +4. Hoe erg zijn de gevolgen als ik faal? +5. Hoeveel moeite ben ik bereid te doen om mogelijke gevolgen te voorkomen? + +### Wat wil ik beschermen? 
+ +==Een "asset" is iets waar je waarde aan hecht en dat je wilt beschermen.== In de context van digitale beveiliging is een asset meestal een soort informatie. Bijvoorbeeld, uw e-mails, contactlijsten, instant-berichten, locatie en bestanden zijn allemaal mogelijke assets. Jouw apparaten zelf kunnen ook activa zijn. + +*Maak een lijst van jouw assets: gegevens die je bewaart, waar ze worden bewaard, wie er toegang toe heeft en wat anderen ervan weerhoudt er toegang toe te krijgen.* + +### Tegen wie wil ik het beschermen? + +Om deze vraag te beantwoorden, is het belangrijk na te gaan wie je of jouw informatie als doelwit zou willen gebruiken. ==Een persoon of entiteit die een bedreiging vormt voor jouw bezittingen is een "tegenstander".== Voorbeelden van potentiële tegenstanders zijn jouw baas, jouw voormalige partner, jouw zakelijke concurrentie, jouw regering, of een hacker op een openbaar netwerk. + +*Maak een lijst van jouw tegenstanders, of van degenen die jouw bezittingen in handen zouden willen krijgen. Jouw lijst kan personen, een overheidsinstantie of bedrijven omvatten.* + +Afhankelijk van wie ujouw tegenstanders zijn, kan deze lijst onder bepaalde omstandigheden iets zijn dat je wilt vernietigen nadat je klaar bent met de beveiligingsplanning. + +### Hoe groot is de kans dat ik het zal moeten beschermen? + +==Risico is de kans dat een bepaalde dreiging tegen een bepaald goed zich voordoet.== Het gaat hand in hand met vermogen. Hoewel jouw mobiele-telefoonprovider toegang heeft tot al jouw gegevens, is het risico klein dat hij jouw privégegevens online plaatst om jouw reputatie te schaden. + +Het is belangrijk onderscheid te maken tussen wat zou kunnen gebeuren en de waarschijnlijkheid dat het gebeurt. Er bestaat bijvoorbeeld een risico dat jouw gebouw instort, maar het risico dat dit gebeurt is veel groter in San Francisco (waar aardbevingen vaak voorkomen) dan in Stockholm (waar dit niet het geval is). 
+
+Risico's inschatten is zowel een persoonlijk als een subjectief proces. Veel mensen vinden bepaalde bedreigingen onaanvaardbaar, ongeacht de waarschijnlijkheid dat zij zich zullen voordoen, omdat alleen al de aanwezigheid van de bedreiging, ongeacht de waarschijnlijkheid, de kosten niet waard is. In andere gevallen veronachtzamen mensen grote risico's omdat ze de dreiging niet als een probleem zien.
+
+*Schrijf op welke bedreigingen je serieus gaat nemen, en welke te zeldzaam of te onschuldig zijn (of te moeilijk te bestrijden) om je zorgen over te maken.*
+
+### Hoe erg zijn de gevolgen als ik faal?
+
+Er zijn vele manieren waarop een tegenstander toegang tot jouw gegevens kan krijgen. Een tegenstander kan bijvoorbeeld jouw privécommunicatie lezen terwijl die door het netwerk gaat, of hij kan jouw gegevens wissen of beschadigen.
+
+Een regering die de verspreiding van een video met politiegeweld wil verhinderen, kan ermee volstaan die video te verwijderen of de beschikbaarheid ervan te beperken. Daarentegen kan een politieke tegenstander toegang willen krijgen tot geheime inhoud en die inhoud publiceren zonder dat je dat weet.
+
+Bij beveiligingsplanning gaat het erom te begrijpen wat de gevolgen kunnen zijn als een tegenstander zich met succes toegang verschaft tot een van jouw bedrijfsmiddelen. Om dit te bepalen, moet je het vermogen van jouw tegenstander in overweging nemen. De provider van jouw mobiele telefoon heeft bijvoorbeeld toegang tot al jouw telefoongegevens. Een hacker op een open Wi-Fi-netwerk kan toegang krijgen tot jouw onversleutelde communicatie. Jouw regering heeft misschien meer mogelijkheden.
+
+*Schrijf op wat je tegenstander zou willen doen met je privégegevens.*
+
+### Hoeveel moeite ben ik bereid te doen om mogelijke gevolgen te voorkomen?
+
+==Er is geen perfecte optie voor beveiliging.== Niet iedereen heeft dezelfde prioriteiten, zorgen, of toegang tot middelen. Aan de hand van jouw risicobeoordeling kun je de juiste strategie voor je uitstippelen, waarbij gemak, kosten en privacy met elkaar in evenwicht worden gebracht.
+
+Een advocaat die een cliënt vertegenwoordigt in een zaak van nationale veiligheid zal bijvoorbeeld bereid zijn meer moeite te doen om de communicatie over die zaak te beschermen, zoals het gebruik van gecodeerde e-mail, dan een moeder die haar dochter regelmatig grappige kattenvideo's e-mailt.
+
+*Schrijf op welke opties je hebt om jouw unieke bedreigingen te beperken. Noteer of je financiële, technische of sociale beperkingen hebt.*
+
+### Probeer het zelf: Bescherm jouw bezittingen
+
+Deze vragen kunnen van toepassing zijn op een groot aantal situaties, online en offline. Laten we, als algemene demonstratie van hoe deze vragen werken, een plan opstellen om jouw huis en bezittingen veilig te stellen.
+
+**Wat wil je beschermen? (Of *wat heb je dat de moeite waard is om te beschermen?*)**
+:
+
+Jouw bezittingen kunnen juwelen, elektronica, belangrijke documenten of foto's zijn.
+
+**Tegen wie wil je het beschermen?**
+:
+
+Jouw tegenstanders kunnen inbrekers, huisgenoten of gasten zijn.
+
+**Hoe groot is de kans dat je het zult moeten beschermen?**
+:
+
+Heeft jouw buurt een geschiedenis van inbraken? Hoe betrouwbaar zijn jouw huisgenoten/gasten? Wat zijn de capaciteiten van jouw tegenstanders? Wat zijn de risico's waarmee je rekening moet houden?
+
+**Hoe erg zijn de gevolgen als je faalt?**
+:
+
+Heeft je iets in jouw huis dat je niet kunt vervangen? Heb je de tijd of het geld om deze dingen te vervangen? Heb je een verzekering die goederen dekt die uit jouw huis zijn gestolen?
+
+**Hoeveel moeite bent je bereid te doen om deze gevolgen te voorkomen?**
+:
+
+Ben je bereid een kluis te kopen voor gevoelige documenten? Kun je je het veroorloven een slot van hoge kwaliteit te kopen? Heb je de tijd om een kluisje te openen bij jouw plaatselijke bank en jouw waardevolle spullen daar te bewaren?
+
+Pas als je jezelf deze vragen hebt gesteld, zal je kunnen beoordelen welke maatregelen je moet nemen. Als jouw bezittingen waardevol zijn, maar de kans op inbraak klein, dan wil je misschien niet te veel geld investeren in een slot. Maar als de kans op inbraak groot is, wil je het beste slot op de markt en overweeg je een beveiligingssysteem toe te voegen.
+
+Het opstellen van een beveiligingsplan zal je helpen inzicht te krijgen in de bedreigingen die uniek zijn voor je en een evaluatie te maken van jouw assets, jouw tegenstanders en de mogelijkheden van jouw tegenstanders, samen met de waarschijnlijkheid van de risico's waarmee je wordt geconfronteerd.
+
+## Meer lezen
+
+Voor mensen die hun privacy en veiligheid online willen vergroten, hebben we een lijst samengesteld van veelvoorkomende bedreigingen waarmee onze bezoekers te maken krijgen of doelen die onze bezoekers hebben, om je wat inspiratie te geven en de basis van onze aanbevelingen te laten zien.
+
+- [Gemeenschappelijke doelstellingen en bedreigingen :material-arrow-right-drop-circle:](common-threats.md)
+
+## Bronnen
+
+- [EFF Surveillance Zelfverdediging: Jouw Beveiligingsplan](https://ssd.eff.org/en/module/your-security-plan)
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/basics/vpn-overview.md b/i18n/nl/basics/vpn-overview.md
new file mode 100644
index 00000000..9d0ff3b5
--- /dev/null
+++ b/i18n/nl/basics/vpn-overview.md
@@ -0,0 +1,78 @@
+---
+title: VPN-overzicht
+icon: material/vpn
+---
+
+Virtual Private Networks zijn een manier om het einde van jouw netwerk uit te breiden tot een uitgang ergens anders in de wereld. Een ISP kan de stroom van internetverkeer zien dat jouw netwerkaansluitapparaat (d.w.z. modem) binnenkomt en verlaat.
+
+Encryptieprotocollen zoals HTTPS worden algemeen gebruikt op het internet, zodat zij misschien niet precies kunnen zien wat je post of leest, maar zij kunnen wel een idee krijgen van de [domeinen die je opvraagt](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns).
+
+Een VPN kan helpen omdat het vertrouwen kan verschuiven naar een server ergens anders in de wereld. Het resultaat is dat de ISP dan alleen ziet dat je verbonden bent met een VPN en niets over de activiteit die je erin doorgeeft.
+
+## Moet ik een VPN gebruiken?
+
+**Ja**, tenzij je Tor al gebruikt. Een VPN doet twee dingen: het verschuift de risico's van jouw Internet Service Provider naar zichzelf en het verbergt jouw IP voor een dienst van derden.
+
+VPN's kunnen geen gegevens versleutelen buiten de verbinding tussen jouw toestel en de VPN-server. VPN providers kunnen jouw verkeer zien en wijzigen op dezelfde manier als jouw ISP dat kan. En er is geen enkele manier om het "no logging" beleid van een VPN provider te verifiëren.
+
+Zij verbergen echter wel jouw werkelijke IP-adres voor een dienst van derden, op voorwaarde dat er geen IP-lekken zijn. Ze helpen je op te gaan in anderen en IP-gebaseerde opsporing te beperken.
+
+## Wanneer zou ik geen VPN moeten gebruiken?
+
+Het gebruik van een VPN in gevallen waarin je jouw [bekende identiteit](common-threats.md#common-misconceptions) gebruikt, is waarschijnlijk niet nuttig.
+
+Dit kan spam- en fraudedetectiesystemen alarmeren, zoals wanneer je zou inloggen op de website van uw bank.
+
+## Hoe zit het met encryptie?
+
+De encryptie die door VPN-aanbieders wordt aangeboden, bevindt zich tussen jouw apparaten en hun servers. Het garandeert dat deze specifieke link veilig is. Dit is een stap verder dan het gebruik van onversleutelde proxies, waarbij een tegenstander op het netwerk de communicatie tussen jouw apparaten en deze proxies kan onderscheppen en wijzigen. De versleuteling tussen jouw apps of browsers en de dienstverleners wordt echter niet door deze versleuteling afgehandeld.
+
+Om wat je doet op de websites die je bezoekt privé en veilig te houden, moet je HTTPS gebruiken. Dit houdt jouw wachtwoorden, sessietokens en zoekopdrachten veilig voor de VPN-provider. Overweeg om "HTTPS everywhere" in jouw browser in te schakelen om downgrade-aanvallen zoals [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf)tegen te gaan.
+
+## Moet ik versleutelde DNS gebruiken met een VPN?
+
+Tenzij jouw VPN-provider de versleuteldeDNS-servers host, **nee**. Het gebruik van DOH/DOT (of een andere vorm van versleutelde DNS) met servers van derden zal gewoon meer entiteiten toevoegen om te vertrouwen en doet **absoluut niets** om jouw privacy/veiligheid te verbeteren. Jouw VPN-provider kan nog steeds zien welke websites je bezoekt op basis van de IP-adressen en andere methoden. In plaats van alleen jouw VPN-provider te vertrouwen, vertrouwt je nu zowel de VPN-provider als de DNS-provider.
+
+Een veelgehoorde reden om versleutelde DNS aan te bevelen is dat het helpt tegen DNS spoofing. Jouw browser zou echter al moeten controleren op [TLS-certificaten](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) met **HTTPS** en je daarvoor moeten waarschuwen. Als je **HTTPS** niet gebruikt, dan kan een tegenstander nog steeds gewoon iets anders dan jouw DNS-query's wijzigen en zal het eindresultaat weinig anders zijn.
+
+Niet onnodig te zeggen, **dat je geen versleutelde DNS moet gebruiken met Tor**. Dit zou al jouw DNS-verzoeken via één enkel circuit leiden en de gecodeerde DNS-provider in staat stellen je te deanonimiseren.
+
+## Moet ik Tor *gebruiken en* een VPN?
+
+Door een VPN met Tor te gebruiken, creëer je in wezen een permanent toegangsknooppunt, vaak met een geldspoor eraan vast. Dit levert je geen enkel extra voordeel op, terwijl het aanvalsoppervlak van jouw verbinding drastisch wordt vergroot. Als je je Tor gebruik wilt verbergen voor je ISP of je overheid, dan heeft Tor daar een ingebouwde oplossing voor: Tor bridges. [Lees meer over Tor bridges en waarom het gebruik van een VPN niet nodig is](../advanced/tor-overview.md).
+
+## Wat als ik anonimiteit nodig heb?
+
+VPN's kunnen geen anonimiteit bieden. Jouw VPN-provider ziet nog steeds jouw echte IP-adres, en heeft vaak een geldspoor dat direct naar u kan worden teruggeleid. Je kunt niet vertrouwen op een "no logging"-beleid om jouw gegevens te beschermen. Gebruik in plaats daarvan [Tor](https://www.torproject.org/).
+
+## Hoe zit het met VPN providers die Tor nodes aanbieden?
+
+Gebruik die functie niet. Het punt van het gebruik van Tor is dat je je VPN provider niet vertrouwt. Momenteel ondersteunt Tor alleen het [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (gebruikt in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) voor het delen van spraak en video, het nieuwe [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, enz.), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) en andere pakketten zullen worden gedropt. Om dit te compenseren, routeren VPN-aanbieders gewoonlijk alle niet-TCP-pakketten via hun VPN-server (je eerste hop). Dit is het geval met [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Bovendien, wanneer je deze Tor over VPN setup gebruikt, heb je geen controle over andere belangrijke Tor functies zoals [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (een ander Tor circuit gebruiken voor elk domein dat je bezoekt).
+
+De functie moet gezien worden als een handige manier om toegang te krijgen tot het Tor Netwerk, niet om anoniem te blijven. Gebruik voor echte anonimiteit de Tor Browser, TorSocks of een Tor gateway.
+
+## Wanneer zijn VPN's nuttig?
+
+Een VPN kan nog steeds nuttig zijn voor je in een aantal scenario's, zoals:
+
+1. Het verbergen van jouw verkeer van **is alleen** jouw Internet Service Provider.
+1. Het verbergen van je downloads (zoals torrents) voor je ISP en anti-piraterij organisaties.
+1. Het verbergen van jouw IP-adres voor websites en diensten van derden, zodat IP-gebaseerde tracering wordt voorkomen.
+
+Voor dit soort situaties, of als je een andere dwingende reden hebt, zijn de VPN-providers die we hierboven hebben opgesomd volgens ons de meest betrouwbare. Het gebruik van een VPN-provider betekent echter nog steeds dat je *vertrouwt op* de provider. In vrijwel elk ander scenario zou je een veilige **"by-design"** tool zoals Tor moeten gebruiken.
+
+## Bronnen en verdere lectuur
+
+1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) door Dennis Schubert
+1. [Tor Netwerk Overzicht](../advanced/tor-overview.md)
+1. [IVPN Privacy Gidsen](https://www.ivpn.net/privacy-guides)
+1. ["Heb ik een VPN nodig?"](https://www.doineedavpn.com), een tool ontwikkeld door IVPN om agressieve VPN-marketing uit te dagen door mensen te helpen beslissen of een VPN geschikt is voor hen.
+
+## Verwante VPN-informatie
+
+- [Het probleem met VPN- en privacybeoordelingssites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/)
+- [Gratis VPN-app onderzoek](https://www.top10vpn.com/free-vpn-app-investigation/)
+- [Verborgen VPN-eigenaars onthuld: 101 VPN-producten van slechts 23 bedrijven](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
+- [Dit Chinese bedrijf zit in het geheim achter 24 populaire apps die gevaarlijke toestemmingen zoeken](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/calendar.md b/i18n/nl/calendar.md
new file mode 100644
index 00000000..f59a03c4
--- /dev/null
+++ b/i18n/nl/calendar.md
@@ -0,0 +1,71 @@ +--- +title: "Kalendersynchronisatie" +icon: material/calendar +--- + +Kalenders en contactpersonen bevatten enkele van jouw gevoeligste gegevens; gebruik producten die E2EE in rust implementeren om te voorkomen dat een provider ze kan lezen. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** biedt een gratis en gecodeerde kalender op hun ondersteunde platforms. Functies zijn onder meer: automatische E2EE van alle gegevens, functies voor delen, import-/exportfunctionaliteit, multifactorauthenticatie, en [more](https://tutanota.com/calendar-app-comparison/). + + Meerdere kalenders en uitgebreide functionaliteit voor delen zijn beperkt tot betalende abonnees. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Broncode" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! 
recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is een versleutelde kalenderdienst die beschikbaar is voor Proton-leden via web- of mobiele clients. Functies zijn onder meer: automatische E2EE van alle gegevens, functies voor delen, import/export-functionaliteit, en [more](https://proton.me/support/proton-calendar-guide). Gratis abonnees krijgen toegang tot één agenda, terwijl betalende abonnees tot 20 agenda's kunnen aanmaken. De uitgebreide functionaliteit voor delen is ook beperkt tot betaalde abonnees. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. 
Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering.
+
+### Minimum kwalificaties
+
+- Moet informatie synchroniseren en opslaan met E2EE om ervoor te zorgen dat gegevens niet zichtbaar zijn voor de dienstverlener.
+
+### Beste geval
+
+Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina.
+
+- Moet integreren met native OS agenda en contact management apps indien van toepassing.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/cloud.md b/i18n/nl/cloud.md
new file mode 100644
index 00000000..bdc0b66a
--- /dev/null
+++ b/i18n/nl/cloud.md
@@ -0,0 +1,62 @@ +--- +title: "Cloud opslag" +icon: material/file-cloud +--- + +Veel aanbieders van cloud-opslag eisen uw volledige vertrouwen dat zij niet in uw bestanden zullen kijken. De onderstaande alternatieven nemen de behoefte aan vertrouwen weg door u de controle over uw gegevens te geven of door E2EE te implementeren. + +Als deze alternatieven niet aan uw behoeften voldoen, raden wij u aan te kijken naar [Encryptie Software](encryption.md). + +??? question "Op zoek naar Nextcloud?" + + Nextcloud is [nog steeds een aanbevolen tool](productivity.md) voor het zelf hosten van een bestandsbeheersuite, maar we bevelen momenteel geen opslagproviders van derden aan, omdat we de ingebouwde E2EE-functionaliteit van Nextcloud niet aanbevelen voor thuisgebruikers. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is een E2EE algemene bestandsopslagdienst van de populaire versleutelde e-mailprovider [Proton Mail](https://proton.me/mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +De mobiele clients van Proton Drive werden in december 2022 uitgebracht en zijn nog niet open-source. 
Proton heeft in het verleden zijn broncode releases uitgesteld tot na de eerste product releases, en [is van plan om](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) de broncode vrij te geven tegen eind 2023. Proton Drive desktop clients zijn nog in ontwikkeling. + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +### Minimale vereisten + +- Moet end-to-end encryptie afdwingen. +- Moet een gratis plan of proefperiode aanbieden om te testen. +- Moet TOTP of FIDO2 multi-factor authenticatie ondersteunen, of Passkey-logins. +- Moet een webinterface bieden die basisfuncties voor bestandsbeheer ondersteunt. +- Moet gemakkelijke export van alle bestanden/documenten mogelijk maken. +- Gebruik standaard gecontroleerde versleuteling. + +### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. 
Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. + +- Clients moeten open-source zijn. +- Clients moeten in hun geheel door een onafhankelijke derde partij worden gecontroleerd. +- Moet native clients aanbieden voor Linux, Android, Windows, macOS en iOS. + - Deze clients moeten integreren met native OS tools voor cloud storage providers, zoals Files app integratie op iOS, of DocumentsProvider functionaliteit op Android. +- Moet het gemakkelijk delen van bestanden met andere gebruikers ondersteunen. +- Moet ten minste een basisfunctionaliteit voor het bekijken en bewerken van bestanden op de webinterface bieden. + +--8<-- "includes/abbreviations.nl.txt" diff --git a/i18n/nl/data-redaction.md b/i18n/nl/data-redaction.md new file mode 100644 index 00000000..8ba8764f --- /dev/null +++ b/i18n/nl/data-redaction.md 
@@ -0,0 +1,146 @@ +--- +title: "Redactie van gegevens en metagegevens" +icon: material/tag-remove +--- + +Wanneer je bestanden deelt, is het belangrijk om de bijbehorende metadata te verwijderen. Beeldbestanden bevatten gewoonlijk [Exif](https://en.wikipedia.org/wiki/Exif) gegevens. Foto's bevatten soms zelfs GPS-coördinaten in de metagegevens van het bestand. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is gratis software, waarmee de metadata uit beeld-, audio-, torrent- en documentbestanden kan worden verwijderd. Het biedt zowel een opdrachtregelprogramma als een grafische gebruikersinterface via een [extensie voor Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), de standaard bestandsbeheerder van [GNOME](https://www.gnome.org), en [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), de standaard bestandsbeheerder van [KDE](https://kde.org). + + Voor Linux bestaat een grafisch hulpprogramma van derden [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) op basis van MAT2, dat [beschikbaar is op Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentatie} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobiel + +### ExifEraser (Android) + +!!! 
recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is een moderne, toestemmingsvrije applicatie voor het wissen van beeldmetadata voor Android. + + Het ondersteunt momenteel JPEG-, PNG- en WebP-bestanden. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +De metagegevens die worden gewist, hangen af van het bestandstype van de afbeelding: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources en XMP/ExtendedXMP metadata worden gewist als ze bestaan. +* **PNG**: ICC Profile, Exif en XMP metadata worden gewist als ze bestaan. +* **WebP**: ICC Profile, Exif en XMP metadata zullen worden gewist als ze bestaan. + +Na het verwerken van de afbeeldingen, geeft ExifEraser u een volledig rapport over wat er precies uit elke afbeelding is verwijderd. + +De app biedt meerdere manieren om metadata uit afbeeldingen te wissen. Namelijk: + +* U kunt een afbeelding vanuit een andere toepassing delen met ExifEraser. +* Via de app zelf kunt u een enkele afbeelding, meerdere afbeeldingen tegelijk of zelfs een hele map selecteren. +* Het heeft een "Camera"-optie, die de camera-app van uw besturingssysteem gebruikt om een foto te nemen, en vervolgens de metagegevens ervan verwijdert. +* Hiermee kunt u foto's uit een ander programma naar ExifEraser slepen wanneer beide programma's in split-screen modus geopend zijn. 
+* Tenslotte kunt u een afbeelding van uw klembord plakken. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + Metapho is een eenvoudige en nette viewer voor foto metadata zoals datum, bestandsnaam, grootte, camera model, sluitertijd, en locatie. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads "Downloaden" + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is een gratis app die gevoelige delen van foto's kan vervagen voordat je ze online deelt. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + Je moet **nooit** vervaging gebruiken om [tekst in afbeeldingen](https://bishopfox.com/blog/unredacter-tool-never-pixelation) te redigeren. Als u tekst in een afbeelding wilt redigeren, tekent u een kader over de tekst. Hiervoor stellen wij apps voor zoals [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! 
recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is de originele perl library en command-line applicatie voor het lezen, schrijven en bewerken van meta-informatie (Exif, IPTC, XMP, en meer) in een groot aantal bestandsformaten (JPEG, TIFF, PNG, PDF, RAW, en meer). + + Het is vaak een onderdeel van andere Exif verwijderingsprogramma's en staat in de repositories van de meeste Linux distributies. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Broncode" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Verwijderen van gegevens uit een map met bestanden" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. 
Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering.
+
+- Apps ontwikkeld voor open-source besturingssystemen moeten open-source zijn.
+- Apps moeten gratis zijn en mogen geen advertenties of andere beperkingen bevatten.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/desktop-browsers.md b/i18n/nl/desktop-browsers.md
new file mode 100644
index 00000000..22534cb1
--- /dev/null
+++ b/i18n/nl/desktop-browsers.md
@@ -0,0 +1,264 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +--- + +Dit zijn momenteel onze aanbevolen mobiele webbrowsers en configuraties. In het algemeen raden we aan om extensies tot een minimum te beperken: ze hebben geprivilegieerde toegang binnen jouw browser, vereisen dat je de ontwikkelaar vertrouwt, kunnen je [doen opvallen](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), en [verzwakken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-Uchnm34/m/lDaXwQhzBAAJ) site-isolatie. In het algemeen raden wij aan jouw browserextensies tot een minimum te beperken; ze hebben bevoorrechte toegang binnen jouw browser, vereisen dat je de ontwikkelaar vertrouwt, kunnen je [doen opvallen](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), en [verzwakt](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) de site-isolatie. + +## Firefox + +!!! recommendation + + ![Firefox-logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** biedt krachtige privacy-instellingen zoals [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), die kunnen helpen bij het blokkeren van verschillende [soorten tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentatie} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Broncode" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Bijdragen } + + ??? 
downloads "Downloaden" + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox bevat een uniek [downloadtoken](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads van Mozilla's website en gebruikt telemetrie in Firefox om het token te verzenden. Het token is **niet** opgenomen in uitgaven van de [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Aanbevolen configuratie + +Tor Browser is de enige manier om echt anoniem op het internet te surfen. Wanneer je Firefox gebruikt, raden we je aan de volgende instellingen te wijzigen om jouw privacy tegen bepaalde partijen te beschermen, maar alle browsers anders dan [Tor Browser](tor.md#tor-browser) zijn in sommige opzichten traceerbaar door *iemand*. + +Deze opties zijn te vinden in :material-menu: → **Instellingen** → **Privacy & Beveiliging**. + +##### Verbeterde traceringsbescherming + +- [x] Select **Strict** Verbeterde traceringsbescherming + +Dit beschermt je door het blokkeren van social media trackers, fingerprinting scripts (merk op dat dit je niet beschermt tegen *alle* fingerprinting), cryptominers, cross-site tracking cookies, en sommige andere tracking content. ETP beschermt tegen veel voorkomende bedreigingen, maar blokkeert niet alle tracking-wegen omdat het is ontworpen om de bruikbaarheid van de site zo min mogelijk of helemaal niet te beïnvloeden. 
+ +##### Saneren bij sluiten + +Als je op bepaalde sites aangemeld wilt blijven, kunt je uitzonderingen toestaan in **Cookies en Sitegegevens** → **Uitzonderingen beheren...** + +- [x] Check **Cookies en sitegegevens verwijderen wanneer Firefox wordt afgesloten** + +Dit beschermt je tegen blijvende cookies, maar niet tegen cookies die tijdens een bepaalde surfsessie worden aangemaakt. Wanneer dit is ingeschakeld, wordt het mogelijk om jouw browsercookies gemakkelijk te wissen door Firefox gewoon opnieuw op te starten. Je kunt per site uitzonderingen instellen, als je ingelogd wilt blijven op een bepaalde site die je vaak bezoekt. + +##### Zoeksuggesties + +- [ ] Uncheck **Geef zoeksuggesties** + +Functies voor zoeksuggesties zijn mogelijk niet beschikbaar in jouw regio. + +Zoeksuggesties sturen alles wat je in de adresbalk typt naar de standaardzoekmachine, ongeacht of je een echte zoekopdracht geeft. Door zoeksuggesties uit te schakelen, kun je nauwkeuriger bepalen welke gegevens je naar jouw zoekmachineprovider stuurt. + +##### Telemetrie + +- [ ] Uncheck **Firefox toestaan technische en interactiegegevens naar Mozilla**te sturen +- [ ] Uncheck **Firefox toestaan om studies te installeren en uit te voeren**uit +- [ ] Uncheck **Firefox toestaan om namens je achterstallige crashmeldingen te verzenden uit** + +> Firefox stuurt ons gegevens over jouw Firefox-versie en -taal; besturingssysteem van het apparaat en hardwareconfiguratie; geheugen, basisinformatie over crashes en fouten; resultaat van geautomatiseerde processen zoals updates, veilig browsen en activering. Wanneer Firefox gegevens naar ons verzendt, wordt uw IP-adres tijdelijk verzameld als onderdeel van onze serverlogs. + +Daarnaast verzamelt de Firefox Accounts service [enkele technische gegevens](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). Als je een Firefox-account gebruikt, kun je je afmelden: + +1. 
Open jouw [profielinstellingen op accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Schakel **Gegevensverzameling en -gebruik uit** > **Help Firefox-accounts verbeteren** + +##### Alleen HTTPS-modus + +- [x] Select **Schakel HTTPS-only modus in alle vensters in** + +Dit voorkomt dat je onbedoeld verbinding maakt met een website in platte HTTP-tekst. Sites zonder HTTPS zijn tegenwoordig zeldzaam, dus dit zou weinig tot geen impact moeten hebben op jouw dagelijkse browsen. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) maakt jouw browsegegevens (geschiedenis, bladwijzers, enz.) toegankelijk op al jouw apparaten en beschermt ze met E2EE. + +### Arkenfox (gevorderd) + +Het [Arkenfox-project](https://github.com/arkenfox/user.js) biedt een reeks zorgvuldig overwogen opties voor Firefox. Als je [besluit](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) om Arkenfox te gebruiken, zijn er een [paar opties](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) die subjectief streng zijn en/of ervoor kunnen zorgen dat sommige websites niet goed werken - [die je gemakkelijk kunt wijzigen](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) om aan jouw behoeften te voldoen. Wij **raden je ten zeerste aan** hun volledige [wiki](https://github.com/arkenfox/user.js/wiki)door te lezen. Arkenfox biedt ook ondersteuning voor [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users). + +## Brave + +!!! recommendation + + ![Brave-logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** bevat een ingebouwde inhoudsblokker en [privacyfuncties](https://brave.com/privacy-features/), waarvan vele standaard zijn ingeschakeld. + + Brave is gebouwd op het Chromium webbrowser project, dus het zou vertrouwd moeten aanvoelen en minimale website compatibiliteitsproblemen moeten hebben. 
+ + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }. + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Broncode" } + + ??? downloads annotate "Downloaden" + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We raden af om de Flatpak-versie van Brave te gebruiken, omdat die de sandbox van Chromium vervangt door die van Flatpak, wat minder effectief is. Bovendien wordt het pakket niet onderhouden door Brave Software, Inc. + +### Aanbevolen configuratie + +Tor Browser is de enige manier om echt anoniem op het internet te surfen. Wanneer je Brave gebruikt, raden we je aan de volgende instellingen te wijzigen om jouw privacy tegen bepaalde partijen te beschermen, maar alle browsers behalve de [Tor Browser](tor.md#tor-browser) zijn in sommige opzichten traceerbaar door *iemand*. + +Deze opties zijn te vinden in :material-menu: → **Instellingen**. + +##### Schilden + +Brave bevat enkele anti-vingerafdruk maatregelen in zijn [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) functie. Wij raden aan om deze opties [globaal te configureren](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) voor alle pagina's die je bezoekt. + +De opties van Shields kunnen naar behoefte per site worden gedowngrade, maar standaard raden wij aan de volgende opties in te stellen: + +
+ +- [x] Select **Voorkom dat sites vingerafdrukken van mij nemen op basis van mijn taalvoorkeuren** +- [x] Select **Aggressief** onder Trackers & advertentieblokkering + + ??? warning "Gebruik standaard filter lijsten" + Brave staat je toe om extra inhoud filters te selecteren binnen de interne `brave://adblock` pagina. Wij raden het gebruik van deze functie af; houd in plaats daarvan de standaardfilterlijsten aan. Het gebruik van extra lijsten zorgt ervoor dat u zich onderscheidt van andere Brave gebruikers en kan ook het aanvalsoppervlak vergroten als er een exploit in Brave is en een kwaadaardige regel wordt toegevoegd aan één van de lijsten die je gebruikt. + +- [x] (Optional) Selecteer **Block Scripts** (1) +- [x] Select **Strict, may break sites** onder Block fingerprinting + +
+ +1. Deze optie biedt functionaliteit die vergelijkbaar is met uBlock Origin's geavanceerde [-blokkeringsmodi](https://github.com/gorhill/uBlock/wiki/Blocking-mode) of de [NoScript](https://noscript.net/) -extensie. + +##### Sociale media blokkeren + +- [ ] Uncheck alle sociale media componenten uit + +##### Privacy en veiligheid + +
+ +- [x] Select **Disable non-proxied UDP** onder [WebRTC IP Handling Policy](https://support.brave.com/hc/nl-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Google services gebruiken voor push messaging** +- [ ] Uncheck **Privacy-preserving product analytics (P3A) toestaan** +- [ ] Uncheck **Automatisch dagelijks gebruik ping sturen naar Brave**. +- [ ] Uncheck **Stuur automatisch een dagelijkse gebruiksping naar Brave** +- [ ] Uncheck **Stuur automatisch diagnostische rapporten** +- [x] Select **Gebruik altijd beveiligde verbindingen** in het menu **Veiligheid** +- [ ] Uncheck **Privé venster met Tor** (1) + + !!! tip "Saneren bij sluiten" + - [x] Select **Cookies en sitegegevens wissen bij het sluiten van alle vensters** in het menu *Cookies en andere sitegegevens* + + Als u ingelogd wilt blijven bij een bepaalde site die je vaak bezoekt, kunt u per site uitzonderingen instellen in het gedeelte *Aangepast gedrag*. + +
+ +1. Brave is **niet** zo resistent tegen vingerafdrukken als de Tor Browser en veel minder mensen gebruiken Brave met Tor, dus zal je opvallen. Wanneer [sterke anonimiteit vereist is](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) gebruik dan de [Tor Browser](tor.md#tor-browser). + +##### Extensies + +Ingebouwde extensies die je niet gebruikt uitschakelen in **Extensies** + +- [ ] Uncheck **Hangouts**uit +- [ ] Uncheck **WebTorrent**uit + +##### IPFS + +InterPlanetary File System (IPFS) is een gedecentraliseerd, peer-to-peer netwerk voor het opslaan en delen van gegevens in een gedistribueerd bestandssysteem. Tenzij je de functie gebruikt, schakel hem uit. + +- [x] Select **Uitgeschakeld** op Methode om IPFS-bronnen op te lossen + +##### Extra instellingen + +In het menu *Systeem* + +
+ +- [ ] Uncheck **Doorgaan met draaiende apps als Brave gesloten is** uit om achtergrond apps uit te schakelen (1) + +
+ +1. Deze optie is niet op alle platforms aanwezig. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) maakt jouw surfgegevens (geschiedenis, bladwijzers, enz.) toegankelijk op al jouw apparaten zonder dat je een account nodig hebt en beschermt ze met E2EE. + +## Extra bronnen + +Wij raden over het algemeen af om extensies te installeren omdat ze jouw aanvalsoppervlak vergroten. Ublock Origin of AdGuard kunnen echter nuttig blijken als je waarde hecht aan de functionaliteit voor het blokkeren van inhoud. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is een populaire inhoudsblokker die je kan helpen bij het blokkeren van advertenties, trackers en vingerafdrukscripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +Wij raden aan om de documentatie van de [ontwikkelaar te volgen](https://github.com/gorhill/uBlock/wiki/Blocking-mode) en een van de "modes" te kiezen. Extra filterlijsten kunnen de prestaties beïnvloeden en [kan het aanvalsoppervlak vergroten](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). 
+ +##### Andere lijsten + +Dit zijn enkele andere [filterlijsten](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) die je zou kunnen overwegen toe te voegen: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Voeg [Actually Legitimatee URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) toe + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +### Minimale vereisten + +- Moet open-source software zijn. +- Ondersteunt automatische updates. +- Ontvangt engine updates in 0-1 dagen na upstream release. +- Beschikbaar op Linux, macOS en Windows. +- Wijzigingen die nodig zijn om de browser privacyvriendelijker te maken, mogen de gebruikerservaring niet negatief beïnvloeden. +- Blokkeert standaard cookies van derden. 
+- Ondersteunt [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) om cross-site tracking tegen te gaan.[^1]
+
+### Beste geval
+
+Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina.
+
+- Beschikt over ingebouwde functionaliteit voor het blokkeren van inhoud.
+- Ondersteunt cookie Compartimentalisatie ( à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)).
+- Ondersteunt Progressive Web Apps.
+ PWA 's stellen u in staat om bepaalde websites te installeren alsof het native apps op uw computer zijn. Dit kan voordelen hebben ten opzichte van het installeren van op elektronen gebaseerde apps, omdat u profiteert van de regelmatige beveiligingsupdates van uw browser.
+- Omvat geen add-onfunctionaliteit (bloatware) die geen invloed heeft op de privacy van gebruikers.
+- Verzamelt standaard geen telemetrie.
+- Voorziet in de implementatie van de open-source synchronisatieserver.
+- Standaard ingesteld op een [privézoekmachine](search-engines.md).
+
+### Uitbreidings criteria
+
+- Mag geen ingebouwde browser- of OS-functionaliteit repliceren.
+- Moet rechtstreeks van invloed zijn op de privacy van de gebruiker, d.w.z. mag niet gewoon informatie verstrekken.
+
+--8<-- "includes/abbreviations.nl.txt"
+
+[^1]: De implementatie van Brave wordt gedetailleerd beschreven op [Brave Privacy Updates: Partitionering van netwerkstatus voor privacy](https://brave.com/privacy-updates/14-partitioning-network-state/).
diff --git a/i18n/nl/desktop.md b/i18n/nl/desktop.md
new file mode 100644
index 00000000..da215503
--- /dev/null
+++ b/i18n/nl/desktop.md
@@ -0,0 +1,182 @@ +--- +title: "Desktop/PC" +icon: simple/linux +--- + +Linux-distributies worden algemeen aanbevolen voor privacybescherming en softwarevrijheid. Als je nog geen Linux gebruikt, zijn hieronder enkele distributies die we aanraden om uit te proberen, evenals enkele algemene tips om je privacy en veiligheid te verbeteren die op veel Linux-distributies van toepassing zijn. + +- [Algemeen Linux-overzicht :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditionele verdelingen + +### Fedora Werkstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is onze aanbevolen distributie voor mensen die nieuw zijn met Linux. Fedora adopteert over het algemeen nieuwere technologieën dan andere distributies, b.v. [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), en binnenkort. Deze nieuwe technologieën gaan vaak gepaard met verbeteringen op het gebied van veiligheid, privacy en bruikbaarheid in het algemeen. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentatie} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Bijdragen} + +Fedora heeft een semi-rollende release cyclus. Terwijl sommige pakketten zoals [GNOME](https://www.gnome.org) bevroren worden tot de volgende Fedora uitgave, worden de meeste pakketten (inclusief de kernel) regelmatig bijgewerkt gedurende de levensduur van de uitgave. Elke Fedora release wordt een jaar lang ondersteund, met elke 6 maanden een nieuwe versie. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is een stabiele distributie met rollende release. 
+ + openSUSE Tumbleweed heeft een [transactionele update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) systeem dat gebruik maakt van [Btrfs](https://en.wikipedia.org/wiki/Btrfs) en [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) om ervoor te zorgen dat snapshots kunnen worden teruggerold mocht er een probleem zijn. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentatie} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Bijdragen} + +Tumbleweed volgt een rollend release-model waarbij elke update wordt vrijgegeven als een momentopname van de distributie. Wanneer je jouw systeem upgrade, wordt een nieuwe momentopname gedownload. Elke momentopname wordt door [openQA](https://openqa.opensuse.org) aan een reeks geautomatiseerde tests onderworpen om de kwaliteit ervan te verzekeren. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is een lichtgewicht, doe-het-zelf (DIY) distributie, wat betekent dat u alleen krijgt wat u installeert. Zie voor meer informatie hun [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentatie} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Bijdragen} + +Arch Linux heeft een doorlopende uitgavecyclus. Er is geen vast releaseschema en pakketten worden zeer frequent bijgewerkt. + +Omdat het een doe-het-zelf distributie is, wordt van je verwacht [dat je jouw systeem zelf opzet en onderhoudt](#arch-based-distributions). Arch heeft een [officiële installer](https://wiki.archlinux.org/title/Archinstall) om het installatieproces wat gemakkelijker te maken. 
+ +Een groot deel van [Arch Linux's pakketten](https://reproducible.archlinux.org) zijn [reproduceerbaar](https://reproducible-builds.org). + +## Immutable distributies + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** en **Fedora Kinoite** zijn immutable varianten van Fedora met een sterke focus op container workflows. Silverblue wordt geleverd met de [GNOME](https://www.gnome.org/) desktop omgeving terwijl Kinoite wordt geleverd met [KDE](https://kde.org/). Silverblue en Kinoite volgen hetzelfde release schema als Fedora Workstation, profiteren van dezelfde snelle updates en blijven zeer dicht bij de upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentatie} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Bijdragen} + +Silverblue (en Kinoite) verschillen van Fedora Workstation doordat ze de [DNF](https://fedoraproject.org/wiki/DNF) pakketbeheerder vervangen door een veel geavanceerder alternatief genaamd [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). De `rpm-ostree` pakketbeheerder werkt door een basis image voor het systeem te downloaden, en er dan pakketten overheen te leggen in een [git](https://en.wikipedia.org/wiki/Git)-achtige commit tree. Wanneer het systeem wordt bijgewerkt, wordt een nieuw basisbeeld gedownload en worden de overlays op dat nieuwe beeld toegepast. + +Nadat de update is voltooid, start je het systeem opnieuw op in de nieuwe versie. `rpm-ostree` houdt twee versies van het systeem bij, zodat je gemakkelijk kunt terugdraaien als er iets kapot gaat in de nieuwe versie. Er is ook de mogelijkheid om meer versies vast te pinnen als dat nodig is. 
+ +[Flatpak](https://www.flatpak.org) is de primaire pakketinstallatiemethode op deze distributies, aangezien `rpm-ostree` alleen bedoeld is om pakketten die niet in een container kunnen blijven bovenop de basisafbeelding te plaatsen. + +Als alternatief voor Flatpaks is er de optie [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) om [Podman](https://podman.io) containers te maken met een gedeelde home directory met het gast-besturingssysteem en een traditionele Fedora omgeving na te bootsen, wat een [nuttige eigenschap is](https://containertoolbx.org) voor de veeleisende ontwikkelaar. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is een onafhankelijke distributie gebaseerd op de Nix pakketbeheerder met een focus op reproduceerbaarheid en betrouwbaarheid. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentatie} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Bijdragen} + +De pakketbeheerder van NixOS bewaart elke versie van elk pakket in een andere map in de **Nix store**. Hierdoor kun je verschillende versies van hetzelfde pakket op jouw systeem geïnstalleerd hebben. Nadat de inhoud van het pakket naar de map is geschreven, wordt de map alleen-lezen gemaakt. + +NixOS biedt ook atomaire updates; het downloadt (of bouwt) eerst de pakketten en bestanden voor de nieuwe systeemgeneratie en schakelt daar dan naar over. Er zijn verschillende manieren om over te schakelen naar een nieuwe generatie; je kunt NixOS vertellen deze te activeren na reboot of je kunt er tijdens runtime naar overschakelen. Je kunt ook *testen* de nieuwe generatie door er tijdens runtime naar over te schakelen, maar het niet in te stellen als de huidige systeemgeneratie. 
Als iets in het updateproces stuk gaat, kunt je gewoon opnieuw opstarten en automatisch terugkeren naar een werkende versie van jouw systeem. + +Nix de pakketbeheerder gebruikt een zuiver functionele taal - die ook Nix wordt genoemd - om pakketten te definiëren. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (de belangrijkste bron van pakketten) zijn opgenomen in een enkele GitHub repository. Je kan ook je eigen packages definiëren in dezelfde taal en ze dan gemakkelijk opnemen in je config. + +Nix is een source-based package manager; als er geen pre-built beschikbaar is in de binaire cache, zal Nix het pakket gewoon vanaf de broncode bouwen met behulp van zijn definitie. Het bouwt elk pakket in een sandboxed *pure* omgeving, die zo onafhankelijk mogelijk is van het hostsysteem, waardoor binaries reproduceerbaar zijn. + +## Op anonimiteit gerichte distributies + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is gebaseerd op [Kicksecure](https://www.whonix.org/wiki/Kicksecure), een op beveiliging gerichte vork van Debian. Het is gefocust op privacy, veiligheid en anonimiteit op het internet te bieden. Whonix wordt het best gebruikt in combinatie met [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentatie} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Dragen bij } + +Whonix is bedoeld om te draaien als twee virtuele machines: een "Workstation" en een Tor "Gateway" Alle communicatie van het werkstation moet via de Tor-gateway gaan. Dit betekent dat zelfs als het werkstation wordt gecompromitteerd door malware, het ware IP-adres verborgen blijft. 
+ +Enkele van de functies zijn Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), en een hardened memory allocator. + +Toekomstige versies van Whonix zullen waarschijnlijk [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) en een [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) bevatten om alle processen op het systeem volledig in te perken. + +Whonix wordt het best gebruikt [in combinatie met Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix heeft diverse [nadelen](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) in vergelijking met andere hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is een live besturingssysteem gebaseerd op Debian dat alle communicatie via Tor laat lopen. Hij kan op bijna elke computer opstarten vanaf een DVD, USB-stick of SD-kaart. + + Het is bedoeld om de privacy en anonimiteit te bewaren, censuur te omzeilen en geen sporen achter te laten op de computer waarop het wordt gebruikt. + +Het is de bedoeling dat Tails zichzelf reset na elke reboot. Versleutelde [persistente opslag](https://tails. boum. org/doc/first_steps/persistence/index. en. html) kan worden geconfigureerd om bepaalde gegevens op te slaan. Een Tails-systeem dat door malware is aangetast, kan de transparante proxy omzeilen, waardoor de gebruiker kan worden gedeanonimiseerd. + +Tails bevat standaard [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser, wat het voor tegenstanders mogelijk gemakkelijker maakt om Tails-gebruikers te identificeren. [Whonix](desktop.md#whonix) virtuele machines zijn misschien lekbestendiger, maar ze zijn niet amnesisch, wat betekent dat gegevens kunnen worden teruggehaald van jouw opslagapparaat. 
+ +Het is de bedoeling dat Tails zichzelf volledig reset na elke herstart. Een versleutelde [persistente opslag](https://tails.boum.org/doc/persistent_storage/index.en.html) kan worden geconfigureerd om bepaalde gegevens tussen reboots op te slaan. + +## Op veiligheid gerichte distributies + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is een open-source besturingssysteem ontworpen om sterke beveiliging te bieden voor desktop computergebruik. Qubes is gebaseerd op Xen, het X Window System, en Linux, en kan de meeste Linux-toepassingen draaien en de meeste Linux-stuurprogramma's gebruiken. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" }. + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentatie }. + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Broncode" }. + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Bijdragen } + +Qubes OS is een op Xen gebaseerd besturingssysteem dat bedoeld is om sterke beveiliging te bieden voor desktopcomputers via beveiligde virtuele machines (VM's), ook bekend als *Qubes*. + +Het besturingssysteem Qubes beveiligt de computer door subsystemen (bijv. netwerken, USB, enz.) en applicaties in afzonderlijke VM 's te isoleren. Als een deel van het systeem wordt gecompromitteerd, zal de extra isolatie waarschijnlijk de rest van het systeem beschermen. Zie voor meer details de Qubes [FAQ](https://www.qubes-os.org/faq/). 
+
+## Criteria
+
+**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is.
+
+!!! example "Deze sectie is nieuw"
+
+ We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering.
+
+Onze aanbevolen besturingssystemen:
+
+- Moet open-source zijn.
+- Moet regelmatig software en Linux kernel updates ontvangen.
+- Linux-distributies moeten [Wayland](os/linux-overview.md#Wayland) ondersteunen.
+- Moet tijdens de installatie volledige schijfversleuteling ondersteunen.
+- Mag regelmatige releases niet langer dan 1 jaar bevriezen. Wij [raden](os/linux-overview.md#release-cycle) "Long Term Support" of "stabiele" distro-uitgaven niet aan voor desktopgebruik.
+- Moet een grote verscheidenheid aan hardware ondersteunen.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/dns.md b/i18n/nl/dns.md
new file mode 100644
index 00000000..98113d23
--- /dev/null
+++ b/i18n/nl/dns.md
@@ -0,0 +1,143 @@ +--- +title: "DNS-resolvers" +icon: material/dns +--- + +!!! question "Moet ik versleutelde DNS gebruiken?" + + Versleutelde DNS met servers van derden mag alleen worden gebruikt om basis [DNS-blokkering](https://en.wikipedia.org/wiki/DNS_blocking) te omzeilen als u er zeker van kunt zijn dat er geen gevolgen zullen zijn. Versleutelde DNS zal je niet helpen jouw surfactiviteiten te verbergen. + + [Leer meer over DNS](advanced/dns-overview.md){ .md-button } + +## Aanbevolen Providers + +| DNS-aanbieder | Privacybeleid | Protocollen | Loggen | ECS | Filteren | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- | ------------- | --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH
DoT
DNSCrypt | Sommige[^1] | Nee | Gebaseerd op server keuze. De filterlijst die wordt gebruikt, is hier te vinden. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH
DoT | Sommige[^2] | Nee | Gebaseerd op server keuze. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH
DoT
DNSCrypt | Optioneel[^3] | Nee | Gebaseerd op server keuze. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | Geen[^4] | Nee | Gebaseerd op server keuze. De filterlijst die wordt gebruikt, is hier te vinden. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH
DoT | Optioneel[^5] | Optioneel | Gebaseerd op server keuze. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Sommige[^6] | Optioneel | Gebaseerd op server keuze, Malware blokkering standaard. | + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md) hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Moet [DNSSEC](advanced/dns-overview.md#what-is-dnssec) ondersteunen. +- [QNAME Minimalisatie](advanced/dns-overview.md#what-is-qname-minimization). +- Toestaan dat [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) wordt uitgeschakeld. +- Voorkeur voor [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) ondersteuning of geo-steering ondersteuning. + +## Ondersteuning voor besturingssystemen + +### Android + +Android 9 en hoger ondersteunen DNS over TLS. De instellingen kunnen worden gevonden in: **Instellingen** → **Netwerk & Internet** → **Private DNS**. + +### Apple apparaten + +De nieuwste versies van iOS, iPadOS, tvOS en macOS ondersteunen zowel DoT als DoH. 
Beide protocollen worden ondersteund via [configuratieprofielen](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) of via de [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). + +Apple biedt geen native interface voor het aanmaken van gecodeerde DNS-profielen. Als een VPN actief is, zal de resolutie binnen de VPN-tunnel de DNS-instellingen van het VPN gebruiken en niet uw systeembrede instellingen. + +#### Ondertekende Profielen + +Apple biedt geen native interface voor het maken van versleutelde DNS-profielen. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is een onofficiële tool voor het maken van uw eigen versleutelde DNS-profielen, die echter niet worden ondertekend. Ondertekende profielen hebben de voorkeur; ondertekening valideert de oorsprong van een profiel en helpt de integriteit van de profielen te waarborgen. Een groen "Geverifieerd" label wordt gegeven aan ondertekende configuratieprofielen. Voor meer informatie over het ondertekenen van codes, zie [Over het ondertekenen van codes](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Ondertekende profielen** worden aangeboden door [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), en [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved, die veel Linux distributies gebruiken om hun DNS lookups te doen, ondersteunt nog niet [DoH](https://github.com/systemd/systemd/issues/8639)). Als je DoH wilt gebruiken, moet je een proxy installeren zoals [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) en [configureren](https://wiki.archlinux.org/title/Dnscrypt-proxy) om alle DNS queries van je systeem-resolver te nemen en ze over HTTPS door te sturen. 
+ + +## Versleutelde DNS-proxy + +Versleutelde DNS proxy software biedt een lokale proxy voor de [onversleutelde DNS](advanced/dns-overview.md#unencrypted-dns) resolver om naar door te sturen. Typisch wordt het gebruikt op platformen die [versleutelde DNS](advanced/dns-overview.md#what-is-encrypted-dns)niet ond ersteunen. + +### RethinkDNS + +!!! recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is een open-source Android client met ondersteuning voor [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) en DNS Proxy samen met het cachen van DNS antwoorden, lokaal loggen van DNS queries en kan ook gebruikt worden als firewall. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: Web](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is een DNS-proxy met ondersteuning voor [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), en [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! 
warning "De geanonimiseerde DNS-functie anonimiseert [**niet**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) ander netwerkverkeer." + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Broncode" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Bijdrage leveren } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Zelf gehoste oplossingen + +Een zelf gehoste DNS-oplossing is handig voor het bieden van filtering op gecontroleerde platforms, zoals Smart TV's en andere IoT-apparaten, omdat er geen client-side software nodig is. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is een open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) die gebruik maakt van [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) om ongewenste webinhoud, zoals advertenties, te blokkeren. + + AdGuard Home beschikt over een gepolijste webinterface om inzicht te kijken en geblokkeerde inhoud te beheren. 
+ + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Broncode" } + +### Pi-hole + +!!! recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is een open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) die [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) gebruikt om ongewenste webinhoud, zoals advertenties, te blokkeren. + + Pi-hole is ontworpen om te worden gehost op een Raspberry Pi, maar het is niet beperkt tot dergelijke hardware. De software beschikt over een vriendelijke webinterface om inzichten te bekijken en geblokkeerde inhoud te beheren. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Broncode" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Bijdragen } + +--8<-- "includes/abbreviations.nl.txt" + +[^1]: AdGuard slaat geaggregeerde prestatiecijfers van hun DNS-servers op, namelijk het aantal volledige verzoeken aan een bepaalde server, het aantal geblokkeerde verzoeken, en de snelheid waarmee verzoeken worden verwerkt. Zij houden ook de database bij van domeinen die in de laatste 24 uur zijn aangevraagd. "We hebben deze informatie nodig om nieuwe trackers en bedreigingen te identificeren en te blokkeren." "We houden ook bij hoe vaak deze of gene tracker geblokkeerd is. 
We hebben deze informatie nodig om verouderde regels uit onze filters te verwijderen." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare verzamelt en bewaart alleen de beperkte DNS-querygegevens die naar de 1.1.1.1 resolver worden gestuurd. De 1.1.1.1 resolver dienst logt geen persoonsgegevens, en het grootste deel van de beperkte niet-persoonlijk identificeerbare query-gegevens wordt slechts 25 uur bewaard. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D logt alleen voor Premium resolvers met aangepaste DNS-profielen. Vrije resolvers loggen geen gegevens. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: De DNS-service van Mullvad is beschikbaar voor zowel abonnees als niet-abonnees van Mullvad VPN. Hun privacybeleid beweert expliciet dat zij op geen enkele manier DNS-verzoeken loggen. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS kan inzichten en loggingfuncties bieden op een opt-in basis. U kunt retentietijden en opslaglocaties kiezen voor de logs die je wilt bewaren. Als er niet specifiek om gevraagd wordt, worden er geen gegevens gelogd. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 verzamelt sommige gegevens ten behoeve van de monitoring van en reactie op bedreigingen. Die gegevens kunnen vervolgens opnieuw worden gemengd en gedeeld, bijvoorbeeld ten behoeve van veiligheidsonderzoek. Quad9 verzamelt of registreert geen IP-adressen of andere gegevens die zij als persoonlijk identificeerbaar beschouwt. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/nl/email-clients.md b/i18n/nl/email-clients.md new file mode 100644 index 00000000..5ba3959f --- /dev/null +++ b/i18n/nl/email-clients.md 
@@ -0,0 +1,239 @@ +--- +title: "Email clients" +icon: material/email-open +--- + +Onze aanbevelingslijst bevat e-mailcliënten die zowel [OpenPGP](encryption.md#openpgp) als sterke authenticatie ondersteunen, zoals [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). Met OAuth kunt u [Multi-Factor Authentication](basics/multi-factor-authentication.md) gebruiken en accountdiefstal voorkomen. + +??? warning "E-mail biedt geen forward secrecy" + + Bij gebruik van end-to-end encryptie (E2EE) technologie zoals OpenPGP, zal e-mail nog steeds [enkele metadata](email.md#email-metadata-overzicht) bevatten die niet versleuteld zijn in de header van de e-mail. + + OpenPGP ondersteunt ook geen [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), wat betekent dat als uw of de geadresseerde's private sleutel ooit wordt gestolen, alle voorgaande berichten die ermee zijn versleuteld zullen worden blootgelegd: [How do I protect my private keys?](basics/email-security.md) Overweeg het gebruik van een medium dat forward secrecy biedt: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird-logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is een gratis, open-source, cross-platform email, nieuwsgroep, nieuwsfeed, en chat (XMPP, IRC, Twitter) client ontwikkeld door de Thunderbird gemeenschap, en voorheen door de Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentatie} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Broncode" } + + ??? 
downloads "Downloaden" + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Aanbevolen configuratie + +We raden aan om sommige van deze instellingen te wijzigen om Thunderbird een beetje meer privé te maken. + +Deze opties zijn te vinden in :material-menu: → **Instellingen** → **Privacy & Beveiliging**. + +##### Web Content + +- [ ] Deselecteer **Onthoud websites en links die ik heb bezocht** +- [ ] Deselecteer **Accepteer cookies van sites** + +##### Telemetrie + +- [ ] Deselecteer **Toestaan dat Thunderbird technische en interactiegegevens naar Mozilla stuurt** + +#### Thunderbird-user.js (geavanceerd) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is een set van configuratie-opties die erop gericht is zoveel mogelijk van de web-browsing functies binnen Thunderbird uit te schakelen om de aanvals oppervlakte te verkleinen en de privacy te behouden. let op + +## Platform specifiek + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail-logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is opgenomen in macOS en kan worden uitgebreid met OpenPGP-ondersteuning met [GPG Suite](/encryption/#gpg-suite), waarmee de mogelijkheid wordt toegevoegd om versleutelde e-mail te versturen. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentatie} + +### Canary Mail (iOS) + +!!! 
recommendation + + ![Canary Mail-logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is een betaalde e-mailclient die is ontworpen om end-to-end versleuteling naadloos te laten verlopen met beveiligingsfuncties zoals een biometrische app-vergrendeling. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentatie} + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail heeft pas onlangs een Windows- en Android-client uitgebracht, hoewel die volgens ons niet zo stabiel zijn als hun iOS- en Mac-tegenhangers. + +Canary Mail is closed-source. We raden het aan omdat er maar weinig keuzes zijn voor e-mailclients op iOS die PGP E2EE ondersteunen. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is een minimale, open-source e-mail app, die gebruik maakt van open standaarden (IMAP, SMTP, OpenPGP) met een laag data- en batterijverbruik. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Broncode" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Bijdragen } + + ??? 
downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### Gnome evolutie (Gnome) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is een applicatie voor het beheer van persoonlijke informatie die geïntegreerde mail-, agenda- en adresboekfuncties biedt. Evolution heeft uitgebreide [documentation](https://help.gnome.org/users/evolution/stable/) om u op weg te helpen. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentatie} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Broncode" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is een onafhankelijke mail-applicatie die zowel POP3 als IMAP mailboxen ondersteunt, maar alleen push mail voor IMAP ondersteunt. + + In de toekomst zal K-9 Mail de [officieel gemerkte](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client voor Android zijn. 
+ + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Broncode" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + Bij het beantwoorden van iemand op een mailinglijst kan de optie "beantwoorden" ook de mailinglijst omvatten. Zie voor meer informatie [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is een persoonlijke informatiemanager (PIM) applicatie van het [KDE](https://kde.org) project. Het biedt een mail client, adresboek, organizer en RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentatie} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Broncode" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! 
recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is een browser extensie die de uitwisseling van versleutelde e-mails mogelijk maakt volgens de OpenPGP encryptie standaard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Broncode} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Bijdragen" } + + ??? downloads "Downloaden" + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is een open-source command line mail reader (of MUA) voor Linux en BSD. Het is een vork van [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) met toegevoegde mogelijkheden. + + NeoMutt is een tekst-gebaseerde client die een steile leercurve heeft. Het is echter zeer aanpasbaar. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Broncode" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Bijdragen } + + ??? 
downloads "Downloaden" + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +### Minimum kwalificaties + +- Apps ontwikkeld voor open-source besturingssystemen moeten open-source zijn. +- Mag geen telemetrie verzamelen, of een gemakkelijke manier hebben om alle telemetrie uit te schakelen. +- Moet OpenPGP-berichtversleuteling ondersteunen. + +### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. + +- Moet open-source zijn. +- Moet cross-platform zijn. +- Verzamelt standaard geen telemetrie. +- Moet OpenPGP native ondersteunen, dat wil zeggen zonder extensies. +- Moet ondersteuning bieden voor het lokaal opslaan van OpenPGP-versleutelde e-mails. + +--8<-- "includes/abbreviations.nl.txt" 
diff --git a/i18n/nl/email.md b/i18n/nl/email.md new file mode 100644 index 00000000..a65dab09 --- /dev/null +++ b/i18n/nl/email.md 
@@ -0,0 +1,485 @@ +--- +title: "Email Diensten" +icon: material/email +--- + +E-mail is bijna een noodzaak voor het gebruik van elke online dienst, maar wij raden het niet aan voor gesprekken van persoon tot persoon. In plaats van e-mail te gebruiken om met andere mensen in contact te komen, kun je overwegen een instant messenger te gebruiken dat forward secrecy ondersteunt. + +[Aanbevolen Instant Messengers](real-time-communication.md ""){.md-button} + +Voor al het andere raden wij verschillende e-mailproviders aan op basis van duurzame bedrijfsmodellen en ingebouwde beveiligings- en privacyfuncties. + +## OpenPGP compatibele diensten + +Deze providers ondersteunen native OpenPGP-encryptie/decryptie, waardoor provider-agnostische E2EE-e-mails mogelijk zijn. Een Proton Mail-gebruiker zou bijvoorbeeld een E2EE-bericht kunnen sturen naar een Mailbox.org-gebruiker, of je zou OpenPGP-versleutelde meldingen kunnen ontvangen van internetdiensten die dit ondersteunen. + +!!! warning + + Wanneer gebruik wordt gemaakt van E2EE-technologie zoals OpenPGP, zullen e-mailberichten nog steeds metagegevens bevatten die niet in de header van het e-mailbericht zijn gecodeerd. Lees meer over [e-mail metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP ondersteunt ook geen Forward secrecy, wat betekent dat als uw of de geadresseerde's private sleutel ooit wordt gestolen, alle eerdere berichten die ermee zijn versleuteld, openbaar worden. [Hoe bescherm ik mijn privé sleutels?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is een e-maildienst met de nadruk op privacy, encryptie, veiligheid en gebruiksgemak. Ze zijn al actief sinds **2013**. Proton AG is gevestigd in Genève, Zwitserland. Accounts beginnen met 500 MB opslagruimte met hun gratis plan. 
+ + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }. + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Gratis accounts hebben enkele beperkingen, zoals het niet kunnen doorzoeken van bodytekst en geen toegang tot [Proton Mail Bridge](https://proton.me/mail/bridge), die nodig is om een [aanbevolen desktop e-mailclient](email-clients.md) (bv. Thunderbird) te gebruiken. Betaalde accounts bevatten functies zoals Proton Mail Bridge, extra opslagruimte en ondersteuning voor aangepaste domeinen. Een [attestatiebrief](https://proton.me/blog/security-audit-all-proton-apps) werd op 9 november 2021 verstrekt voor de apps van Proton Mail door [Securitum](https://research.securitum.com). + +Als je Proton Unlimited, Business of Visionary hebt, krijg je ook [SimpleLogin](#simplelogin) Premium gratis. + +Proton Mail heeft interne crash rapporten die ze **niet** delen met derden. Dit kan worden uitgeschakeld in: **Instellingen** > **Ga naar Instellingen** > **Account** > **Beveiliging en privacy** > **Crashmeldingen versturen**. 
+ +??? success "Aangepaste domeinen en aliassen" + + Betalende Proton Mail-abonnees kunnen hun eigen domein bij de dienst gebruiken of een [catch-all](https://proton.me/support/catch-all) adres. Proton Mail ondersteunt ook [subaddressing](https://proton.me/support/creating-aliases), wat handig is voor mensen die geen domein willen kopen. + +??? success "Privé betaalmethoden" + + Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin en contant geld per post naast de standaard credit/debetkaart en PayPal-betalingen. + +??? success "Account beveiliging" + + Proton Mail ondersteunt alleen TOTP [tweefactorauthenticatie](https://proton.me/support/two-factor-authentication-2fa). Het gebruik van een U2F beveiligingssleutel wordt nog niet ondersteund. Proton Mail is van plan U2F te implementeren na voltooiing van hun [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code. + +??? success "Gegevens beveiliging" + + Proton Mail heeft [zero-access encryption](https://proton.me/blog/zero-access-encryption) in rust voor jouw e-mails en [calendars](https://proton.me/news/protoncalendar-security-model). Gegevens die zijn beveiligd met zero access encryptie zijn alleen voor jouw toegankelijk. + + Bepaalde in [Proton Contacts](https://proton.me/support/proton-contacts) opgeslagen informatie, zoals namen en e-mailadressen, zijn niet beveiligd met zero access encryptie. Contact velden die zero-access encryptie ondersteunen, zoals telefoonnummers, worden aangegeven met een hangslot pictogram. + +??? success "Email Encryptiie" + + Proton Mail heeft [geïntegreerde OpenPGP-encryptie](https://proton.me/support/how-to-use-pgp) in hun webmail. E-mails naar andere Proton Mail-accounts worden automatisch versleuteld, en versleuteling naar niet-Proton Mail-adressen met een OpenPGP-sleutel kan eenvoudig worden ingeschakeld in jouw accountinstellingen. 
Zij laten u ook toe [berichten te coderen naar niet-Proton Mail adressen](https://proton.me/support/password-protected-emails) zonder dat zij zich moeten aanmelden voor een Proton Mail account of software zoals OpenPGP moeten gebruiken. + + Proton Mail ondersteunt ook de ontdekking van openbare sleutels via HTTP vanuit hun [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). Hierdoor kunnen mensen die geen Proton Mail gebruiken de OpenPGP sleutels van Proton Mail accounts gemakkelijk vinden, voor cross-provider E2EE. + +??? warning "Digitale erfgoed" + + Proton Mail biedt geen digitale erfenisfunctie. + +??? info "Account beëindiging" + + Als je een betaalde account hebt en je [rekening is onbetaald](https://proton.me/support/delinquency) na 14 dagen, krijg je geen toegang tot je gegevens. Na 30 dagen wordt uw account delinquent en ontvangt u geen inkomende e-mail. Tijdens deze periode wordt u nog steeds gefactureerd. + +??? info "Aanvullende Functionaliteit" + + Proton Mail biedt een "Unlimited" account voor €9,99/maand, die ook toegang geeft tot Proton VPN, naast meerdere accounts, domeinen, aliassen en 500GB opslagruimte. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is een e-maildienst die gericht is op veiligheid, reclamevrij is en voor 100% wordt gevoed door milieuvriendelijke energie. Ze zijn al actief sinds **2014. Mailbox.org is gevestigd in Berlijn, Duitsland. Accounts beginnen met 2 GB opslagruimte, die naar behoefte kan worden uitgebreid. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentatie} + + ??? downloads "Downloaden" + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +??? 
success "Aangepaste domeinen en aliassen" + + Mailbox.org staat je toe jouw eigen domein te gebruiken, en zij ondersteunen [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) adressen. Mailbox.org ondersteunt ook [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), wat handig is als je geen domein wilt kopen. + +??? info "Privé betaalmethoden" + + Mailbox.org accepteert geen Bitcoin of andere cryptocurrencies als gevolg van het feit dat hun betalingsverwerker BitPay zijn activiteiten in Duitsland heeft opgeschort. Zij aanvaarden echter wel Contant geld per post, contante betaling op bankrekening, bankoverschrijving, kredietkaart, PayPal en een paar Duits-specifieke verwerkers: paydirekt en Sofortüberweisung. + +??? success "Account beveiliging" + + Mailbox.org ondersteunt [tweefactorauthenticatie](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) alleen voor hun webmail. U kunt zowel TOTP als een [Yubikey](https://en.wikipedia.org/wiki/YubiKey) gebruiken via de [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Webstandaarden zoals [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) worden nog niet ondersteund. + +??? info "Gegevens beveiliging" + + Mailbox.org maakt versleuteling van inkomende mail mogelijk door gebruik te maken van hun [versleutelde mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). Nieuwe berichten die je ontvangt, worden dan onmiddellijk versleuteld met jouw openbare sleutel. + + [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), het softwareplatform dat door Mailbox.org wordt gebruikt, [ondersteunt echter niet](https://kb.mailbox.org/display/BMBOKBEN/Encryption+van+kalender+en+adres+boek) de encryptie van jouw adresboek en agenda. Een [standalone optie](calendar.md) is misschien meer geschikt voor die informatie. + +??? 
success "Email Encryptiie" + + Mailbox.org heeft [geïntegreerde encryptie](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in hun webmail, wat het verzenden van berichten naar mensen met openbare OpenPGP-sleutels vereenvoudigt. Zij staan ook [ontvangers op afstand toe een e-mail te ontsleutelen](https://kb.mailbox.org/display/MBOKBEN/My+ontvanger+gebruikt+geen+PGP) op de servers van Mailbox.org. Deze functie is nuttig wanneer de ontvanger op afstand geen OpenPGP heeft en geen kopie van de e-mail in zijn eigen mailbox kan ontsleutelen. + + Mailbox.org ondersteunt ook de ontdekking van openbare sleutels via HTTP vanuit hun [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). Hierdoor kunnen mensen buiten Mailbox.org gemakkelijk de OpenPGP sleutels van Mailbox.org accounts vinden, voor cross-provider E2EE. + +??? success "Digitale erfgoed" + + Mailbox.org heeft een digitale erfenis voor alle plannen. Je kunt kiezen of je wilt dat jouw gegevens worden doorgegeven aan jouw erfgenamen, mits zij een aanvraag indienen en jouw testament overleggen. Je kunt ook een persoon nomineren met naam en adres. + +??? info "Account beëindiging" + + Jouw account zal worden ingesteld op een beperkte gebruikersaccount wanneer jouw contract eindigt, na [30 dagen zal het onherroepelijk worden verwijderd](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +??? info "Aanvullende Functionaliteit" + + Je kunt toegang krijgen tot jouw Mailbox.org account via IMAP/SMTP door gebruik te maken van hun [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+van+mailbox.org). Hun webmailinterface is echter niet toegankelijk via hun .onion dienst en je kunt TLS-certificaatfouten ondervinden. + + Alle accounts worden geleverd met beperkte cloudopslag die [kan worden versleuteld](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). 
Mailbox.org biedt ook de alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), die de TLS-encryptie afdwingt op de verbinding tussen mailservers, anders wordt het bericht helemaal niet verzonden. Mailbox.org ondersteunt ook [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync), naast standaard toegangsprotocollen zoals IMAP en POP3. + +### StartMail + +!!! recommendation + + ![StartMail-logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail-logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is een e-maildienst met de nadruk op veiligheid en privacy door het gebruik van standaard OpenPGP-versleuteling. StartMail is sinds 2014 actief en is gevestigd in Boulevard 11, Zeist Nederland. Accounts beginnen met 10GB. Ze bieden een 30 dagen proefperiode. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentatie} + + ??? downloads "Downloaden" + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +??? success "Aangepaste domeinen en aliassen" + + Persoonlijke accounts kunnen [Custom of Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliassen gebruiken. [Eigen domeinen](https://support.startmail.com/hc/nl-nl/articles/4403911432209-Setup-a-custom-domain) zijn ook beschikbaar. + +??? warning "Privé betaalmethoden" + + StartMail accepteert Visa, MasterCard, American Express en Paypal. StartMail heeft ook andere [betalingsopties](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) zoals Bitcoin (momenteel alleen voor Persoonlijke accounts) en SEPA Direct Debit voor accounts ouder dan een jaar. + +??? 
success "Account beveiliging" + + StartMail ondersteunt TOTP tweefactorauthenticatie [alleen voor webmail](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). Zij staan geen U2F-authenticatie met beveiligingssleutel toe. + +??? info "Gegevens beveiliging" + + StartMail heeft [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), met behulp van hun "user vault" systeem. Wanneer je inlogt, wordt de kluis geopend, en de e-mail wordt dan uit de wachtrij naar de kluis verplaatst, waar hij wordt ontsleuteld met de bijbehorende privésleutel. + + StartMail ondersteunt het importeren van [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts), maar deze zijn alleen toegankelijk in de webmail en niet via protocollen zoals [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacten worden ook niet opgeslagen met behulp van zero knowledge encryptie. + +??? success "Email Encryptiie" + + StartMail heeft [geïntegreerde encryptie](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in hun webmail, wat het verzenden van versleutelde berichten met openbare OpenPGP-sleutels vergemakkelijkt. + +??? warning "Digitale erfgoed" + + StartMail biedt geen digitale erfenisfunctie. + +??? info "Account beëindiging" + + Bij afloop van de account zal StartMail jouw account definitief verwijderen na [6 maanden in 3 fasen](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +??? info "Aanvullende Functionaliteit" + + StartMail maakt proxying van afbeeldingen in e-mails mogelijk. Als je toestaat dat het beeld op afstand wordt geladen, weet de verzender niet wat jouw IP-adres is. + +## Meer providers + +Deze providers slaan jouw e-mails op met zero-knowledge encryptie, waardoor ze geweldige opties zijn om jouw opgeslagen e-mails veilig te houden. 
Zij ondersteunen echter geen interoperabele versleutelingsnormen voor E2EE-communicatie tussen aanbieders. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is een e-maildienst met de nadruk op veiligheid en privacy door het gebruik van encryptie. Tutanota is actief sinds **2011** en is gevestigd in Hannover, Duitsland. Accounts beginnen met 1GB opslagruimte met hun gratis plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Broncode" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota ondersteunt het [IMAP protocol](https://tutanota.com/faq/#imap) em het gebruik van e-mailclients van derden niet[](email-clients.md), en je zult ook niet in staat zijn om [externe e-mailaccounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) toe te voegen aan de Tutanota app. Beide [E-mail import](https://github.com/tutao/tutanota/issues/630) of [submappen](https://github.com/tutao/tutanota/issues/927) worden momenteel ondersteund, hoewel dit binnenkort [zal worden gewijzigd](https://tutanota.com/blog/posts/kickoff-import). 
E-mails kunnen [individueel of per bulk selectie](https://tutanota.com/howto#generalMail) per map worden geëxporteerd, wat onhandig kan zijn als je veel mappen hebt. + +??? success "Aangepaste domeinen en aliassen" + + Betaalde Tutanota accounts kunnen tot 5 [aliases](https://tutanota.com/faq#alias) en [aangepaste domeinen](https://tutanota.com/faq#custom-domain) gebruiken. Tutanota staat geen [subadressering (plus adressen)](https://tutanota.com/faq#plus) toe, maar je kunt een [catch-all](https://tutanota.com/howto#settings-global) gebruiken met een aangepast domein. + +??? warning "Privé betaalmethoden" + + Tutanota accepteert alleen rechtstreeks creditcards en PayPal, maar Bitcoin en Monero kunnen worden gebruikt om cadeaubonnen te kopen via hun [partnership](https://tutanota.com/faq/#cryptocurrency) met Proxystore. + +??? success "Account beveiliging" + + Tutanota ondersteunt [twee factor authenticatie](https://tutanota.com/faq#2fa) met TOTP of U2F. + +??? success "Gegevens beveiliging" + + Tutanota heeft [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) voor jouw emails, [adresboek contacten](https://tutanota.com/faq#encrypted-address-book), en [calendars](https://tutanota.com/faq#calendar). Dit betekent dat de berichten en andere gegevens die in jouw account zijn opgeslagen, alleen door je kunnen worden gelezen. + +??? warning "Email Encryptie" + + Tutanota [gebruikt geen OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts kunnen alleen versleutelde e-mails ontvangen van niet-Tutanota e-mail accounts wanneer deze worden verzonden via een [tijdelijke Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +??? warning "Digitale erfgoed" + + Tutanota biedt geen digitale erfenis functie. + +??? info "Account beëindiging" + + Tutanota zal [inactieve gratis accounts verwijderen](https://tutanota.com/faq#inactive-accounts) na zes maanden. 
Je kunt een gedeactiveerd gratis account opnieuw gebruiken als je betaalt. + +??? info "Aanvullende Functionaliteit" + + Tutanota biedt de zakelijke versie van [Tutanota gratis of met zware korting aan organisaties zonder winstoogmerk](https://tutanota.com/blog/posts/secure-email-for-non-profit). + + Tutanota heeft ook een zakelijke functie genaamd [Secure Connect](https://tutanota.com/secure-connect/). Dit zorgt ervoor dat het klantcontact met het bedrijf gebruik maakt van E2EE. De functie kost €240/j. + +## E-mail aliasing diensten + +Met een e-mail aliasing dienst kun je gemakkelijk een nieuw e-mailadres genereren voor elke website waarvoor je je aanmeldt. De e-mailaliassen die je aanmaakt worden dan doorgestuurd naar een e-mailadres vanjouw keuze, waardoor zowel jouw "hoofd"-e-mailadres als de identiteit van jouw e-mailprovider wordt verborgen. Echte e-mailaliasing is beter dan de door veel providers gebruikte en ondersteunde plus-adressering, waarmee je aliassen kunt maken als jouwnaam+[anythinghere]@voorbeeld.com, omdat websites, adverteerders en traceringsnetwerken triviaal alles na het +-teken kunnen verwijderen om jouw echte e-mailadres te ontdekken. + +E-mailaliasing kan fungeren als een waarborg voor het geval jouw e-mailprovider ooit ophoudt te werken. In dat scenario kun je jouw aliassen gemakkelijk omleiden naar een nieuw e-mailadres. Op zijn beurt stelt je echter vertrouwen in de aliasingdienst om te blijven functioneren. + +Het gebruik van een speciale e-mail aliasing dienst heeft ook een aantal voordelen ten opzichte van een catch-all alias op een aangepast domein: + +- Aliassen kunnen individueel worden in- en uitgeschakeld wanneer je ze nodig hebt, zodat websites je niet willekeurig e-mailen. +- Antwoorden worden verzonden vanaf het aliasadres, waardoor jouw echte e-mailadres wordt afgeschermd. 
+ +Ze hebben ook een aantal voordelen ten opzichte van "tijdelijke e-mail" diensten: + +- Aliassen zijn permanent en kunnen weer worden ingeschakeld als je iets moet ontvangen zoals een wachtwoord-reset. +- E-mails worden naar jouw vertrouwde mailbox gestuurd in plaats van opgeslagen door de alias provider. +- Tijdelijke e-maildiensten hebben doorgaans openbare mailboxen die voor iedereen die het adres kent toegankelijk zijn, aliassen zijn privé. + +Onze aanbevelingen voor e-mailaliassen zijn providers waarmee je aliassen kunt aanmaken op domeinen die zij beheren, en op jouw eigen aangepaste domein(en) voor een bescheiden jaarlijks bedrag. Ze kunnen ook zelf worden gehost als je maximale controle wilt. Het gebruik van een eigen domein kan echter ook nadelen hebben voor de privacy: Als je de enige persoon bent die ouw aangepaste domein gebruikt, kunnen jouw acties op verschillende websites gemakkelijk worden getraceerd door simpelweg naar de domeinnaam in het e-mailadres te kijken en alles voor het at (@) teken te negeren. + +Het gebruik van een aliasingdienst vereist dat je zowel jouw e-mailprovider als jouw aliasingprovider vertrouwt met jouw onversleutelde berichten. Sommige aanbieders verzachten dit enigszins met automatische PGP-versleuteling, die het aantal partijen dat je moet vertrouwen terugbrengt van twee naar één door inkomende e-mails te versleutelen voordat ze bij je uiteindelijke postbusaanbieder worden afgeleverd. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** laat je gratis 20 domein aliassen aanmaken op een gedeeld domein, of onbeperkt "standaard" aliassen die minder anoniem zijn. 
+ + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Broncode" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +Het aantal gedeelde aliassen (die eindigen op een gedeeld domein zoals @anonaddy.me) dat je kunt aanmaken is beperkt tot 20 op het gratis plan van AnonAddy en 50 op hun $12/maand plan. Je kunt onbeperkt standaard aliassen aanmaken (die eindigen op een domein zoals @[username].anonaddy.com of een aangepast domein op betaalde plannen), echter, zoals eerder vermeld, kan dit nadelig zijn voor de privacy omdat mensen uw standaard aliassen triviaal aan elkaar kunnen linken op basis van de domeinnaam alleen. Onbeperkte gedeelde aliassen zijn beschikbaar voor $36/jaar. + +Opmerkelijke gratis functies: + +- [x] 20 Gedeelde Aliassen +- [x] Onbeperkt aantal standaard aliassen +- [ ] Geen uitgaande antwoorden +- [x] 2 Ontvanger Mailboxen +- [x] Automatische PGP-versleuteling + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is een gratis dienst die e-mailaliassen op verschillende gedeelde domeinnamen biedt, en optioneel betaalde functies zoals onbeperkte aliassen en aangepaste domeinen. 
+ + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin werd [overgenomen door Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) met ingang van 8 april 2022. Als je Proton Mail gebruikt voor uw primaire mailbox, is SimpleLogin een goede keuze. Aangezien beide producten nu eigendom zijn van hetzelfde bedrijf, hoeft je nog maar op één entiteit te vertrouwen. Wij verwachten ook dat SimpleLogin in de toekomst nauwer zal worden geïntegreerd met het aanbod van Proton. SimpleLogin blijft forwarding naar elke e-mailprovider van jouw keuze ondersteunen. Securitum [heeft begin 2022 een audit uitgevoerd op](https://simplelogin.io/blog/security-audit/) SimpleLogin en alle problemen [zijn aangepakt](https://simplelogin.io/audit2022/web.pdf). + +Je kunt jouw SimpleLogin account in de instellingen koppelen aan jouw Proton account. Als je Proton Unlimited, Business of Visionary Plan hebt, heb je SimpleLogin Premium gratis. 
+ +Opmerkelijke gratis functies: + +- [x] 10 Gedeelde Aliassen +- [x] Onbeperkt antwoorden +- [x] 1 Ontvanger Mailbox + +## Onze criteria + +Gevorderde systeembeheerders kunnen overwegen hun eigen e-mailserver op te zetten. Mailservers vereisen aandacht en voortdurend onderhoud om de zaken veilig te houden en de mailbezorging betrouwbaar. + +### Gecombineerde softwareoplossingen + +!!! recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is een meer geavanceerde mailserver, perfect voor mensen met wat meer Linux ervaring. Het heeft alles wat je nodig hebt in een Docker container: Een mailserver met DKIM-ondersteuning, antivirus- en spammonitoring, webmail en ActiveSync met SOGo, en webgebaseerd beheer met 2FA-ondersteuning. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Broncode" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Bijdrage leveren } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is een geautomatiseerd setup script voor het implementeren van een mailserver op Ubuntu. Het doel ervan is om het voor mensen gemakkelijker te maken om hun eigen mailserver op te zetten. 
+ + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Broncode" } } + +Voor een meer handmatige aanpak hebben we deze twee artikelen uitgekozen: + +- [Een mailserver opzetten met OpenSMTPD, Dovecot en Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [Hoe run je je eigen mailserver](https://www.c0ffee.net/blog/mail-server-guide/) (augustus 2017) + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaard criteria](about/criteria.md) hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +### Technologie + +Wij beschouwen deze kenmerken als belangrijk om een veilige en optimale dienst te kunnen verlenen. Je zou moeten nagaan of de provider de functies heeft die je nodig hebt. + +**Minimum om in aanmerking te komen:** + +- Versleutelt e-mail accountgegevens in rust met zero-access encryptie. +- Exportmogelijkheid als [Mbox](https://en.wikipedia.org/wiki/Mbox) of individuele .eml met [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standaard. +- Sta gebruikers toe hun eigen [domeinnaam te gebruiken](https://en.wikipedia.org/wiki/Domain_name). Aangepaste domeinnamen zijn belangrijk voor gebruikers omdat ze zo hun agentschap van de dienst kunnen behouden, mocht het slecht aflopen of overgenomen worden door een ander bedrijf dat privacy niet hoog in het vaandel heeft staan. +- Werkt op eigen infrastructuur, d.w.z. niet gebaseerd op e-mail service providers van derden. 
+ +**Beste geval:** + +- Versleutelt alle accountgegevens (Contacten, Agenda's, etc) in rust met zero-access encryptie. +- Geïntegreerde webmail E2EE/PGP-codering voor het gemak. +- Ondersteuning voor [WKD](https://wiki.gnupg.org/WKD) om een verbeterde ontdekking van publieke OpenPGP sleutels via HTTP mogelijk te maken. GnuPG-gebruikers kunnen een sleutel krijgen door te typen: `gpg --locate-key example_user@example.com` +- Ondersteuning voor een tijdelijke mailbox voor externe gebruikers. Dit is handig wanneer je een versleutelde e-mail wilt verzenden, zonder een echte kopie naar jouw ontvanger te sturen. Deze e-mails hebben meestal een beperkte levensduur en worden daarna automatisch verwijderd. Zij vereisen ook niet dat de ontvanger cryptografie configureert zoals OpenPGP. +- Beschikbaarheid van de diensten van de e-mailprovider via een [onion service](https://en.wikipedia.org/wiki/.onion). +- [Ondersteuning voor subadressering](https://en.wikipedia.org/wiki/Email_address#Subaddressing). +- Catch-all of alias functionaliteit voor diegenen die hun eigen domeinen bezitten. +- Gebruik van standaard e-mail toegangsprotocollen zoals IMAP, SMTP of [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standaard toegangsprotocollen zorgen ervoor dat klanten al hun e-mail gemakkelijk kunnen downloaden, mochten zij naar een andere provider willen overstappen. + +### Privacy + +Wij geven er de voorkeur aan dat de door ons aanbevolen aanbieders zo weinig mogelijk gegevens verzamelen. + +**Minimum om in aanmerking te komen:** + +- Beschermt het IP adres van de afzender. Filter het uit de weergave in het `Received` header veld. +- Vereisen geen persoonlijk identificeerbare informatie (PII) naast een gebruikersnaam en een wachtwoord. +- Privacybeleid dat voldoet aan de vereisten van de GDPR. 
+- Mag niet in de VS worden gehost wegens [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) die [nog moet worden hervormd](https://epic.org/ecpa/).
+
+**Beste geval:**
+
+- Accepteert Bitcoin, contant geld en andere vormen van cryptocurrency en/of anonieme betalingsopties (cadeaubonnen, enz.)
+
+### Veiligheid
+
+Email servers verwerken veel zeer gevoelige gegevens. We verwachten dat providers de beste praktijken in de branche zullen toepassen om hun gebruikers te beschermen.
+
+**Minimum om in aanmerking te komen:**
+
+- Bescherming van webmail met 2FA, zoals TOTP.
+- Zero access encryptie, bouwt voort op encryptie in rust. De provider heeft geen decryptiesleutels voor de gegevens die ze hebben. Dit voorkomt dat een malafide werknemer gegevens lekt waartoe hij toegang heeft, of dat een tegenstander op afstand gegevens vrijgeeft die hij heeft gestolen door ongeoorloofde toegang tot de server te verkrijgen.
+- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) ondersteuning.
+- Geen [TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) fouten/kwetsbaarheden bij profilering door tools zoals [Hardenize](https://www.hardenize.com), [testssl.sh](https://testssl.sh) of [Qualys SSL Labs](https://www.ssllabs.com/ssltest), dit omvat certificaatgerelateerde fouten, slechte of zwakke ciphersuites, zwakke DH-parameters zoals die welke hebben geleid tot [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
+- Een geldig [MTA-STS](https://tools.ietf.org/html/rfc8461) en [TLS-RPT](https://tools.ietf.org/html/rfc8460) beleid.
+- Geldig [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
+- Geldige [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) en [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
+- Geldige [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) en [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
+- Zorg voor een correct [DMARC](https://en.wikipedia.org/wiki/DMARC) record en beleid of gebruik [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) voor verificatie. Als DMARC-authenticatie wordt gebruikt, moet het beleid worden ingesteld op `reject` of `quarantine`.
+- Een voorkeur voor een server suite van TLS 1.2 of later en een plan voor [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/).
+- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) indiening, ervan uitgaande dat SMTP wordt gebruikt.
+- Beveiligingsnormen voor websites, zoals:
+ - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+ - [Subbron Integriteit](https://en.wikipedia.org/wiki/Subresource_Integrity) als dingen van externe domeinen worden geladen.
+- Moet het bekijken van [Message headers](https://en.wikipedia.org/wiki/Email#Message_header)ondersteunen, aangezien dit een cruciale forensische functie is om te bepalen of een e-mail een phishing-poging is.
+
+**Beste geval:**
+
+- Ondersteuning voor hardware-authenticatie, d.w.z. U2F en [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F en WebAuthn zijn veiliger omdat zij een privésleutel gebruiken die is opgeslagen op een hardware-apparaat aan de clientzijde om mensen te authenticeren, in tegenstelling tot een gedeeld geheim dat is opgeslagen op de webserver en aan de clientzijde wanneer TOTP wordt gebruikt. Bovendien zijn U2F en WebAuthn beter bestand tegen phishing omdat hun authenticatierespons gebaseerd is op de geauthenticeerde [domeinnaam](https://en.wikipedia.org/wiki/Domain_name).
+- [DNS Certificatie Autoriteit Autorisatie (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in aanvulling op DANE ondersteuning.
+- Implementatie van [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), dit is nuttig voor mensen die posten naar mailinglijsten [RFC8617](https://tools.ietf.org/html/rfc8617).
+- Programma's voor bug-bounty's en/of een gecoördineerd proces voor de openbaarmaking van kwetsbaarheden.
+- Beveiligingsnormen voor websites, zoals:
+ - [Inhoud beveiligingsbeleid (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
+ - [Verwacht-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
+
+### Vertrouwen
+
+Je zou je financiën niet toevertrouwen aan iemand met een valse identiteit, dus waarom zou je hen je e-mail toevertrouwen? Wij eisen van onze aanbevolen aanbieders dat zij hun eigendom of leiderschap openbaar maken. Wij zouden ook graag zien dat regelmatig verslag wordt uitgebracht over de transparantie, met name wat betreft de wijze waarop verzoeken van de overheid worden behandeld.
+
+**Minimum om in aanmerking te komen:**
+
+- Publiekelijk leiderschap of eigendom.
+
+**Beste geval:**
+
+- Publieksgericht leiderschap.
+- Frequente transparantieverslagen.
+
+### Marketing
+
+Bij de e-mail providers die we aanbevelen zien we graag verantwoorde marketing.
+
+**Minimum om in aanmerking te komen:**
+
+- Moet zelf analytics hosten (geen Google Analytics, Adobe Analytics, etc). De site van de aanbieder moet ook voldoen aan [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) voor degenen die zich willen afmelden.
+
+Mag geen marketing hebben die onverantwoord is:
+
+- Claims van "onbreekbare encryptie." Encryptie moet worden gebruikt met de bedoeling dat zij in de toekomst niet meer geheim is wanneer de technologie bestaat om haar te kraken.
+- Garanties van 100% bescherming van de anonimiteit. Wanneer iemand beweert dat iets 100% is, betekent dit dat er geen zekerheid is voor mislukking.
We weten dat mensen zichzelf vrij gemakkelijk kunnen deanonimiseren op een aantal manieren, bv.:
+
+- Hergebruik van persoonlijke informatie, bijv. (e-mailaccounts, unieke pseudoniemen, enz.) waartoe zij toegang hadden zonder anonimiteitssoftware (Tor, VPN, enz.)
+- [Browser vingerafdrukken](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+
+**Beste geval:**
+
+- Duidelijke en gemakkelijk te lezen documentatie. Dit omvat zaken als het instellen van 2FA, e-mailclients, OpenPGP, enz.
+
+### Extra functionaliteit
+
+Hoewel het geen strikte vereisten zijn, zijn er nog enkele andere factoren met betrekking tot gemak of privacy die wij in aanmerking hebben genomen bij het bepalen van de aan te bevelen providers.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/encryption.md b/i18n/nl/encryption.md
new file mode 100644
index 00000000..bfd914ed
--- /dev/null
+++ b/i18n/nl/encryption.md
@@ -0,0 +1,357 @@
+---
+title: "Encryptie Software"
+icon: material/file-lock
+---
+
+Encryptie van gegevens is de enige manier om te controleren wie er toegang toe heeft. Als je momenteel geen encryptiesoftware gebruikt voor jouw harde schijf, e-mails of bestanden, moet je hier een optie kiezen.
+
+## Multi-platform
+
+De hier genoemde opties zijn multiplatform en zeer geschikt voor het maken van versleutelde back-ups van jouw gegevens.
+
+### Cryptomator (Cloud)
+
+!!! recommendation
+
+ ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right }
+
+ **Cryptomator** is een encryptie-oplossing die is ontworpen voor het privé opslaan van bestanden bij elke cloudprovider. Hiermee kunt u kluizen maken die worden opgeslagen op een virtuele schijf, waarvan de inhoud wordt gecodeerd en gesynchroniseerd met uw cloudopslagprovider.
+
+ [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacybeleid" }
+ [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Broncode" }
+ [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Bijdragen }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:simple-android: Android](https://cryptomator.org/android)
+ - [:simple-windows11: Windows](https://cryptomator.org/downloads)
+ - [:simple-apple: macOS](https://cryptomator.org/downloads)
+ - [:simple-linux: Linux](https://cryptomator.org/downloads)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+
+Cryptomator maakt gebruik van AES-256 encryptie om zowel bestanden als bestandsnamen te versleutelen.
Cryptomator kan geen metadata versleutelen, zoals tijdstempels voor toegang, wijziging en creatie, noch het aantal en de grootte van bestanden en mappen.
+
+Sommige cryptografische bibliotheken van Cryptomator zijn [geaudit](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) door Cure53. De reikwijdte van de gecontroleerde bibliotheken omvat: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) en [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). De controle strekte zich niet uit tot [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), een bibliotheek die door Cryptomator voor iOS wordt gebruikt.
+
+In de documentatie van Cryptomator worden de beoogde [beveiligingsdoelstelling](https://docs.cryptomator.org/en/latest/security/security-target/), [beveiligingsarchitectuur](https://docs.cryptomator.org/en/latest/security/architecture/), en [beste praktijken](https://docs.cryptomator.org/en/latest/security/best-practices/) voor gebruik nader toegelicht.
+
+### Picocrypt (Bestand)
+
+!!! recommendation
+
+ ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right }
+
+ **Picocrypt** is een klein en eenvoudig encryptieprogramma dat moderne encryptie biedt. Picocrypt gebruikt het veilige XChaCha20-cijfer en de Argon2id-sleutelafleidingsfunctie om een hoog niveau van veiligheid te bieden. Het gebruikt Go's standaard x/crypto modules voor zijn versleutelingsfuncties.
+
+ [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Bijdragen }
+
+ ???
downloads "Downloaden"
+
+ - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases)
+
+### VeraCrypt (Schijf)
+
+!!! recommendation
+
+ ![VeraCrypt-logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
+ ![VeraCrypt-logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
+
+ **VeraCrypt** is een met broncode beschikbaar freeware hulpprogramma dat wordt gebruikt voor on-the-fly encryptie. Het kan een virtuele versleutelde schijf binnen een bestand maken, een partitie versleutelen of het gehele opslagapparaat versleutelen met pre-boot verificatie.
+
+ [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Broncode" }
+ [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Bijdragen }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
+
+VeraCrypt is een vork van het beëindigde TrueCrypt-project. Volgens de ontwikkelaars zijn er beveiligingsverbeteringen doorgevoerd en zijn de problemen die bij de eerste controle van de TrueCrypt-code aan het licht zijn gekomen, aangepakt.
+
+Bij het versleutelen met VeraCrypt heb je de keuze uit verschillende [hashfuncties](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). Wij raden je aan **alleen** [SHA-512](https://en.wikipedia.org/wiki/SHA-512) te selecteren en vast te houden aan het [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) blokcijfer.
+
+Truecrypt is [een aantal keer gecontroleerd](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), en VeraCrypt is ook [apart gecontroleerd](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
+
+## OS Volledige Schijfversleuteling
+
+Moderne besturingssystemen omvatten [FDE](https://en.wikipedia.org/wiki/Disk_encryption) en zullen gebruik maken van een [beveiligde cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor).
+
+### BitLocker
+
+!!! recommendation
+
+ ![BitLocker-logo](assets/img/encryption-software/bitlocker.png){ align=right }
+
+ **BitLocker** is de oplossing voor volledige volume-encryptie die met Microsoft Windows wordt meegeleverd. De belangrijkste reden waarom wij het aanbevelen is vanwege zijn [gebruik van TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), een forensisch bedrijf, heeft er over geschreven in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).
+
+ [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentatie}
+
+BitLocker is [alleen ondersteund](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) op Pro, Enterprise en Education edities van Windows. Het kan worden ingeschakeld op Home-edities, mits deze aan de voorwaarden voldoen.
+
+??? example "BitLocker inschakelen op Windows Home"
+
+ Om BitLocker in te schakelen op "Home"-edities van Windows, moet je partities hebben die zijn geformatteerd met een [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) en beschikken over een speciale TPM-module (v1.2, 2.0+).
+
+ 1. Open een opdrachtprompt en controleer de indeling van de partitietabel van jouw schijf met het volgende commando.
Je zou "**GPT**" moeten zien staan onder "Partition Style":
+
+ ```
+ powershell Get-Disk
+ ```
+
+ 2. Voer dit commando uit (in een admin commando prompt) om jouw TPM versie te controleren. Je zou `2.0` of `1.2` moeten zien staan naast `SpecVersion`:
+
+ ```
+ powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm
+ ```
+
+ 3. Ga naar de [Geavanceerde opstartopties](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). Je moet opnieuw opstarten terwijl je op de F8-toets drukt voordat Windows start en naar de *opdrachtprompt* gaat in **Problemen oplossen** → **Geavanceerde opties** → **Opdrachtprompt**.
+
+ 4. Log in met jouw admin-account en typ dit in de opdrachtprompt om de versleuteling te starten:
+
+ ```
+ manage-bde -on c: -used
+ ```
+
+ 5. Sluit de opdrachtprompt en en start verder op naar de gewone Windows installatie.
+
+ 6. Open een admin commando prompt en voer de volgende commando's uit:
+
+ ```
+ manage-bde c: -protectors -add -rp -tpm
+ manage-bde -protectors -enable c:
+ manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
+ ```
+
+ !!! tip
+
+ Back-up de `BitLocker-Recovery-Key.txt` op uw bureaublad naar een apart opslagapparaat. Het verlies van deze herstelcode kan leiden tot verlies van gegevens.
+
+### FileVault
+
+!!! recommendation
+
+ ![FileVault-logo](assets/img/encryption-software/filevault.png){ align=right }
+
+ **FileVault** is de in macOS ingebouwde oplossing voor volumeversleuteling tijdens het filteren. FileVault wordt aanbevolen omdat het [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware beveiligingsmogelijkheden biedt die aanwezig zijn op een Apple silicium SoC of T2 Security Chip.
+
+ [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentatie}
+
+Wij raden je aan een lokale herstelsleutel op een veilige plaats op te slaan in plaats van uw iCloud-account te gebruiken voor herstel.
+
+### Linux Unified Key Setup
+
+!!! recommendation
+
+ ![LUKS-logo](assets/img/encryption-software/luks.png){ align=right }
+
+ **LUKS** is de standaard FDE-methode voor Linux. Het kan worden gebruikt om volledige volumes of partities te versleutelen, of om versleutelde containers te maken.
+
+ [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Broncode" }
+
+??? example "Creëren en openen van versleutelde containers"
+
+ ```
+ dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
+ sudo cryptsetup luksFormat /path-to-file
+ ```
+
+
+ #### Versleutelde containers openen
+ We raden aan om containers en volumes te openen met `udisksctl`, omdat dit gebruik maakt van [Polkit](https://en.wikipedia.org/wiki/Polkit). De meeste bestandsbeheerders, zoals die van populaire desktopomgevingen, kunnen versleutelde bestanden ontgrendelen. Hulpprogramma's zoals [udiskie](https://github.com/coldfix/udiskie) kunnen in het systeemvak draaien en een nuttige gebruikersinterface bieden.
+ ```
+ udisksctl loop-setup -f /path-to-file
+ udisksctl unlock -b /dev/loop0
+ ```
+
+!!! note "Vergeet niet een back-up te maken van de volumekoppen"
+
+ Wij raden je aan altijd [een back-up te maken van uw LUKS-headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in geval van een gedeeltelijke schijfstoring.
Dit kan gedaan worden met:
+
+ ```
+ cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
+ ```
+
+## Browser-gebaseerd
+
+Versleuteling via de browser kan handig zijn als je een bestand moet versleutelen, maar geen software of apps op jouw apparaat kunt installeren.
+
+### hat.sh
+
+!!! recommendation
+
+ ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right }
+ ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
+
+ **Hat.sh** is een webapplicatie die veilige client-side versleuteling van bestanden in jouw browser biedt. Het kan ook zelf worden gehost en is handig als je een bestand moet versleutelen, maar geen software op jouw apparaat kunt installeren vanwege organisatorisch beleid.
+
+ [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacybeleid" }
+ [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Broncode" }
+ [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donatiemogelijkheden vindt u onderaan de website" }
+
+## Command-line
+
+Tools met command-line interfaces zijn handig voor het integreren van [shell scripts](https://en.wikipedia.org/wiki/Shell_script).
+
+### Kryptor
+
+!!! recommendation
+
+ ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right }
+
+ **Kryptor** is een gratis en open-source programma voor het versleutelen en ondertekenen van bestanden dat gebruik maakt van moderne en veilige cryptografische algoritmen. Het beoogt een betere versie te zijn van [age](https://github.com/FiloSottile/age) en [Minisign](https://jedisct1.github.io/minisign/) om een eenvoudig, gemakkelijker alternatief voor GPG te bieden.
+
+ [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacybeleid" }
+ [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Broncode" }
+ [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Bijdragen }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-windows11: Windows](https://www.kryptor.co.uk)
+ - [:simple-apple: macOS](https://www.kryptor.co.uk)
+ - [:simple-linux: Linux](https://www.kryptor.co.uk)
+
+### Tomb
+
+!!! recommendation
+
+ ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right }
+
+ **Tomb** is een is een command-line shell wrapper voor LUKS. Het ondersteunt steganografie via [hulpprogramma's van derden](https://github.com/dyne/Tomb#how-does-it-work).
+
+ [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Broncode" }
+ [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Bijdragen}
+
+## OpenPGP
+
+OpenPGP is soms nodig voor specifieke taken zoals het digitaal ondertekenen en versleutelen van e-mail. PGP heeft veel mogelijkheden en is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) omdat het al heel lang bestaat. Voor taken zoals het ondertekenen of versleutelen van bestanden, raden wij de bovenstaande opties aan.
+
+Bij het versleutelen met PGP, heb je de optie om verschillende opties te configureren in het `gpg.conf` bestand. We raden aan om de standaard opties te gebruiken zoals gespecificeerd in de [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
+
+!!!
tip "Gebruik toekomstige standaardwaarden bij het genereren van een sleutel"
+
+ Bij het [genereren van sleutels](https://www.gnupg.org/gph/en/manual/c14.html) raden we aan het `future-default` commando te gebruiken omdat dit GnuPG zal instrueren moderne cryptografie te gebruiken zoals [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) en [Ed25519](https://ed25519.cr.yp.to/):
+
+ ```bash
+ gpg --quick-gen-key alice@example.com future-default
+ ```
+
+### GNU Privacy Guard
+
+!!! recommendation
+
+ ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right }
+
+ **GnuPG** is een GPL-gelicenseerd alternatief voor de PGP-suite van cryptografische software. GnuPG is in overeenstemming met [RFC 4880](https://tools.ietf.org/html/rfc4880), de huidige IETF-specificatie van OpenPGP. Het GnuPG-project heeft gewerkt aan een [bijgewerkt ontwerp](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in een poging OpenPGP te moderniseren. GnuPG is een onderdeel van het GNU-softwareproject van de Free Software Foundation en heeft van de Duitse regering het belangrijke [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) ontvangen.
+
+ [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacybeleid" }
+ [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Broncode" }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+ - [:simple-apple: macOS](https://gpgtools.org)
+ - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary)
+
+### GPG4win
+
+!!!
recommendation
+
+ ![GPG4win-logo](assets/img/encryption-software/gpg4win.svg){ align=right }
+
+ **GPG4win** is een pakket voor Windows van [Intevation en g10 Code](https://gpg4win.org/impressum.html). Het bevat [diverse hulpmiddelen](https://gpg4win.org/about.html) die je kunnen helpen bij het gebruik van GPG op Microsoft Windows. Het project is in 2005 opgezet en oorspronkelijk [gefinancierd door](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) het Bundesamt für Informationssicherheit (BSI) van Duitsland.
+
+ [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacybeleid" }
+ [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Broncode" }
+ [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Bijdragen }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+
+### GPG Suite
+
+!!! note
+
+ We raden [Canary Mail](email-clients.md#canary-mail) aan voor het gebruik van PGP met e-mail op iOS-apparaten.
+
+!!! recommendation
+
+ ![GPG Suite-logo](assets/img/encryption-software/gpgsuite.png){ align=right }
+
+ **GPG Suite** biedt OpenPGP-ondersteuning voor [Apple Mail](email-clients.md#apple-mail) en macOS.
+
+ Wij raden aan een kijkje te nemen in hun [Eerste stappen pagina](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) en [Kennisbank](https://gpgtools.tenderapp.com/kb) voor ondersteuning.
+
+ [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Broncode" }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-apple: macOS](https://gpgtools.org)
+
+### OpenKeychain
+
+!!! recommendation
+
+ ![OpenKeychain-logo](assets/img/encryption-software/openkeychain.svg){ align=right }
+
+ **OpenKeychain** is een Android implementatie van GnuPG. Het wordt algemeen vereist door mail clients zoals [K-9 Mail](email-clients.md#k-9-mail) en [FairEmail](email-clients.md#fairemail) en andere Android apps om encryptie ondersteuning te bieden. Cure53 voltooide een [beveiligingsaudit](https://www.openkeychain.org/openkeychain-3-6) van OpenKeychain 3.6 in oktober 2015. Technische details over de audit en OpenKeychain's oplossingen zijn te vinden op [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).
+
+ [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacybeleid" }
+ [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Broncode" }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+
+## Criteria
+
+**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen.
Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is.
+
+!!! example "Deze sectie is nieuw"
+
+ We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering.
+
+### Minimum kwalificaties
+
+- Cross-platform encryptie apps moeten open-source zijn.
+- Apps voor bestandsversleuteling moeten ontsleuteling ondersteunen op Linux, macOS en Windows.
+- Apps voor externe schijfversleuteling moeten ontsleuteling ondersteunen op Linux, macOS en Windows.
+- Interne (OS) schijfversleutelingsapps moeten platformonafhankelijk zijn of ingebouwd zijn in het besturingssysteem.
+
+### Beste geval
+
+Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina.
+
+- Toepassingen voor versleuteling van het besturingssysteem (FDE) moeten gebruik maken van hardwarebeveiliging zoals een TPM of Secure Enclave.
+- Bestandsversleutelingsapps moeten ondersteuning van eerste of derde partijen hebben voor mobiele platforms.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/file-sharing.md b/i18n/nl/file-sharing.md
new file mode 100644
index 00000000..5f33a9a0
--- /dev/null
+++ b/i18n/nl/file-sharing.md
@@ -0,0 +1,148 @@ +--- +title: "Bestanden delen en synchroniseren" +icon: material/share-variant +--- + +Ontdek hoe je jouw bestanden privé kunt delen tussen jouw apparaten, met jouw vrienden en familie, of anoniem online. + +## Bestanden Delen + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is een vork van Mozilla 's beëindigde Firefox Send-service waarmee je bestanden naar anderen kunt verzenden met een link. Bestanden worden op jouw apparaat versleuteld zodat ze niet door de server kunnen worden gelezen, en ze kunnen optioneel ook met een wachtwoord worden beveiligd. De maintainer van Send hosts een [openbare instantie](https://send.vis.ee/). Je kunt andere openbare instanties gebruiken, of je kunt Send zelf hosten. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Broncode" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Bijdragen } + +Send kan worden gebruikt via de webinterface of via de [ffsend](https://github.com/timvisee/ffsend) CLI. Als je vertrouwd bent met de commandline en vaak bestanden verstuurt, raden wij je aan de CLI-client te gebruiken om versleuteling op basis van JavaScript te vermijden. Je kunt de vlag `--host` opgeven om een specifieke server te gebruiken: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is een open-source tool waarmee je veilig en anoniem een bestand van elke grootte kunt delen. 
Het werkt door een webserver te starten die toegankelijk is als een Tor onion service, met een onleesbare URL die je met de ontvangers kunt delen om bestanden te downloaden of te verzenden. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Mag geen gedecodeerde gegevens op een externe server opslaan. +- Moet open-source software zijn. +- Moet clients hebben voor Linux, macOS en Windows; of een webinterface. + +## FreedomBox + +!!! 
recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is een besturingssysteem ontworpen om te draaien op een [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). Het doel is om het gemakkelijk te maken om servertoepassingen op te zetten die je misschien zelf wilt hosten. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentatie} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Broncode" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Bijdrage leveren } + +## Bestandssynchronisatie + +### Nextcloud (client-server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is een suite van gratis en open-source client-server software voor het creëren van jouw eigen bestandshosting diensten op een prive-server die jij controleert. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Broncode" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Bijdragen } + + ??? 
downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger "Gevaar" + + Wij raden het gebruik van de [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) voor Nextcloud af, omdat dit kan leiden tot gegevensverlies; het is zeer experimenteel en niet van productiekwaliteit. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is een open-source peer-to-peer continue bestandssynchronisatie hulpprogramma. Het wordt gebruikt om bestanden te synchroniseren tussen twee of meer toestellen via het lokale netwerk of het internet. Syncthing gebruikt geen gecentraliseerde server; het gebruikt het [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) om gegevens tussen apparaten over te dragen. Alle gegevens worden versleuteld met behulp van TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Broncode" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Bijdrage leveren } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +#### Minimale vereisten + +- Mag geen externe/cloudserver van derden vereisen. +- Moet open-source software zijn. +- Moet clients hebben voor Linux, macOS en Windows; of een webinterface. + +#### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. 
+
+- Heeft mobiele clients voor iOS en Android, die tenminste document previews ondersteunen.
+- Ondersteunt back-up van foto's van iOS en Android, en ondersteunt optioneel synchronisatie van bestanden/mappen op Android.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/frontends.md b/i18n/nl/frontends.md
new file mode 100644
index 00000000..3def0440
--- /dev/null
+++ b/i18n/nl/frontends.md
@@ -0,0 +1,268 @@ +--- +title: "Frontends" +icon: material/flip-to-front +--- + +Soms proberen diensten je te dwingen zich aan te melden voor een account door de toegang tot inhoud te blokkeren met vervelende popups. Ze kunnen ook breken zonder JavaScript. Met deze frontends kunt je deze beperkingen omzeilen. + +## Cliënten + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is een gratis en open-source frontend voor de [Odysee](https://odysee.com/) (LBRY) video sharing netwerk dat ook zelf te hosten is. + + Er zijn een aantal openbare instanties, waarvan sommige instanties [Tor](https://www.torproject.org) .onion diensten ondersteunen. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Broncode" } + +!!! warning + + Librarian proxied standaard geen videos. Video's die bekeken worden via Librarian zullen nog steeds directe verbindingen maken naar de servers van Odysee (bv. `odycdn.com`); sommige instanties kunnen echter proxying inschakelen, wat gedetailleerd wordt beschreven in het privacybeleid van de instantie. + +!!! tip + + Librarian is handig als je LBRY content op mobiel wilt bekijken zonder verplichte telemetrie en als je JavaScript in je browser wilt uitschakelen, zoals het geval is met [Tor Browser](https://www.torproject.org/) op het veiligheidsniveau Safest. + +Bij zelf-hosting is het belangrijk dat er ook andere mensen gebruik maken van uw instantie, zodat je op kunt gaan in de menigte. 
U moet voorzichtig zijn met waar en hoe je Librarian host, aangezien het gebruik van anderen gelinkt zal worden aan jouw instantie. + +Wanneer je een librarian instantie gebruikt, moet je het privacybeleid van die specifieke instantie lezen. Librarian instances kunnen door hun eigenaars gewijzigd worden en geven daarom mogelijk niet het standaardbeleid weer. Librarian instances hebben een "privacy voedingslabel" om een overzicht te geven van hun beleid. Sommige instanties hebben Tor .onion adressen die enige privacy kunnen bieden zolang jouw zoekopdrachten geen PII (Personally Identifiable Information) bevat. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is een gratis en open-source frontend voor [Twitter](https://twitter.com) dat ook zelf te hosten is. + + Er zijn een aantal openbare instanties, waarvan sommige instanties [Tor](https://www.torproject.org) .onion diensten ondersteunen. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Broncode" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Bijdragen } + +!!! tip + + Nitter is handig als u de inhoud van Twitter wilt bekijken zonder in te loggen en als je JavaScript in jouw browser wilt uitschakelen, zoals het geval is met [Tor Browser](https://www.torproject.org/) op beveiligingsniveau safest. Je kunt er ook [RSS feeds voor Twitter mee maken](news-aggregators.md#twitter). + +Bij zelf-hosting is het belangrijk dat er ook andere mensen gebruik maken van uw instantie, zodat je op kunt gaan in de menigte. 
U moet voorzichtig zijn met waar en hoe u Nitter host, want het gebruik van andere mensen wordt gekoppeld aan jouw instantie. + +Wanneer je een Nitter-instantie gebruikt, moet je het privacybeleid van die specifieke instantie lezen. Nitter instanties kunnen door hun eigenaars worden gewijzigd en weerspiegelen daarom mogelijk niet het standaardbeleid. Sommige instanties hebben Tor .onion adressen die enige privacy kunnen bieden zolang jouw zoekopdrachten geen PII (Personally Identifiable Information) bevat. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is een open source frontend voor de [TikTok](https://www.tiktok.com) website die ook zelf te hosten is. + + Er zijn een aantal openbare instanties, waarvan sommige instanties [Tor](https://www.torproject.org) .onion diensten ondersteunen. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Broncode" } + +!!! tip + + ProxiTok is handig als je JavaScript wilt uitschakelen in jouw browser, zoals [Tor Browser](https://www.torproject.org/) op beveiligingsniveau safest. + +Bij zelf-hosting is het belangrijk dat er ook andere mensen gebruik maken van uw instantie, zodat je op kunt gaan in de menigte. U moet voorzichtig zijn met waar en hoe je ProxiTok host, want het gebruik van andere mensen wordt gekoppeld aan jouw instance. + +Als u een ProxiTok-instantie gebruikt, moet je het privacybeleid van die specifieke instantie lezen. ProxiTok-instanties kunnen door hun eigenaars worden gewijzigd en geven daarom mogelijk niet het bijbehorende privacybeleid weer. 
Sommige instanties hebben Tor .onion adressen die enige privacy kunnen bieden zolang jouw zoekopdrachten geen PII (Personally Identifiable Information) bevat. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is een gratis en open-source desktop applicatie voor [YouTube](https://youtube.com). Bij gebruik van FreeTube worden je abonnementenlijst en afspeellijsten lokaal op je toestel opgeslagen. + + Standaard blokkeert FreeTube alle YouTube-advertenties. Bovendien integreert FreeTube optioneel met [SponsorBlock](https://sponsor.ajay.app) om u te helpen gesponsorde videosegmenten over te slaan. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Broncode" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Bijdragen } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + Als je FreeTube gebruikt, kan je IP-adres nog steeds bekend zijn bij YouTube, [Invidious](https://instances.invidious.io) of [SponsorBlock](https://sponsor.ajay.app/), afhankelijk van je configuratie. Overweeg het gebruik van een [VPN](vpn.md) of [Tor](https://www.torproject.org) als jouw [bedreigingsmodel](basics/threat-modeling.md) het verbergen van jouw IP-adres vereist. + +### Yattee + +!!! 
recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is een gratis en open-source privacy georiënteerde videospeler voor iOS, tvOS en macOS voor [YouTube](https://youtube.com). Wanneer je Yattee gebruikt, wordt je abonnementenlijst lokaal op je toestel opgeslagen. + + Je zult een paar [extra stappen](https://gonzoknows.com/posts/Yattee/) moeten nemen voordat je Yattee kunt gebruiken om YouTube te kijken, vanwege beperkingen in de App Store. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Broncode" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Bijdragen } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + Wanneer je Yattee gebruikt, is jouw IP-adres mogelijk nog steeds bekend bij YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) of [SponsorBlock](https://sponsor.ajay.app/), afhankelijk van jouw configuratie. Overweeg het gebruik van een [VPN](vpn.md) of [Tor](https://www.torproject.org) als jouw [bedreigingsmodel](basics/threat-modeling.md) het verbergen van jouw IP-adres vereist. + +Yattee blokkeert standaard alle YouTube-advertenties. Bovendien integreert Yattee optioneel met [SponsorBlock](https://sponsor.ajay.app) om u te helpen gesponsorde videosegmenten over te slaan. + +### LibreTube (Android) + +!!! 
recommendation + + ![LibreTube-logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is een gratis en open-source Android applicatie voor [YouTube](https://youtube.com) die gebruik maakt van de [Piped](#piped) API. + + Met LibreTube kunt u uw abonnementenlijst en afspeellijsten lokaal op uw Android-toestel opslaan, of in een account op uw Piped-instantie naar keuze, waardoor u er ook op andere toestellen naadloos toegang toe hebt. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + Wanneer u LibreTube gebruikt, is uw IP-adres zichtbaar voor de door u gekozen instantie [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) en/of [SponsorBlock](https://sponsor.ajay.app/), afhankelijk van uw configuratie. Overweeg het gebruik van een [VPN](vpn.md) of [Tor](https://www.torproject.org) als jouw [bedreigingsmodel](basics/threat-modeling.md) het verbergen van jouw IP-adres vereist. + +LibreTube blokkeert standaard alle YouTube-advertenties. Bovendien gebruikt Libretube [SponsorBlock](https://sponsor.ajay.app) om u te helpen gesponsorde videosegmenten over te slaan. U kunt de soorten segmenten die SponsorBlock zal overslaan volledig configureren, of volledig uitschakelen. Er is ook een knop op de videospeler zelf om deze desgewenst voor een specifieke video uit te schakelen. + +### NewPipe (Android) + +!!! 
recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is een gratis en open-source Android applicatie voor [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), en [PeerTube](https://joinpeertube.org/) (1). + + Uw abonnementenlijst en afspeellijsten worden lokaal op uw Android toestel opgeslagen. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Broncode" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Bijdragen } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. De standaard instantie is [FramaTube](https://framatube.org/), maar er kunnen er meer worden toegevoegd via **Instellingen** → **Inhoud** → **PeerTube instanties** + +!!! Warning + + Wanneer je NewPipe gebruikt, is jouw IP-adres zichtbaar voor de gebruikte videoproviders. Overweeg het gebruik van een [VPN](vpn.md) of [Tor](https://www.torproject.org) als jouw [bedreigingsmodel](basics/threat-modeling.md) het verbergen van jouw IP-adres vereist. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is een gratis en open-source frontend voor [YouTube](https://youtube.com) dat ook zelf te hosten is. + + Er zijn een aantal openbare instanties, waarvan sommige instanties [Tor](https://www.torproject.org) .onion diensten ondersteunen. 
+ + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Broncode" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Bijdragen } + +!!! warning + + Invidious proxied standaard geen videos. Video's die bekeken worden via Invidious zullen nog steeds directe verbindingen maken met Google's servers (bijv. `googlevideo.com`); sommige instanties ondersteunen echter video proxying- Activeer *Proxy videos* binnen de instellingen van de instanties of voeg `&local=true` toe aan de URL. + +!!! tip + + Invidious is handig als je JavaScript wilt uitschakelen in je browser, zoals [Tor Browser](https://www.torproject.org/) op het beveiligingsniveau safest. Het biedt op zichzelf geen privacy, en wij raden niet aan in te loggen op een account. + +Bij zelf-hosting is het belangrijk dat er ook andere mensen gebruik maken van uw instantie, zodat je op kunt gaan in de menigte. U moet voorzichtig zijn met waar en hoe je Invidious host, omdat het gebruik van anderen gekoppeld zal worden aan jouw instantie. + +Als u een Invidious-instantie gebruikt, moet je het privacybeleid van die specifieke instantie lezen. Invidious instanties kunnen door hun eigenaren worden gewijzigd en weerspiegelen daarom mogelijk niet hun bijbehorende privacybeleid. Sommige instanties hebben Tor .onion adressen die enige privacy kunnen bieden zolang jouw zoekopdrachten geen PII (Personally Identifiable Information) bevat. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is een gratis en open-source frontend voor [YouTube](https://youtube.com) dat ook zelf te hosten is. 
+ + Piped vereist JavaScript om te kunnen functioneren en er zijn een aantal openbare instanties. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Broncode" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Bijdragen } + +!!! tip + + Piped is handig als je [SponsorBlock](https://sponsor.ajay.app) wilt gebruiken zonder een extensie te installeren of als je zonder account toegang wilt krijgen tot inhoud met leeftijdsbeperkingen. Het biedt op zichzelf geen privacy, en wij raden niet aan in te loggen op een account. + +Bij zelf-hosting is het belangrijk dat er ook andere mensen gebruik maken van uw instantie, zodat je op kunt gaan in de menigte. U moet voorzichtig zijn met waar en hoe je Piped host, omdat het gebruik van andere mensen aan jouw instantie wordt gekoppeld. + +Wanneer je een Piped-instantie gebruikt, moet je het privacybeleid van die specifieke instantie lezen. Piped instanties kunnen worden gewijzigd door hun eigenaren en daarom kunnen niet hun bijbehorende privacybeleid weerspiegelen. + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. 
Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering.
+
+Aanbevolen frontends...
+
+- Moet open-source software zijn.
+- Moet zelf te hosten zijn.
+- Moet alle basisfuncties van de website beschikbaar stellen aan anonieme gebruikers.
+
+We overwegen alleen frontends voor websites die...
+
+- Niet normaal toegankelijk zonder JavaScript.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/index.md b/i18n/nl/index.md
new file mode 100644
index 00000000..bffb8618
--- /dev/null
+++ b/i18n/nl/index.md
@@ -0,0 +1,40 @@
+---
+template: overrides/home.nl.html
+hide:
+ - navigation
+ - toc
+ - feedback
+---
+
+
+## Waarom zou ik me daar zorgen over maken?
+
+##### "Ik heb niets te verbergen. Waarom zou ik me zorgen maken over mijn privacy?"
+
+Net zoals het recht op interraciale huwelijken, het kiesrecht voor vrouwen, de vrijheid van meningsuiting en vele andere, hadden wij niet altijd recht op privacy. In verschillende dictaturen hebben velen dat nog steeds niet. Generaties voor ons vochten voor ons recht op privacy. ==Privacy is een mensenrecht, inherent aan ons allen, == waar we recht op hebben (zonder discriminatie).
+
+Je moet privacy niet verwarren met geheimzinnigheid. We weten wat er in de badkamer gebeurt, maar je doet nog steeds de deur dicht. Dat is omdat je privacy wilt, geen geheimzinnigheid. **Iedereen** heeft iets te beschermen. Privacy is iets wat ons menselijk maakt.
+
+[:material-target-account: Veel voorkomende internetbedreigingen](basics/common-threats.md ""){.md-button.md-button--primary}
+
+## Wat moet ik doen?
+
+##### Eerst moet je een plan maken
+
+Het is onpraktisch, duur en vermoeiend om te proberen al jouw gegevens altijd tegen iedereen te beschermen. Maar maak je geen zorgen! Veiligheid is een proces, en door vooruit te denken kun je een plan samenstellen die voor jou geschikt is. Veiligheid gaat niet alleen over de tools die je gebruikt of de software die je downloadt. Integendeel, het begint met het begrijpen van de unieke bedreigingen waarmee je wordt geconfronteerd en hoe je deze kunt beperken.
+
+==Dit proces van het identificeren van bedreigingen en het vaststellen van tegenmaatregelen wordt **bedreigingsmodellering** genoemd==, en het vormt de basis van elk goed beveiligings- en privacyplan.
+
+[:material-book-outline: Meer informatie over dreigingsmodellering](basics/threat-modeling.md ""){.md-button.md-button--primary}
+
+---
+
+## We hebben je nodig! 
Zo kan je betrokken raken:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Word lid van ons forum" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Volg ons op Mastodon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Draag bij aan deze website" } } [:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help deze website vertalen" } } [:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat met ons op Matrix" } } [:material-information-outline:](about/index.md){ title="Meer informatie over ons" } } [:material-hand-coin-outline:](about/donate.md){ title="Steun het project" } }
+
+Het is belangrijk voor een website zoals Privacy Guides om altijd up-to-date te blijven. Ons publiek moet software-updates in de gaten houden voor de toepassingen die op onze site staan en recent nieuws volgen over aanbieders die wij aanbevelen. Het is moeilijk om het hoge tempo van het internet bij te houden, maar we doen ons best. Als je een fout ziet, denkt dat een provider niet in de lijst thuishoort, merkt dat een gekwalificeerde provider ontbreekt, denkt dat een browserplugin niet langer de beste keuze is, of een ander probleem ontdekt, laat het ons dan weten.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/kb-archive.md b/i18n/nl/kb-archive.md
new file mode 100644
index 00000000..b04675f9
--- /dev/null
+++ b/i18n/nl/kb-archive.md
@@ -0,0 +1,18 @@
+---
+title: KB Archief
+icon: material/archive
+---
+
+# Pagina's verplaatst naar Blog
+
+Sommige pagina's die vroeger in onze kennisbank stonden, staan nu op onze blog:
+
+- [GrapheneOS vs CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+- [Signalconfiguratie en hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
+- [Linux - Applicatie Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
+- [Veilig wissen van gegevens](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+- [Integreren van metadata verwijdering](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
+- [iOS configuratiegids](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/meta/brand.md b/i18n/nl/meta/brand.md
new file mode 100644
index 00000000..1629aa85
--- /dev/null
+++ b/i18n/nl/meta/brand.md
@@ -0,0 +1,24 @@
+---
+title: Richtlijnen voor merknamen
+---
+
+De naam van de website is **Privacy Guides** en moet **niet** worden veranderd in:
+
+- PrivacyGuides
+- Privacy guides
+- PG
+- PG.org
+
+De naam van de subreddit is **r/PrivacyGuides** of **the Privacy Guides Subreddit**.
+
+Aanvullende merkrichtlijnen zijn te vinden op [github.com/privacyguides/brand](https://github.com/privacyguides/brand)
+
+## Handelsmerk
+
+"Privacy Guides" en het schild logo zijn handelsmerken eigendom van Jonah Aragon, onbeperkt gebruik is toegekend aan de Privacy Guides project.
+
+Zonder af te zien van zijn rechten, adviseren Privacy Guides niet anderen over de reikwijdte van zijn intellectuele-eigendomsrechten. Privacy Guides staat geen gebruik van haar handelsmerken toe op een manier die verwarring kan veroorzaken door associatie met of sponsoring door Privacy Guides te impliceren, en geeft daar ook geen toestemming voor. Als u op de hoogte bent van dergelijk gebruik, neem dan contact op met Jonah Aragon via jonah@privacyguides.org. Raadpleeg uw juridisch adviseur als u vragen hebt.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/meta/git-recommendations.md b/i18n/nl/meta/git-recommendations.md
new file mode 100644
index 00000000..c11fb3e7
--- /dev/null
+++ b/i18n/nl/meta/git-recommendations.md
@@ -0,0 +1,48 @@
+---
+title: Git Recommendations
+---
+
+Als je veranderingen aan deze website direct op de web editor van GitHub.com maakt, zou je je hier geen zorgen over moeten maken. Als je lokaal ontwikkelt en/of een ervaren website-editor bent (die waarschijnlijk lokaal zou moeten ontwikkelen!), overweeg dan deze aanbevelingen.
+
+## SSH Key Commit Signing inschakelen
+
+U kunt een bestaande SSH-sleutel gebruiken voor ondertekening, of [een nieuwe aanmaken](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
+
+1. Configureer je Git client om standaard commits en tags te ondertekenen (verwijder `--global` om alleen standaard te ondertekenen voor deze repo):
+ ```
+ git config --global commit.gpgsign true
+ git config --global gpg.format ssh
+ git config --global tag.gpgSign true
+ ```
+2. Kopieer bijvoorbeeld jouw SSH publieke sleutel naar jouw klembord:
+ ```
+ pbcopy < ~/.ssh/id_ed25519.pub
+ # Copies the contents of the id_ed25519.pub file to your clipboard
+ ```
+3. Stel je SSH sleutel in voor ondertekening in Git met het volgende commando, waarbij je de laatste string tussen aanhalingstekens vervangt door de publieke sleutel in je klembord:
+ ```
+ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'
+ ```
+
+Zorg ervoor dat je [je SSH sleutel toevoegt aan je GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **als een Signing Key** (in tegenstelling tot of in aanvulling op als een Authentication Key).
+
+## Rebase op Git pull
+
+Gebruik `git pull --rebase` in plaats van `git pull` als je wijzigingen van GitHub naar je lokale machine trekt. Op deze manier zullen je lokale wijzigingen altijd "bovenop" de laatste wijzigingen op GitHub staan, en je vermijdt merge commits (die niet zijn toegestaan in deze repo).
+
+Je kunt dit als standaard gedrag instellen:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase van `main` voor het indienen van een PR
+
+Als je aan jouw eigen branch werkt, voer dan deze commando's uit voordat je een PR indient:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/meta/uploading-images.md b/i18n/nl/meta/uploading-images.md
new file mode 100644
index 00000000..79b6a59c
--- /dev/null
+++ b/i18n/nl/meta/uploading-images.md
@@ -0,0 +1,91 @@
+---
+title: Afbeeldingen uploaden
+---
+
+Hier zijn een paar algemene regels voor het bijdragen aan Privacy Guides:
+
+## Afbeeldingen
+
+- Wij geven **de voorkeur aan** SVG-afbeeldingen, maar als die niet bestaan, kunnen we PNG-afbeeldingen gebruiken
+
+Bedrijfslogo's hebben canvas grootte van:
+
+- 128x128px
+- 384x128px
+
+## Optimalisatie
+
+### PNG
+
+Gebruik [OptiPNG](https://sourceforge.net/projects/optipng/) om de PNG-afbeelding te optimaliseren:
+
+```bash
+optipng -o7 file.png
+```
+
+### SVG
+
+#### Inkscape
+
+[Scour](https://github.com/scour-project/scour) alle SVG-afbeeldingen.
+
+In Inkscape:
+
+1. Bestand Opslaan Als..
+2. Type instellen op Geoptimaliseerde SVG (*.svg)
+
+In het tabblad **Opties**:
+
+- **Aantal significante cijfers voor coördinaten** > **5**
+- [x] Zet aan **Kleurwaarden inkorten**
+- [x] Zet **aan Zet CSS-attributen om in XML-attributen**
+- [x] Zet **aan Samengevoegde groepen**
+- [x] Zet **aan Maak groepen voor vergelijkbare kenmerken**
+- [ ] Schakel **Bewaar bewerkingsgegevens** uit
+- [ ] Schakel **uit zonder verwijzing gedefinieerde definities**
+- [x] Zet **Werk rond renderbugs** aan
+
+In het tabblad **SVG-uitvoer** onder **Documentopties**:
+
+- [ ] Schakel **Verwijder de XML declaratie** uit
+- [x] Zet **Metadata verwijderen** aan
+- [x] Schakel **Reacties verwijderen** in
+- [x] Schakel **ingevoegde rasterafbeeldingen** in
+- [x] Zet **'viewboxen' aan**
+
+In de **SVG Output** onder **Pretty-printing**:
+
+- [ ] Schakel **Formatteer uitvoer uit met regeleinden en inspringen**
+- **Inspringing tekens** > Selecteer **spatie**
+- **Inspringing** > **1**
+- [ ] Schakel **Strip het kenmerk "xml:space" uit het hoofdSVG-element**
+
+In het **IDs** tabblad:
+
+- [x] Schakel in **Ongebruikte ID's verwijderen**
+- [ ] Schakel **Korte ID's** uit
+- **Voorvoegsel verkorte IDs met** > `leeg laten`
+- [x] Zet **Handmatig aangemaakte IDs aan die niet eindigen met cijfers**
+- **Behoud de volgende IDs** > `laat leeg`
+- **Behoud ID's beginnend met** > `laat leeg`
+
+#### CLI
+
+Hetzelfde kan worden bereikt met het commando [Scour](https://github.com/scour-project/scour):
+
+```bash
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/meta/writing-style.md b/i18n/nl/meta/writing-style.md
new file mode 100644
index 00000000..9ceb6b7b
--- /dev/null
+++ b/i18n/nl/meta/writing-style.md
@@ -0,0 +1,89 @@
+---
+title: Schrijfstijl
+---
+
+Privacy Guides is geschreven in Amerikaans Engels, en je dient bij twijfel de [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) te raadplegen.
+
+In het algemeen bieden de [Amerikaanse federale richtlijnen inzake klare taal](https://www.plainlanguage.gov/guidelines/) een goed overzicht van hoe duidelijk en beknopt te schrijven. Wij belichten hieronder enkele belangrijke opmerkingen uit deze richtsnoeren.
+
+## Schrijven voor ons publiek
+
+Het beoogde [publiek van Privacy Guides](https://www.plainlanguage.gov/guidelines/audience/) is voornamelijk gemiddelde, technologie gebruikende volwassenen. Verlaag de inhoud niet alsof je een middelbare schoolklas toespreekt, maar gebruik niet te veel ingewikkelde terminologie over concepten waarmee de gemiddelde computergebruiker niet vertrouwd is.
+
+### Ga alleen in op wat mensen willen weten
+
+Mensen hebben geen behoefte aan al te complexe artikelen die weinig relevant voor hen zijn. Zoek uit wat je wilt dat mensen bereiken als je een artikel schrijft, en neem alleen die details op.
+
+> Vertel je publiek waarom het materiaal belangrijk voor hen is. Zeg, "Als je een onderzoeksbeurs wilt, is dit wat je moet doen." Of, "Als je federale steenkool wilt ontginnen, is dit wat je moet weten." Of, "Als je een reis naar Rwanda plant, lees dit dan eerst."
+
+### Spreek mensen rechtstreeks aan
+
+We schrijven *voor* een grote verscheidenheid aan mensen, maar we schrijven *voor* de persoon die het daadwerkelijk leest. Gebruik "je" om de lezer rechtstreeks aan te spreken.
+
+> Meer dan enige andere techniek, trekt het gebruik van "jij" gebruikers in de informatie en maakt het deze relevant voor hen.
+>
+> Wanneer je "je" gebruikt om gebruikers aan te spreken, zullen zij eerder begrijpen wat hun verantwoordelijkheid is.
+
+Bron: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/)
+
+### Vermijd "gebruikers"
+
+Vermijd om mensen "gebruikers" te noemen, in plaats van "mensen", of een meer specifieke beschrijving van de groep mensen waarvoor je schrijft.
+
+## Organiseren van content
+
+Organisatie is de sleutel. De inhoud moet stromen van de belangrijkste naar de minst belangrijke informatie, en gebruik zoveel koppen als nodig is om verschillende ideeën logisch van elkaar te scheiden.
+
+- Beperk het document tot ongeveer vijf of zes secties. Lange documenten moeten waarschijnlijk worden opgesplitst in afzonderlijke pagina's.
+- Markeer belangrijke ideeën met **vet** of *cursief*.
+
+Bron: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
+
+### Begin met een onderwerpzin
+
+> Als je jouw lezer vertelt waarover hij gaat lezen, is de kans kleiner dat hij jouw alinea opnieuw moet lezen. Rubrieken helpen, maar zijn niet genoeg. Stel een context vast voor jouw publiek voordat je hen de details verstrekt.
+>
+> We schrijven vaak de manier waarop we denken, waarbij we onze uitgangspunten eerst plaatsen en dan onze conclusie. Het is misschien de natuurlijke manier om gedachten te ontwikkelen, maar we eindigen met de onderwerpzin aan het eind van de alinea. Verplaats het naar voren en laat gebruikers weten waar je naartoe gaat. Laat de lezers niet te veel informatie in hun hoofd houden voordat ze ter zake komen.
+
+Bron: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
+
+## Kies je woorden zorgvuldig
+
+> Woorden zijn belangrijk. Het zijn de meest elementaire bouwstenen van geschreven en gesproken communicatie. Maak het niet ingewikkeld door jargon, technische termen of afkortingen te gebruiken die mensen niet zullen begrijpen.
+
+We moeten proberen afkortingen waar mogelijk te vermijden, maar de technologie zit vol afkortingen.
In het algemeen, schrijf de afkorting/acroniem de eerste keer dat het wordt gebruikt op een pagina, en voeg de afkorting toe aan de afkorting woordenlijst bestand wanneer het herhaaldelijk wordt gebruikt.
+
+> Kathy McGinty geeft met een knipoog aanwijzingen om je eenvoudige, directe zinnen op te leuken:
+>
+> > Er valt niet aan te ontkomen dat het van groot belang wordt geacht op te merken dat in een aantal verschillende beschikbare toepasselijke studies ipso facto in het algemeen is vastgesteld dat aanvullende passende nachtarbeid gewoonlijk jeugdige adolescenten tijdens de nachtelijke uren, met inbegrip van maar niet beperkt tot de tijd vóór middernacht op weeknachten en/of 2 uur 's nachts, van de verkeersaders kan weren. in het weekend.
+>
+> En het origineel, met sterkere, eenvoudigere woorden:
+>
+> > Meer nachtwerk zou jongeren van de straat houden.
+
+## Wees beknopt
+
+> Onnodige woorden verspillen de tijd van je publiek. Goed schrijven is als een gesprek. Laat informatie weg die het publiek niet hoeft te weten. Dit kan moeilijk zijn als een expert op het gebied van onderwerpen, dus het is belangrijk dat iemand naar de informatie kijkt vanuit het perspectief van het publiek.
+
+Bron: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
+
+## Tekst conversatief houden
+
+> Werkwoorden zijn de brandstof van het schrijven. Ze geven je zinnen kracht en richting. Ze verlevendigen je schrijven en maken het interessanter.
+>
+> Werkwoorden vertellen je publiek wat ze moeten doen. Zorg dat het duidelijk is wie wat doet.
+
+### Gebruik de actieve stem
+
+> De actieve stem maakt duidelijk wie wat moet doen. Het neemt onduidelijkheid over verantwoordelijkheden weg. Niet "Het moet gebeuren," maar "Je moet het doen."
+
+Bron: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
+
+### Gebruik "must" voor vereisten
+
+> - "moet" voor een verplichting
+> - "mag niet" voor een verbod
+> - "kan" voor een discretionaire actie
+> - “zou moeten” voor een aanbeveling
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/mobile-browsers.md b/i18n/nl/mobile-browsers.md
new file mode 100644
index 00000000..3728c037
--- /dev/null
+++ b/i18n/nl/mobile-browsers.md
@@ -0,0 +1,193 @@
+---
+title: "Mobiele browsers"
+icon: material/cellphone-information
+---
+
+Dit zijn onze momenteel aanbevolen mobiele webbrowsers en configuraties voor standaard/niet-anoniem internetten. In het algemeen raden we aan om extensies tot een minimum te beperken: ze hebben geprivilegieerde toegang binnen jouw browser, vereisen dat je de ontwikkelaar vertrouwt, kunnen je [doen opvallen](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), en [verzwakken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-Uchnm34/m/lDaXwQhzBAAJ) site-isolatie. In het algemeen raden we aan om extensies tot een minimum te beperken: ze hebben geprivilegieerde toegang binnen jouw browser, vereisen dat u de ontwikkelaar vertrouwt, kunnen je [doen opvallen](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), en [verzwakken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site-isolatie.
+
+## Android
+
+Op Android is Firefox nog steeds minder veilig dan op Chromium gebaseerde alternatieven: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), moet nog [site-isolatie](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) ondersteunen of [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196) inschakelen.
+
+### Brave
+
+!!! recommendation
+
+ ![Brave-logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** bevat een ingebouwde inhoudsblokker en [privacyfuncties](https://brave.com/privacy-features/), waarvan vele standaard zijn ingeschakeld.
+
+ Brave is gebouwd op het Chromium webbrowser project, dus het zou vertrouwd moeten aanvoelen en minimale website compatibiliteitsproblemen moeten hebben.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }.
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Broncode" }
+
+ ??? downloads annoteren "Downloaden"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+
+#### Aanbevolen configuratie
+
+Tor Browser is de enige manier om echt anoniem op het internet te surfen. Wanneer je Brave gebruikt, raden we je aan de volgende instellingen te wijzigen om jouw privacy tegen bepaalde partijen te beschermen, maar alle browsers behalve de [Tor Browser](tor.md#tor-browser) zijn in sommige opzichten traceerbaar door *iemand*.
+
+Deze opties zijn te vinden in :material-menu: → **Instellingen** → **Dappere schilden & privacy**
+
+##### Schilden
+
+Brave bevat enkele anti-vingerafdruk maatregelen in zijn [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) functie. Wij raden aan om deze opties [globaal te configureren](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) voor alle pagina's die je bezoekt.
+
+##### Brave shields global defaults
+
+De opties van Shields kunnen naar behoefte per site worden gedowngrade, maar standaard raden wij aan de volgende opties in te stellen:
+
+
+- [x] Selecteer **Aggressief** onder Trackers & advertenties blokkeren
+
+ ??? warning "Gebruik standaard filter lijsten"
+ Brave staat je toe om extra inhoud filters te selecteren binnen de interne `brave://adblock` pagina. Wij raden het gebruik van deze functie af; houd in plaats daarvan de standaardfilterlijsten aan. Het gebruik van extra lijsten zorgt ervoor dat u zich onderscheidt van andere Brave gebruikers en kan ook het aanvalsoppervlak vergroten als er een exploit in Brave is en een kwaadaardige regel wordt toegevoegd aan één van de lijsten die je gebruikt.
+
+- [x] Selecteer **Upgrade verbindingen naar HTTPS**
+- [x] (Optioneel) Selecteer **Block Scripts** (1)
+- [x] Selecteer **Streng, kan sites breken** onder **Block fingerprinting**
+
+
+1. Deze optie biedt functionaliteit die vergelijkbaar is met uBlock Origin's geavanceerde [-blokkeringsmodi](https://github.com/gorhill/uBlock/wiki/Blocking-mode) of de [NoScript](https://noscript.net/) -extensie.
+
+##### Browserdata opschonen
+
+- [x] Selecteer **Gegevens wissen bij het sluiten van de browser**
+
+##### Altijd-aan Incognito modus
+
+- [ ] Uncheck alle sociale media componenten uit
+
+##### Privacyrapport
+
+
+- [x] Selecteer **Disable non-proxied UDP** onder [WebRTC IP Handling Policy](https://support.brave.com/hc/nl-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Selecteer **Sites toestaan te controleren of je betaalmethoden hebt opgeslagen**
+- [ ] Selecteer **IPFS Gateway** uit (1)
+- [ ] Selecteer **Het vinkje uit. [x] Selecteer **Tabbladen sluiten bij afsluiten**
+- [ ] Uitvinken **Privacy-preserving product analytics (P3A) toestaan**
+- [ ] Uitvinken **Automatisch diagnoserapporten versturen**
+- [ ] Uitvinken **Dagelijkse gebruiksping automatisch naar Brave sturen**
+
+1. [ ] Uitvinken. InterPlanetary File System (IPFS) is een gedecentraliseerd, peer-to-peer netwerk voor het opslaan en delen van gegevens in een gedistribueerd bestandssysteem. Tenzij je de functie gebruikt, schakel hem uit.
+
+
+#### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) maakt jouw surfgegevens (geschiedenis, bladwijzers, enz.) toegankelijk op al jouw apparaten zonder dat je een account nodig hebt en beschermt ze met E2EE.
+
+## iOS
+
+Op iOS is elke app die op het web kan surfen beperkt tot [](https://developer.apple.com/app-store/review/guidelines) het door Apple geleverde [WebKit framework](https://developer.apple.com/documentation/webkit), dus er is weinig reden om een webbrowser van een derde partij te gebruiken.
+
+### Safari
+
+!!! recommendation
+
+ ![Safari-logo](assets/img/browsers/safari.svg){ align=right }
+
+ **Safari** is de standaardbrowser in iOS. Het bevat [privacyfuncties](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) zoals Intelligent Tracking Protection, Privacy Report, geïsoleerde tabbladen voor privénavigatie, iCloud Private Relay, en automatische HTTPS-upgrades.
+
+ [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacybeleid" }
+ [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentatie}
+
+#### Aanbevolen configuratie
+
+Deze opties zijn te vinden onder :gear: **Instellingen** → **Safari** → **Privacy en beveiliging**.
+
+##### Preventie van Cross-Site Tracking
+
+- [x] Activeer **Voorkom Cross-Site Tracking**
+
+Dit maakt WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp)mogelijk. De functie helpt beschermen tegen ongewenste tracking door gebruik te maken van on-device machine learning om trackers te stoppen. ITP beschermt tegen veel voorkomende bedreigingen, maar blokkeert niet alle tracking-wegen omdat het is ontworpen om de bruikbaarheid van websites niet te hinderen.
+
+##### Privacyrapport
+
+Privacyrapport biedt een momentopname van cross-site trackers die u momenteel niet kunnen profileren op de website die u bezoekt. Het kan ook een wekelijks rapport weergeven om te laten zien welke trackers in de loop van de tijd zijn geblokkeerd.
+
+Privacyrapport is toegankelijk via het menu Pagina-instellingen.
+
+##### Privacybehoudende advertentiemeting
+
+- [ ] Schakel **Privacy Preserving Ad Measurement**uit
+
+Bij het meten van advertentieklikken wordt van oudsher gebruik gemaakt van trackingtechnologie die inbreuk maakt op de privacy van de gebruiker. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is een WebKit-functie en een voorgestelde webstandaard die adverteerders in staat moet stellen de doeltreffendheid van webcampagnes te meten zonder afbreuk te doen aan de privacy van de gebruiker.
+
+De functie heeft op zichzelf weinig privacyproblemen, dus hoewel je ervoor kunt kiezen om hem ingeschakeld te laten, beschouwen wij het feit dat hij automatisch is uitgeschakeld in Privénavigatie als een aanwijzing om de functie uit te schakelen.
+
+##### Altijd privé browsen
+
+Open Safari en tik op de knop Tabbladen, rechtsonder. Vouw vervolgens de lijst Tabbladgroepen uit.
+
+- [x] Selecteer **Privé**
+
+Safari's Privénavigatie modus biedt extra bescherming van de privacy. Private Browsing gebruikt een nieuwe [kortstondige](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) sessie voor elk tabblad, wat betekent dat tabbladen van elkaar geïsoleerd zijn. Als er een [kwetsbaarheid is in uBlock Origin](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css) kan een filter van een derde partij kwaadaardige regels toevoegen die mogelijk gebruikersgegevens kunnen stelen.
+
+Houd er rekening mee dat privénavigatie geen cookies en gegevens opslaat, zodat het niet mogelijk is om ingelogd te blijven op sites.
Dit kan een ongemak zijn.
+
+##### iCloud Synchronisatie
+
+De synchronisatie van de Safari-geschiedenis, tabbladgroepen, iCloud-tabbladen en opgeslagen wachtwoorden verloopt via E2EE. Standaard zijn bladwijzers dat echter [niet](https://support.apple.com/en-us/HT202303). Apple kan ze ontsleutelen en openen in overeenstemming met hun [privacybeleid](https://www.apple.com/legal/privacy/en-ww/).
+
+Je kunt E2EE inschakelen voor jouw Safari bladwijzers en downloads door [Geavanceerde gegevensbescherming](https://support.apple.com/en-us/HT212520)in te schakelen. Ga naar jouw **Apple ID naam → iCloud → Geavanceerde gegevensbescherming**.
+
+- [x] Zet **Geavanceerde gegevensbescherming aan**
+
+Als je iCloud gebruikt terwijl Geavanceerde gegevensbescherming is uitgeschakeld, raden we je ook aan te controleren of de standaard downloadlocatie van Safari is ingesteld op lokaal op jouw apparaat. Extra filterlijsten kunnen de prestaties beïnvloeden en het aanvalsoppervlak vergroten, dus pas alleen toe wat u nodig hebt.
+
+### AdGuard
+
+!!! recommendation
+
+ ![AdGuard-logo](assets/img/browsers/adguard.svg){ align=right }
+
+ **AdGuard voor iOS** is een gratis en open-source uitbreiding voor het blokkeren van inhoud voor Safari die gebruikmaakt van de eigen [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
+
+ AdGuard voor iOS heeft enkele premium functies, maar standaard Safari-inhoud blokkeren is gratis.
+
+ [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacybeleid" }
+ [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Broncode" }
+
+ ???
downloads "Downloaden"
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+Extra filterlijsten vertragen de zaken en kunnen uw aanvalsoppervlak vergroten, dus pas alleen toe wat u nodig hebt.
+
+## Criteria
+
+**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is.
+
+!!! example "Deze sectie is nieuw"
+
+ We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering.
+
+### Minimale vereisten
+
+- Moet automatische updates ondersteunen.
+- Moet engine updates ontvangen binnen 0-1 dagen na upstream release.
+- Wijzigingen die nodig zijn om de browser privacyvriendelijker te maken, mogen de gebruikerservaring niet negatief beïnvloeden.
+- Android-browsers moeten de Chromium-engine gebruiken.
+ - Helaas is Mozilla GeckoView nog steeds minder veilig dan Chromium op Android.
+ - iOS-browsers zijn beperkt tot WebKit.
+
+### Uitbreidings criteria
+
+- Mag geen ingebouwde browser- of OS-functionaliteit repliceren.
+- Moet rechtstreeks van invloed zijn op de privacy van de gebruiker, d.w.z. mag niet gewoon informatie verstrekken.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/multi-factor-authentication.md b/i18n/nl/multi-factor-authentication.md
new file mode 100644
index 00000000..77bf7c3b
--- /dev/null
+++ b/i18n/nl/multi-factor-authentication.md
@@ -0,0 +1,143 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +--- + +## Hardware Veiligheidssleutels + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + De **YubiKeys** behoren tot de meest populaire beveiligingssleutels. Sommige YubiKey modellen hebben een breed scala aan functies, zoals: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 en WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP en HOTP](https://developers.yubico.com/OATH) verificatie. + + Een van de voordelen van de YubiKey is dat één sleutel bijna alles kan (YubiKey 5), wat je van een hardware beveiligingssleutel mag verwachten. Wij raden je aan om vóór de aankoop de [quiz](https://www.yubico.com/quiz/) te nemen om er zeker van te zijn dat je de juiste keuze maakt. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentatie} + +Deze [vergelijkingstabel](https://www.yubico.com/store/compare/) toont de kenmerken en hoe de YubiKeys zich tot elkaar verhouden. Wij raden je ten zeerste aan om sleutels uit de YubiKey 5-serie te kiezen. + +YubiKeys kunnen worden geprogrammeerd met behulp van de [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) of [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). Voor het beheer van TOTP-codes kunt je de [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)gebruiken. 
Alle Yubico's clients zijn open source. + +Voor modellen die HOTP en TOTP ondersteunen, zijn er 2 slots in de OTP-interface die kunnen worden gebruikt voor HOTP en 32 slots om TOTP geheimen op te slaan. Deze geheimen worden versleuteld opgeslagen op de sleutel en worden nooit blootgesteld aan de apparaten waarop ze zijn aangesloten. Zodra een "seed" ( het gedeeld geheim) aan de Yubico Authenticator is gegeven, zal deze alleen de zescijferige codes geven, maar nooit de seed. Dit beveiligingsmodel beperkt wat een aanvaller kan doen als hij een van de apparaten waarop de Yubico Authenticator draait, in gevaar brengt en maakt de YubiKey bestand tegen een fysieke aanvaller. + +!!! warning + De firmware van YubiKey is niet open-source en kan niet worden geüpdatet. Als je functies in nieuwere firmwareversies wilt, of als er een kwetsbaarheid is in de firmwareversie die je gebruikt, moet je een nieuwe sleutel kopen. + +### Nitrokey / Librem Key + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** heeft een beveiligingssleutel die geschikt is voor [FIDO2 en WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) genaamd de **Nitrokey FIDO2**. Voor PGP-ondersteuning moet je een van hun andere sleutels kopen, zoals de **Nitrokey Start**, **Nitrokey Pro 2** of de **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentatie} + +De [vergelijkingstabel](https://www.nitrokey.com/#comparison) toont de kenmerken en hoe de Nitrokey-modellen zich verhouden. De genoemde **Nitrokey 3** zal een gecombineerde functieset hebben. + +Nitrokey-modellen kunnen worden geconfigureerd met behulp van de [Nitrokey-app](https://www.nitrokey.com/download). 
+ +Voor de modellen die HOTP en TOTP ondersteunen, zijn er 3 slots voor HOTP en 15 voor TOTP. Sommige Nitrokeys kunnen functioneren als een wachtwoord manager. Ze kunnen 16 verschillende inloggegevens opslaan en deze versleutelen met hetzelfde wachtwoord als de OpenPGP-interface. + +!!! warning + + Hoewel Nitrokeys de HOTP/TOTP geheimen niet vrijgeven aan het apparaat waar ze op aangesloten zijn, is de HOTP en TOTP opslag **niet** versleuteld en is kwetsbaar voor fysieke aanvallen. Als je deze geheimen HOTP of TOTP wilt bewaren, raden we je ten zeerste aan om in plaats daarvan een Yubikey te gebruiken. + +!!! warning + + Het resetten van de OpenPGP interface op een Nitrokey zal ook de wachtwoord database [inaccessible]maken (https://docs.nitrokey.com/pro/linux/factory-reset). + + De Nitrokey Pro 2, Nitrokey Storage 2 en de komende Nitrokey 3 ondersteunen systeemintegriteitscontrole voor laptops met de [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is een rebranded NitroKey Pro 2 met gelijkaardige firmware en kan ook voor dezelfde doeleinden worden gebruikt. + +Nitrokey's firmware is open-source, in tegenstelling tot de YubiKey. De firmware op moderne NitroKey-modellen (behalve de **NitroKey Pro 2**) kan worden bijgewerkt. + +!!! tip + + De Nitrokey app, hoewel compatibel met Librem Keys, vereist `libnitrokey` versie 3.6 of hoger om ze te herkennen. Op dit moment is het pakket verouderd in de repository van Windows, macOS en de meeste Linux distributies, dus u zult waarschijnlijk zelf de Nitrokey app moeten compileren om deze te laten werken met de Librem Key. Onder Linux kunt u een bijgewerkte versie verkrijgen op [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). 
+ +### Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +#### Minimale vereisten + +- Moet gebruik maken van hoogwaardige, fraudebestendige hardwarebeveiligingsmodules. +- Moet de meest recente FIDO2-specificatie ondersteunen. +- Mag geen extractie van de private sleutel toestaan. +- Apparaten die meer dan 35 dollar kosten, moeten OpenPGP en S/MIME aankunnen. + +#### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. + +- Zou beschikbaar moeten zijn in USB-C vorm-factor. +- Zou beschikbaar moeten zijn met NFC. +- Moet TOTP opslag ondersteunen. +- Moet veilige firmware-updates ondersteunen. + +## Authenticator Apps + +Authenticator Apps implementeren een beveiligingsstandaard die is aangenomen door de Internet Engineering Task Force (IETF), genaamd **Time-based One-time Passwords**, of **TOTP**. 
Dit is een methode waarbij websites een geheim met je delen dat door jouw authenticator-app wordt gebruikt om een code van zes (meestal) cijfers te genereren op basis van de huidige tijd, die je invoert terwijl je inlogt om de website te controleren. Deze codes worden gewoonlijk om de 30 seconden geregenereerd, en zodra een nieuwe code is gegenereerd, wordt de oude nutteloos. Zelfs als een hacker één zescijferige code bemachtigt, is er geen manier om die code om te keren om het oorspronkelijke geheim te bemachtigen of om anderszins te kunnen voorspellen wat eventuele toekomstige codes zouden kunnen zijn. + +Wij raden je ten zeerste aan om mobiele TOTP apps te gebruiken in plaats van desktop alternatieven, aangezien Android en IOS een betere beveiliging en app isolatie hebben dan de meeste desktop besturingssystemen. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is een gratis, veilige en open-source app om jouw 2-staps verificatie tokens voor uw online diensten te beheren. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Broncode" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! 
recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is een native, lichtgewicht en veilige time-based (TOTP) & counter-based (HOTP) password client voor iOS. Raivo OTP biedt optionele iCloud back-up & sync. Raivo OTP is ook beschikbaar voor macOS in de vorm van een statusbalkapplicatie, maar de Mac-app werkt niet onafhankelijk van de iOS-app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Broncode" }. [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Moet open-source software zijn. +- Moet geen internetverbinding vereisen. 
+- Mag niet synchroniseren met een cloud sync/backup service van derden. + - **Optioneel is** E2EE sync-ondersteuning met OS-native tools aanvaardbaar, bv. versleutelde sync via iCloud. + +--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/news-aggregators.md b/i18n/nl/news-aggregators.md
new file mode 100644
index 00000000..9f043911
--- /dev/null
+++ b/i18n/nl/news-aggregators.md
@@ -0,0 +1,173 @@ +--- +title: "Nieuws Aggregators" +icon: material/rss +--- + +Een [nieuwsaggregator](https://en.wikipedia.org/wiki/News_aggregator) is een manier om op de hoogte te blijven van jouw favoriete blogs en nieuwssites. + +## Aggregator-cliënts + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is een nieuwsfeedlezer die deel uitmaakt van het [KDE](https://kde.org) project. Het wordt geleverd met een snelle zoekfunctie, geavanceerde archiveringsfunctionaliteit en een interne browser voor het gemakkelijk lezen van nieuws. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentatie} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Broncode" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is een moderne RSS-client voor Android die veel [features](https://gitlab.com/spacecowboy/Feeder#features) heeft en goed werkt met het mappen van RSS-feeds. Het ondersteunt [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) en [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) en [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). 
+ + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is een veilige cross-platform nieuwsaggregator met handige privacy-functies, zoals het verwijderen van cookies bij afsluiten, strikte [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) en proxy-ondersteuning, wat betekent dat je het kunt gebruiken via [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Broncode" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### Gnome Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is een [RSS](https://en.wikipedia.org/wiki/RSS) en [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) nieuwslezer voor [GNOME](https://www.gnome.org). Het heeft een eenvoudige interface en is vrij snel. 
+ + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Broncode" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux-logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux-logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is een webgebaseerde nieuwsaggregator die je zelf kunt hosten. Het ondersteunt [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) en [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) en [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Broncode" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Bijdragen} + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** een gratis en open-source feedlezer voor macOS en iOS met een focus op een native ontwerp en functieset. Het ondersteunt de typische feedformaten naast ingebouwde ondersteuning voor Twitter- en Reddit-feeds. 
+ + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is een RSS/Atom feed lezer voor de tekstconsole. Het is een actief onderhouden vork van [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). Het is zeer licht, en ideaal voor gebruik via [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Broncode" } + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. 
Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Moet open-source software zijn. +- Moet lokaal werken, d.w.z. mag geen clouddienst zijn. + +## RSS-ondersteuning voor sociale media + +Sommige socialemediadiensten ondersteunen ook RSS, hoewel dat niet vaak wordt geadverteerd. + +### Reddit + +Met Reddit kun je je abonneren op subreddits via RSS. + +!!! Voorbeeld + Vervang `subreddit_name` door de subreddit waarop je je wilt abonneren. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Met behulp van een van de Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) kunt je je gemakkelijk abonneren via RSS. + +!!! Voorbeeld + 1. Kies een instantie en stel `nitter_instance`in. + 2. Vervang `twitter_account` door de accountnaam. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +Je kunt zich abonneren op YouTube-kanalen zonder in te loggen en gebruiksinformatie te koppelen aan jouw Google-account. + +!!! Voorbeeld + + Om je te abonneren op een YouTube kanaal met een RSS client, zoek je eerst je [channel code](https://support.google.com/youtube/answer/6180214), vervang `channel_id` hieronder: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` + +--8<-- "includes/abbreviations.nl.txt" diff --git a/i18n/nl/notebooks.md b/i18n/nl/notebooks.md new file mode 100644 index 00000000..a0afcb58 --- /dev/null +++ b/i18n/nl/notebooks.md 
@@ -0,0 +1,115 @@ +--- +title: "Notitieboekjes" +icon: material/notebook-edit-outline +--- + +Houd jouw notities en aantekeningen bij zonder ze aan derden te geven. + +Als je momenteel een toepassing zoals Evernote, Google Keep of Microsoft OneNote gebruikt, raden wij je aan hier een alternatief te kiezen dat E2EE ondersteunt. + +## Cloud-gebaseerd + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is een gratis, open-source, en volledig uitgeruste applicatie voor het maken van notities en to-do's die een groot aantal markdown notities kan verwerken, georganiseerd in notitieblokken en tags. Het biedt E2EE en kan synchroniseren via Nextcloud, Dropbox, en meer. Het biedt ook een gemakkelijke import vanuit Evernote en notities in gewone tekst. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Broncode" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Bijdragen } + + ??? 
downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin ondersteunt geen wachtwoord/PIN beveiliging voor de [applicatie zelf of individuele notities en notebooks](https://github.com/laurent22/joplin/issues/289). Gegevens worden nog steeds versleuteld tijdens het transport en op de synchronisatielocatie met behulp van jouw hoofdsleutel. + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + Standard Notes is een eenvoudige en persoonlijke notitie app die jouw notities gemakkelijk en overal beschikbaar maakt. Het biedt E2EE op elk platform, en een krachtige desktop-ervaring met thema's en aangepaste editors. Het is ook [door een onafhankelijke instantie gecontroleerd (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Broncode" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Bijdragen } + + ??? 
downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is een web-gebaseerde, versleutelde, veilige foto opslag service en documenten editor. Cryptee is een PWA, wat betekent dat het naadloos werkt op alle moderne apparaten zonder dat er native apps voor elk platform nodig zijn. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee biedt gratis 100MB opslag, met betaalde opties als je meer nodig hebt. Aanmelden vereist geen e-mail of andere persoonlijk identificeerbare informatie. + +## Lokale notitieblokken + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is een [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) voor GNU Emacs. Org-mode is voor het bijhouden van notities, het bijhouden van TODO lijsten, het plannen van projecten, en het schrijven van documenten met een snel en effectief plain-text systeem. 
Synchronisatie is mogelijk met [bestandssynchronisatie](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentatie} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Broncode" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Bijdrage leveren } + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Clients moeten open-source zijn. +- Elke cloud-synchronisatiefunctionaliteit moet E2EE zijn. +- Moet het exporteren van documenten naar een standaardformaat ondersteunen. + +### Beste geval + +- De lokale backup/sync-functie moet encryptie ondersteunen. +- Cloud-platforms moeten het delen van documenten ondersteunen. + +--8<-- "includes/abbreviations.nl.txt" diff --git a/i18n/nl/os/android-overview.md b/i18n/nl/os/android-overview.md new file mode 100644 index 00000000..55243cf3 --- /dev/null +++ b/i18n/nl/os/android-overview.md 
@@ -0,0 +1,135 @@
+---
+title: Android Overzicht
+icon: simple/android
+---
+
+Android is een veilig besturingssysteem met sterke [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), en een robuust [permission](https://developer.android.com/guide/topics/permissions/overview) control system.
+
+## Het kiezen van een Android distributie
+
+Wanneer je een Androidtelefoon koopt, wordt het standaardbesturingssysteem van het toestel vaak geleverd met een indringende integratie met apps en diensten die geen deel uitmaken van het [Android Open-Source Project](https://source.android.com/). Een voorbeeld hiervan zijn Google Play Services, die onherroepelijke rechten heeft om toegang te krijgen tot jouw bestanden, contactenopslag, oproeplogs, sms-berichten, locatie, camera, microfoon, hardware-identificaties, enzovoort. Deze apps en diensten vergroten het aanvalsoppervlak van jouw toestel en zijn de bron van diverse privacyproblemen met Android.
+
+Dit probleem kan worden opgelost door een aangepaste Android-distributie te gebruiken die niet met een dergelijke invasieve integratie komt. Helaas schenden veel aangepaste Android-distributies vaak het Android-beveiligingsmodel door cruciale beveiligingsfuncties zoals AVB, terugdraaibeveiliging, firmware-updates, enzovoort, niet te ondersteunen. Sommige distributies leveren ook [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds die root blootstellen via [ADB](https://developer.android.com/studio/command-line/adb) en [meer permissieve](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies vereisen om debug-functies te accommoderen, wat resulteert in een verder verhoogd aanvalsoppervlak en een verzwakt beveiligingsmodel.
+
+Idealiter, wanneer je een aangepaste Android distributie kiest, moet je ervoor zorgen dat het het Android beveiligingsmodel handhaaft.
Op zijn minst zou de distributie productie builds moeten hebben, ondersteuning voor AVB, rollback bescherming, tijdige firmware en besturingssysteem updates, en SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). Al onze aanbevolen Android distributies voldoen aan deze criteria.
+
+[Onze Android Systeemaanbevelingen :material-arrow-right-drop-circle:](../android.md ""){.md-button}
+
+## Rooting vermijden
+
+[Rooten van](https://en.wikipedia.org/wiki/Rooting_(Android)) Android-telefoons kan de veiligheid aanzienlijk verminderen omdat het het volledige [Android beveiligingsmodel verzwakt](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). Dit kan de privacy verminderen mocht er een exploit zijn die door de verminderde beveiliging wordt geholpen. Bij veelgebruikte rootingmethoden wordt rechtstreeks met de opstartpartitie geknoeid, waardoor het onmogelijk is om een succesvolle Verified Boot uit te voeren. Apps die root vereisen zullen ook de systeempartitie wijzigen, wat betekent dat Verified Boot uitgeschakeld zou moeten blijven. Als root direct in de gebruikersinterface wordt blootgesteld, wordt ook het [aanvalsoppervlak](https://en.wikipedia.org/wiki/Attack_surface) van jouw apparaat vergroot en kan het helpen bij [privilege-escalatie](https://en.wikipedia.org/wiki/Privilege_escalation) kwetsbaarheden en omzeilen van SELinux-beleidslijnen.
+
+Adblockers, die het [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) wijzigen en firewalls (AFWall+) die voortdurend root-toegang vereisen, zijn gevaarlijk en mogen niet worden gebruikt. Zij zijn ook niet de juiste manier om het beoogde doel te bereiken. Voor Adblocking stellen wij versleutelde [DNS](../dns.md) of [VPN](../vpn.md) serverblokkeringsoplossingen voor.
RethinkDNS, TrackerControl en AdAway in niet-root modus zullen het VPN-slot innemen (door gebruik te maken van een lokale loopback VPN) waardoor je geen privacy verhogende diensten zoals Orbot of een echte VPN-server kunt gebruiken.
+
+AFWall+ werkt op basis van de [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) benadering en kan in sommige situaties omzeild worden.
+
+Wij geloven niet dat de veiligheidsoffers die gemaakt worden door het rooten van een telefoon, de twijfelachtige privacyvoordelen van die apps waard zijn.
+
+## Geverifieerde boot
+
+[Geverifieerde Boot](https://source.android.com/security/verifiedboot) is een belangrijk onderdeel van het Android-beveiligingsmodel. Het biedt bescherming tegen [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) aanvallen, malware persistentie, en zorgt ervoor dat beveiligingsupdates niet kunnen worden gedowngraded met [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
+
+Android 10 en hoger is overgestapt van volledige schijfversleuteling naar meer flexibele [bestandsgebaseerde versleuteling](https://source.android.com/security/encryption/file-based). Jouw gegevens worden versleuteld met unieke encryptiesleutels, en de bestanden van het besturingssysteem blijven onversleuteld.
+
+Verified Boot garandeert de integriteit van de besturingssysteembestanden en voorkomt zo dat een tegenstander met fysieke toegang kan knoeien of malware op het apparaat kan installeren. In het onwaarschijnlijke geval dat malware in staat is om andere delen van het systeem te misbruiken en hogere geprivilegieerde toegang te verkrijgen, zal Verified Boot veranderingen aan de systeempartitie voorkomen en terugdraaien bij het herstarten van het apparaat.
+
+OEM's zijn helaas alleen verplicht om de verspreiding van geverifieerde Boot op hun voorraad Android te ondersteunen.
Slechts enkele OEM's, zoals Google, ondersteunen aangepaste AVB key enrollment op hun toestellen. Bovendien ondersteunen sommige AOSP afgeleiden zoals LineageOS of /e/ OS Verified Boot niet, zelfs niet op hardware met Verified Boot-ondersteuning voor besturingssystemen van derden. Wij raden je aan te controleren of er ondersteuning is op **voordat je** een nieuw apparaat aanschaft. AOSP-derivaten die geen Geverifieerde Boot ondersteunen, worden **niet** aanbevolen.
+
+Veel OEM's hebben ook een gebroken uitvoering van Verified Boot waar je je bewust van moet zijn buiten hun marketing. De Fairphone 3 en 4 zijn bijvoorbeeld standaard niet veilig, aangezien de [standaard bootloader vertrouwt op de publieke AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). Dit breekt geverifieerd opstarten op een standaard Fairphone toestel, omdat het systeem alternatieve Android besturingssystemen zoals (zoals /e/) [zal opstarten zonder enige waarschuwing](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) over aangepast besturingssysteem gebruik.
+
+## Firmware-updates
+
+Firmware-updates zijn van cruciaal belang voor het behoud van de veiligheid en zonder deze updates kan uw toestel niet veilig zijn. OEM's hebben ondersteuningsovereenkomsten met hun partners om de closed-source componenten voor een beperkte ondersteuningsperiode te leveren. Deze worden gedetailleerd beschreven in de maandelijkse [Android Security Bulletins](https://source.android.com/security/bulletin).
+
+Aangezien de onderdelen van de telefoon, zoals de processor en de radiotechnologieën, afhankelijk zijn van closed-source componenten, moeten de updates door de respectieve fabrikanten worden verstrekt. Daarom is het belangrijk dat u een toestel koopt binnen een actieve ondersteuningscyclus.
[Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) en [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) ondersteunen hun toestellen gedurende 4 jaar, terwijl goedkopere producten vaak kortere ondersteuningscycli hebben. Met de introductie van de [Pixel 6](https://support.google.com/pixelphone/answer/4457705) maakt Google nu hun eigen SoC en zullen ze minimaal 5 jaar ondersteuning bieden.
+
+EOL-apparaten die niet langer door de SoC-fabrikant worden ondersteund, kunnen geen firmware-updates ontvangen van OEM-verkopers of aftermarket-distributeurs van Android. Dit betekent dat beveiligingsproblemen met die apparaten onopgelost zullen blijven.
+
+Fairphone, bijvoorbeeld, brengt hun toestellen op de markt met een ondersteuning van 6 jaar. De SoC (Qualcomm Snapdragon 750G op de Fairphone 4) heeft echter een aanzienlijk kortere EOL-datum. Dit betekent dat de firmware-beveiligingsupdates van Qualcomm voor de Fairphone 4 in september 2023 aflopen, ongeacht of Fairphone doorgaat met het uitbrengen van software-beveiligingsupdates.
+
+## Android-versies
+
+Het is belangrijk om geen [end-of-life](https://endoflife.date/android) versie van Android te gebruiken. Nieuwere versies van Android krijgen niet alleen beveiligingsupdates voor het besturingssysteem, maar ook belangrijke updates die privacy verbeteren. Bijvoorbeeld, [vóór Android 10](https://developer.android.com/about/versions/10/privacy/changes) konden alle apps met de toestemming [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) toegang krijgen tot gevoelige en unieke serienummers van uw telefoon, zoals [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), en uw SIM-kaart [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity).
Nu moeten dat systeem-apps zijn om dit te kunnen doen. Systeem-apps worden alleen geleverd door de OEM of de Android-distributie.
+
+## Android-machtigingen
+
+[Machtigingen op Android](https://developer.android.com/guide/topics/permissions/overview) geven je controle over welke apps toegang krijgen. Google brengt regelmatig [verbeteringen aan](https://developer.android.com/about/versions/11/privacy/permissions) in het toestemmingssysteem in elke opeenvolgende versie. Alle apps die je installeert zijn strikt [sandboxed](https://source.android.com/security/app-sandbox), daarom is het niet nodig om antivirus apps te installeren. Een smartphone met de nieuwste versie van Android zal altijd veiliger zijn dan een oude smartphone met een antivirus waarvoor je betaald heeft. Het is beter om niet te betalen voor antivirussoftware en geld te sparen om een nieuwe smartphone te kopen, zoals een Google Pixel.
+
+Als je een app wilt gebruiken waar je niet zeker van bent, kun je overwegen een gebruikers- of werkprofiel te gebruiken.
+
+## Mediatoegang
+
+Heel wat toepassingen laten je toe een bestand te "delen" met hen voor het uploaden van media. Als je bijvoorbeeld een foto naar Twitter wilt tweeten, geef Twitter dan geen toegang tot jouw "media en foto's", want dan heeft het toegang tot al jouw foto's. Ga in plaats daarvan naar je bestandsbeheerder (documentsUI), houd de foto vast en deel hem dan met Twitter.
+
+## Gebruikers Profielen
+
+Meervoudige gebruikersprofielen zijn te vinden in **Instellingen** → **Systeem** → **Meervoudige gebruikers** en zijn de eenvoudigste manier om te isoleren in Android.
+
+Met gebruikersprofielen kun je beperkingen opleggen aan een specifiek profiel, zoals: bellen, sms'en of apps installeren op het toestel. Elk profiel wordt versleuteld met zijn eigen versleutelingscode en heeft geen toegang tot de gegevens van andere profielen.
Zelfs de eigenaar van het apparaat kan de gegevens van andere profielen niet bekijken zonder hun wachtwoord te kennen. Meervoudige gebruikersprofielen zijn een veiligere methode van isolatie.
+
+## Werkprofiel
+
+[Werkprofielen](https://support.google.com/work/android/answer/6191949) zijn een andere manier om afzonderlijke apps te isoleren en kunnen handiger zijn dan afzonderlijke gebruikersprofielen.
+
+Een **apparaatcontroller** zoals [Shelter](#recommended-apps) is vereist, tenzij je CalyxOS gebruikt die er een bevat.
+
+Het werkprofiel is afhankelijk van een apparaatcontroller om te kunnen functioneren. Functies zoals *File Shuttle* en *contact zoeken blokkeren* of enige vorm van isolatiefuncties moeten door de controller worden geïmplementeerd. Je moet de apparaatcontroller-app ook volledig vertrouwen, aangezien deze volledige toegang heeft tot jouw gegevens binnen het werkprofiel.
+
+Deze methode is over het algemeen minder veilig dan een secundair gebruikersprofiel; het biedt je echter wel het gemak dat je tegelijkertijd apps kunt uitvoeren in zowel het werk- als het persoonlijke profiel.
+
+## VPN Killswitch
+
+Android 7 en hoger ondersteunt een VPN killswitch en het is beschikbaar zonder de noodzaak om apps van derden te installeren. Deze functie kan lekken voorkomen als de VPN wordt verbroken. Het kan gevonden worden in :gear: **Instellingen** → **Netwerk & internet** → **VPN** → :gear: → **Blokkeer verbindingen zonder VPN**.
+
+## Globale schakelaars
+
+Moderne Android-toestellen hebben globale toggles voor het uitschakelen van Bluetooth en locatiediensten. Android 12 introduceerde toggles voor de camera en microfoon. Wanneer u deze functies niet gebruikt, raden wij je aan ze uit te schakelen. Apps kunnen geen gebruik maken van uitgeschakelde functies (zelfs niet als daarvoor individuele toestemming is verleend) totdat ze weer zijn ingeschakeld.
+
+## Google
+
+Als je een apparaat gebruikt met Google-diensten, hetzij ujouw standaard besturingssysteem of een besturingssysteem dat Google Play Services veilig sandboxed zoals GrapheneOS, zijn er een aantal extra wijzigingen die je kunt aanbrengen om jouw privacy te verbeteren. We raden nog steeds aan om Google diensten volledig te vermijden, of om Google Play diensten te beperken tot een specifiek gebruiker/werkprofiel door een apparaatcontroller zoals *Shelter* te combineren met GrapheneOS's Sandboxed Google Play.
+
+### Geavanceerd beschermingsprogramma
+
+Als je een Google-account hebt, raden wij je aan je in te schrijven voor het [Advanced Protection Program](https://landing.google.com/advancedprotection/). Het is gratis beschikbaar voor iedereen met twee of meer hardware beveiligingssleutels met [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) ondersteuning.
+
+Het geavanceerde beschermingsprogramma biedt verbeterde controle op bedreigingen en maakt het mogelijk:
+
+- Strengere tweefactorauthenticatie; bv.
dat [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **moet worden gebruikt** en dat het gebruik van [SMS OTP's](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) en [OAuth](https://en.wikipedia.org/wiki/OAuth)niet is toegestaan
+- Alleen Google en geverifieerde apps van derden hebben toegang tot accountgegevens
+- Scannen van inkomende e-mails op Gmail-accounts voor [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) pogingen
+- Strengere [veilige browser scannen](https://www.google.com/chrome/privacy/whitepaper.html#malware) met Google Chrome
+- Striktere herstelprocedure voor accounts met verloren inloggegevens
+
+ Als je gebruikmaakt van niet-sandboxed Google Play Services (gebruikelijk op standaard besturingssystemen), wordt het Advanced Protection Program ook geleverd met [extra voordelen](https://support.google.com/accounts/answer/9764949?hl=en), zoals:
+
+- Installatie van apps buiten de Google Play Store, de app-winkel van de leverancier van het besturingssysteem of via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)is niet toegestaan
+- Verplichte automatische apparaatscan met [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
+- Je waarschuwt voor niet geverifieerde toepassingen
+
+### Google Play Systeem Updates
+
+In het verleden moesten beveiligingsupdates voor Android worden verzonden door de leverancier van het besturingssysteem. Android is meer modulair geworden vanaf Android 10, en Google kan beveiligingsupdates pushen voor **sommige** systeemcomponenten via de bevoorrechte Play Services.
+
+Als je een EOL-apparaat hebt dat met Android 10 of hoger wordt geleverd en geen van onze aanbevolen besturingssystemen op jouw apparaat kunt uitvoeren, kun je waarschijnlijk beter bij jouw OEM Android-installatie blijven (in tegenstelling tot een besturingssysteem dat hier niet wordt vermeld, zoals LineageOS of /e/ OS). Hierdoor kunt je **sommige** beveiligingsfixes van Google ontvangen, terwijl je het Android beveiligingsmodel niet schendt door een onveilig Android derivaat te gebruiken en jouw aanvalsoppervlak te vergroten. We raden nog steeds aan zo snel mogelijk te upgraden naar een ondersteund apparaat.
+
+### Reclame-ID
+
+Alle apparaten waarop Google Play Services zijn geïnstalleerd, genereren automatisch een [-reclame-ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) die wordt gebruikt voor gerichte reclame. Schakel deze functie uit om de over je verzamelde gegevens te beperken.
+
+Op Android distributies met [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), ga naar :gear: **Instellingen** → **Apps** → **Sandboxed Google Play** → **Google Instellingen** → **Advertenties**, en selecteer *Verwijder reclame ID*.
+
+Op Android distributies met geprivilegieerde Google Play Services (zoals standaard OSes), kan de instelling op een van verschillende locaties staan. Check
+
+- :gear: **Instellingen** → **Google** → **Advertenties**
+- :gear: **Instellingen** → **Privacy** → **Advertenties**
+
+Je krijgt de optie om jouw advertentie-ID te verwijderen of om *af te melden voor op interesses gebaseerde advertenties*, dit varieert tussen OEM-distributies van Android. Als de mogelijkheid wordt geboden om de reclame-ID te wissen, heeft dat de voorkeur. Zo niet, zorg er dan voor dat je je afmeldt en jouw reclame-ID reset.
+
+### SafetyNet en Play Integrity API
+
+[SafetyNet](https://developer.android.com/training/safetynet/attestation) en de [Play Integrity API's](https://developer.android.com/google/play/integrity) worden over het algemeen gebruikt voor [bankapps](https://grapheneos.org/usage#banking-apps). Veel bank apps zullen prima werken in GrapheneOS met sandboxed Play services, maar sommige niet-financiële apps hebben hun eigen grove anti-tampering mechanismen die kunnen falen. GrapheneOS doorstaat de `basicIntegrity` check, maar niet de certificeringscheck `ctsProfileMatch`. Toestellen met Android 8 of later hebben hardware-attestondersteuning die niet kan worden omzeild zonder gelekte sleutels of ernstige kwetsbaarheden.
+
+Wat Google Wallet betreft, wij raden dit niet aan vanwege hun [privacybeleid](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), waarin staat dat je zich moet afmelden als je niet wilt dat jouw kredietwaardigheid en persoonlijke gegevens worden gedeeld met affiliate marketingdiensten.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/os/linux-overview.md b/i18n/nl/os/linux-overview.md
new file mode 100644
index 00000000..d9c50977
--- /dev/null
+++ b/i18n/nl/os/linux-overview.md
@@ -0,0 +1,143 @@
+---
+title: Linux Overzicht
+icon: simple/linux
+---
+
+Vaak wordt aangenomen dat [open-source](https://en.wikipedia.org/wiki/Open-source_software) software inherent veilig is omdat de broncode beschikbaar is. Er wordt verwacht dat er regelmatig communautaire verificatie plaatsvindt; dit is echter niet altijd [het geval](https://seirdy.one/posts/2022/02/02/floss-security/). Het hangt af van een aantal factoren, zoals de activiteit van het project, de ervaring van de ontwikkelaar, de striktheid waarmee [code wordt gereviewd](https://en.wikipedia.org/wiki/Code_review), en hoe vaak aandacht wordt besteed aan specifieke delen van de [codebase](https://en.wikipedia.org/wiki/Codebase) die misschien jarenlang onaangeroerd zijn gebleven.
+
+Op dit moment heeft desktop GNU/Linux enkele gebieden die beter zouden kunnen dan hun propriëtaire tegenhangers, bijv.:
+
+- Een geverifieerde opstartketen, in tegenstelling tot Apple's [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (met [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android's [Verified Boot](https://source.android.com/security/verifiedboot) of Microsoft Windows's [opstartproces](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) met [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm).
Deze voorzieningen en hardwaretechnologieën kunnen allemaal helpen om aanhoudende sabotage door malware of [evil maid attacks te voorkomen](https://en.wikipedia.org/wiki/Evil_Maid_attack)
+- Sterke sandboxing-oplossing zoals die welke te vinden is in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), en [Android](https://source.android.com/security/app-sandbox). Veelgebruikte Linux sandboxing oplossingen zoals [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) en [Firejail](https://firejail.wordpress.com/) hebben nog een lange weg te gaan
+- Sterke [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations)
+
+Ondanks deze nadelen zijn desktop GNU/Linux distributies geweldig als je dat wilt:
+
+- Vermijd telemetrie die vaak gepaard gaat met propriëtaire besturingssystemen
+- Handhaving van [softwarevrijheid](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms)
+- Hebben speciaal gebouwde systemen zoals [Whonix](https://www.whonix.org) of [Tails](https://tails.boum.org/)
+
+Op onze website wordt de term "Linux" doorgaans gebruikt om desktop GNU/Linux-distributies te beschrijven. Andere besturingssystemen die ook de Linux-kernel gebruiken, zoals ChromeOS, Android en Qubes OS, worden hier niet besproken.
+
+[Onze Linux-aanbevelingen :material-arrow-right-drop-circle:](../desktop.md ""){.md-button}
+
+## Uw distributie kiezen
+
+Niet alle Linux-distributies zijn gelijk geschapen. Hoewel onze Linux-aanbevelingspagina niet bedoeld is als een gezaghebbende bron over welke distributie je zou moeten gebruiken, zijn er een paar dingen die je in gedachten moet houden bij het kiezen van de distributie die je wilt gebruiken.
+
+### Vrijgave cyclus
+
+Wij raden je ten zeerste aan distributies te kiezen die dicht bij de stabiele upstream software releases blijven, vaak aangeduid als rolling release distributies. Dit komt omdat distributies met een bevroren releasecyclus vaak de pakketversies niet bijwerken en achterlopen op beveiligingsupdates.
+
+Voor bevroren distributies wordt van pakketbeheerders verwacht dat ze patches backporteren om kwetsbaarheden te verhelpen (Debian is zo'n [voorbeeld](https://www.debian.org/security/faq#handling)) in plaats van de software aan te passen aan de "volgende versie" die door de upstream-ontwikkelaar wordt uitgebracht. Sommige beveiligingsfixes [krijgen](https://arxiv.org/abs/2105.14565) helemaal geen [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (vooral minder populaire software) en komen daarom niet in de distributie met dit patchingmodel. Als gevolg daarvan worden kleine beveiligingsupdates soms uitgesteld tot de volgende grote release.
+
+Wij geloven niet dat het een goed idee is om pakketten tegen te houden en tussentijdse patches toe te passen, aangezien dit afwijkt van de manier waarop de ontwikkelaar de software bedoeld zou kunnen hebben. [Richard Brown](https://rootco.de/aboutme/) heeft hier een presentatie over:
+
+
+ +
+
+### Traditionele vs. Atomische updates
+
+Traditioneel worden Linux distributies bijgewerkt door sequentieel de gewenste pakketten bij te werken. Traditionele updates zoals die gebruikt worden in Fedora, Arch Linux, en Debian gebaseerde distributies kunnen minder betrouwbaar zijn als er een fout optreedt tijdens het updaten.
+
+Atomic updating distributies passen updates volledig of helemaal niet toe. Typisch zijn transactionele updatesystemen ook atomair.
+
+Een transactioneel updatesysteem creëert een momentopname die wordt gemaakt voor en na het toepassen van een update. Als een update op een bepaald moment mislukt (bijvoorbeeld door een stroomstoring), kan de update gemakkelijk worden teruggezet naar een "laatst bekende goede staat"
+
+De Atomic update methode wordt gebruikt voor immutable distributies zoals Silverblue, Tumbleweed, en NixOS en kan betrouwbaarheid bereiken met dit model. [Adam Šamalík](https://twitter.com/adsamalik) gaf een presentatie over hoe `rpm-ostree` werkt met Silverblue:
+
+
+ +
+
+### "Beveiligingsgerichte" distributies
+
+Er bestaat vaak enige verwarring over "op veiligheid gerichte" distributies en "pentesting"-distributies. Een snelle zoekactie naar "de veiligste Linux-distributie" levert vaak resultaten op als Kali Linux, Black Arch en Parrot OS. Deze distributies zijn offensieve penetratietestdistributies die hulpmiddelen bundelen voor het testen van andere systemen. Ze bevatten geen "extra beveiliging" of defensieve maatregelen voor normaal gebruik.
+
+### Arch-gebaseerde distributies
+
+Arch-gebaseerde distributies worden niet aanbevolen voor mensen die nieuw zijn met Linux, ongeacht de distributie. Arch heeft geen distributie update mechanisme voor de onderliggende software keuzes. Als gevolg daarvan moet je op de hoogte blijven van de huidige trends en technologieën overnemen naarmate deze oudere praktijken verdringen.
+
+Voor een veilig systeem wordt ook verwacht dat je voldoende Linux kennis hebt om de beveiliging van hun systeem goed in te stellen, zoals het aannemen van een [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) systeem, het opzetten van [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, het harden van boot parameters, het manipuleren van [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, en weten welke componenten ze nodig hebben zoals [Polkit](https://en.wikipedia.org/wiki/Polkit).
+
+Iedereen die gebruik maakt van de [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **moet zich** comfortabel voelen bij het auditen van PKGBUILDs die ze vanuit die service installeren. AUR-pakketten zijn door de gemeenschap geproduceerde inhoud en worden op geen enkele manier doorgelicht, en zijn daarom kwetsbaar voor aanvallen op de softwareketen, wat in het verleden inderdaad is gebeurd [](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/).
AUR moet altijd met mate worden gebruikt en vaak is er veel slecht advies op verschillende pagina's die mensen zonder voldoende waarschuwing opdragen om blindelings [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) te gebruiken. Vergelijkbare waarschuwingen gelden voor het gebruik van Personal Package Archives (PPA's) van derden op Debian gebaseerde distributies of Community Projects (COPR) op Fedora.
+
+Als je ervaring hebt met Linux en een Arch-gebaseerde distributie wilt gebruiken, raden wij alleen Arch Linux zelf aan, niet een van zijn afgeleiden. Wij raden deze twee Arch-derivaten specifiek af:
+
+- **Manjaro**: Deze distributie houdt pakketten 2 weken achter om er zeker van te zijn dat hun eigen veranderingen niet kapot gaan, niet om er zeker van te zijn dat upstream stabiel is. Wanneer AUR pakketten worden gebruikt, worden ze vaak gebouwd tegen de laatste [bibliotheken](https://en.wikipedia.org/wiki/Library_(computing)) uit Arch's repositories.
+- **Garuda**: Zij gebruiken [Chaotic-AUR](https://aur.chaotic.cx/) die automatisch en blindelings pakketten compileert uit de AUR. Er is geen verificatieproces om ervoor te zorgen dat de AUR-pakketten niet te lijden hebben van aanvallen op de toeleveringsketen.
+
+### Kicksecure
+
+Hoewel we sterk afraden om verouderde distributies zoals Debian te gebruiken, als je besluit om het te gebruiken, stellen we voor dat je [](https://www. kicksecure. com/wiki/Debian) omzet in [Kicksecure](https://www.kicksecure.com/). Kicksecure is, in oversimplistische termen, een verzameling scripts, configuraties en pakketten die het aanvalsoppervlak van Debian aanzienlijk verkleinen. Het dekt standaard een heleboel aanbevelingen voor privacy en hardening.
+
+### Linux-libre kernel en "Libre" distributies
+
+Wij raden **sterk af om** de Linux-libre kernel te gebruiken, aangezien [beveiligingsbeperkingen verwijdert](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) en [om ideologische redenen kernelwaarschuwingen](https://news.ycombinator.com/item?id=29674846) over kwetsbare microcode onderdrukt.
+
+## Algemene aanbevelingen
+
+### Schijfversleuteling
+
+De meeste Linux-distributies hebben een optie in het installatieprogramma om [LUKS](../encryption.md#linux-unified-key-setup) FDE in te schakelen. Als deze optie niet is ingesteld tijdens de installatie, zult je een back-up van jouw gegevens moeten maken en opnieuw moeten installeren, aangezien de versleuteling wordt toegepast na [schijfpartitionering](https://en.wikipedia.org/wiki/Disk_partitioning), maar voordat [bestandssystemen](https://en.wikipedia.org/wiki/File_system) worden geformatteerd. We raden je ook aan jouw opslagapparaat veilig te wissen:
+
+- [Veilig wissen van gegevens :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+
+### Wissel
+
+Overweeg het gebruik van [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) of [versleutelde swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) in plaats van onversleutelde swap om potentiële beveiligingsproblemen te vermijden met gevoelige gegevens die naar [swap space](https://en.wikipedia.org/wiki/Memory_paging)worden geduwd. Op Fedora gebaseerde distributies [gebruiken standaard ZRAM](https://fedoraproject.org/wiki/Changes/SwapOnZRAM).
+
+### Wayland
+
+We raden aan een desktopomgeving te gebruiken die het [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) weergaveprotocol ondersteunt, aangezien het ontwikkeld is met beveiliging [in gedachten](https://lwn.net/Articles/589147/).
Zijn voorganger, [X11](https://en.wikipedia.org/wiki/X_Window_System), ondersteunt geen GUI isolatie, waardoor alle vensters [scherm kunnen opnemen, loggen en invoer injecteren in andere vensters](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), waardoor elke poging tot sandboxing zinloos wordt. Hoewel er opties zijn om geneste X11 te doen, zoals [Xpra](https://en.wikipedia.org/wiki/Xpra) of [Xephyr](https://en.wikipedia.org/wiki/Xephyr), komen ze vaak met negatieve prestatiegevolgen en zijn ze niet handig op te zetten en hebben ze geen voorkeur boven Wayland.
+
+Gelukkig hebben veelgebruikte omgevingen zoals [GNOME](https://www.gnome.org), [KDE](https://kde.org), en de window manager [Sway](https://swaywm.org) ondersteuning voor Wayland. Sommige distributies zoals Fedora en Tumbleweed gebruiken het standaard, en sommige andere zullen dat misschien in de toekomst doen aangezien X11 in [harde onderhoudsmodus is](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). Als je een van deze omgevingen gebruikt is het zo eenvoudig als het selecteren van de "Wayland" sessie bij de desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
+
+Wij raden **aan tegen** door desktop omgevingen of window managers te gebruiken die geen Wayland ondersteuning hebben, zoals Cinnamon (standaard op Linux Mint), Pantheon (standaard op Elementary OS), MATE, Xfce, en i3.
+
+### Eigen firmware (Microcode Updates)
+
+Linux-distributies zoals die van [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) of DIY (Arch Linux) worden niet geleverd met de propriëtaire [microcode](https://en.wikipedia.org/wiki/Microcode) updates die vaak kwetsbaarheden patchen.
Enkele opmerkelijke voorbeelden van deze kwetsbaarheden zijn [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), en andere [hardwarekwetsbaarheden](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html).
+
+Wij **bevelen** ten zeerste aan dat je de microcode-updates installeert, aangezien jouw CPU al vanaf de fabriek op de eigen microcode draait. Fedora en openSUSE hebben beide standaard de microcode updates toegepast.
+
+### Updates
+
+De meeste Linux-distributies zullen automatisch updates installeren of u eraan herinneren om dat te doen. Het is belangrijk om jouw besturingssysteem up-to-date te houden, zodat jouw software wordt gepatcht wanneer een kwetsbaarheid wordt gevonden.
+
+Sommige distributies (vooral die gericht zijn op gevorderde gebruikers) zijn aan de kale kant en verwachten dat je dingen zelf doet (bijvoorbeeld Arch of Debian). Hiervoor moet de "pakketbeheerder" (`apt`, `pacman`, `dnf`, enz.) handmatig worden uitgevoerd om belangrijke beveiligingsupdates te ontvangen.
+
+Bovendien downloaden sommige distributies firmware-updates niet automatisch. Daarvoor moet je [`fwupd`](https://wiki.archlinux.org/title/Fwupd)installeren.
+
+## Privacy Tweaks
+
+### MAC-adres randomisatie
+
+Veel desktop Linux distributies (Fedora, openSUSE, enz.) worden geleverd met [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), om Ethernet en Wi-Fi instellingen te configureren.
+
+Het is mogelijk om [te randomiseren](https://fedoramagazine.org/randomize-mac-address-nm/) het [MAC adres](https://en.wikipedia.org/wiki/MAC_address) bij gebruik van NetworkManager.
Dit zorgt voor wat meer privacy op Wi-Fi-netwerken, omdat het moeilijker wordt specifieke apparaten op het netwerk waarmee u verbonden bent, te traceren. Het doet [**niet**](https://papers.mathyvanhoef.com/wisec2016.pdf) maakt je anoniem.
+
+Wij raden aan de instelling te wijzigen in **random** in plaats van **stable**, zoals voorgesteld in het [artikel](https://fedoramagazine.org/randomize-mac-address-nm/).
+
+Als je [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components)gebruikt, moet je [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) instellen, waardoor [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=)wordt ingeschakeld.
+
+Het heeft niet veel zin om het MAC-adres voor Ethernetverbindingen te randomiseren, aangezien een systeembeheerder je kan vinden door te kijken naar de poort die je gebruikt op de [netwerkswitch](https://en.wikipedia.org/wiki/Network_switch). Het willekeurig maken van Wi-Fi MAC-adressen hangt af van de ondersteuning door de firmware van de Wi-Fi.
+
+### Andere identificatiemiddelen
+
+Er zijn andere systeemidentifiers waar u misschien voorzichtig mee moet zijn. Je moet hier eens over nadenken om te zien of dit van toepassing is op jouw [dreigingsmodel](../basics/threat-modeling.md):
+
+- **Hostnamen:** De hostnaam van jouw systeem wordt gedeeld met de netwerken waarmee je verbinding maakt. Je kunt beter geen identificerende termen zoals jouw naam of besturingssysteem in jouw hostnaam opnemen, maar het bij algemene termen of willekeurige strings houden.
+- **Gebruikersnamen:** Ook jouw gebruikersnaam wordt op verschillende manieren in jouw systeem gebruikt. Gebruik liever algemene termen als "gebruiker" dan jouw eigenlijke naam.
+- **Machine ID:**: Tijdens de installatie wordt een unieke machine ID gegenereerd en opgeslagen op jouw toestel.
Overweeg [het in te stellen op een generieke ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### Systeemtelling + +Het Fedora Project [telt](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) hoeveel unieke systemen toegang hebben tot zijn spiegels door gebruik te maken van een [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variabele in plaats van een uniek ID. Fedora doet dit om de belasting te bepalen en waar nodig betere servers voor updates te voorzien. + +Deze [optie](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) staat momenteel standaard uit. We raden aan om `countme=false` toe te voegen aan `/etc/dnf/dnf.conf` voor het geval het in de toekomst wordt ingeschakeld. Op systemen die `rpm-ostree` gebruiken, zoals Silverblue, wordt de countme optie uitgeschakeld door de [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer te maskeren. + +openSUSE gebruikt ook een [unieke ID](https://en.opensuse.org/openSUSE:Statistics) om systemen te tellen, die kan worden uitgeschakeld door het bestand `/var/lib/zypp/AnonymousUniqueId` te verwijderen. + +--8<-- "includes/abbreviations.nl.txt" diff --git a/i18n/nl/os/qubes-overview.md b/i18n/nl/os/qubes-overview.md new file mode 100644 index 00000000..cbc30885 --- /dev/null +++ b/i18n/nl/os/qubes-overview.md 
@@ -0,0 +1,56 @@ +--- +title: "Qubes Overzicht" +icon: simple/qubesos +--- + +[**Qubes OS**](../desktop.md#qubes-os) is een besturingssysteem dat gebruik maakt van de [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor om sterke beveiliging te bieden voor desktop computing via geïsoleerde virtuele machines. Elke VM wordt een *Qube* genoemd en je kunt elke Qube een vertrouwensniveau toewijzen op basis van het doel ervan. Omdat Qubes OS beveiliging biedt door isolatie te gebruiken en alleen acties per geval toe te staan, is dit het tegenovergestelde van [slechtheids opsomming](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## Hoe werkt Qubes OS? + +Qubes gebruikt [compartimentering](https://www.qubes-os.org/intro/) om het systeem veilig te houden. Qubes worden aangemaakt op basis van sjablonen, waarbij de standaard opties Fedora, Debian en [Whonix](../desktop.md#whonix)zijn. Met Qubes OS kunt u ook [wegwerpbare](https://www.qubes-os.org/doc/how-to-use-disposables/) virtuele machines creëren. + +![Qubes architectuur](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architectuur, Krediet: Wat is Qubes OS Intro
+ +Elke Qube-applicatie heeft een [gekleurde rand](https://www.qubes-os.org/screenshots/) die je kan helpen bij het bijhouden van de virtuele machine waarin het draait. Je kunt bijvoorbeeld een specifieke kleur gebruiken voor jouw bankbrowser, en een andere kleur voor een algemene niet-vertrouwde browser. + +![Gekleurde rand](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes vensterranden, krediet: Qubes Screenshots
+ +## Waarom zou ik Qubes gebruiken? + +Qubes OS is nuttig als jouw [bedreigingsmodel](../basics/threat-modeling.md) een sterke compartimentering en beveiliging vereist, bijvoorbeeld als je denkt dat je onvertrouwde bestanden van onvertrouwde bronnen zult openen. Een typische reden om Qubes OS te gebruiken is het openen van documenten van onbekende bronnen. + +Qubes OS maakt gebruik van [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (dwz een "AdminVM") voor het besturen van andere gast-VM 's of Qubes op het host-besturingssysteem. Andere VM 's geven individuele toepassingsvensters weer binnen de desktopomgeving van Dom0. Hiermee kun je vensters een kleurcode geven op basis van vertrouwensniveaus en apps draaien die met elkaar kunnen communiceren met zeer fijnmazige controle. + +### Tekst kopiëren en plakken + +Je kunt [tekst kopiëren en plakken](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) met behulp van `qvm-copy-to-vm` of de onderstaande instructies: + +1. Druk op **Ctrl+C** om de VM waarin je je bevindt te vertellen dat je iets wilt kopiëren. +2. Druk op **Ctrl+Shift+C** om de VM te vertellen deze buffer beschikbaar te maken voor het algemene klembord. +3. Druk op **Ctrl+Shift+V** in de doel-VM om het globale klembord beschikbaar te maken. +4. Druk op **Ctrl+V** in de bestemmings-VM om de inhoud in de buffer te plakken. + +### Bestandsuitwisseling + +Om bestanden en mappen (mappen) van de ene VM naar de andere te kopiëren en te plakken, kunt je de optie **Kopiëren naar andere AppVM...** of **Verplaatsen naar andere AppVM...**gebruiken. Het verschil is dat de optie **Verplaatsen** het oorspronkelijke bestand verwijdert. Beide opties beschermen jouw klembord tegen uitlekken naar andere Qubes. Dit is veiliger dan bestandsoverdracht via air-gapped, omdat een air-gapped computer nog steeds gedwongen wordt partities of bestandssystemen te parseren. Dat is niet nodig met het inter-qube kopieersysteem. + +??? 
info "AppVM's of qubes hebben geen eigen bestandssystemen" + + Je kunt [bestanden kopiëren en verplaatsen](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) tussen Qubes. Daarbij worden de wijzigingen niet onmiddellijk aangebracht en kunnen ze bij een ongeval gemakkelijk ongedaan worden gemaakt. + +### Inter-VM Interacties + +Het [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is een kernonderdeel van Qubes dat communicatie tussen virtuele machines in domeinen mogelijk maakt. Het is gebouwd bovenop de Xen-bibliotheek *vchan*, die [isolatie vergemakkelijkt door middel van beleid](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Extra bronnen + +Voor aanvullende informatie raden wij je aan de uitgebreide Qubes OS documentatie pagina's te raadplegen op de [Qubes OS Website](https://www.qubes-os.org/doc/). Offline kopieën kunnen worden gedownload van het Qubes OS [documentatie archief](https://github.com/QubesOS/qubes-doc). + +- Open Technologie Fonds: [*Ongetwijfeld 's werelds veiligste besturingssysteem*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Softwarecompartimentering versus fysieke scheiding*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*De verdeling van mijn digitale leven in veiligheidsdomeinen*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Verwante artikelen*](https://www.qubes-os.org/news/categories/#articles) + +--8<-- "includes/abbreviations.nl.txt" diff --git a/i18n/nl/passwords.md b/i18n/nl/passwords.md new file mode 100644 index 00000000..2c5a94ce --- /dev/null +++ b/i18n/nl/passwords.md 
@@ -0,0 +1,230 @@ +--- +title: "Wachtwoord managers" +icon: material/form-textbox-password +--- + +Met wachtwoord Managers kunt je wachtwoorden en andere geheimen veilig opslaan en beheren met behulp van een hoofdwachtwoord. + +[Uitleg over wachtwoorden :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Ingebouwde wachtwoord managers in software zoals browsers en besturingssystemen zijn soms niet zo goed als speciale software voor wachtwoordbeheer. Het voordeel van een ingebouwde wachtwoord manager is een goede integratie met de software, maar het kan vaak erg eenvoudig zijn en mist privacy- en beveiligingsfuncties die aanbiedingen van derden wel hebben. + + De wachtwoord manager in Microsoft Edge biedt bijvoorbeeld helemaal geen E2EE. Google's wachtwoord manager heeft [optional](https://support.google.com/accounts/answer/11350823) E2EE, en [Apple's](https://support.apple.com/en-us/HT202303) biedt standaard E2EE. + +## Cloud-gebaseerd + +Deze wachtwoordbeheerders synchroniseren jouw wachtwoorden met een cloudserver voor gemakkelijke toegang vanaf al jouw apparaten en veiligheid tegen verlies van apparaten. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is een gratis en open-source wachtwoord manager. Het is gericht op het oplossen van problemen op het gebied van wachtwoordbeheer voor individuen, teams en bedrijfsorganisaties. Bitwarden is een van de makkelijkste en veiligste oplossingen om al jouw logins en wachtwoorden op te slaan terwijl ze gemakkelijk gesynchroniseerd blijven tussen al jouw apparaten. 
+ + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden beschikt ook over de tool genaamd [Bitwarden Send](https://bitwarden.com/products/send/), waarmee je veilig tekst en bestanden kunt delen met [end-to-end encryptie](https://bitwarden.com/help/send-encryption). Een [wachtwoord](https://bitwarden.com/help/send-privacy/#send-passwords) kan nodig zijn samen met de verzendlink. Bitwarden Send beschikt ook over [automatische verwijdering](https://bitwarden.com/help/send-lifespan). + +U hebt het [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) nodig om bestanden te kunnen delen. Het gratis plan staat alleen het delen van tekst toe. 
+ +De server-side code van Bitwarden is [open-source](https://github.com/bitwarden/server), dus als je de Bitwarden-cloud niet wilt gebruiken, kunt je gemakkelijk jouw eigen Bitwarden-synchronisatieserver hosten. + +**Vaultwarden** is een alternatieve implementatie van de sync-server van Bitwarden, geschreven in Rust en compatibel met de officiële Bitwarden-clients, perfect voor zelf-hosting waar het draaien van de officiële resource-heavy service misschien niet ideaal is. Als je Bitwarden zelf wilt hosten op jouw eigen server, wil je vrijwel zeker Vaultwarden gebruiken in plaats van de officiële servercode van Bitwarden. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentatie} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Broncode" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Bijdragen} + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is een wachtwoordmanager met een sterke focus op veiligheid en gebruiksgemak, waarmee je wachtwoorden, creditcards, softwarelicenties en andere gevoelige informatie kunt opslaan in een veilige digitale kluis. Uw kluis wordt gehost op de servers van 1Password voor een [maandelijkse vergoeding](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) op regelmatige basis en biedt uitzonderlijke klantenondersteuning. 1Password is closed source; de beveiliging van het product is echter grondig gedocumenteerd in hun [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). 
+ + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentatie} + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditioneel biedt **1Password** de beste wachtwoordmanager-gebruikerservaring voor mensen die macOS en iOS gebruiken; het ondersteunt nu echter alle functies op alle platforms. Het heeft veel functies die gericht zijn op gezinnen en minder technische mensen, maar ook geavanceerde functionaliteit. + +Uw 1Password-kluis is beveiligd met zowel jouw hoofdwachtwoord als een gerandomiseerde beveiligingssleutel van 34 tekens om jouw gegevens op hun servers te versleutelen. Deze beveiligingssleutel voegt een beschermingslaag toe aan jouw gegevens omdat jouw gegevens worden beveiligd met een hoge entropie, ongeacht jouw hoofdwachtwoord. Veel andere oplossingen voor wachtwoordbeheer zijn volledig afhankelijk van de sterkte van jouw hoofdwachtwoord om jouw gegevens te beveiligen. + +Een voordeel van 1Password ten opzichte van Bitwarden is de eersteklas ondersteuning voor native clients. Terwijl Bitwarden veel taken, vooral accountbeheerfuncties, naar hun webkluisinterface verwijst, maakt 1Password bijna elke functie beschikbaar binnen zijn native mobiele of desktop clients. De clients van 1Password hebben ook een meer intuïtieve UI, waardoor ze gemakkelijker te gebruiken en te navigeren zijn. + +### Psono + +!!! 
recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is een gratis en open-source wachtwoordmanager uit Duitsland, met een focus op wachtwoordbeheer voor teams. Psono ondersteunt het veilig delen van wachtwoorden, bestanden, bladwijzers en e-mails. Alle geheimen worden beschermd door een hoofdwachtwoord. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentatie} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono biedt uitgebreide documentatie voor hun product. De web-client voor Psono kunt je zelf hosten; als alternatief kunt je kiezen voor de volledige Community Edition of de Enterprise Edition met extra mogelijkheden. + +### Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +!!! 
example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +#### Minimale vereisten + +- Moet gebruik maken van sterke, op standaarden gebaseerde/moderne E2EE. +- Moet beschikken over grondig gedocumenteerde encryptie- en beveiligingspraktijken. +- Moet een gepubliceerde audit hebben van een gerenommeerde, onafhankelijke derde partij. +- Alle niet-essentiële telemetrie moet optioneel zijn. +- Mag niet meer PII verzamelen dan nodig is voor factureringsdoeleinden. + +#### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. + +- Telemetrie moet opt-in zijn (standaard uitgeschakeld) of helemaal niet worden verzameld. +- Moet open-source zijn en redelijk self-hostable. + +## Lokale opslag + +Met deze opties kunt je een versleutelde wachtwoorddatabase lokaal beheren. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is een community fork van KeePassX, een native cross-platform port van KeePass Password Safe, met als doel het uit te breiden en te verbeteren met nieuwe functies en bugfixes om een feature-rijke, cross-platform en moderne open-source password manager te bieden. 
+ + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Broncode" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC slaat zijn exportgegevens op als [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) bestanden. Dit kan gegevensverlies betekenen als je dit bestand importeert in een andere wachtwoordmanager. Wij adviseren je om elke registratie handmatig te controleren. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is een lichtgewicht wachtwoordmanager voor Android, waarmee versleutelde gegevens in een enkel bestand in KeePass-formaat kunnen worden bewerkt en de formulieren op een veilige manier kunnen worden ingevuld. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) maakt het mogelijk om cosmetische inhoud en niet-standaard protocolfuncties vrij te spelen, maar belangrijker nog, het helpt en stimuleert de ontwikkeling. 
+ + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Broncode" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Bijdrage leveren } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is een native, open-source wachtwoordmanager voor iOS en macOS. Strongbox ondersteunt zowel KeePass als Password Safe formaten en kan worden gebruikt in combinatie met andere wachtwoordmanagers, zoals KeePassXC, op niet-Apple platforms. Door gebruik te maken van een [freemium model](https://strongboxsafe.com/pricing/), biedt Strongbox de meeste functies aan in zijn gratis plan met meer op gemak gerichte [features](https://strongboxsafe.com/comparison/)-zoals biometrische authenticatie- vergrendeld achter een abonnement of eeuwigdurende licentie. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Broncode" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Bijdragen } + + ??? 
downloads "Downloaden" + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Bovendien wordt er een offline versie aangeboden: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). Deze versie is uitgekleed in een poging het aanvalsoppervlak te verkleinen. + +### Command-line + +Deze producten zijn minimale wachtwoordmanagers die kunnen worden gebruikt binnen scriptingtoepassingen. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is een wachtwoordmanager voor de commandoregel geschreven in Go. Het werkt op alle belangrijke desktop- en serverbesturingssystemen (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Broncode" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Bijdrage leveren } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +!!! 
example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Moet cross-platform zijn. + +--8<-- "includes/abbreviations.nl.txt" diff --git a/i18n/nl/productivity.md b/i18n/nl/productivity.md new file mode 100644 index 00000000..20f218f9 --- /dev/null +++ b/i18n/nl/productivity.md 
@@ -0,0 +1,156 @@
+---
+title: "Productiviteitshulpmiddelen"
+icon: material/file-sign
+---
+
+De meeste online office suites ondersteunen geen E2EE, wat betekent dat de cloud provider toegang heeft tot alles wat je doet. Het privacybeleid kan jouw rechten wettelijk beschermen, maar het voorziet niet in technische toegangsbeperkingen.
+
+## Samenwerkingsplatforms
+
+### Nextcloud
+
+!!! recommendation
+
+ ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right }
+
+ **Nextcloud** is een suite van gratis en open-source client-server software voor het creëren van jouw eigen bestandshosting diensten op een prive-server die jij controleert.
+
+ [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Broncode" }
+ [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Bijdragen }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!! danger "Gevaar"
+
+ Wij raden het gebruik van de [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) voor Nextcloud af, omdat dit kan leiden tot gegevensverlies; het is zeer experimenteel en niet van productiekwaliteit. Om deze reden bevelen wij geen Nextcloud-providers van derden aan.
+
+### CryptPad
+
+!!! recommendation
+
+ ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right }
+
+ **CryptPad** is een privé alternatief voor populaire office tools. Alle inhoud op deze webdienst is end-to-end versleutelden kan gemakkelijk met andere gebruikers worden gedeeld.
+
+ [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Broncode" }
+ [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Bijdragen }
+
+### Criteria
+
+**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is.
+
+!!! example "Deze sectie is nieuw"
+
+ We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering.
+
+In het algemeen definiëren wij samenwerkingsplatforms als volwaardige suites die redelijkerwijs als vervanging van samenwerkingsplatforms als Google Drive kunnen dienen.
+
+- Open source.
+- Maakt bestanden toegankelijk via WebDAV, tenzij dat onmogelijk is vanwege E2EE.
+- Heeft sync-clients voor Linux, macOS en Windows.
+- Ondersteunt het bewerken van documenten en spreadsheets.
+- Ondersteunt real-time samenwerking tussen documenten.
+- Ondersteunt het exporteren van documenten naar standaard documentformaten (bijv. ODF).
+
+#### Beste geval
+
+Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina.
+
+- Moet bestanden opslaan in een conventioneel bestandssysteem.
+- Moet TOTP of FIDO2 multi-factor authenticatie ondersteunen, of Passkey-logins.
+
+## Office Suites
+
+### LibreOffice
+
+!!! recommendation
+
+ ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right }
+
+ **LibreOffice** is een gratis en open-source kantoorpakket met uitgebreide functionaliteit.
+
+ [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Broncode" }
+ [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Bijdragen }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/)
+ - [:simple-apple: macOS](https://www.libreoffice.org/download/download/)
+ - [:simple-linux: Linux](https://www.libreoffice.org/download/download/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/)
+
+### OnlyOffice
+
+!!! recommendation
+
+ ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right }
+
+ **OnlyOffice** is een gratis en open-source kantoorpakket in de cloud met uitgebreide functionaliteit, inclusief integratie met Nextcloud.
+
+ [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacybeleid" }
+ [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Broncode" }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972)
+ - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/)
+
+### Criteria
+
+**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is.
+
+!!! example "Deze sectie is nieuw"
+
+ We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering.
+
+In het algemeen definiëren wij kantoorsuites als toepassingen die voor de meeste behoeften redelijkerwijs als vervanging van Microsoft Word kunnen dienen.
+
+- Moet cross-platform zijn.
+- Moet open-source software zijn.
+- Moet offline functioneren.
+- Moet het bewerken van documenten, spreadsheets en diavoorstellingen ondersteunen.
+- Moet bestanden exporteren naar standaard documentformaten.
+
+## Paste diensten
+
+### PrivateBin
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** is een minimalistische, open-source online pastebin waar de server geen kennis heeft van geplakte data. Gegevens worden in de browser versleuteld/ontsleuteld met 256-bit AES. Het is de verbeterde versie van ZeroBin. Er is een [lijst van instanties](https://privatebin.info/directory/).
+
+ [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Broncode" }
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/real-time-communication.md b/i18n/nl/real-time-communication.md
new file mode 100644
index 00000000..5e840077
--- /dev/null
+++ b/i18n/nl/real-time-communication.md
@@ -0,0 +1,195 @@
+---
+title: "Real-Time Communicatie"
+icon: material/chat-processing
+---
+
+Dit zijn onze aanbevelingen voor versleutelde real-time communicatie.
+
+[Soorten communicatienetwerken :material-arrow-right-drop-circle:](./advanced/communication-network-types.md)
+
+## Versleutelde Messengers
+
+Deze boodschappers zijn geweldig voor het beveiligen van jouw gevoelige communicatie.
+
+### Signal
+
+!!! recommendation
+
+ ![Signal logo](assets/img/messengers/signal.svg){ align=right }
+
+ **Signal** is een mobiele app ontwikkeld door Signal Messenger LLC. De app biedt instant messaging en spraak- en videobellen.
+
+ Alle communicatie is E2EE. Contactlijsten worden versleuteld met uw Signal PIN en de server heeft er geen toegang toe. Persoonlijke profielen worden ook versleuteld en alleen gedeeld met contacten waarmee je chat.
+
+ [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Broncode" }
+ [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Bijdragen }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669)
+ - [:simple-android: Android](https://signal.org/android/apk/)
+ - [:simple-windows11: Windows](https://signal.org/download/windows)
+ - [:simple-apple: macOS](https://signal.org/download/macos)
+ - [:simple-linux: Linux](https://signal.org/download/linux)
+
+Signaal ondersteunt [privégroepen](https://signal.org/blog/signal-private-group-system/). De server heeft geen gegevens van je groepslidmaatschappen, groepstitels, groepsafbeeldingen of groepsattributen. Signaal heeft minimale metadata wanneer [Verzegelde Afzender](https://signal.org/blog/sealed-sender/) is ingeschakeld. Het afzenderadres is versleuteld samen met de inhoud van het bericht, en alleen het adres van de ontvanger is zichtbaar voor de server. Verzegelde afzender is alleen ingeschakeld voor mensen in uw contactenlijst, maar kan ingeschakeld zijn voor alle ontvangers met een verhoogd risico om spam te ontvangen. Signaal vereist jouw telefoonnummer als persoonlijk identificatiemiddel.
+
+Het protocol was onafhankelijk [gecontroleerd](https://eprint.iacr.org/2016/1013.pdf) in 2016. De specificatie van het Signaal-protocol kan worden gevonden in hun [documentatie](https://signal.org/docs/).
+
+We hebben nog enkele extra tips over het configureren en verharden van jouw signaalinstallatie:
+
+[Signaalconfiguratie en Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+
+### SimpleX Chat
+
+!!! recommendation
+
+ ![Simplex logo](assets/img/messengers/simplex.svg){ align=right }
+
+ **SimpleX** Chat is een instant messenger die gedecentraliseerd is en niet afhankelijk is van unieke identifiers zoals telefoonnummers of gebruikersnamen. Berichten en bestanden die in privéruimten worden gedeeld (waarvoor een uitnodiging nodig is) zijn standaard E2EE, net als één-op-één spraak- en videogesprekken.
+
+ [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Broncode" }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084)
+ - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases)
+
+SimpleX Chat [werd gecontroleerd](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) door Trail Bits in oktober 2022.
+
+Momenteel biedt SimpleX Chat alleen een client voor Android en iOS. Basisfuncties voor groepschatten, direct messaging, bewerken van berichten en markdown worden ondersteund. E2EE audio- en video-oproepen worden ook ondersteund.
+
+Jouw gegevens kunnen worden geëxporteerd en geïmporteerd naar een ander apparaat, omdat er geen centrale servers zijn waar een back-up van wordt gemaakt.
+
+### Briar
+
+!!! recommendation
+
+ ![Briar logo](assets/img/messengers/briar.svg){ align=right }
+
+ **Briar** is een versleutelde instant messenger die [connects](https://briarproject.org/how-it-works/) gebruikt voor andere clients via het Tor Netwerk. Briar kan ook verbinding maken via Wi-Fi of Bluetooth wanneer hij in de buurt is. Briar's lokale mesh-modus kan nuttig zijn wanneer de beschikbaarheid van internet een probleem is.
+
+ [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Broncode" }
+ [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donatiemogelijkheden staan onderaan de homepage" } }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android)
+ - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/)
+ - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar)
+
+Om een contact toe te voegen aan Briar, moet je eerst beide elkaar toevoegen. Je kunt `briar://` links ruilen of de QR-code van een contactpersoon scannen als deze dichtbij zijn.
+
+De clientsoftware was onafhankelijk [gecontroleerd](https://briarproject.org/news/2017-beta-released-security-audit/), en het anonieme routing protocol maakt gebruik van het Tor netwerk dat ook is gecontroleerd.
+
+Briar heeft een volledig [gepubliceerde specificatie](https://code.briarproject.org/briar/briar-spec).
+
+Briar ondersteunt perfect forward secrecy door het gebruik van jet Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) en [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol.
+
+## Aanvullende opties
+
+!!! warning
+
+ Deze boodschappers hebben geen Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), en hoewel zij in bepaalde behoeften voorzien die onze vorige aanbevelingen niet hebben, bevelen wij ze niet aan voor langdurige of gevoelige communicatie. Elke compromittering van sleutels tussen ontvangers van berichten zou de vertrouwelijkheid van **alle** eerdere communicaties aantasten.
+
+### Element
+
+!!! recommendation
+
+ ![Element logo](assets/img/messengers/element.svg){ align=right }
+
+ **Element** is de referentieclient voor het [Matrix](https://matrix.org/docs/guides/introduction) protocol, een [open standaard](https://matrix.org/docs/spec) voor veilige gedecentraliseerde real-time communicatie.
+
+ Berichten en bestanden die in privéruimten worden gedeeld (waarvoor een uitnodiging nodig is) zijn standaard E2EE, net als één-op-één spraak- en videogesprekken.
+
+ [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://element.io/help){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Broncode" }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067)
+ - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases)
+ - [:simple-windows11: Windows](https://element.io/get-started)
+ - [:simple-apple: macOS](https://element.io/get-started)
+ - [:simple-linux: Linux](https://element.io/get-started)
+ - [:octicons-globe-16: Web](https://app.element.io)
+
+Profielfoto's, reacties en bijnamen zijn niet versleuteld.
+
+Groepsgesprekken voor spraak en video zijn [niet](https://github.com/vector-im/element-web/issues/12878) E2EE, en gebruiken Jitsi, maar dit zal naar verwachting veranderen met [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Groepsgesprekken hebben [momenteel geen authenticatie](https://github.com/vector-im/element-web/issues/13074), wat betekent dat ook deelnemers van buiten de zaal aan de gesprekken kunnen deelnemen. Wij raden je aan deze functie niet te gebruiken voor privévergaderingen.
+
+Het Matrix-protocol zelf [ondersteunt in theorie PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), maar dit wordt [momenteel niet ondersteund in Element](https://github.com/vector-im/element-web/issues/7101) omdat het sommige aspecten van de gebruikerservaring, zoals sleutelback-ups en gedeelde berichtgeschiedenis, hierdoor niet naar behoren functioneerd.
+
+Het protocol is in 2016 onafhankelijk [gecontroleerd](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last). De specificatie van het Matrix-protocol is te vinden in hun [documentatie](https://spec.matrix.org/latest/). De [Olm](https://matrix.org/docs/projects/other/olm) cryptografische ratel die door Matrix wordt gebruikt, is een implementatie van het [Double Ratchet-algoritme van Signal](https://signal.org/docs/specifications/doubleratchet/).
+
+### Session
+
+!!! recommendation
+
+ ![Session logo](assets/img/messengers/session.svg){ align=right }
+
+ **Session** is een gedecentraliseerde messenger met een focus op private, veilige en anonieme communicatie. Session biedt ondersteuning voor directe berichten, groepschats en spraakoproepen.
+
+ Session maakt gebruik van het gedecentraliseerde [Oxen Service Node Network](https://oxen.io/) om berichten op te slaan en te routeren. Elk versleuteld bericht wordt door drie knooppunten in het Oxen Service Node Network geleid, waardoor het voor de knooppunten vrijwel onmogelijk wordt zinvolle informatie te verzamelen over degenen die het netwerk gebruiken.
+
+ [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacybeleid" }
+ [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Broncode" }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868)
+ - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases)
+ - [:simple-windows11: Windows](https://getsession.org/download)
+ - [:simple-apple: macOS](https://getsession.org/download)
+ - [:simple-linux: Linux](https://getsession.org/download)
+
+Session maakt E2EE mogelijk in één-op-één chats of gesloten groepen met maximaal 100 leden. Open groepen hebben geen beperking wat het aantal leden betreft, maar zijn open van opzet.
+
+Session ondersteunt [geen](https://getsession.org/blog/session-protocol-technical-information) perfect forward secrecy, waarbij een encryptiesysteem de sleutels die het gebruikt om informatie te versleutelen en te ontsleutelen, automatisch en frequent wijzigt, zodat, indien de laatste sleutel wordt gecompromitteerd, een kleiner deel van de gevoelige informatie wordt blootgelegd.
+
+Oxen heeft een onafhankelijke audit aangevraagd voor Session in maart 2020. De audit [concludeerde](https://getsession.org/session-code-audit) in april van 2021: "Het algemene beveiligingsniveau van deze applicatie is goed en maakt het bruikbaar voor mensen die zich zorgen maken over privacy."
+
+Session heeft een [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) die de techniek van de app en het protocol beschrijft.
+
+## Criteria
+
+**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is.
+
+!!! example "Deze sectie is nieuw"
+
+ We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering.
+
+- Moet open-source clients hebben.
+- Moet standaard E2EE gebruiken voor privé-berichten.
+- Moet E2EE ondersteunen voor alle berichten.
+- Moet onafhankelijk gecontroleerd zijn.
+
+### Beste geval
+
+Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina.
+
+- Moet Perfect Forward Secrecy hebben.
+- Moet open-source servers hebben.
+- Moet gedecentraliseerd zijn, d.w.z. gefedereerd of P2P.
+- Moet standaard E2EE gebruiken voor privé-berichten.
+- Moet Linux, macOS, Windows, Android en iOS ondersteunen.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/router.md b/i18n/nl/router.md
new file mode 100644
index 00000000..ffa3eddb
--- /dev/null
+++ b/i18n/nl/router.md
@@ -0,0 +1,51 @@
+---
+title: "Router Firmware"
+icon: material/router-wireless
+---
+
+Hieronder staan een paar alternatieve besturingssystemen, die gebruikt kunnen worden op routers, Wi-Fi access points, enz.
+
+## OpenWrt
+
+!!! recommendation
+
+ ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right }
+ ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right }
+
+ **OpenWrt** is een op Linux gebaseerd besturingssysteem; het wordt voornamelijk gebruikt op embedded apparaten om netwerkverkeer te routeren. De belangrijkste onderdelen zijn de Linux kernel, util-linux, uClibc, en BusyBox. Alle componenten zijn geoptimaliseerd voor afmetingen, zodat ze klein genoeg zijn om in de beperkte opslagruimte en het beperkte geheugen van thuisrouters te passen.
+
+ [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Broncode" }
+ [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Bijdragen}
+
+Je kunt OpenWrt's [tabel van hardware](https://openwrt.org/toh/start) raadplegen om te controleren of jouw toestel ondersteund wordt.
+
+## OPNsense
+
+!!! recommendation
+
+ ![OPNsense logo](assets/img/router/opnsense.svg){ align=right }
+
+ **OPNsense** is een open source, op FreeBSD gebaseerde firewall en routing platform dat veel geavanceerde functies bevat zoals traffic shaping, load balancing en VPN mogelijkheden, met nog veel meer functies beschikbaar in de vorm van plugins. OPNsense wordt gewoonlijk ingezet als perimeter firewall, router, draadloos toegangspunt, DHCP server, DNS server en VPN eindpunt.
+
+ [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Broncode" }
+ [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Bijdrage leveren }
+
+OPNsense werd oorspronkelijk ontwikkeld als een fork van [pfSense](https://en.wikipedia.org/wiki/PfSense), en beide projecten staan bekend als vrije en betrouwbare firewall-distributies die mogelijkheden bieden die vaak alleen in dure commerciële firewalls te vinden zijn. De ontwikkelaars van OPNsense [, gelanceerd in 2015, noemden](https://docs.opnsense.org/history/thefork.html) een aantal beveiligings- en code-kwaliteitsproblemen met pfSense die volgens hen een fork van het project noodzakelijk maakten, evenals zorgen over de meerderheidsovername van pfSense door Netgate en de toekomstige richting van het pfSense-project.
+
+## Criteria
+
+**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is.
+
+!!! example "Deze sectie is nieuw"
+
+ We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering.
+
+- Moet open source zijn.
+- Moet regelmatig updates ontvangen.
+- Moet een grote verscheidenheid aan hardware ondersteunen.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/search-engines.md b/i18n/nl/search-engines.md
new file mode 100644
index 00000000..4de94b18
--- /dev/null
+++ b/i18n/nl/search-engines.md
@@ -0,0 +1,109 @@ +--- +title: "Zoekmachines" +icon: material/search-web +--- + +Gebruik een zoekmachine die geen advertentieprofiel opbouwt op basis van jouw zoekopdrachten. + +De aanbevelingen hier zijn gebaseerd op de verdiensten van het privacybeleid van elke dienst. Er is **geen garantie** dat dit privacybeleid wordt nageleefd. + +Overweeg het gebruik van een [VPN](vpn.md) of [Tor](https://www.torproject.org/) als jouw dreigingsmodel vereist dat je jouw IP-adres verbergt voor de zoekprovider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is ontwikkeld door Brave en levert voornamelijk resultaten van zijn eigen, onafhankelijke index. De index is geoptimaliseerd voor Google Search en kan daarom contextueel nauwkeurigere resultaten bieden dan andere alternatieven. + + Brave Search bevat unieke functies zoals Discussies, die resultaten accentueert die gericht zijn op conversatie, zoals forumberichten. + + Wij raden je aan [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) uit te schakelen, aangezien deze standaard is ingeschakeld en kan worden uitgeschakeld in de instellingen. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentatie} + +Brave Search is gevestigd in de Verenigde Staten. In hun [privacybeleid](https://search.brave.com/help/privacy-policy) staat dat zij geaggregeerde gebruiksgegevens verzamelen, waaronder het besturingssysteem en de gebruikte browser, maar dat geen persoonlijk identificeerbare informatie wordt verzameld. IP-adressen worden tijdelijk verwerkt, maar niet bewaard. 
+ +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is een van de meer mainstream privé zoekmachine opties. Opmerkelijke DuckDuckGo-zoekfuncties zijn [bangs](https://duckduckgo.com/bang) en vele [instant antwoorden](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). De zoekmachine maakt gebruik van een commerciële Bing API voor de meeste resultaten, maar gebruikt ook talrijke [andere bronnen](https://help.duckduckgo.com/results/sources/) voor directe antwoorden en andere niet-primaire resultaten. + + DuckDuckGo is de standaard zoekmachine voor de Tor Browser en is één van de weinige beschikbare opties op Apple's Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentatie} + +DuckDuckGo is gevestigd in de Verenigde Staten. In hun [privacybeleid](https://duckduckgo.com/privacy) staat dat zij **wel** jouw zoekopdrachten registreren voor productverbetering, maar niet jouw IP-adres of enige andere persoonlijk identificeerbare informatie. + +DuckDuckGo biedt twee [andere versies](https://help.duckduckgo.com/features/non-javascript/) van hun zoekmachine, die beide geen JavaScript vereisen. Deze versies missen echter functies. Deze versies kunnen ook worden gebruikt in combinatie met hun [Tor onion adres](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) door [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) of [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) toe te voegen voor de respectieve versie. 
+ +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is een open-source, zelf-hostbare, metasearch engine, die de resultaten van andere zoekmachines aggregeert, maar zelf geen informatie opslaat. Het is een actief onderhouden vork van [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Broncode" } + +SearXNG is een proxy tussen jij en de zoekmachines waarvan het aggregeert. Jouw zoekopdrachten zullen nog steeds worden verzonden naar de zoekmachines waar SearXNG zijn resultaten van krijgt. + +Bij zelf-hosting is het belangrijk dat er ook andere mensen gebruik maken van jouw instantie, zodat je op kunt gaan in de menigte. Je moet voorzichtig zijn met waar en hoe je SearXNG host, omdat mensen die illegale inhoud op jouw instantie opzoeken, ongewenste aandacht van de autoriteiten kunnen trekken. + +Wanneer je een SearXNG-instantie gebruikt, moet je zeker hun privacybeleid lezen. Aangezien SearXNG-instanties door hun eigenaars kunnen worden gewijzigd, weerspiegelen zij niet noodzakelijk hun privacybeleid. Sommige instanties draaien als een verborgen Tor-service, die enige privacy kan bieden zolang jouw zoekopdrachten geen PII bevatten. + +## Startpage + +!!! recommendation + + ![Startpage-logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage-logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is een private zoekmachine die bekend staat om haar Google zoekresultaten. 
Eén van Startpage's unieke eigenschappen is de [Anonymous View](https://www.startpage.com/en/anonymous-view/), die inspanningen levert om gebruikersactiviteit te standaardiseren zodat het moeilijker is om uniek geïdentificeerd te worden. De functie kan nuttig zijn voor het verbergen van [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) netwerk- en browsereigenschappen. In tegenstelling tot wat de naam suggereert, mag deze functie niet worden gebruikt voor anonimiteit. Als u op zoek bent naar anonimiteit, gebruik dan de [Tor Browser](tor.md#tor-browser). + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentatie} + +!!! warning + + Startpage beperkt regelmatig de toegang tot de dienst tot bepaalde IP adressen, zoals IPs gereserveerd voor VPNs of Tor. [DuckDuckGo](#duckduckgo) en [Brave Search](#brave-search) zijn vriendelijker opties als jouw dreigingsmodel vereist dat je jouw IP-adres verbergt voor de zoekprovider. + +Startpage is gevestigd in Nederland. Volgens hun [privacybeleid](https://www.startpage.com/en/privacy-policy/)loggen zij gegevens zoals: besturingssysteem, type browser, en taal. Zij slaan jouw IP-adres, zoekopdrachten of andere persoonlijk identificeerbare informatie niet op. + +Startpage's meerderheidsaandeelhouder is System1, een adtech bedrijf. Wij denken niet dat dit een probleem is, aangezien zij een duidelijk gescheiden [privacybeleid hebben](https://system1.com/terms/privacy-policy). 
Het Privacy Guides team heeft contact opgenomen met Startpage [in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) om eventuele zorgen weg te nemen over System1's aanzienlijke investering in de dienst. We waren tevreden met de antwoorden die we kregen. + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +### Minimale vereisten + +- Mag geen persoonlijk identificeerbare informatie verzamelen volgens hun privacybeleid. +- Mag niet toestaan dat gebruikers bij hen een account aanmaken. + +### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. + +- Moet gebaseerd zijn op open-source software. +- Mag geen Tor exit node IP adressen blokkeren. + +--8<-- "includes/abbreviations.nl.txt" diff --git a/i18n/nl/tools.md b/i18n/nl/tools.md new file mode 100644 index 00000000..60b81393 
--- /dev/null +++ b/i18n/nl/tools.md @@ -0,0 +1,443 @@ +--- +title: "Privacy Hulpmiddelen" +icon: material/tools +hide: + - toc +--- + +Als je op zoek bent naar een specifieke oplossing voor iets, dan zijn dit de hardware en software tools die wij aanbevelen in verschillende categorieën. Onze aanbevolen privacytools zijn in de eerste plaats gekozen op basis van beveiligingskenmerken, met extra nadruk op gedecentraliseerde en open-source tools. Ze zijn van toepassing op een verscheidenheid aan dreigingsmodellen, variërend van bescherming tegen wereldwijde massasurveillanceprogramma's en het vermijden van grote technologiebedrijven tot het beperken van aanvallen, maar alleen jij kunt bepalen wat het beste werkt voor jouw behoeften. + +Als je hulp wilt bij het uitzoeken van de beste privacytools en alternatieve programma's voor jouw behoeften, start dan een discussie op ons [forum](https://discuss.privacyguides.net/) of onze [Matrix](https://matrix.to/#/#privacyguides:matrix.org) gemeenschap! + +Voor meer details over elk project, waarom ze werden gekozen, en extra tips of trucs die we aanbevelen, klik op de "Meer informatie"-link in elke sectie, of klik op de aanbeveling zelf om naar die specifieke sectie van de pagina te gaan. + +## Tor Netwerk + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake verhoogt de privacy niet, maar stelt je wel in staat om eenvoudig bij te dragen aan het Tor-netwerk en mensen in gecensureerde netwerken te helpen betere privacy te bereiken. + +[Meer informatie :material-arrow-right-drop-circle:](tor.md) + +## Desktop webbrowsers + +
+ +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave llogo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Extra bronnen + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobiele webbrowsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Extra bronnen + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard voor iOS](mobile-browsers.md#adguard) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Besturingssystemen + +### Mobiel + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Werkprofielen)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Ondersteunde apparaten)](android.md#auditor) +- ![Beveiligde camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Beveiligde camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Beveiligde camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](router.md) + +## Dienstverleners + +### Cloud opslag + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +Wij [bevelen](dns.md#recommended-providers) een aantal versleutelde DNS servers aan op basis van verschillende criteria, zoals [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) en [Quad9](https://quad9.net/) onder andere. Wij raden je aan onze pagina's over DNS te lezen voordat je een provider kiest. In veel gevallen wordt het gebruik van een alternatieve DNS-provider niet aanbevolen. + +[Meer informatie :material-arrow-right-drop-circle:](dns.md) + +#### Versleutelde DNS-proxy + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Zelf gehoste oplossingen + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](email.md) + +#### E-mail aliasing diensten + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Onze criteria + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Zoekmachines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPN's zorgen niet voor anonimiteit" + + Het gebruik van een VPN houdt jouw surfgedrag niet anoniem, noch voegt het extra beveiliging toe aan niet-beveiligd (HTTP) verkeer. + + Als je op zoek bent naar **anonimiteit**, kunt je beter de Tor Browser **in plaats** van een VPN gebruiken. + + Als je op zoek bent naar extra **veiligheid**, moet je er altijd voor zorgen dat je verbinding maakt met websites via HTTPS. Een VPN is geen vervanging voor goede beveiligingspraktijken. + + [Meer informatie :material-arrow-right-drop-circle::](vpn.md) + +
+ +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Kalendersynchronisatie + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](calendar.md) + +### Redactie van gegevens en metagegevens + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](data-redaction.md) + +### Email clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](email-clients.md) + +### Encryptie Software + +??? info "Schijfversleuteling besturingssysteem" + + Om de schijf van jouw besturingssysteem te versleutelen, raden wij je aan de versleutelingstool te gebruiken die jouw besturingssysteem biedt, of dat nu **BitLocker** in Windows, **FileVault** in macOS of **LUKS** in Linux is. Deze tools worden meegeleverd met het besturingssysteem en maken doorgaans gebruik van hardware-encryptie-elementen zoals een TPM, die andere software voor volledige schijfversleuteling, zoals VeraCrypt, niet gebruiken. VeraCrypt is nog steeds geschikt voor schijven die niet op een besturingssysteem werken, zoals externe schijven, vooral schijven die vanuit meerdere besturingssystemen kunnen worden benaderd. + + [Meer informatie :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP-clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### Bestanden delen en synchroniseren + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](frontends.md) + +### Multi-factor authenticatie Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### Nieuws Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![Gnome Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [Gnome Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![logo Newsboat](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notitieboekjes + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](notebooks.md) + +### Wachtwoord managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](passwords.md) + +### Productiviteitshulpmiddelen + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communicatie + +
+
+- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal)
+- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar)
+- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat)
+- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element)
+- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session)
+
+
+
+[Meer informatie :material-arrow-right-drop-circle:](real-time-communication.md)
+
+### Video Streaming Apps
+
+
+
+- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry)
+
+
+
+[Meer informatie :material-arrow-right-drop-circle:](video-streaming.md)
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/tor.md b/i18n/nl/tor.md
new file mode 100644
index 00000000..14116883
--- /dev/null
+++ b/i18n/nl/tor.md
@@ -0,0 +1,122 @@
+---
+title: "Tor Netwerk"
+icon: simple/torproject
+---
+
+![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right }
+
+Het **Tor** netwerk is een groep vrijwilligersservers waarmee je gratis verbinding kunt maken en je privacy en veiligheid op het internet kunt verbeteren. Individuen en organisaties kunnen ook informatie delen via het Tor-netwerk met ".onion hidden services" zonder hun privacy in gevaar te brengen. Omdat Tor-verkeer moeilijk te blokkeren en te traceren is, is Tor een effectief middel om censuur te omzeilen.
+
+[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage }
+[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+[:octicons-info-16:](https://tb-manual.torproject.org/){ [:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Broncode" } } [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Bijdragen }
+
+Tor werkt door je internetverkeer om te leiden via deze door vrijwilligers beheerde servers, in plaats van een directe verbinding te maken met de site die je probeert te bezoeken. Dit versluiert waar het verkeer vandaan komt, en geen enkele server in het verbindingspad kan het volledige pad zien van waar het verkeer vandaan komt en naartoe gaat, wat betekent dat zelfs de servers die je gebruikt om verbinding te maken jouw anonimiteit niet kunnen doorbreken.
+
+
+ Tor path](assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+
Tor circuit pathway - Knooppunten in het pad kunnen alleen de servers zien waarmee ze direct verbonden zijn, bijvoorbeeld het getoonde "Entry" knooppunt kan je IP adres zien, en het adres van het "Middle" knooppunt, maar kan niet zien welke website je bezoekt.
+
+
+- [Meer informatie over hoe Tor werkt :material-arrow-right-drop-circle:](advanced/tor-overview.md)
+
+## Verbinding maken met Tor
+
+Er zijn verschillende manieren om verbinding te maken met het Tor-netwerk vanaf je apparaat. De meest gebruikte is de **Tor Browser**, een fork van Firefox ontworpen voor anoniem browsen voor desktop computers en Android. Naast de onderstaande apps zijn er ook besturingssystemen die speciaal zijn ontworpen om verbinding te maken met het Tor-netwerk, zoals [Whonix](desktop.md#whonix) op [Qubes OS](desktop.md#qubes-os), die nog meer veiligheid en bescherming bieden dan de standaard Tor Browser.
+
+### Tor Browser
+
+!!! recommendation
+
+ ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right }
+
+ **Tor Browser** is de keuze als je anonimiteit nodig hebt, omdat het je toegang geeft tot het Tor netwerk en bruggen, en het bevat standaard instellingen en extensies die automatisch geconfigureerd worden door de standaard beveiligingsniveaus: *Standard*, *Safer* en *Safest*.
+
+ [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentatie }
+ [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Broncode" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Bijdragen }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
+ - [:simple-android: Android](https://www.torproject.org/download/#android)
+ - [:simple-windows11: Windows](https://www.torproject.org/download/)
+ - [:simple-apple: macOS](https://www.torproject.org/download/)
+ - [:simple-linux: Linux](https://www.torproject.org/download/)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor)
+
+!!! danger "Gevaar"
+
+ Je moet **nooit** extra extensies installeren op Tor Browser of `about:config` instellingen bewerken, inclusief de extensies die we voorstellen voor Firefox. Browserextensies en niet-standaardinstellingen zorgen ervoor dat je je onderscheidt van anderen op het Tor-netwerk, waardoor je browser gemakkelijker te vinden is op [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
+
+De Tor Browser is ontworpen om fingerprinting, of het identificeren van jou op basis van je browserconfiguratie, te voorkomen. **Daarom is het absoluut noodzakelijk dat je** de browser niet wijzigt buiten de standaard [beveiligingsniveaus](https://tb-manual.torproject.org/security-settings/).
+
+### Orbot
+
+!!! recommendation
+
+ ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right }
+
+ **Orbot** is een gratis Tor VPN voor smartphones die het verkeer van elke app op je toestel door het Tor-netwerk leidt.
+
+ [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://orbot.app/code){ .card-link title="Broncode" }
+ [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Bijdragen }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599)
+ - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases)
+
+Om weerstand te bieden tegen verkeersanalyse aanvallen, kunt je overwegen om *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity** in te schakelen. Dit zal voor elk domein waarmee je verbinding maakt een volledig ander Tor Circuit (verschillende middle nodes en exit nodes) gebruiken.
+
+!!! tip "Tips voor Android"
+
+ Orbot kan individuele apps proxyen als ze SOCKS of HTTP proxying ondersteunen. Het kan ook al uw netwerkverbindingen proxyen met behulp van [VpnService](https://developer.android.com/reference/android/net/VpnService) en kan worden gebruikt met de VPN killswitch in :gear: **Instellingen** → **Netwerk & internet** → **VPN** → :gear: → **Blokkeer verbindingen zonder VPN**.
+
+ Orbot is vaak verouderd op de [F-Droid repository](https://guardianproject.info/fdroid) en [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) van het Guardian Project, dus overweeg in plaats daarvan direct te downloaden van de [GitHub repository](https://github.com/guardianproject/orbot/releases).
+
+ Alle versies zijn ondertekend met dezelfde handtekening, zodat ze onderling compatibel zouden moeten zijn.
+
+## Relays and Bridges
+
+### Snowflake
+
+!!! recommendation
+
+ ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right }
+ ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right }
+
+ **Met Snowflake** kun je bandbreedte doneren aan het Tor Project door een "Snowflake proxy" in je browser te gebruiken.
+
+ Mensen die gecensureerd worden kunnen Snowflake proxies gebruiken om verbinding te maken met het Tor-netwerk. Snowflake is een geweldige manier om bij te dragen aan het netwerk, zelfs als je niet de technische know-how hebt om een Tor relay of bridge te runnen.
+
+ [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Broncode" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Documentatie}
+
+ ??? downloads "Downloaden"
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie)
+ - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Laat deze pagina open om een Snowflake proxy te zijn")
+
+??? tip "Embedded Snowflake"
+
+ Je kunt Snowflake in jouw browser inschakelen door op de schakelaar hieronder te klikken en ==deze pagina open laten==. Je kunt Snowflake ook installeren als een browserextensie om het altijd te laten draaien terwijl jouw browser open is, maar het toevoegen van extensies van derden kan uw aanvalsoppervlak vergroten.
+
+
+ Als de embed niet voor je verschijnt, zorg er dan voor dat je het frame van derden van `torproject.org` niet blokkeert. Of bezoek [deze pagina](https://snowflake.torproject.org/embed.html).
+
+Snowflake verhoogt jouw privacy op geen enkele manier, en wordt ook niet gebruikt om verbinding te maken met het Tor-netwerk binnen jouw persoonlijke browser. Als jouw internetverbinding echter ongecensureerd is, zou je moeten overwegen het te gebruiken om mensen in gecensureerde netwerken te helpen zelf betere privacy te krijgen. Je hoeft je geen zorgen te maken over welke websites mensen via je proxy bezoeken- hun zichtbare surf IP adres zal overeenkomen met hun Tor exit node, niet met die van jou.
+
+Het runnen van een Snowflake proxy is weinig riskant, zelfs meer dan het runnen van een Tor relay of bridge, wat al geen bijzonder riskante onderneming is. Het stuurt echter nog steeds verkeer door jouw netwerk, wat in sommige opzichten gevolgen kan hebben, vooral als jouw netwerk een beperkte bandbreedte heeft. Zorg ervoor dat je [begrijpt hoe Snowflake werkt](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) voordat je beslist of je een proxy wilt gebruiken.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/video-streaming.md b/i18n/nl/video-streaming.md
new file mode 100644
index 00000000..04a1663c
--- /dev/null
+++ b/i18n/nl/video-streaming.md
@@ -0,0 +1,52 @@
+---
+title: "Videostreaming"
+icon: material/video-wireless
+---
+
+Het grootste gevaar bij het gebruik van een videostreamingplatform is dat uw streaminggewoonten en abonneelijsten kunnen worden gebruikt om u te profileren. Je zou deze tools moeten combineren met een [VPN](vpn.md) of [Tor](https://www.torproject.org/) om het moeilijker te maken je gebruik te profileren.
+
+## Cliënten
+
+!!! recommendation
+
+ ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right }
+
+ **Het LBRY netwerk** is een gedecentraliseerd video-sharing netwerk. Het gebruikt een [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-achtig netwerk om de video-inhoud op te slaan, en een [blockchain](https://wikipedia.org/wiki/Blockchain) om de indexen voor die video's op te slaan. Het belangrijkste voordeel van dit ontwerp is de censuurbestendigheid.
+
+ **De LBRY desktop client** helpt je bij het streamen van video's van het LBRY netwerk en slaat jouw abonnementenlijst op in jouw eigen LBRY portemonnee.
+
+ [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacybeleid" }
+ [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Broncode" }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-windows11: Windows](https://lbry.com/windows)
+ - [:simple-apple: macOS](https://lbry.com/osx)
+ - [:simple-linux: Linux](https://lbry.com/linux)
+
+!!! note
+
+ Alleen de **LBRY desktop client** wordt aanbevolen, aangezien de [Odysee](https://odysee.com) website en de LBRY clients in F-Droid, Play Store, en de App Store verplichte synchronisatie en telemetrie hebben.
+
+!!! warning
+
+ Tijdens het bekijken en hosten van video's is jouw IP-adres zichtbaar voor het LBRY-netwerk. Overweeg het gebruik van een [VPN](vpn.md) of [Tor](https://www.torproject.org) als jouw [bedreigingsmodel](basics/threat-modeling.md) het verbergen van jouw IP-adres vereist.
+
+Wij adviseren **tegen** het synchroniseren van jouw portemonnee met LBRY Inc., omdat het synchroniseren van versleutelde portemonnees nog niet wordt ondersteund. Als je je portemonnee synchroniseert met LBRY Inc., moet je erop vertrouwen dat ze niet in je abonnementenlijst kijken, [LBC](https://lbry.com/faq/earn-credits) fondsen, of de controle over je kanaal overnemen.
+
+Je kunt de optie *Hostinggegevens opslaan om het LBRY-netwerk te helpen* uitschakelen in :gear: **Instellingen** → **Geavanceerde instellingen**, om te voorkomen dat jouw IP-adres en bekeken video's worden blootgesteld wanneer je LBRY langere tijd gebruikt.
+
+## Criteria
+
+**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is.
+
+!!! example "Deze sectie is nieuw"
+
+ We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering.
+
+- Mag geen gecentraliseerde account vereisen om video's te bekijken.
+ - Gedecentraliseerde authenticatie, bijvoorbeeld via de privésleutel van een mobiele portemonnee, is aanvaardbaar.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/nl/vpn.md b/i18n/nl/vpn.md
new file mode 100644
index 00000000..92674839
--- /dev/null
+++ b/i18n/nl/vpn.md
@@ -0,0 +1,323 @@
+---
+title: "VPN-diensten"
+icon: material/vpn
+---
+
+Zoek een no-logging VPN-operator die er niet op uit is jouw webverkeer te verkopen of te lezen.
+
+??? danger "VPN's zorgen niet voor anonimiteit"
+
+ Het gebruik van een VPN houdt jouw surfgedrag niet anoniem, noch voegt het extra beveiliging toe aan niet-beveiligd (HTTP) verkeer.
+
+ Als je op zoek bent naar **anonimiteit**, kunt je beter de Tor Browser **in plaats** van een VPN gebruiken.
+
+ Als je op zoek bent naar extra **veiligheid**, moet je er altijd voor zorgen dat je verbinding maakt met websites via HTTPS. Een VPN is geen vervanging voor goede beveiligingspraktijken.
+
+ [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Mythen & FAQ](advanced/tor-overview.md){ .md-button }
+
+??? question "Wanneer zijn VPN's nuttig?"
+
+ Als je op zoek bent naar extra **privacy** van uw ISP, op een openbaar Wi-Fi-netwerk, of tijdens het torrenten van bestanden, kan een VPN de oplossing voor je zijn, zolang je de risico's ervan begrijpt.
+
+ [Meer info](basics/vpn-overview.md){ .md-button }
+
+## Aanbevolen Providers
+
+!!! abstract "Criteria"
+
+ Onze aanbevolen providers gebruiken encryptie, accepteren Monero, ondersteunen WireGuard & OpenVPN, en hebben een no logging beleid. Lees onze [volledige lijst van criteria](#onze-criteria) voor meer informatie.
+
+### Proton VPN
+
+!!! recommendation annotate
+
+ ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right }
+
+ **Proton VPN** is een sterke speler in de VPN-ruimte, en ze zijn in bedrijf sinds 2016. Proton AG is gevestigd in Zwitserland en biedt een beperkt gratis niveau en een meer uitgebreide premium optie.
+
+ [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Broncode" }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085)
+ - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases)
+ - [:simple-windows11: Windows](https://protonvpn.com/download-windows)
+ - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/)
+
+??? success annotate "67 Landen"
+
+ Proton VPN heeft [servers in 67 landen](https://protonvpn.com/vpn-servers) (1). Door een VPN-provider te kiezen met een server het dichtst bij jou in de buurt, verminder je de latentie van het netwerkverkeer dat je verstuurt. Dit komt door een kortere route (minder hops) naar de bestemming.
+
+ Wij denken ook dat het voor de veiligheid van de privé-sleutels van de VPN-provider beter is als zij [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service) gebruiken, in plaats van goedkopere gedeelde oplossingen (met andere klanten) zoals [virtuele privé-servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Laatst gecontroleerd: 2022-09-16
+
+??? success "Onafhankelijk Gecontroleerd"
+
+ Vanaf januari 2020, heeft Proton VPN een onafhankelijke audit door SEC Consult ondergaan. SEC Consult vond enkele kwetsbaarheden met een gemiddeld en laag risico in de Windows-, Android- en iOS-applicaties van Proton VPN, die allemaal door Proton VPN "naar behoren waren verholpen" voordat de rapporten werden gepubliceerd. Geen van de geconstateerde problemen zou een aanvaller op afstand toegang hebben verschaft tot jouw apparaat of verkeer. Je kunt de afzonderlijke verslagen voor elk platform bekijken op [protonvpn.com](https://protonvpn.com/blog/open-source/). In april 2022 onderging Proton VPN [nog een audit](https://protonvpn.com/blog/no-logs-audit/) en het verslag werd [opgesteld door Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). Voor de apps van Proton VPN is op 9 november 2021 een [attestbrief](https://proton.me/blog/security-audit-all-proton-apps) verstrekt door [Securitum](https://research.securitum.com).
+
+??? success "Open-Source Cliënts"
+
+ Proton VPN biedt de broncode voor hun desktop en mobiele clients in hun [GitHub organisatie](https://github.com/ProtonVPN).
+
+??? success "Accepteert Cash"
+
+ Proton VPN accepteert naast creditcards en PayPal ook Bitcoin en **contant geld/lokale valuta** als anonieme vormen van betaling.
+
+??? success "WireGuard Support"
+
+ Proton VPN ondersteunt hoofdzakelijk het WireGuard® protocol. [WireGuard](https://www.wireguard.com) is een nieuwer protocol dat gebruik maakt van het modernste [cryptography](https://www.wireguard.com/protocol/). Bovendien wil WireGuard eenvoudiger en performanter zijn.
+
+ Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) het gebruik van WireGuard met hun dienst. Op Proton VPN's Windows, macOS, iOS, Android, ChromeOS, en Android TV apps is WireGuard het standaard protocol; [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) voor het protocol is echter niet aanwezig in hun Linux app.
+
+??? warning "Remote Port Forwarding"
+
+ Proton VPN ondersteunt momenteel alleen remote [port forwarding](https://protonvpn.com/support/port-forwarding/) op Windows, wat gevolgen kan hebben voor sommige toepassingen. Vooral Peer-to-peer-toepassingen zoals Torrent-cliënten.
+
+??? success "Mobiele klanten"
+
+ Naast het leveren van standaard OpenVPN-configuratiebestanden, heeft Proton VPN mobiele clients voor [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=nl_US), en [GitHub](https://github.com/ProtonVPN/android-app/releases) die eenvoudige verbindingen met hun servers mogelijk maken.
+
+??? info "Aanvullende Functionaliteit"
+
+ Proton VPN heeft eigen servers en datacenters in Zwitserland, IJsland en Zweden. Ze bieden adblocking en het blokkeren van bekende malware domeinen met hun DNS service. Ze bieden adblocking en blokkering van bekende malwaredomeinen met hun DNS-dienst. Daarnaast biedt Proton VPN ook "Tor" servers waarmee je gemakkelijk verbinding kunt maken met onion sites, maar we raden nog steeds sterk aan om hiervoor [de officiële Tor Browser](https://www.torproject.org/) te gebruiken.
+
+!!! danger "De killswitch-functionaliteit werkt niet op Intel-gebaseerde Macs"
+
+ Systeemcrashes [kunnen optreden](https://protonvpn.com/support/macos-t2-chip-kill-switch/) op Intel-gebaseerde Macs bij gebruik van de VPN killswitch. Als je deze functie nodig hebt, en je gebruikt een Mac met Intel-chipset, moet je overwegen een andere VPN-dienst te gebruiken.
+
+### IVPN
+
+!!! recommendation
+
+ ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right }
+
+ **IVPN** is een andere premium VPN provider, en ze zijn actief sinds 2009. IVPN is gevestigd in Gibraltar.
+
+ [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Broncode" }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-android: Android](https://www.ivpn.net/apps-android/)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683)
+ - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/)
+ - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/)
+ - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/)
+
+??? success annotate "35 Landen"
+
+ IVPN heeft [servers in 35 landen](https://www.ivpn.net/server-locations) (1). Door een VPN-provider te kiezen met een server het dichtst bij jou in de buurt, verminder je de latentie van het netwerkverkeer dat je verstuurt. Dit komt door een kortere route (minder hops) naar de bestemming.
+
+ Wij denken ook dat het voor de veiligheid van de privé-sleutels van de VPN-provider beter is als zij [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service) gebruiken, in plaats van goedkopere gedeelde oplossingen (met andere klanten) zoals [virtuele privé-servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Laatst gecontroleerd: 2022-09-16
+
+??? success "Onafhankelijk Gecontroleerd"
+
+ IVPN heeft een [no-logging audit van Cure53](https://cure53.de/audit-report_ivpn.pdf) ondergaan die concludeerde in overeenstemming met de no-logging claim van IVPN. IVPN heeft in januari 2020 ook een [uitgebreid pentestrapport Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) afgerond. IVPN heeft ook gezegd dat zij van plan zijn in de toekomst [jaarverslagen](https://www.ivpn.net/blog/independent-security-audit-concluded) uit te brengen. Er is nog een evaluatie uitgevoerd [in april 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) en deze is opgesteld door Cure53 [op hun website](https://cure53.de/pentest-report_IVPN_2022.pdf).
+
+??? success "Open-Source Cliënts"
+
+ Sinds februari 2020 zijn [IVPN applicaties nu open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Broncode kan worden verkregen van hun [GitHub organisatie](https://github.com/ivpn).
+
+??? success "Accepteert contant geld en Monero"
+
+ Naast creditcards/debetkaarten en PayPal accepteert IVPN ook Bitcoin, **Monero** en **cash/lokale valuta** (op jaarplannen) als anonieme betalingsvormen.
+
+??? success "WireGuard Support"
+
+ IVPN ondersteunt het WireGuard® protocol. [WireGuard](https://www.wireguard.com) is een nieuwer protocol dat gebruik maakt van het modernste [cryptography](https://www.wireguard.com/protocol/). Bovendien wil WireGuard eenvoudiger en performanter zijn.
+
+ IVPN [raad](https://www.ivpn.net/wireguard/) het gebruik van WireGuard aan en hierom is het protocol de standaard in alle apps van IVPN. IVPN biedt ook een WireGuard configuratie generator voor gebruik met de officiële WireGuard [apps](https://www.wireguard.com/install/).
+
+??? success "Remote Port Forwarding"
+
+ Remote [port forwarding] (https://en.wikipedia.org/wiki/Port_forwarding) is mogelijk met een Pro-abonnement. Port forwarding [kan geactiveerd worden](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via de client area. Port forwarding is alleen beschikbaar op IVPN bij gebruik van WireGuard of OpenVPN protocollen en is [uitgeschakeld op US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html).
+
+??? success "Mobiele klanten"
+
+ Naast het leveren van standaard OpenVPN-configuratiebestanden, heeft IVPN mobiele clients voor [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), en [GitHub](https://github.com/ivpn/android-app/releases) die eenvoudige verbindingen met hun servers mogelijk maken.
+
+??? info "Aanvullende Functionaliteit"
+
+ IVPN-clients ondersteunen tweefactorauthenticatie (de clients van Mullvad niet). IVPN biedt ook de "[AntiTracker](https://www.ivpn.net/antitracker)" functionaliteit, die advertentienetwerken en trackers op netwerkniveau blokkeert.
+
+### Mullvad
+
+!!! recommendation
+
+ ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right }
+
+ **Mullvad** is een snelle en goedkope VPN met een serieuze focus op transparantie en veiligheid. Zij zijn in bedrijf sinds **2009**. Mullvad is gevestigd in Zweden en heeft geen gratis proefversie.
+
+ [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" }.
+ [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentatie}
+ [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Broncode" }
+
+ ??? downloads "Downloaden"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513)
+ - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases)
+ - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/)
+ - [:simple-apple: macOS](https://mullvad.net/en/download/macos/)
+ - [:simple-linux: Linux](https://mullvad.net/en/download/linux/)
+
+??? success annotate "41 landen"
+
+ Mullvad heeft [servers in 41 landen](https://mullvad.net/servers/) (1). Door een VPN-provider te kiezen met een server het dichtst bij jou in de buurt, verminder je de latentie van het netwerkverkeer dat je verstuurt. Dit komt door een kortere route (minder hops) naar de bestemming.
+
+ Wij denken ook dat het voor de veiligheid van de privé-sleutels van de VPN-provider beter is als zij [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service) gebruiken, in plaats van goedkopere gedeelde oplossingen (met andere klanten) zoals [virtuele privé-servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Laatst gecontroleerd: 2023-01-19
+
+??? success "Onafhankelijk Gecontroleerd"
+
+ De VPN-clients van Mullvad zijn gecontroleerd door Cure53 en Assured AB in een pentest-rapport [gepubliceerd op cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). De beveiligingsonderzoekers concludeerden:
+
+ > Cure53 en Assured AB zijn blij met de resultaten van de audit en de software laat een algehele positieve indruk achter. Dankzij de inzet van het interne team van Mullvad VPN, twijfelen de testers er niet aan dat het project vanuit beveiligingsoogpunt op het juiste spoor zit.
+
+ In 2020 werd een tweede audit [aangekondigd](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) en werd het [definitieve auditverslag](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) beschikbaar gesteld op de website van Cure53:
+
+ > De resultaten van dit mei-juni 2020 project gericht op het Mullvad complex zijn vrij positief. [...] Het door Mullvad gebruikte totale applicatie-ecosysteem maakt een degelijke en gestructureerde indruk. De algemene structuur van de applicatie maakt het gemakkelijk om patches en fixes op een gestructureerde manier uit te rollen. De bevindingen van Cure53 laten vooral zien hoe belangrijk het is om de huidige lekvectoren voortdurend te controleren en opnieuw te beoordelen, om de privacy van de eindgebruikers altijd te waarborgen. Dat gezegd hebbende, Mullvad beschermt de eindgebruiker uitstekend tegen veelvoorkomende lekken van PII en privacygerelateerde risico's.
+
+ In 2021 werd een infrastructuuraudit [aangekondigd](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) en werd het [definitieve auditverslag](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) beschikbaar gesteld op de website van Cure53. Een ander rapport werd [in juni 2022] besteld (https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) en is beschikbaar op [de website van Assured](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf).
+
+??? success "Open-Source Cliënts"
+
+ Mullvad biedt de broncode voor hun desktop en mobiele clients in hun [GitHub organisatie](https://github.com/mullvad/mullvadvpn-app).
+
+??? success "Accepteert contant geld en Monero"
+
+ Mullvad accepteert naast creditcards en PayPal ook Bitcoin, Bitcoin Cash, **Monero** en **contant geld/lokale valuta** als anonieme vormen van betaling. Zij aanvaarden ook Swish en bankoverschrijvingen.
+
+??? success "WireGuard Support"
+
+ Mullvad ondersteunt het WireGuard® protocol. [WireGuard](https://www.wireguard.com) is een nieuwer protocol dat gebruik maakt van het modernste [cryptography](https://www.wireguard.com/protocol/). Bovendien wil WireGuard eenvoudiger en performanter zijn.
+
+ Mullvad [recommends](https://mullvad.net/nl/help/why-wireguard/) het gebruik van WireGuard met hun service. Het is het standaard of enige protocol op Mullvad 's Android-, iOS-, macOS- en Linux-apps, maar op Windows moet je [handmatig inschakelen](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad biedt ook een WireGuard configuratie generator aan voor gebruik met de officiële WireGuard [apps](https://www.wireguard.com/install/).
+
+??? success "IPv6 ondersteuning"
+
+ Mullvad ondersteunt de toekomst van networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Hun netwerk laat je toe [toegang te krijgen tot diensten die gehost worden op IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) in tegenstelling tot andere providers die IPv6-verbindingen blokkeren.
+
+??? success "Remote Port Forwarding"
+
+ Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is toegestaan voor mensen die eenmalige betalingen doen, maar niet voor rekeningen met een terugkerende/abonnementsgebaseerde betalingsmethode. Dit is om te voorkomen dat Mullvad je kan identificeren op basis van jouw poortgebruik en opgeslagen abonnementsinformatie. Zie [Port forwarding met Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) voor meer informatie.
+
+??? success "Mobiele klanten"
+
+ Mullvad heeft [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) en [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients gepubliceerd, die beide een gebruiksvriendelijke interface ondersteunen in plaats van je te verplichten jouw WireGuard-verbinding handmatig te configureren. De Android-client is ook beschikbaar op [GitHub](https://github.com/mullvad/mullvadvpn-app/releases).
+
+??? info "Aanvullende Functionaliteit"
+
+ Mullvad is zeer transparant over welke knooppunten zij [bezitten of huren] (https://mullvad.net/en/servers/). Ze gebruiken [ShadowSocks](https://shadowsocks.org/) in hun ShadowSocks + OpenVPN configuratie, waardoor ze beter bestand zijn tegen firewalls met [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) die VPN's proberen te blokkeren. Vermoedelijk, [China moet een andere methode gebruiken om ShadowSocks servers te blokkeren](https://github.com/net4people/bbs/issues/22). De website van Mullvad is ook toegankelijk via Tor op [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion).
+
+## Criteria
+
+!!! danger "Gevaar"
+
+ Het is belangrijk op te merken dat het gebruik van een VPN provider je niet anoniem maakt, maar het geeft je wel een betere privacy in bepaalde situaties. Een VPN is geen instrument voor illegale activiteiten. Vertrouw niet op een "no log" beleid.
+
+**Wij zijn niet verbonden aan de providers die wij aanbevelen. Hierdoor kunnen wij volledig objectieve aanbevelingen doen.** Naast [onze standaardcriteria](about/criteria.md), hebben we een duidelijke reeks vereisten ontwikkeld voor elke VPN-provider die aanbevolen wil worden, waaronder sterke encryptie, onafhankelijke beveiligingsaudits, moderne technologie en meer. Wij raden je aan deze lijst goed door te nemen voordat je een VPN-provider kiest, en jouw eigen onderzoek te doen om er zeker van te zijn dat de VPN-provider die je kiest zo betrouwbaar mogelijk is.
+
+### Technologie
+
+Wij eisen dat al onze aanbevolen VPN-providers OpenVPN-configuratiebestanden leveren die in elke client kunnen worden gebruikt. **Als** een VPN met een eigen aangepaste client aanbiedt, is een killswitch vereist om het lekken van netwerkgegevens te blokkeren wanneer de verbinding wordt verbroken.
+
+**Minimum om in aanmerking te komen:**
+
+- Ondersteuning voor sterke protocollen zoals WireGuard & OpenVPN.
+- Killswitch ingebouwd in clients.
+- Multihop ondersteuning. Multihopping is belangrijk om gegevens privé te houden in het geval van een compromittering door één knooppunt.
+- Als er VPN-clients worden verstrekt, moeten dat [open-source](https://en.wikipedia.org/wiki/Open_source)zijn, zoals de VPN-software die er doorgaans in is ingebouwd. Wij zijn van mening dat de beschikbaarheid van [broncode](https://en.wikipedia.org/wiki/Source_code) meer transparantie biedt over wat uw apparaat feitelijk doet.
+
+**Beste geval:**
+
+- Ondersteuning voor WireGuard en OpenVPN.
+- Killswitch met in hoge mate configureerbare opties (inschakelen/uitschakelen op bepaalde netwerken, bij opstarten, enz.)
+- Gemakkelijk te gebruiken VPN-clients
+- Ondersteunt [IPv6](https://en.wikipedia.org/wiki/IPv6). Wij verwachten dat servers inkomende verbindingen via IPv6 zullen toestaan en u toegang zullen verschaffen tot diensten die op IPv6-adressen worden gehost.
+- De mogelijkheid van [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) helpt bij het maken van verbindingen bij het gebruik van P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software, Freenet, of het hosten van een server (bv. Mumble).
+
+### Privacy
+
+Wij geven er de voorkeur aan dat de door ons aanbevolen aanbieders zo weinig mogelijk gegevens verzamelen. Er worden geen persoonlijke gegevens verzameld bij de registratie en er worden anonieme betalingsvormen aanvaard.
+
+**Minimum om in aanmerking te komen:**
+
+- Monero of contante betaling.
+- Geen persoonlijke informatie nodig om te registreren: Hooguit gebruikersnaam, wachtwoord en e-mail.
+
+**Beste geval:**
+
+- Accepteert Monero, contant geld, en andere vormen van anonieme betalingsopties (cadeaubonnen, enz.)
+- Geen persoonlijke informatie aanvaard (automatisch gegenereerde gebruikersnaam, geen e-mail nodig, enz.)
+
+### Veiligheid
+
+Een VPN is zinloos als het niet eens voldoende beveiliging kan bieden. Wij eisen van al onze aanbevolen providers dat zij zich houden aan de huidige beveiligingsstandaarden voor hun OpenVPN-verbindingen. Idealiter zouden zij standaard meer toekomstbestendige encryptiesystemen gebruiken. Wij eisen ook dat een onafhankelijke derde partij de beveiliging van de aanbieder controleert, idealiter op zeer uitgebreide wijze en herhaaldelijk (jaarlijks).
+
+**Minimum om in aanmerking te komen:**
+
+- Sterke coderingsschema's: OpenVPN met SHA-256 authenticatie; RSA-2048 of betere handshake; AES-256-GCM of AES-256-CBC data-encryptie.
+- Perfect Forward Secrecy (PFS).
+- Gepubliceerde veiligheidscontroles van een gerenommeerde derde partij.
+
+**Beste geval:**
+
+- Sterkste encryptie: RSA-4096.
+- Perfect Forward Secrecy (PFS).
+- Uitgebreide gepubliceerde veiligheidscontroles door een gerenommeerde derde partij.
+- Programma's voor bug-bounty's en/of een gecoördineerd proces voor de openbaarmaking van kwetsbaarheden.
+
+### Vertrouwen
+
+Je zou jouw financiën niet toevertrouwen aan iemand met een valse identiteit, dus waarom zou je hen jouw internetgegevens toevertrouwen? Wij eisen van onze aanbevolen aanbieders dat zij hun eigendom of leiderschap openbaar maken. Wij zouden ook graag zien dat regelmatig verslag wordt uitgebracht over de transparantie, met name wat betreft de wijze waarop verzoeken van de overheid worden behandeld.
+
+**Minimum om in aanmerking te komen:**
+
+- Publiekelijk leiderschap of eigendom.
+
+**Beste geval:**
+
+- Publieksgericht leiderschap.
+- Frequente transparantieverslagen.
+
+### Marketing
+
+Bij de VPN providers die wij aanbevelen zien wij graag verantwoorde marketing.
+
+**Minimum om in aanmerking te komen:**
+
+- Moet zelf analytics hosten (d.w.z., geen Google Analytics). De site van de aanbieder moet ook voldoen aan [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) voor mensen die zich willen afmelden.
+
+Mag geen marketing hebben die onverantwoord is:
+
+- Garanties van 100% bescherming van de anonimiteit. Wanneer iemand beweert dat iets 100% is, betekent dit dat er geen zekerheid is voor mislukking. We weten dat mensen zichzelf vrij gemakkelijk kunnen deanonimiseren op een aantal manieren, bv.:
+ - Hergebruik van persoonlijke informatie (bv. e-mailaccounts, unieke pseudoniemen, enz.) waartoe zij toegang hadden zonder anonimiteitssoftware (Tor, VPN, enz.)
+ - [Browser vingerafdrukken](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+- Beweren dat een VPN met één circuit "anoniemer" is dan Tor, dat een circuit van drie of meer hops is dat regelmatig verandert.
+- Gebruik verantwoordelijk taalgebruik: d.w.z.
het is oké om te zeggen dat een VPN "losgekoppeld" of "niet aangesloten" is, maar beweren dat iemand "blootgesteld", "kwetsbaar" of "gecompromitteerd" is, is nodeloos gebruik van alarmerende taal die onjuist kan zijn. Die persoon kan bijvoorbeeld gewoon gebruik maken van de service van een andere VPN-provider of Tor gebruiken.
+
+**Beste geval:**
+
+Verantwoorde marketing die zowel educatief als nuttig is voor de consument zou kunnen bestaan uit:
+
+- Een nauwkeurige vergelijking met wanneer Tor of andere [op zichzelf staande netwerken](tor.md) moeten worden gebruikt.
+- Beschikbaarheid van de website van de VPN-provider via een .onion [Verborgen service](https://en.wikipedia.org/wiki/.onion)
+
+### Extra functionaliteit
+
+Hoewel het geen strikte vereisten zijn, zijn er enkele factoren die wij in aanmerking hebben genomen bij het bepalen van de aanbieders die wij aanbevelen. Deze omvatten adblocking/tracker-blocking-functionaliteit, warrant canaries, multihop-verbindingen, uitstekende klantenondersteuning, het aantal toegestane gelijktijdige verbindingen, enz.
+
+--8<-- "includes/abbreviations.nl.txt"
diff --git a/i18n/pl/404.md b/i18n/pl/404.md
new file mode 100644
index 00000000..f0f4bec0
--- /dev/null
+++ b/i18n/pl/404.md
@@ -0,0 +1,17 @@
+---
+hide:
+ - feedback
+---
+
+# 404 - Not Found
+
+We couldn't find the page you were looking for! Maybe you were looking for one of these?
+
+- [Introduction to Threat Modeling](basics/threat-modeling.md)
+- [Recommended DNS Providers](dns.md)
+- [Best Desktop Web Browsers](desktop-browsers.md)
+- [Best VPN Providers](vpn.md)
+- [Privacy Guides Forum](https://discuss.privacyguides.net)
+- [Our Blog](https://blog.privacyguides.org)
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/CODE_OF_CONDUCT.md b/i18n/pl/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..88a0e910
--- /dev/null
+++ b/i18n/pl/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@
+# Community Code of Conduct
+
+**We pledge** to make our community a harassment-free experience for everyone.
+
+**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others.
+
+**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment.
+
+## Community Standards
+
+What we expect from members of our communities:
+
+1. **Don't spread misinformation**
+
+ We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence.
+
+1. **Don't abuse our willingness to help**
+
+ Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/).
+
+1. **Behave in a positive and constructive manner**
+
+ Examples of behavior that contributes to a positive environment for our community include:
+
+ - Demonstrating empathy and kindness toward other people
+ - Being respectful of differing opinions, viewpoints, and experiences
+ - Giving and gracefully accepting constructive feedback
+ - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+ - Focusing on what is best not just for us as individuals, but for the overall community
+
+### Unacceptable Behavior
+
+The following behaviors are considered harassment and are unacceptable within our community:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Scope
+
+Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities.
+
+We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion.
+
+### Contact
+
+If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system.
+
+If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
diff --git a/i18n/pl/about/criteria.md b/i18n/pl/about/criteria.md
new file mode 100644
index 00000000..f2e96c12
--- /dev/null
+++ b/i18n/pl/about/criteria.md
@@ -0,0 +1,42 @@
+---
+title: General Criteria
+---
+
+!!! example "Work in Progress"
+
+ The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24)
+
+Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion.
+
+## Financial Disclosure
+
+We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors.
+
+## General Guidelines
+
+We apply these priorities when considering new recommendations:
+
+- **Secure**: Tools should follow security best-practices wherever applicable.
+- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives.
+- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in.
+- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases.
+- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required.
+- **Documented**: Tools should have clear and extensive documentation for use.
+
+## Developer Self-Submissions
+
+We have these requirements in regard to developers which wish to submit their project or software for consideration.
+
+- Must disclose affiliation, i.e. your position within the project being submitted.
+
+- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc.
+ - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit.
+
+- Must explain what the project brings to the table in regard to privacy.
+ - Does it solve any new problem?
+ - Why should anyone use it over the alternatives?
+
+- Must state what the exact threat model is with their project.
+ - It should be clear to potential users what the project can provide, and what it cannot.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/about/donate.md b/i18n/pl/about/donate.md
new file mode 100644
index 00000000..73bae286
--- /dev/null
+++ b/i18n/pl/about/donate.md
@@ -0,0 +1,52 @@ +--- +title: Wspieranie nas +--- + + +Potrzeba wiele [osób](https://github.com/privacyguides/privacyguides.org/graphs/contributors) oraz sporo [pracy](https://github.com/privacyguides/privacyguides.org/pulse/monthly), aby na bieżąco aktualizować Privacy Guides oraz udostępniać informacje o prywatności i masowej inwigilacji. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Na Open Collective możesz płacić poprzez karty płatnicze, PayPal oraz przelewy bankowe. + +[Przekaż darowiznę na OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Wspieranie przez GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Wspierający + +Szczególne podziękowania kierujemy do każdej osoby, która wspiera naszą misję! :heart: + +*Uwaga: Ta sekcja wczytuje widżet bezpośrednio z Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## Na co przeznaczamy darowizny + +Privacy Guides to organizacja **pożytku publicznego**. 
Przeznaczamy darowizny na różne cele, w tym: + +**Rejestracja domen** +: + +Posiadamy kilka domen, takich jak `privacyguides.org`, których utrzymanie rejestracji kosztuje nas około 10 dolarów rocznie. + +**Hosting WWW** +: + +Ruch na tej witrynie zużywa setki gigabajtów danych miesięcznie, a do obsługi tak dużego ruchu korzystamy z usług różnych dostawców usług. + +**Usługi online** +: + +We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.). + +**Zakup produktów** +: + +Od czasu do czasu kupujemy produkty oraz usługi w celu przetestowania naszych [polecanych narzędzi](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pl/about/index.md b/i18n/pl/about/index.md new file mode 100644 index 00000000..950ea827 --- /dev/null +++ b/i18n/pl/about/index.md 
@@ -0,0 +1,63 @@ +--- +title: "About Privacy Guides" +--- + +**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. + +[:material-hand-coin-outline: Support the project](donate.md ""){.md-button.md-button--primary} + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? 
person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub! + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax deductible in the United States. + +## Site License + +*The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):* + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. 
You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pl/about/notices.md b/i18n/pl/about/notices.md new file mode 100644 index 00000000..47d7c3f4 --- /dev/null +++ b/i18n/pl/about/notices.md 
@@ -0,0 +1,45 @@ +--- +title: "Informacje i zastrzeżenia" +hide: + - toc +--- + +## Zastrzeżenie prawne + +Privacy Guides nie jest kancelarią prawną. W związku z tym, strona internetowa Privacy Guides oraz jej współtwórcy nie udzielają porad prawnych. Materiały i zalecenia umieszczone na naszej stronie internetowej oraz w poradnikach nie stanowią porady prawnej, a współtworzenie strony internetowej oraz komunikowanie się z Privacy Guides lub innymi współtwórcami w sprawach dotyczących strony internetowej nie ustanawiają relacji prawnik-klient. + +Prowadzenie tej strony, jak każde ludzkie przedsięwzięcie, wiąże się z niepewnością i kompromisami. Mamy nadzieję, że ta strona internetowa jest pomocna, ale może zawierać pomyłki i może nie odnosić się do każdej sytuacji. Jeśli masz jakiekolwiek pytania dotyczące swojej sytuacji, zachęcamy do przeprowadzenia własnego rozeznania, skonsultowania z innymi ekspertami oraz wzięcia udziału w dyskusjach ze społecznością Privacy Guides. Jeśli masz jakiekolwiek zapytania prawne, należy skonsultować się ze swoim własnym radcą prawnym przed podjęciem dalszych działań. + +Privacy Guides to projekt o otwartym źródle współtworzony na licencjach, które zawierają warunki, które w celu ochrony strony internetowej oraz jej współtwórców, jasno stwierdzają, że projekt Privacy Guides i strona internetowa są oferowane "tak jak są", bez gwarancji oraz zrzekają się odpowiedzialności poniesionej z uwagi na szkody powstałe w wyniku korzystania ze strony internetowej oraz jakichkolwiek rekomendacji na niej zawartych. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Ponadto Privacy Guides nie gwarantuje że strona internetowa będzie dostępna cały czas lub wcale. 
+ +## Licencje + +O ile nie zaznaczono inaczej, wszelkie treści dostępne na tej stronie internetowej są ogólnodostępne na warunkach licencji [Creative Commons CC0 1.0 Universal](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). + +Nie dotyczy to kodu z zewnętrznych źródeł osadzonego w tym repozytorium lub kodu, w którym określono inną licencję zastępczą. Poniżej przedstawiono warte uwagi przykłady, ale ta lista może nie być wyczerpująca: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) dostępny jest na licencji [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). + +Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE). + +This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. Znaki towarowe marki Privacy Guides obejmują znak słowny "Privacy Guides" oraz logo tarczy. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +Uważamy, że loga i inne obrazy w `zasobach` pozyskanych od zewnętrznych dostawców znajdują się w domenie publicznej lub zaliczają się do **dozwolonego użytku**. W skrócie, prawnie [dozwolony użytek](https://www.copyright.gov/fair-use/more-info.html) umożliwia używanie zastrzeżonych prawem autorskim treści w celu identyfikacji tematu na potrzeby wyrażenia publicznej opinii. 
Jednakże te loga i inne obrazy mogą nadal podlegać prawom dotyczącym znaków towarowych w jednej lub kilku jurysdykcjach. Przed wykorzystaniem tych treści należy upewnić się, że służą one identyfikacji podmiotu lub organizacji będącej właścicielem znaku towarowego oraz że masz prawo do ich wykorzystania zgodnie z przepisami prawa, które mają zastosowanie w okolicznościach zamierzonego wykorzystania. *Kopiując treści z tej strony internetowej ponosisz wyłączną odpowiedzialność za zapewnienie, że nie naruszasz cudzego znaku towarowego lub prawa autorskiego.* + +Udzielając się w tym repozytorium, robisz to na podstawie powyższych licencji. + +## Acceptable Use + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. + +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Excessive Automated Scans +* Denial of Service Attacks +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pl/about/privacy-policy.md b/i18n/pl/about/privacy-policy.md new file mode 100644 index 00000000..3f7f65c0 --- /dev/null +++ b/i18n/pl/about/privacy-policy.md 
@@ -0,0 +1,63 @@ +--- +title: "Privacy Policy" +--- + +Privacy Guides to projekt społecznościowy prowadzony przez wielu aktywnych wolontariuszy. Publiczna lista członków zespołu [jest dostępna na GitHub](https://github.com/orgs/privacyguides/people). + +## Dane zbierane od odwiedzających + +Prywatność osób odwiedzających naszą witrynę jest dla nas ważna, więc nie śledzimy żadnych indywidualnych osób. Gdy odwiedzasz naszą witrynę: + +- Nie zbieramy o Tobie żadnych danych osobowych +- No information such as cookies are stored in the browser +- Nie udostępniamy, nie przesyłamy i nie sprzedajemy żadnych informacji zewnętrznym podmiotom +- Nie udostępniamy żadnych danych firmom reklamowym +- Nie wydobywamy i nie gromadzimy danych w celu personalizacji i analizy zachowań +- Nie zarabiamy na żadnych informacjach + +You can view the data we collect on our [statistics](statistics.md) page. + +Posiadamy własną instalację [Plausible Analytics](https://plausible.io) w celu gromadzenia pewnych anonimowych danych o użytkowaniu w celach statystycznych. Ma to na celu badanie ogólnych trendów ruchu na naszej stronie internetowej, a nie śledzenie indywidualnych użytkowników. Wszelkie dane są tylko i wyłącznie gromadzone. Nie są gromadzone żadne dane osobowe. + +Gromadzone dane obejmują źródła wizyt, najpopularniejsze strony, czas trwania odwiedzin, informacje o urządzeniu (typ urządzenia, system operacyjny, państwo oraz przeglądarka), z którego korzystasz podczas odwiedzin i więcej. [Tutaj](https://plausible.io/data-policy) możesz dowiedzieć się więcej o tym, jak działa Plausible i jak gromadzą informacje z poszanowaniem prywatności. + +## Dane gromadzone od posiadaczy kont + +Wiele funkcji na niektórych ze świadczonych przez nas witrynach i usługach może wymagać posiadania konta. Na przykład może być wymagane konto do publikowania i odpowiadania na tematy na forum. + +W celu rejestracji większości kont gromadzimy imię i nazwisko, nazwę użytkownika, adres e-mail oraz hasło. 
Jeśli witryna będzie wymagać więcej informacji niż te, zostanie to wyraźnie zaznaczone i odnotowane w oddzielnym oświadczeniu o prywatności danej witryny. + +Używamy danych Twojego konta do identyfikacji użytkownika w witrynie oraz w celu utworzenia indywidualnych dla Ciebie stron, takich jak strona Twojego profilu. Twoich danych użyjemy również do opublikowania Twojego profilu w naszych usługach. + +Używamy Twojego adresu e-mail do: + +- Powiadamiania o wpisach oraz innej aktywności w witrynach oraz usługach. +- Wyzerowania Twojego hasła, aby zadbać o bezpieczeństwo Twojego konta. +- Kontaktowania przy zaistnieniu szczególnych okoliczności związanych z Twoim kontem. +- Kontaktu w sprawie wniosków prawnych, takich jak nakaz usunięcia zgodnie z DMCA. + +Na niektórych stronach internetowych i usługach możesz podać dodatkowe informacje dla swojego konta, takie jak krótka biografia, obraz użytkownika, swoją lokalizację oraz datę urodzenia. Udostępniamy te informacje wszystkim osobom, które mają dostęp do danej strony internetowej lub usługi. Te informacje nie są wymagane do korzystania z naszych usług i mogą zostać wykasowane w dowolnym momencie. + +Będziemy przechowywać dane Twojego konta, dopóki nie zostanie ono zamknięte. Po zamknięciu konta możemy zachować pewne lub wszystkie dane Twojego konta w formie kopii zapasowych lub archiwów nie dłużej niż 90 dni. + +## Kontakt z nami + +Zespół Privacy Guides zasadniczo nie ma dostępu do danych osobowych poza ograniczonym dostępem udzielonym przez niektóre panele moderacyjne. Zapytania dotyczące Twoich danych osobowych należy kierować bezpośrednio do: + +```text +Jonah Aragon +Administrator usług +jonah@privacyguides.org +``` + +Dla wszystkich innych zapytań możesz skontaktować się z dowolnym członkiem naszego zespołu. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. 
In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## O tej Polityce + +We will post any new versions of this statement [here](privacy-policy.md). Zastrzegamy sobie prawo do zmiany sposobu ogłaszania zmian w przyszłych wersjach tego dokumentu. W międzyczasie możemy aktualizować nasze informacje kontaktowe w dowolnym momencie bez ogłaszania tej zmiany. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pl/about/privacytools.md b/i18n/pl/about/privacytools.md new file mode 100644 index 00000000..46af2add --- /dev/null +++ b/i18n/pl/about/privacytools.md 
@@ -0,0 +1,120 @@
+---
+title: "PrivacyTools FAQ"
+---
+
+# Why we moved on from PrivacyTools
+
+In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted.
+
+Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition.
+
+After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions.
+
+## What is PrivacyTools?
+
+PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations.
The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc.
+
+Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested.
+
+## Why We Moved On
+
+In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again.
+
+In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.==
+
+## Domain Name Reliance
+
+At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment.
+
+The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place.
+
+Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service.
This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome.
+
+In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition.
+
+## Community Call to Action
+
+At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped.
+
+## Control of r/privacytoolsIO
+
+Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit.
+
+Reddit requires that subreddits have active moderators.
If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms.
+
+> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer.
+>
+> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct).
+
+## Beginning the Transition
+
+On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain:
+
+> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc.
+
+This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/)
+
+- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org).
+- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site.
+- Posting announcements to our subreddit and various other communities informing people of the official change.
+- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible.
+
+Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped.
+
+## Following Events
+
+Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project.
+
+At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible).
+
+Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services.
+
+Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration.
BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so.
+
+BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim.
+
+## PrivacyTools.io Now
+
+As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs.
+
+==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder.
+
+## r/privacytoolsIO Now
+
+After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021:
+
+> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you.
+>
+> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...]
+
+Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides.
+
+In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules:
+
+> Retaliation from any moderator with regards to removal requests is disallowed.
+
+For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is.
+
+## OpenCollective Now
+
+Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community.
+
+Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer:
+
+> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net.
+
+## Further Reading
+
+This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion.
+
+- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/)
+- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/)
+- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/)
+- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides)
+- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280)
+- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/)
+- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/)
+- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496)
+- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20)
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/about/services.md b/i18n/pl/about/services.md
new file mode 100644
index 00000000..a5af3086
--- /dev/null
+++ b/i18n/pl/about/services.md
@@ -0,0 +1,40 @@
+# Privacy Guides Services
+
+We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below.
+
+[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary}
+
+## Discourse
+
+- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net)
+- Availability: Public
+- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse)
+
+## Gitea
+
+- Domain: [code.privacyguides.dev](https://code.privacyguides.dev)
+- Availability: Invite-Only
+ Access may be granted upon request to any team working on *Privacy Guides*-related development or content.
+- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea)
+
+## Matrix
+
+- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org)
+- Availability: Invite-Only
+ Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence.
+- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy)
+
+## SearXNG
+
+- Domain: [search.privacyguides.net](https://search.privacyguides.net)
+- Availability: Public
+- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker)
+
+## Invidious
+
+- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net)
+- Availability: Semi-Public
+ We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time.
+- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious)
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/about/statistics.md b/i18n/pl/about/statistics.md
new file mode 100644
index 00000000..d5cc14ac
--- /dev/null
+++ b/i18n/pl/about/statistics.md
@@ -0,0 +1,63 @@
+---
+title: Traffic Statistics
+---
+
+## Website Statistics
+
+
+
Stats powered by Plausible Analytics
+
+
+
+
+## Blog Statistics
+
+
+
Stats powered by Plausible Analytics
+
+
+
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/advanced/communication-network-types.md b/i18n/pl/advanced/communication-network-types.md
new file mode 100644
index 00000000..7acf22fa
--- /dev/null
+++ b/i18n/pl/advanced/communication-network-types.md
@@ -0,0 +1,104 @@
+---
+title: "Types of Communication Networks"
+icon: 'material/transit-connection-variant'
+---
+
+There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use.
+
+[Recommended Instant Messengers](../real-time-communication.md ""){.md-button}
+
+## Centralized Networks
+
+![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left }
+
+Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization.
+
+Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate.
+
+**Advantages:**
+
+- New features and changes can be implemented more quickly.
+- Easier to get started with and to find contacts.
+- Most mature and stable features ecosystems, as they are easier to program in a centralized software.
+- Privacy issues may be reduced when you trust a server that you're self-hosting.
+
+**Disadvantages:**
+
+- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like:
+- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage.
+- Poor or no documentation for third-party developers.
+- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on.
+- Self-hosting requires effort and knowledge of how to set up a service.
+
+## Federated Networks
+
+![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left }
+
+Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network.
+
+When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server).
+
+**Advantages:**
+
+- Allows for greater control over your own data when running your own server.
+- Allows you to choose whom to trust your data with by choosing between multiple "public" servers.
+- Often allows for third-party clients which can provide a more native, customized, or accessible experience.
+- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member).
+
+**Disadvantages:**
+
+- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network.
+- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion.
+- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used).
+- Federated servers generally require trusting your server's administrator.
They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used.
+- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers.
+
+## Peer-to-Peer Networks
+
+![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left }
+
+P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server.
+
+Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol).
+
+Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient.
+
+P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting.
+
+**Advantages:**
+
+- Minimal information is exposed to third-parties.
+- Modern P2P platforms implement E2EE by default.
There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models.
+
+**Disadvantages:**
+
+- Reduced feature set:
+- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online.
+- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online.
+- Some common messenger features may not be implemented or incompletely, such as message deletion.
+- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention.
+
+## Anonymous Routing
+
+![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left }
+
+A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three.
+
+There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can.
Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers."
+
+Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit.
+
+**Advantages:**
+
+- Minimal to no information is exposed to other parties.
+- Messages can be relayed in a decentralized manner even if one of the parties is offline.
+
+**Disadvantages:**
+
+- Slow message propagation.
+- Often limited to fewer media types, mostly text, since the network is slow.
+- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline.
+- More complex to get started, as the creation and secured backup of a cryptographic private key is required.
+- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/advanced/dns-overview.md b/i18n/pl/advanced/dns-overview.md
new file mode 100644
index 00000000..01f96575
--- /dev/null
+++ b/i18n/pl/advanced/dns-overview.md
@@ -0,0 +1,307 @@ +--- +title: "DNS Overview" +icon: material/dns +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## Co to jest DNS? + +Gdy odwiedzasz stronę internetową, zwracany jest adres w postaci dziesiętnej. Na przykład, gdy odwiedzasz `privacyguides.org`, zwracany jest adres `192.98.54.105`. + +DNS istnieje od [wczesnych lat](https://en.wikipedia.org/wiki/Domain_Name_System#History) istnienia Internetu. Zapytania DNS wysyłane i odbierane z serwerów DNS zazwyczaj **nie są** szyfrowane. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. 
This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. 
| Time | Source | Destination | Protocol | Length | Info |
+| --- | -------- | --------- | ----------- | ------------ | ------ | ---------------------------------------------------------------------- |
+| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | Wyszukiwarki | 104 | Standard query 0x58ba A privacyguides.org OPT |
+| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | Wyszukiwarki | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT |
+| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | Wyszukiwarki | 104 | Standard query 0xf1a9 A privacyguides.org OPT |
+| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | Wyszukiwarki | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT |
+
+An observer could modify any of these packets.
+
+## What is "encrypted DNS"?
+
+Encrypted DNS can refer to one of a number of protocols, the most common ones being:
+
+### DNSCrypt
+
+[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh).
+
+### DNS over TLS (DoT)
+
+[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237.
Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. 
When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](threat-modeling.md). **Nie zalecamy** używania szyfrowanego DNS w tym celu. Zamiast tego skorzystaj z sieci [Tor](https://torproject.org) lub [VPN](../vpn.md). Jeśli korzystasz z sieci VPN, należy użyć serwerów DNS jej dostawcy. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### Adres IP + +Najprostszym sposobem na określenie aktywności przeglądania może być sprawdzenie adresów IP, z którymi łączą się Twoje urządzenia. Na przykład, jeśli obserwator wie, że `privacyguides.org` znajduje się pod adresem `198.98.54.105`, a Twoje urządzenie pobiera dane z adresu `198.98.54.105`, istnieje duże prawdopodobieństwo, że odwiedzasz witrynę Privacy Guides. + +Ta metoda jest użyteczna tylko wtedy, gdy adres IP należy do serwera, na którym znajduje się tylko kilka stron internetowych. Nie pomaga również to, jeśli witryna jest umieszczona na współdzielonej platformie (np. GitHub Pages, Cloudflare Pages, Netlify, WordPress, Blogger itd.). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. 
Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. 
Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. 
We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. 
It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[Lista polecanych serwerów DNS](../dns.md ""){.md-button} + +## Co to jest DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) to funkcja DNS uwierzytelniająca odpowiedzi na zapytania o nazwę domen. Nie zapewnia ona ochrony prywatności tych zapytań, ale uniemożliwia atakującym manipulowanie lub zatruwanie odpowiedzi na zapytania DNS. + +Innymi słowy, DNSSEC podpisuje cyfrowo dane, aby zapewnić ich spójność. W celu zapewnienia bezpiecznego wyszukiwania, podpisywanie odbywa się na każdym poziomie procesu zapytania DNS. Dzięki temu wszystkie odpowiedzi z DNS są zaufane. + +Proces podpisywania DNSSEC jest podobny do podpisywania dokumentu prawnego długopisem; osoba składająca podpis używa niepowtarzalnego podpisu, a ekspert sądowy może spojrzeć na ten podpis i zweryfikować, czy dokument został podpisany przez tę osobę. Te podpisy cyfrowe są gwarancją, że dane nie zostały naruszone. + +DNSSEC wprowadza hierarchiczną politykę podpisywania cyfrowego we wszystkich warstwach DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? 
+
+A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server).
+
+Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
+
+## What is EDNS Client Subnet (ECS)?
+
+The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query.
+
+It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps.
+
+This feature does come at a privacy cost, as it tells the DNS server some information about the client's location.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/advanced/tor-overview.md b/i18n/pl/advanced/tor-overview.md
new file mode 100644
index 00000000..d92addd8
--- /dev/null
+++ b/i18n/pl/advanced/tor-overview.md
@@ -0,0 +1,81 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building + +Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Android + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +--8<-- "includes/abbreviations.pl.txt" + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. 
The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/pl/android.md b/i18n/pl/android.md
new file mode 100644
index 00000000..58e9121a
--- /dev/null
+++ b/i18n/pl/android.md
@@ -0,0 +1,353 @@
+---
+title: "Android"
+icon: 'fontawesome/brands/android'
+---
+
+![Android logo](assets/img/android/android.svg){ align=right }
+
+The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features.
+
+[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage }
+[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation}
+[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" }
+
+These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. rekomendacja
+
+- [Ogólny przegląd Androida i zalecenia :hero-arrow-circle-right-fill:](os/android-overview.md)
+- [Dlaczego polecamy GrapheneOS zamiast CalyxOS :hero-arrow-circle-right-fill:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+
+## Pochodne AOSP
+
+We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems.
+
+!!! note
+
+ Urządzenia z zakończonym okresem wsparcia (takie jak urządzenia z "rozszerzonym wsparciem" dla GrapheneOS lub CalyxOS) nie posiadają pełnych poprawek bezpieczeństwa (aktualizacji oprogramowania), ponieważ ich producenci przestali je wspierać. Te urządzenia nie mogą być uznawane za w pełni bezpieczne niezależnie od zainstalowanego oprogramowania.
+
+### GrapheneOS
+
+!!! rekomendacja
+
+ ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right }
+ ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right }
+
+ **GrapheneOS** jest najlepszym wyborem w kwestii prywatności i bezpieczeństwa.
+
+ GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported.
+
+ [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+DivestOS posiada zautomatyzowane [naprawianie](https://gitlab.com/divested-mobile/cve_checker) luk bezpieczeństwa jądra ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)), mniej zastrzeżonych moduów, własny plik [hosts](https://divested.dev/index.php?page=dnsbl) oraz [F-Droid](https://www.f-droid.org) jako sklep z aplikacjami. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice.
+
+Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support).
+
+### DivestOS
+
+!!! rekomendacja
+
+ ![DivestOS logo](assets/img/android/divestos.svg){ align=right }
+
+ **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/).
+ DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices.
+
+ [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute }
+
+DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled.
+
+DivestOS implements some system hardening patches originally developed for GrapheneOS. Systemy oraz oprogramowanie sprzętowe urządzeń mobilnych są wspierane tylko przez ograniczony czas, więc kupno nowego urządzenia wydłuża jego żywotność do maksimum. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features).
+
+Unikaj kupowania urządzeń od operatorów sieci komórkowych. Posiadają one często **zablokowany program rozruchowy** i nie mają wsparcia dla [odblokowania OEM](https://source.android.com/devices/bootloader/locking_unlocking). Te warianty urządzeń uniemożliwią Ci zainstalowanie jakiejkolwiek alternatywnej dystrybucji Androida. We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply.
+
+!!! warning
+
+ DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative.
+
+ Not all of the supported devices have verified boot, and some perform it better than others.
+
+## Urządzenia z Androidem
+
+When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible.
+
+Urządzenia Google Pixel są **jedynymi** urządzeniami, które polecamy zakupić. Te urządzenia posiadają silniejsze zabezpieczenia sprzętowe niż jakiekolwiek inne urządzenia z Androidem obecnie dostępne na rynku dzięki odpowiedniemu wsparciu AVB dla alternatywnych systemów operacyjnych oraz układom bezpieczeństwa Google [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) działającymi jako Bezpieczna enklawa. These phone variants will prevent you from installing any kind of alternative Android distribution.
+
+Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner.
+
+A few more tips regarding Android devices and operating system compatibility:
+
+- Nie kupuj urządzeń, których okres wsparcia dobiegł końca lub zbliża się do tego momentu, ponieważ dodatkowe aktualizacje bezpieczeństwa muszą zostać dostarczone przez producenta.
+- Nie kupuj urządzeń z fabrycznie wgranym LineageOS lub /e/ OS lub jakiegokolwiek urządzenia z Androidem bez odpowiedniego wsparcia dla [Zweryfikowanego rozruchu](https://source.android.com/security/verifiedboot) oraz aktualizacji oprogramowania. Na tych urządzeniach nie można również sprawdzić, czy ktoś z nimi nie eksperymentował.
+- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details!
+
+### Google Pixel
+
+Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element.
+
+!!! rekomendacja
+
+ ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right }
+
+ **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems.
+
+ Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer.
+
+ [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary }
+
+Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface.
+
+Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones.
+
+The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company.
+
+A few more tips for purchasing a Google Pixel:
+
+- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock.
+- Consider price beating options and specials offered at physical stores.
+- Look at online community bargain sites in your country. These can alert you to good sales.
+- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day.
+
+## General Apps
+
+We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality.
+
+### Shelter
+
+!!! rekomendacja
+
+ ![Shelter logo](assets/img/android/shelter.svg){ align=right }
+
+ **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device.
+
+ Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)).
+
+ [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter)
+
+!!! warning
+
+ Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html).
+
+ When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile.
+
+### Auditor
+
+!!! rekomendacja
+
+ ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right }
+ ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right }
+
+ **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system.
+
+ [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation}
+ [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+Auditor performs attestation and intrusion detection by:
+
+- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*.
+- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app).
+- The *auditor* records the current state and configuration of the *auditee*.
+- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations.
+- You will be alerted to the change.
+
+No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring.
+
+If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection.
+
+### Secure Camera
+
+!!! rekomendacja
+
+ ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right }
+ ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right }
+
+ **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices.
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+Main privacy features include:
+
+- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default)
+- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required
+- Microphone permission not required unless you want to record sound
+
+!!! note
+
+ Metadata is not currently deleted from video files but that is planned.
+
+ The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser).
+
+### Secure PDF Viewer
+
+!!! rekomendacja
+
+ ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right }
+ ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right }
+
+ **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files.
+
+ [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content.
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+## Źródła aplikacji
+
+### GrapheneOS App Store
+
+GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to.
+
+### Aurora Store
+
+The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store.
+
+!!! rekomendacja
+
+ ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right }
+
+ **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps.
+
+ [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases)
+
+Aurora Store does not allow you to download paid apps with their anonymous account feature. [Aurora Store](https://auroraoss.com/download/AuroraStore/) (klient Sklepu Google Play) tego nie wymaga i działa w większości przypadków.
+
+### GrapheneOS App Store
+
+For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases.
+
+![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark)
+
+#### GitHub
+
+On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL:
+
+`https://github.com/GrapheneOS/Camera/releases.atom`
+
+#### GitLab
+
+On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL:
+
+`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom`
+
+#### Verifying APK Fingerprints
+
+If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools).
+
+1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/).
+
+2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools).
+
+3. Extract the downloaded archive:
+
+ ```bash
+ unzip commandlinetools-*.zip
+ cd cmdline-tools
+ ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3"
+ ```
+
+4. Run the signature verification command:
+
+ ```bash
+ ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk
+ ```
+
+5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website.
+
+ ```bash
+ Signer #1 certificate DN: CN=GrapheneOS
+ Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59
+ Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c
+ Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3
+ ```
+
+### Aurora Store
+
+![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px }
+
+==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages.
+
+Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust.
+
+Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.
+
+That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method.
+
+!!! note
+
+ In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Operating Systems
+
+- Must be open-source software.
+- Must support bootloader locking with custom AVB key support.
+- Must receive major Android updates within 0-1 months of release.
+- Must receive Android feature updates (minor version) within 0-14 days of release.
+- Must receive regular security patches within 0-5 days of release.
+- Must **not** be "rooted" out of the box.
+- Must **not** enable Google Play Services by default.
+- Must **not** require system modification to support Google Play Services.
+
+### Devices
+
+- Must support at least one of our recommended custom operating systems.
+- Must be currently sold new in stores.
+- Must receive a minimum of 5 years of security updates.
+- Must have dedicated secure element hardware.
+
+### Applications
+
+- Applications on this page must not be applicable to any other software category on the site.
+- General applications should extend or replace core system functionality.
+- Applications should receive regular updates and maintenance.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/assets/img/account-deletion/exposed_passwords.png b/i18n/pl/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/pl/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/pl/assets/img/android/rss-apk-dark.png b/i18n/pl/assets/img/android/rss-apk-dark.png
new file mode 100644
index 00000000..974869a4
Binary files /dev/null and b/i18n/pl/assets/img/android/rss-apk-dark.png differ
diff --git a/i18n/pl/assets/img/android/rss-apk-light.png b/i18n/pl/assets/img/android/rss-apk-light.png
new file mode 100644
index 00000000..21d6ef03
Binary files /dev/null and b/i18n/pl/assets/img/android/rss-apk-light.png differ
diff --git a/i18n/pl/assets/img/android/rss-changes-dark.png b/i18n/pl/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/pl/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/pl/assets/img/android/rss-changes-light.png b/i18n/pl/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/pl/assets/img/android/rss-changes-light.png differ diff --git a/i18n/pl/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/pl/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/pl/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pl/assets/img/how-tor-works/tor-encryption.svg b/i18n/pl/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/pl/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/pl/assets/img/how-tor-works/tor-path-dark.svg b/i18n/pl/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/pl/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pl/assets/img/how-tor-works/tor-path.svg b/i18n/pl/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/pl/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pl/assets/img/multi-factor-authentication/fido.png b/i18n/pl/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/pl/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/pl/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/pl/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/pl/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/pl/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/pl/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/pl/assets/img/qubes/qubes-trust-level-architecture.png differ 
diff --git a/i18n/pl/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/pl/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/pl/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/pl/basics/account-creation.md b/i18n/pl/basics/account-creation.md new file mode 100644 index 00000000..40dbcd5a --- /dev/null +++ b/i18n/pl/basics/account-creation.md 
@@ -0,0 +1,82 @@
+---
+title: "Account Creation"
+icon: 'material/account-plus'
+---
+
+Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line.
+
+There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer.
+
+It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.
+
+## Terms of Service & Privacy Policy
+
+The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for.
+
+The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect.
+
+We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start.
+
+Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy.
+
+## Authentication methods
+
+There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks.
+
+### Email and password
+
+The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords.
+
+!!! tip
+
+ You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key.
+
+You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts.
+
+[Recommended password managers](../passwords.md ""){.md-button}
+
+#### Email aliases
+
+If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address.
This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to.
+
+Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked.
+
+[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button}
+
+### Single sign-on
+
+!!! note
+
+ We are discussing Single sign-on for personal use, not enterprise users.
+
+Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO.
+
+When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account.
+
+The main advantages are:
+
+- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials.
+- **Ease of use**: multiple accounts are managed by a single login.
+
+But there are disadvantages:
+
+- **Privacy**: a SSO provider will know the services you use.
+- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected.
+
+SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others.
Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md).
+
+All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak.
+
+### Phone number
+
+We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted.
+
+You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts.
+
+In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number!
+
+### Username and password
+
+Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/basics/account-deletion.md b/i18n/pl/basics/account-deletion.md
new file mode 100644
index 00000000..abcaa507
--- /dev/null
+++ b/i18n/pl/basics/account-deletion.md
@@ -0,0 +1,63 @@
+---
+title: "Account Deletion"
+icon: 'material/account-remove'
+---
+
+Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence.
+
+## Finding Old Accounts
+
+### Password Manager
+
+If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/).
+
+
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png)
+
+
+Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336).
+
+Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about:
+
+- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
+- macOS [Passwords](https://support.apple.com/en-us/HT211145)
+- iOS [Passwords](https://support.apple.com/en-us/HT211146)
+- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
+
+### Dostawcy sieci VPN
+
+If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts.
+
+## Deleting Old Accounts
+
+### Log In
+
+In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page.
It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts.
+
+When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account.
+
+### GDPR (EEA residents only)
+
+Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
+
+### Overwriting Account information
+
+In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information.
+
+For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.
+
+### Delete
+
+You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
+
+For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this).
+
+If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
+
+Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services.
+
+## Avoid New Accounts
+
+As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/basics/common-misconceptions.md b/i18n/pl/basics/common-misconceptions.md
new file mode 100644
index 00000000..a85efe59
--- /dev/null
+++ b/i18n/pl/basics/common-misconceptions.md
@@ -0,0 +1,61 @@
+---
+title: "Common Misconceptions"
+icon: 'material/robot-confused'
+---
+
+## "Open-source software is always secure" or "Proprietary software is more secure"
+
+These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis.
+
+Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1]
+
+On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
+
+To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use.
+
+## "Shifting trust can increase privacy"
+
+We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that:
+
+1. 
You must exercise caution when choosing a provider to shift trust to.
+2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data.
+
+## "Privacy-focused solutions are inherently trustworthy"
+
+Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider.
+
+The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all.
+
+## "Complicated is better"
+
+We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?"
+
+Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips:
+
+1. 
==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions.
+2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember.
+3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight.
+
+So, how might this look?
+
+One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to.
+
+1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses.
+
+ We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means.
+
+ !!! tip
+
+ When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private.
+
+2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know.
This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc.
+
+ You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.
+
+3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly.
+
+ Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.)
+
+--8<-- "includes/abbreviations.pl.txt"
+
+[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident).
diff --git a/i18n/pl/basics/common-threats.md b/i18n/pl/basics/common-threats.md
new file mode 100644
index 00000000..0de46265
--- /dev/null
+++ b/i18n/pl/basics/common-threats.md
@@ -0,0 +1,149 @@
+---
+title: "Common Threats"
+icon: 'material/eye-outline'
+---
+
+Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat.
+
+- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically.
+- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically.
+- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
+- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
+- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities.
+- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
+- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public.
+- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online.
+
+Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices.
+
+## Anonymity vs. Privacy
+
+:material-incognito: Anonymity
+
+Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity.
+
+Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far.
+
+## Security and Privacy
+
+:material-bug-outline: Passive Attacks
+
+Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private.
The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.)
+
+When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited.
+
+To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control.
+
+!!! tip
+
+ Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources.
+
+ Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os).
+
+:material-target-account: Targeted Attacks
+
+Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies.
+
+!!! tip
+
+ By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this.
+
+If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user.
+
+## Privacy From Service Providers
+
+:material-server-network: Service Providers
+
+We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere.
Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them.
+
+The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord.
+
+Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party.
+
+!!! note "Note on Web-based Encryption"
+
+ In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering).
+
+ On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt.
+
+ Therefore, you should use native applications over web clients whenever possible.
+
+Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all.
+
+## Mass Surveillance Programs
+
+:material-eye-outline: Mass Surveillance
+
+Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative.
+
+!!! abstract "Atlas of Surveillance"
+
+ If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/).
+
+ In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net.
+
+Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others.
+
+!!! 
quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
+
+ In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline.
+
+Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2]
+
+Online, you can be tracked via a variety of methods:
+
+- Your IP address
+- Browser cookies
+- The data you submit to websites
+- Your browser or device fingerprint
+- Payment method correlation
+
+\[This list isn't exhaustive].
+
+If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information.
+
+:material-account-cash: Surveillance Capitalism
+
+> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3]
+
+For many people, tracking and surveillance by private corporations is a growing concern.
Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4]
+
+Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you.
+
+## Limiting Public Information
+
+:material-account-search: Public Exposure
+
+The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy.
+
+- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md)
+
+On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission.
+
+If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity.
This makes your real information indistinguishable from the false information.
+
+## Avoiding Censorship
+
+:material-close-outline: Censorship
+
+Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5]
+
+Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.
+
+People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.
+
+!!! tip
+
+ While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic.
+
+ You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place.
Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
+
+You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.
+
+--8<-- "includes/abbreviations.pl.txt"
+
+[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance).
+[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques.
+[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights).
diff --git a/i18n/pl/basics/email-security.md b/i18n/pl/basics/email-security.md
new file mode 100644
index 00000000..9593ee2c
--- /dev/null
+++ b/i18n/pl/basics/email-security.md
@@ -0,0 +1,42 @@
+---
+title: Email Security
+icon: material/email
+---
+
+Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed.
+
+As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others.
+
+## Email Encryption Overview
+
+The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
+
+There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible.
+
+### What Email Clients Support E2EE?
+
+Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication.
+
+### How Do I Protect My Private Keys?
+
+A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
+
+It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.
+
+## Email Metadata Overview
+
+Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
+
+Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent.
+
+### Who Can View Email Metadata?
+
+Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages.
+
+### Why Can't Metadata be E2EE?
+
+Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/basics/multi-factor-authentication.md b/i18n/pl/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..3f50a6c7
--- /dev/null
+++ b/i18n/pl/basics/multi-factor-authentication.md
@@ -0,0 +1,166 @@
+---
+title: "Uwierzytelnianie wieloskładnikowe"
+icon: 'material/two-factor-authentication'
+---
+
+**Uwierzytelnianie wieloskładnikowe** to mechanizm zabezpieczeń, który wymaga dodatkowych czynności poza wprowadzeniem nazwy użytkownika (lub e-maila) oraz hasła. Najczęściej spotykaną metodą są ograniczone czasowo kody otrzymywane poprzez wiadomość SMS lub aplikację.
+
+W większości przypadków, jeśli haker (lub przeciwnik) jest w stanie odgadnąć Twoje hasło, zyskuje on dostęp do konta, do którego to hasło należy. Konto z MFA zmusza hakera do posiadania zarówno hasła (coś co *wiesz*) oraz urządzenia, które posiadasz (coś co *masz*), takiego jak Twój telefon.
+
+Metody MFA różnią się pod względem bezpieczeństwa, ale opierają się na założeniu, że im trudniej jest atakującemu uzyskać dostęp do Twojej metody MFA, tym lepiej. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO.
+
+## MFA Method Comparison
+
+### SMS or Email MFA
+
+Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account.
+
+### Push Notifications
+
+Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins.
This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first.
+
+We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices.
+
+The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app.
+
+### Time-based One-time Password (TOTP)
+
+TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password.
+
+The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes.
+
+If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy.
A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app.
+
+Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds).
+
+An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
+
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+
+### Hardware security keys
+
+The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory.
+
+These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones.
+
+#### Yubico OTP
+
+Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server.
+
+When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field.
+
+The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server.
The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
+
+
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png)
+
+
+There are some benefits and disadvantages to using Yubico OTP when compared to TOTP.
+
+The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance.
+
+If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key.
+
+#### FIDO (Fast IDentity Online)
+
+[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn).
+
+U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on.
+
+WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication.
+
+
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png)
+
+
+When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal.
+
+This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards.
+
+
+
+
+
+FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods.
+
+Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy.
+
+Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys.
+
+If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA.
+
+## Ogólne zalecenia
+
+Przedstawiamy następujące ogólne zalecenia:
+
+### Z której metody mam skorzystać?
+
+When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account.
+
+### Kopie zapasowe
+
+You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one.
+
+When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)).
+
+### Konfiguracja początkowa
+
+When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well.
+
+### E-mail i SMS
+
+If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method.
+
+If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam).
+
+[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button}
+
+## Więcej miejsc do ustawienia MFA
+
+Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well.
+
+### Windows
+
+Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer.
+
+### macOS
+
+macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer.
+
+Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS.
+
+After your smartcard/security key is set up, we recommend running this command in the Terminal:
+
+```text
+sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
+```
+
+The command will prevent an adversary from bypassing MFA when the computer boots.
+
+### Linux
+
+!!! warning
+
+ If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide.
+
+The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS.
+
+### Qubes OS
+
+Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS.
+
+### SSH
+
+#### Hardware Security Keys
+
+SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up.
+
+#### Time-based One-time Password (TOTP)
+
+SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ.
+
+### KeePass (and KeePassXC)
+
+KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/basics/passwords-overview.md b/i18n/pl/basics/passwords-overview.md
new file mode 100644
index 00000000..c596d8b0
--- /dev/null
+++ b/i18n/pl/basics/passwords-overview.md
@@ -0,0 +1,112 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. 
+ +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! 
note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. 
+ + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. 
+ +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Kopie zapasowe + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pl/basics/threat-modeling.md b/i18n/pl/basics/threat-modeling.md new file mode 100644 index 00000000..a9786ffe --- /dev/null +++ b/i18n/pl/basics/threat-modeling.md 
@@ -0,0 +1,111 @@ +--- +title: "Czym są modele zagrożeń" +icon: 'material/target-account' +--- + +Osiągnięcie kompromisu pomiędzy bezpieczeństwem, prywatnością oraz łatwością korzystania jest pierwszym, a zarazem najtrudniejszym zadaniem z jakim przyjdzie Ci się zmierzyć na swojej drodze do prywatności. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +Chcąc korzystać z **najbezpieczniejszych** narzędzi należy poświęcić *ogromną ilość* funkcji. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. Z tego powodu, modele zagrożeń są ważne. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. Co chcę chronić? +2. Przed kim chcę to chronić? +3. Na ile prawdopodobne jest to, że zajdzie potrzeba to chronić? +4. Jak poważne będą konsekwencje, jeśli mi się nie uda? +5. Co jestem w stanie znieść, aby zapobiec potencjalnym konsekwencjom? + +### Co chcę chronić? + +"Zasobem" jest wszystko, co jest dla Ciebie cenne i chcesz to chronić. 
In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Twoje urządzenia również mogą stanowić zasoby. + +*Sporządź listę swoich zasobów: przechowywanych danych, gdzie są one przechowywane, kto ma do nich dostęp oraz co zapobiega uzyskaniu do nich dostępu przez inne osoby.* + +### Przed kim chcę to chronić? + +Przed odpowiedzeniem na te pytania warto ustalić, kto może chcieć próbować dotrzeć do Ciebie lub Twoich danych. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Twoja lista może zawierać osoby fizyczne, agencje rządowe lub korporacje.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### Na ile prawdopodobne jest to, że zajdzie potrzeba to chronić? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. Mimo tego, że Twój dostawca usług mobilnych posiada możliwości dostępu do wszystkich Twoich danych to ryzyko, że opublikują Twoje prywatne dane w sieci w celu zaszkodzenia Twojej reputacji jest niskie. + +Ważne jest, aby rozróżnić to, co może się wydarzyć i to, jak prawdopodobne jest, że się wydarzy. Na przykład istnieje zagrożenie, że Twój budynek ulegnie zawaleniu, ale ryzyko wystąpienia tego jest o wiele większe w San Francisco (gdzie trzęsienia ziemi są częste) niż w Sztokholmie (gdzie nie są). + +Assessing risks is both a personal and subjective process. 
Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. W innych przypadkach osoby lekceważą wysokie ryzyko, ponieważ nie postrzegają zagrożenia jako problemu. + +*Zapisz, które zagrożenia zamierzasz traktować poważnie, a które mogą być zbyt rzadkie lub zbyt mało szkodliwe (lub zbyt trudne do zwalczenia), by się nimi przejmować.* + +### Jak poważne będą konsekwencje, jeśli mi się nie uda? + +Twój przeciwnik może uzyskać dostęp do Twoich danych na wiele sposobów. Na przykład: przeciwnik może czytać Twoją prywatną komunikację w trakcie jej podróży poprzez sieć lub usunąć oraz uszkodzić Twoje dane. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. Haker może uzyskać dostęp do Twojej nieszyfrowanej komunikacji, gdy korzystasz z otwartej sieci Wi-Fi. Twój rząd może mieć większe możliwości. + +*Zapisz, co Twój przeciwnik może chcieć zrobić z Twoimi danymi.* + +### Co jestem w stanie znieść, aby zapobiec potencjalnym konsekwencjom? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. 
+ +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**Co chcesz chronić? (lub *co w Twoim posiadaniu jest warte ochrony?*)** +: + +Twoim mieniem mogą być biżuteria, elektronika, ważne dokumenty oraz zdjęcia. + +**Przed kim chcesz to chronić?** +: + +Twoimi przeciwnikami mogą być włamywacze, współlokatorzy oraz goście. + +**Na ile prawdopodobne jest to, że będziesz musieć to chronić?** +: + +Czy w Twojej dzielnicy mają miejsce włamania? How trustworthy are your roommates or guests? Co są w stanie zrobić Twoi przeciwnicy? Jakie zagrożenia należy wziąć pod uwagę? + +**Jak poważne będą konsekwencję, jeśli Ci się nie uda?** +: + +Czy posiadasz w swoim domu coś, czego nie da się zastąpić? Do you have the time or money to replace those things? Czy posiadasz ubezpieczenie, które obejmuje ochronę Twojego mienia od kradzieży? + +**Ile czasu jesteś w stanie poświęcić, aby zapobiec tym konsekwencjom?** +: + +Czy jesteś w stanie kupić sejf na wrażliwe dokumenty? Czy możesz sobie pozwolić na zakup wysokiej jakości kłódki? Czy masz czas na założenie skrytki bankowej w swoim lokalnym banku, aby przechowywać tam swoje kosztowności? + +Dopiero po odpowiedzeniu sobie na te pytania, będziesz mieć możliwość oceny, jakie działania należy podjąć. 
Jeśli Twoja własność jest cenna, ale prawdopodobieństwo włamania jest niskie, nie warto inwestować zbyt wiele pieniędzy w zamek. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Stworzenie planu bezpieczeństwa pomoże Ci zrozumieć zagrożenia, które są unikalne dla Twojej osoby oraz oszacować Twoje zasoby, przeciwników, ich możliwości oraz prawdopodobieństwo wystąpienia ryzyka. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Źródła + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pl/basics/vpn-overview.md b/i18n/pl/basics/vpn-overview.md new file mode 100644 index 00000000..6c7660e4 --- /dev/null +++ b/i18n/pl/basics/vpn-overview.md 
@@ -0,0 +1,78 @@ +--- +title: VPN Overview +icon: material/vpn +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. 
However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. 
If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. 
Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pl/calendar.md b/i18n/pl/calendar.md new file mode 100644 index 00000000..de724097 --- /dev/null +++ b/i18n/pl/calendar.md 
@@ -0,0 +1,72 @@ +--- +title: "Calendar Sync" +icon: material/calendar +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! rekomendacja + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Funkcje obejmują: automatyczne szyfrowanie E2E wszystkich danych, funkcje udostępniania, importowanie/eksportowanie, uwierzytelnianie wieloskładnikowe i [więcej](https://tutanota.com/calendar-app-comparison/). + + Wiele kalendarzy oraz rozszerzone funkcje udostępniania są ograniczone do płatnych subskrybentów. + + [:octicons-home-16: Strona WWW](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Polityka prywatności" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Dokumentacja} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Kod źródłowy" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Darowizna } + + ??? 
do pobrania + + - [:octicons-browser-16: Internet](https://mail.tutanota.com/) + - [:fontawesome-brands-windows: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:fontawesome-brands-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:fontawesome-brands-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:fontawesome-brands-google-play: Sklep Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.tutao.tutanota) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + +## Proton Calendar + +!!! rekomendacja + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pl/cloud.md b/i18n/pl/cloud.md new file mode 100644 index 00000000..4a9c053e --- /dev/null +++ b/i18n/pl/cloud.md 
@@ -0,0 +1,62 @@
+---
+title: "Cloud Storage"
+icon: material/file-cloud
+---
+
+Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by either putting you in control of your data or by implementing E2EE.
+
+If these alternatives do not fit your needs, we suggest you look into [Encryption Software](encryption.md).
+
+??? question "Looking for Nextcloud?"
+
+ Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users.
+
+## Proton Drive
+
+!!! rekomendacja
+
+ ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right }
+
+ **Proton Drive** is an E2EE general file storage service by the popular encrypted email provider [Proton Mail](https://proton.me/mail).
+
+ [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851)
+
+Proton Drive's mobile clients were released in December 2022 and are not yet open-source. Proton has historically delayed their source code releases until after initial product releases, and [plans to](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) release the source code by the end of 2023. Proton Drive desktop clients are still in development.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must enforce end-to-end encryption.
+- Must offer a free plan or trial period for testing.
+- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins.
+- Must offer a web interface which supports basic file management functionality.
+- Must allow for easy exports of all files/documents.
+- Must use standard, audited encryption.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Clients should be open-source.
+- Clients should be audited in their entirety by an independent third-party.
+- Should offer native clients for Linux, Android, Windows, macOS, and iOS.
+ - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android.
+- Should support easy file-sharing with other users.
+- Should offer at least basic file preview and editing functionality on the web interface.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/data-redaction.md b/i18n/pl/data-redaction.md
new file mode 100644
index 00000000..15cfda67
--- /dev/null
+++ b/i18n/pl/data-redaction.md
@@ -0,0 +1,146 @@
+---
+title: "Data and Metadata Redaction"
+icon: material/tag-remove
+---
+
+When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata.
+
+## Desktop
+
+### MAT2
+
+!!! rekomendacja
+
+ ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right }
+
+ **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org).
+
+ On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner).
+
+ [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation}
+ [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://pypi.org/project/mat2)
+ - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew)
+ - [:simple-linux: Linux](https://pypi.org/project/mat2)
+ - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface)
+
+## Mobile
+
+### ExifEraser (Android)
+
+!!! rekomendacja
+
+ ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right }
+
+ **ExifEraser** is a modern, permissionless image metadata erasing application for Android.
+
+ It currently supports JPEG, PNG and WebP files.
+
+ [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser)
+ - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser)
+ - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases)
+
+The metadata that is erased depends on the image's file type:
+
+* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists.
+* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+
+After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image.
+
+The app offers multiple ways to erase metadata from images. Namely:
+
+* You can share an image from another application with ExifEraser.
+* Through the app itself, you can select a single image, multiple images at once, or even an entire directory.
+* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it.
+* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode.
+* Lastly, it allows you to paste an image from your clipboard.
+
+### Metapho (iOS)
+
+!!! rekomendacja
+
+ ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right }
+
+ **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location.
+
+ [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352)
+
+### PrivacyBlur
+
+!!! rekomendacja
+
+ ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right }
+
+ **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online.
+
+ [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106)
+
+!!! warning
+
+ You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid).
+
+## Command-line
+
+### ExifTool
+
+!!! rekomendacja
+
+ ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right }
+
+ **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more).
+
+ It's often a component of other Exif removal applications and is in most Linux distribution repositories.
+
+ [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://exiftool.org)
+ - [:simple-apple: macOS](https://exiftool.org)
+ - [:simple-linux: Linux](https://exiftool.org)
+
+!!! example "Deleting data from a directory of files"
+
+ ```bash
+ exiftool -all= *.file_extension
+ ```
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Apps developed for open-source operating systems must be open-source.
+- Apps must be free and should not include ads or other limitations.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/desktop-browsers.md b/i18n/pl/desktop-browsers.md
new file mode 100644
index 00000000..0c8d6b45
--- /dev/null
+++ b/i18n/pl/desktop-browsers.md
@@ -0,0 +1,263 @@
+---
+title: "Desktop Browsers"
+icon: material/laptop
+---
+
+These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping your browser extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Firefox
+
+!!! rekomendacja
+
+ ![Firefox logo](assets/img/browsers/firefox.svg){ align=right }
+
+ **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks).
+
+ [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows)
+ - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac)
+ - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox)
+
+!!!
warning
+ Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/).
+
+### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Privacy & Security**.
+
+##### Enhanced Tracking Protection
+
+- [x] Select **Strict** Enhanced Tracking Protection
+
+This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability.
+
+##### Sanitize on Close
+
+If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...**
+
+- [x] Check **Delete cookies and site data when Firefox is closed**
+
+This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often.
+
+##### Search Suggestions
+
+- [ ] Uncheck **Provide search suggestions**
+
+Search suggestion features may not be available in your region.
+
+Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider.
+
+##### Telemetry
+
+- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla**
+- [ ] Uncheck **Allow Firefox to install and run studies**
+- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf**
+
+> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.
+
+Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out:
+
+1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection)
+2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts**
+
+##### HTTPS-Only Mode
+
+- [x] Select **Enable HTTPS-Only Mode in all windows**
+
+This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing.
+
+### Firefox Sync
+
+[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE.
+
+### Arkenfox (advanced)
+
+The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox.
If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support.
+
+## Brave
+
+!!! rekomendacja
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ??? downloads annotate
+
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+ - [:simple-windows11: Windows](https://brave.com/download/)
+ - [:simple-apple: macOS](https://brave.com/download/)
+ - [:simple-linux: Linux](https://brave.com/linux/) (1)
+
+ 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc.
+
+### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings**.
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+- [x] Select **Prevent sites from fingerprinting me based on my language preferences**
+- [x] Select **Aggressive** under Trackers & ads blocking
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under Block fingerprinting
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Social media blocking
+
+- [ ] Uncheck all social media components
+
+##### Privacy and security
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Use Google services for push messaging**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [x] Select **Always use secure connections** in the **Security** menu
+- [ ] Uncheck **Private window with Tor** (1)
+
+ !!! tip "Sanitizing on Close"
+ - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu
+
+ If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section.
+
+
+1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser).
+
+##### Extensions
+
+Disable built-in extensions you do not use in **Extensions**
+
+- [ ] Uncheck **Hangouts**
+- [ ] Uncheck **WebTorrent**
+
+##### IPFS
+
+InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+- [x] Select **Disabled** on Method to resolve IPFS resources
+
+##### Additional settings
+
+Under the *System* menu
+
+
+- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1)
+
+
+1. This option is not present on all platforms.
+
+### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## Android
+
+We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality.
+
+### uBlock Origin
+
+!!! rekomendacja
+
+ ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right }
+
+ **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts.
+
+ [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak)
+
+We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css).
+
+##### Other lists
+
+These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding:
+
+- [x] Check **Privacy** > **AdGuard URL Tracking Protection**
+- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must be open-source software.
+- Supports automatic updates.
+- Receives engine updates in 0-1 days from upstream release.
+- Available on Linux, macOS, and Windows.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Blocks third-party cookies by default.
+- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1]
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category.
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Includes built-in content blocking functionality.
+- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)).
+- Supports Progressive Web Apps.
+ PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates.
+- Does not include add-on functionality (bloatware) that does not impact user privacy.
+- Does not collect telemetry by default.
+- Provides open-source sync server implementation.
+- Defaults to a [private search engine](search-engines.md).
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.pl.txt"
+
+[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/).
diff --git a/i18n/pl/desktop.md b/i18n/pl/desktop.md
new file mode 100644
index 00000000..3f4000b3
--- /dev/null
+++ b/i18n/pl/desktop.md
@@ -0,0 +1,184 @@ +--- +title: "Magazyny chmurowe" +icon: fontawesome/brands/linux +--- + +Dystrybucje systemu Linux są powszechnie polecane, jeśli chodzi o ochronę prywatności oraz wolne oprogramowanie. Jeśli nie korzystasz jeszcze z systemu Linux, poniżej znajdziesz kilka dystrybucji, które polecamy wypróbować oraz kilka ogólnych porad dotyczących lepszej prywatności i bezpieczeństwa, które mają zastosowanie dla wielu dystrybucji systemu Linux. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Tradycyjne dystrybucje + +### Fedora Workstation + +!!! rekomendacja + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. Podczas gdy aktualizacja niektórych pakietów, takich jak [GNOME](https://www.gnome.org) jest wstrzymywana do następnego wydania Fedora, większość pakietów (w tym jądro) jest często aktualizowanych podczas okresu wsparcia dla wydania. Każde wydanie Fedora jest wspierane przez jeden rok, a nowe wersje są wydawane co 6 miesięcy. + +### openSUSE Tumbleweed + +!!! rekomendacja + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. 
+ + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. Podczas aktualizacji systemu pobierany jest nowy punkt kontrolny. Każdy z nich jest poddawany serii testów przez [openQA](https://openqa.opensuse.org), aby zapewnić o jego jakości. + +### Arch Linux + +!!! rekomendacja + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). 
+ +## Immutable Distributions + +### Fedora Silverblue + +!!! rekomendacja + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. 
+ +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! rekomendacja + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. 
You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! rekomendacja + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. 
+ +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! rekomendacja + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. 
[Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! rekomendacja + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pl/dns.md b/i18n/pl/dns.md new file mode 100644 index 00000000..f326defd --- /dev/null +++ b/i18n/pl/dns.md 
@@ -0,0 +1,142 @@ +--- +title: "DNS Resolvers" +icon: material/dns +--- + +!!! question "Should I use encrypted DNS?" + + Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + + [Learn more about DNS](advanced/dns-overview.md){ .md-button } + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### Android + +Najnowsze wersje systemów iOS, iPadOS, tvOS oraz macOS obsługują zarówno DoT oraz DoH. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Urządzenia Apple + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). 
+ +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! 
rekomendacja + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! rekomendacja + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." 
+ + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! rekomendacja + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! 
rekomendacja
+
+ ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right }
+
+ **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute }
+
+--8<-- "includes/abbreviations.pl.txt"
+
+[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html)
+[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/)
+[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy)
+[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/)
+[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy)
+[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/)
diff --git a/i18n/pl/email-clients.md b/i18n/pl/email-clients.md
new file mode 100644
index 00000000..09dfdfe4
--- /dev/null
+++ b/i18n/pl/email-clients.md
@@ -0,0 +1,239 @@
+---
+title: "Email Clients"
+icon: material/email-open
+---
+
+Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft.
+
+??? warning "Email does not provide forward secrecy"
+
+ When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email.
+
+ OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy:
+
+ [Real-time Communication](real-time-communication.md){ .md-button }
+
+## Cross-Platform
+
+### Thunderbird
+
+!!! rekomendacja
+
+ ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right }
+
+ **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation.
+
+ [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation}
+ [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.thunderbird.net)
+ - [:simple-apple: macOS](https://www.thunderbird.net)
+ - [:simple-linux: Linux](https://www.thunderbird.net)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird)
+
+#### Recommended Configuration
+
+We recommend changing some of these settings to make Thunderbird a little more private.
+
+These options can be found in :material-menu: → **Settings** → **Privacy & Security**.
+
+##### Web Content
+
+- [ ] Uncheck **Remember websites and links I've visited**
+- [ ] Uncheck **Accept cookies from sites**
+
+##### Telemetry
+
+- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla**
+
+#### Thunderbird-user.js (advanced)
+
+[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js).
+
+## Platform Specific
+
+### Apple Mail (macOS)
+
+!!! rekomendacja
+
+ ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right }
+
+ **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email.
+
+ [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation}
+
+### Canary Mail (iOS)
+
+!!! rekomendacja
+
+ ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right }
+
+ **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock.
+
+ [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954)
+ - [:simple-windows11: Windows](https://canarymail.io/downloads.html)
+
+!!! warning
+
+ Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts.
+
+Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE.
+
+### FairEmail (Android)
+
+!!! rekomendacja
+
+ ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right }
+
+ **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage.
+
+ [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email)
+ - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases)
+
+### GNOME Evolution (GNOME)
+
+!!! rekomendacja
+
+ ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right }
+
+ **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started.
+
+ [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution)
+
+### K-9 Mail (Android)
+
+!!! rekomendacja
+
+ ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right }
+
+ **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP.
+
+ In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android.
+
+ [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9)
+ - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases)
+
+!!! warning
+
+ When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738).
+
+### Kontact (KDE)
+
+!!! rekomendacja
+
+ ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right }
+
+ **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client.
+
+ [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-linux: Linux](https://kontact.kde.org/download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact)
+
+### Mailvelope (Browser)
+
+!!! rekomendacja
+
+ ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right }
+
+ **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard.
+
+ [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc)
+
+### NeoMutt (CLI)
+
+!!! rekomendacja
+
+ ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right }
+
+ **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features.
+
+ NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable.
+
+ [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-apple: macOS](https://neomutt.org/distro)
+ - [:simple-linux: Linux](https://neomutt.org/distro)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Apps developed for open-source operating systems must be open-source.
+- Must not collect telemetry, or have an easy way to disable all telemetry.
+- Must support OpenPGP message encryption.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be open-source.
+- Should be cross-platform.
+- Should not collect any telemetry by default.
+- Should support OpenPGP natively, i.e. without extensions.
+- Should support storing OpenPGP encrypted emails locally.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/email.md b/i18n/pl/email.md
new file mode 100644
index 00000000..e820464b
--- /dev/null
+++ b/i18n/pl/email.md
@@ -0,0 +1,485 @@
+---
+title: "Email Services"
+icon: material/email
+---
+
+Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy.
+
+[Recommended Instant Messengers](real-time-communication.md ""){.md-button}
+
+For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features.
+
+## OpenPGP Compatible Services
+
+These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
+
+!!! warning
+
+ When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview).
+
+ OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
+
+### Proton Mail
+
+!!! rekomendacja
+
+ ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right }
+
+ **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan.
+
+ [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905)
+ - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases)
+ - [:simple-windows11: Windows](https://proton.me/mail/bridge#download)
+ - [:simple-apple: macOS](https://proton.me/mail/bridge#download)
+ - [:simple-linux: Linux](https://proton.me/mail/bridge#download)
+ - [:octicons-browser-16: Web](https://mail.proton.me)
+
+Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
+
+If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free.
+
+Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**.
+
+??? success "Custom Domains and Aliases"
+
+ Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain.
+
+??? success "Private Payment Methods"
+
+ Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments.
+
+??? success "Account Security"
+
+ Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code.
+
+??? success "Data Security"
+
+ Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you.
+
+ Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon.
+
+??? success "Email Encryption"
+
+ Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP.
+
+ Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE.
+
+??? warning "Digital Legacy"
+
+ Proton Mail doesn't offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period.
+
+??? info "Additional Functionality"
+
+ Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage.
+
+### Mailbox.org
+
+!!! rekomendacja
+
+ ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right }
+
+ **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed.
+
+ [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:octicons-browser-16: Web](https://login.mailbox.org)
+
+??? success "Custom Domains and Aliases"
+
+ Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain.
+
+??? info "Private Payment Methods"
+
+ Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung.
+
+??? success "Account Security"
+
+ Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported.
+
+??? info "Data Security"
+
+ Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key.
+
+ However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information.
+
+??? success "Email Encryption"
+
+ Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox.
+
+ Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE.
+
+??? success "Digital Legacy"
+
+ Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address.
+
+??? info "Account Termination"
+
+ Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract).
+
+??? info "Additional Functionality"
+
+ You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors.
+
+ All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3.
+
+### StartMail
+
+!!! rekomendacja
+
+ ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right }
+ ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right }
+
+ **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial.
+
+ [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:octicons-browser-16: Web](https://mail.startmail.com/login)
+
+??? success "Custom Domains and Aliases"
+
+ Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available.
+
+??? warning "Private Payment Methods"
+
+ StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year.
+
+??? success "Account Security"
+
+ StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication.
+
+??? info "Data Security"
+
+ StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key.
+
+ StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption.
+
+??? success "Email Encryption"
+
+ StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys.
+
+??? warning "Digital Legacy"
+
+ StartMail does not offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration).
+
+??? info "Additional Functionality"
+
+ StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is.
+
+## More Providers
+
+These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers.
+
+### Tutanota
+
+!!! rekomendacja
+
+ ![Tutanota logo](assets/img/email/tutanota.svg){ align=right }
+
+ **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan.
+
+ [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609)
+ - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases)
+ - [:simple-windows11: Windows](https://tutanota.com/#download)
+ - [:simple-apple: macOS](https://tutanota.com/#download)
+ - [:simple-linux: Linux](https://tutanota.com/#download)
+ - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+
+Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders.
+
+??? success "Custom Domains and Aliases"
+
+ Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain.
+
+??? warning "Private Payment Methods"
+
+ Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore.
+
+??? success "Account Security"
+
+ Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F.
+
+??? success "Data Security"
+
+ Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you.
+
+??? warning "Email Encryption"
+
+ Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external).
+
+??? warning "Digital Legacy"
+
+ Tutanota doesn't offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay.
+
+??? info "Additional Functionality"
+
+ Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount.
+
+ Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y.
+
+## Email Aliasing Services
+
+An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address.
+
+Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning.
+
+Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain:
+
+- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly.
+- Replies are sent from the alias address, shielding your real email address.
+
+They also have a number of benefits over "temporary email" services:
+
+- Aliases are permanent and can be turned on again if you need to receive something like a password reset.
+- Emails are sent to your trusted mailbox rather than stored by the alias provider.
+- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you.
+
+Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign.
+
+Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider.
+
+### AnonAddy
+
+!!! rekomendacja
+
+ ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right }
+ ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right }
+
+ **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous.
+
+ [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app)
+ - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe)
+
+The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.
+
+Notable free features:
+
+- [x] 20 Shared Aliases
+- [x] Unlimited Standard Aliases
+- [ ] No Outgoing Replies
+- [x] 2 Recipient Mailboxes
+- [x] Automatic PGP Encryption
+
+### SimpleLogin
+
+!!! rekomendacja
+
+ ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right }
+
+ **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains.
+
+ [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
+
+ ???
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! 
rekomendacja + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! rekomendacja + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. 
We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. 
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). 
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption.
+- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
+- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
+- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
+- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
+- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/).
+- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
+- Website security standards such as:
+ - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+ - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
+- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt.
+
+**Best Case:**
+
+- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name).
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support.
+- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+- Website security standards such as:
+ - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
+ - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the email providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+
+- Reusing personal information e.g.
(email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc)
+- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+
+**Best Case:**
+
+- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
+
+### Additional Functionality
+
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/encryption.md b/i18n/pl/encryption.md
new file mode 100644
index 00000000..ccb3fbf1
--- /dev/null
+++ b/i18n/pl/encryption.md
@@ -0,0 +1,357 @@
+---
+title: "Oprogramowanie szyfrujące"
+icon: material/file-lock
+---
+
+Szyfrowanie danych to jedyny sposób na kontrolowanie tego, kto ma do nich dostęp. Jeśli obecnie nie używasz oprogramowania szyfrującego dla swojego dysku, e-maili lub plików, możesz wybrać jedną z tych opcji.
+
+## Międzyplatformowe
+
+Wymienione tutaj opcje są międzyplatformowe i świetnie nadają się do tworzenia szyfrowanych kopii zapasowych sowich danych.
+
+### Cryptomator (Chmura)
+
+!!! rekomendacja
+
+ ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right }
+
+ **Cryptomator** to rozwiązanie szyfrujące zaprojektowane do prywatnego zapisywania plików do dowolnego dostawcy usług chmury. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider.
+
+ [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:simple-android: Android](https://cryptomator.org/android)
+ - [:simple-windows11: Windows](https://cryptomator.org/downloads)
+ - [:simple-apple: macOS](https://cryptomator.org/downloads)
+ - [:simple-linux: Linux](https://cryptomator.org/downloads)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+
+Cryptomator wykorzystuje szyfrowanie AES-256 do szyfrowania zarówno plików, jak i nazw plików.
Cryptomator nie może szyfrować metadanych, takich jak daty dostępu, modyfikacji oraz utworzenia, ani liczby i rozmiaru plików i folderów. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! rekomendacja + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! rekomendacja + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. 
+ +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! rekomendacja + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** to funkcja pełnego szyfrowania woluminów dołączona do systemów Microsoft Windows. Głównym powodem naszej rekomendacji tego rozwiązania jest {wykorzystanie modułu TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. 
Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! rekomendacja + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! 
rekomendacja + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! 
rekomendacja + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! rekomendacja + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! rekomendacja + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! 
rekomendacja + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! rekomendacja + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. 
+ + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! rekomendacja + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! rekomendacja + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. 
Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. 
+- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave.
+- File encryption apps should have first- or third-party support for mobile platforms.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/file-sharing.md b/i18n/pl/file-sharing.md
new file mode 100644
index 00000000..7c5c2668
--- /dev/null
+++ b/i18n/pl/file-sharing.md
@@ -0,0 +1,156 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +--- + +Dowiedz się, jak prywatnie udostępniać piki pomiędzy swoimi urządzeniami, ze znajomymi lub rodziną lub anonimowo w sieci. + +## Udostępnianie plików + +### Send + +!!! rekomendacja + + ![Magic Wormhole logo](assets/img/file-sharing-sync/magic_wormhole.png){ align=right } + + **Magic Wormhole** to pakiet, który dostarcza bibliotekę i narzędzie konsolowe o nazwie wormhole, które umożliwia wysyłanie plików i katalogów (lub kawałków tekstu) o dowolnym rozmiarze z jednego komputera na drugi. [:octicons-repo-16: Repozytorium](https://github.com/magic-wormhole/magic-wormhole){ .md-button .md-button--primary } + [:octicons-info-16:](https://magic-wormhole.readthedocs.io/){ .card-link title=Dokumentacja} + [:octicons-code-16:](https://github.com/magic-wormhole/magic-wormhole){ .card-link title="Kod źródłowy" } + + ??? pobieranie + + - [:fontawesome-brands-windows: Windows](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation) + - [:fontawesome-brands-apple: macOS](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#macos-os-x) + - [:fontawesome-brands-linux: Linux](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation) You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. 
If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! rekomendacja + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. 
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! rekomendacja + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! rekomendacja + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. 
+ + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! rekomendacja + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. 
+ + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. 
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Has mobile clients for iOS and Android, which at least support document previews.
+- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/frontends.md b/i18n/pl/frontends.md
new file mode 100644
index 00000000..3b041ef0
--- /dev/null
+++ b/i18n/pl/frontends.md
@@ -0,0 +1,268 @@ +--- +title: "Menedżery haseł" +icon: material/flip-to-front +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## Klienty + +### Librarian + +!!! rekomendacja + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. 
+ +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! rekomendacja + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. 
Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! rekomendacja + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! rekomendacja + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). 
When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! rekomendacja + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. 
+ + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! rekomendacja + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. 
+ + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. 
+ + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Ostrzeżenie + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! rekomendacja + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. 
Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! rekomendacja + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! 
tip
+
+ Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting.
+
+When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Recommended frontends...
+
+- Must be open-source software.
+- Must be self-hostable.
+- Must provide all basic website functionality available to anonymous users.
+
+We only consider frontends for websites which are...
+
+- Not normally accessible without JavaScript.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/index.md b/i18n/pl/index.md
new file mode 100644
index 00000000..19b703ce
--- /dev/null
+++ b/i18n/pl/index.md
@@ -0,0 +1,44 @@
+---
+template: overrides/home.pl.html
+hide:
+ - navigation
+ - toc
+ - feedback
+---
+
+
+## A kogo to obchodzi?
+
+##### "Ja nie mam nic do ukrycia. Po co mam się martwić o swoją prywatność?"
+
+Podobnie jak prawo do małżeństw różnych ras, prawo wyborcze kobiet, wolność słowa i wiele innych, nasze prawo do prywatności nie zawsze było egzekwowane. W części dyktatur nadal nie jest. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination).
+
+You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human.
+
+[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary}
+
+## What should I do?
+
+##### First, you need to make a plan
+
+Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them.
+
+==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
+
+[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary}
+
+---
+
+## We need you!
Here's how to get involved:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" }
+[:material-information-outline:](about/index.md){ title="Learn more about us" }
+[:material-hand-coin-outline:](about/donate.md){ title="Support the project" }
+
+It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/kb-archive.md b/i18n/pl/kb-archive.md
new file mode 100644
index 00000000..629dbfe2
--- /dev/null
+++ b/i18n/pl/kb-archive.md
@@ -0,0 +1,18 @@
+---
+title: KB Archive
+icon: material/archive
+---
+
+# Pages Moved to Blog
+
+Some pages that used to be in our knowledge base can now be found on our blog:
+
+- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
+- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
+- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+- [Integracja usuwania metadanych](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
+- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/meta/brand.md b/i18n/pl/meta/brand.md
new file mode 100644
index 00000000..896f1703
--- /dev/null
+++ b/i18n/pl/meta/brand.md
@@ -0,0 +1,24 @@
+---
+title: Branding Guidelines
+---
+
+The name of the website is **Privacy Guides** and should **not** be changed to:
+
+- PrivacyGuides
+- Privacy guides
+- PG
+- PG.org
+
+
+The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**.
+
+Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand)
+
+## Trademark
+
+"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project.
+
+Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/meta/git-recommendations.md b/i18n/pl/meta/git-recommendations.md
new file mode 100644
index 00000000..7d1c2668
--- /dev/null
+++ b/i18n/pl/meta/git-recommendations.md
@@ -0,0 +1,48 @@
+---
+title: Git Recommendations
+---
+
+If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations.
+
+## Enable SSH Key Commit Signing
+
+You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
+
+1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo):
+ ```
+ git config --global commit.gpgsign true
+ git config --global gpg.format ssh
+ git config --global tag.gpgSign true
+ ```
+2. Copy your SSH public key to your clipboard, for example:
+ ```
+ pbcopy < ~/.ssh/id_ed25519.pub
+ # Copies the contents of the id_ed25519.pub file to your clipboard
+ ```
+3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard:
+ ```
+ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'
+ ```
+
+Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key).
+
+## Rebase on Git pull
+
+Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo).
+
+You can set this to be the default behavior:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase from `main` before submitting a PR
+
+If you are working on your own branch, run these commands before submitting a PR:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/meta/uploading-images.md b/i18n/pl/meta/uploading-images.md
new file mode 100644
index 00000000..58a7b0f4
--- /dev/null
+++ b/i18n/pl/meta/uploading-images.md
@@ -0,0 +1,91 @@
+---
+title: Uploading Images
+---
+
+Here are a couple of general rules for contributing to Privacy Guides:
+
+## Images
+
+- We **prefer** SVG images, but if those do not exist we can use PNG images
+
+Company logos have canvas size of:
+
+- 128x128px
+- 384x128px
+
+## Optimization
+
+### PNG
+
+Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image:
+
+```bash
+optipng -o7 file.png
+```
+
+### SVG
+
+#### Inkscape
+
+[Scour](https://github.com/scour-project/scour) all SVG images.
+
+In Inkscape:
+
+1. File Save As..
+2. Set type to Optimized SVG (*.svg)
+
+In the **Options** tab:
+
+- **Number of significant digits for coordinates** > **5**
+- [x] Turn on **Shorten color values**
+- [x] Turn on **Convert CSS attributes to XML attributes**
+- [x] Turn on **Collapse groups**
+- [x] Turn on **Create groups for similar attributes**
+- [ ] Turn off **Keep editor data**
+- [ ] Turn off **Keep unreferenced definitions**
+- [x] Turn on **Work around renderer bugs**
+
+In the **SVG Output** tab under **Document options**:
+
+- [ ] Turn off **Remove the XML declaration**
+- [x] Turn on **Remove metadata**
+- [x] Turn on **Remove comments**
+- [x] Turn on **Embeded raster images**
+- [x] Turn on **Enable viewboxing**
+
+In the **SVG Output** under **Pretty-printing**:
+
+- [ ] Turn off **Format output with line-breaks and indentation**
+- **Indentation characters** > Select **Space**
+- **Depth of indentation** > **1**
+- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element**
+
+In the **IDs** tab:
+
+- [x] Turn on **Remove unused IDs**
+- [ ] Turn off **Shorten IDs**
+- **Prefix shortened IDs with** > `leave blank`
+- [x] Turn on **Preserve manually created IDs not ending with digits**
+- **Preserve the following IDs** > `leave blank`
+- **Preserve IDs starting with** > `leave blank`
+
+#### CLI
+
+The same can be achieved with the [Scour](https://github.com/scour-project/scour) command:
+
+```bash
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/meta/writing-style.md b/i18n/pl/meta/writing-style.md
new file mode 100644
index 00000000..b5b31357
--- /dev/null
+++ b/i18n/pl/meta/writing-style.md
@@ -0,0 +1,89 @@
+---
+title: Writing Style
+---
+
+Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt.
+
+In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below.
+
+## Writing for our audience
+
+Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with.
+
+### Address only what people want to know
+
+People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details.
+
+> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.”
+
+### Address people directly
+
+We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly.
+
+> More than any other single technique, using “you” pulls users into the information and makes it relevant to them.
+>
+> When you use “you” to address users, they are more likely to understand what their responsibility is.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/)
+
+### Avoid "users"
+
+Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for.
+
+## Organizing content
+
+Organization is key.
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas.
+
+- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages.
+- Mark important ideas with **bold** or *italics*.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
+
+### Begin with a topic sentence
+
+> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details.
+>
+> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
+
+## Choose your words carefully
+
+> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand.
+
+We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly.
+
+> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences:
+>
+> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends.
+>
+> And the original, using stronger, simpler words:
+>
+> > More night jobs would keep youths off the streets.
+
+## Be concise
+
+> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
+
+## Keep text conversational
+
+> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting.
+>
+> Verbs tell your audience what to do. Make sure it’s clear who does what.
+
+### Use active voice
+
+> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.”
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
+
+### Use "must" for requirements
+
+> - “must” for an obligation
+> - “must not” for a prohibition
+> - “may” for a discretionary action
+> - “should” for a recommendation
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/mobile-browsers.md b/i18n/pl/mobile-browsers.md
new file mode 100644
index 00000000..a89eebfc
--- /dev/null
+++ b/i18n/pl/mobile-browsers.md
@@ -0,0 +1,193 @@
+---
+title: "Przeglądarki mobilne"
+icon: octicons/device-mobile-16
+---
+
+Oto obecnie polecane przez nas przeglądarki mobilne oraz ich konfiguracje. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. Ogólnie rzecz biorąc, zalecamy ograniczenie rozszerzeń do minimum; posiadają one uprzywilejowany dostęp do Twojej przeglądarki, wymagają zaufania do twórcy, mogą wspomóc [personalizowanie](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) oraz [osłabić](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) izolację witryn.
+
+## Android
+
+Na Androidzie, Firefox jest nadal mniej bezpieczna od alternatyw bazujących na silniku Chromium: Silnik od Mozilla, [GeckoView](https://mozilla.github.io/geckoview/), nie posiada jeszcze wsparcia dla [izolowania witryn](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) oraz włączonego [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
+
+### Brave
+
+!!! rekomendacja
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ???
downloads annotate
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+
+#### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy**
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+##### Brave shields global defaults
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+- [x] Select **Aggressive** under Block trackers & ads
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] Select **Upgrade connections to HTTPS**
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under **Block fingerprinting**
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Clear browsing data
+
+- [x] Select **Clear data on exit**
+
+##### Social Media Blocking
+
+- [ ] Uncheck all social media components
+
+##### Other privacy settings
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Allow sites to check if you have payment methods saved**
+- [ ] Uncheck **IPFS Gateway** (1)
+- [x] Select **Close tabs on exit**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+
+1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+
+#### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## iOS
+
+W systemie iOS każda aplikacja, która umożliwia przeglądanie Internetu [ma obowiązek](https://developer.apple.com/app-store/review/guidelines) korzystać z [platformy WebKit](https://developer.apple.com/documentation/webkit) dostarczonej przez Apple, więc nie ma zbyt wielu powodów na używanie zewnętrznych przeglądarek.
+
+### Safari
+
+!!! rekomendacja
+
+ ![Safari logo](assets/img/browsers/safari.svg){ align=right }
+
+ **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
+
+ [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation}
+
+#### Recommended Configuration
+
+These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.
+
+##### Cross-Site Tracking Prevention
+
+- [x] Enable **Prevent Cross-Site Tracking**
+
+This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
+
+##### Privacy Report
+
+Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
+
+Privacy Report is accessible via the Page Settings menu.
+
+##### Privacy Preserving Ad Measurement
+
+- [ ] Disable **Privacy Preserving Ad Measurement**
+
+Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
+
+The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
+
+##### Always-on Private Browsing
+
+Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
+
+- [x] Select **Private**
+
+Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
+
+Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
+
+##### iCloud Sync
+
+Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303).
Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
+
+You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**.
+
+- [x] Turn On **Advanced Data Protection**
+
+If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
+
+### AdGuard
+
+!!! rekomendacja
+
+ ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right }
+
+ **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
+
+ AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge.
+
+ [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations.
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must support automatic updates.
+- Must receive engine updates in 0-1 days from upstream release.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Android browsers must use the Chromium engine.
+ - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android.
+ - iOS browsers are limited to WebKit.
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/multi-factor-authentication.md b/i18n/pl/multi-factor-authentication.md
new file mode 100644
index 00000000..cb7f9e88
--- /dev/null
+++ b/i18n/pl/multi-factor-authentication.md
@@ -0,0 +1,144 @@
+---
+title: "Multi-Factor Authenticators"
+icon: 'material/two-factor-authentication'
+---
+
+## Hardware Security Keys
+
+### YubiKey
+
+!!! rekomendacja
+
+ ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
+
+ The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+ One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.
+
+ [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation}
+
+The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+!!! warning
+ The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+### Nitrokey / Librem Key
+
+!!! rekomendacja
+
+ ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
+
+ **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+ [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation}
+
+The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager.
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
+
+!!! warning
+
+ While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead.
+
+!!! warning
+
+ Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
+
+ The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes.
+
+Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
+
+!!! tip
+
+ The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app).
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!!
example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.
+
+## Authenticator Apps
+
+Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
+
+We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
+
+### Aegis Authenticator (Android)
+
+!!! rekomendacja
+
+ ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right }
+
+ **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services.
+
+ [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
+ - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases)
+
+### Raivo OTP (iOS)
+
+!!! rekomendacja
+
+ ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right }
+
+ **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app.
+
+ [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open-source software.
+- Must not require internet connectivity.
+- Must not sync to a third-party cloud sync/backup service.
+ - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/news-aggregators.md b/i18n/pl/news-aggregators.md
new file mode 100644
index 00000000..65538dc6
--- /dev/null
+++ b/i18n/pl/news-aggregators.md
@@ -0,0 +1,173 @@
+---
+title: "News Aggregators"
+icon: material/rss
+---
+
+A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favourite blogs and news sites.
+
+## Aggregator clients
+
+### Akregator
+
+!!! rekomendacja
+
+ ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right }
+
+ **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading.
+
+ [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation}
+ [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator)
+
+### Feeder
+
+!!! rekomendacja
+
+ ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right }
+
+ **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+
+ [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play)
+
+### Fluent Reader
+
+!!! rekomendacja
+
+ ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right }
+
+ **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md).
+
+ [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://hyliu.me/fluent-reader)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427)
+
+### GNOME Feeds
+
+!!! rekomendacja
+
+ ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right }
+
+ **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast.
+
+ [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds)
+
+### Miniflux
+
+!!! rekomendacja
+
+ ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right }
+ ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right }
+
+ **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+
+ [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute }
+
+### NetNewsWire
+
+!!! rekomendacja
+
+ ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right }
+
+ **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds.
+
+ [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210)
+ - [:simple-apple: macOS](https://netnewswire.com)
+
+### Newsboat
+
+!!!
rekomendacja
+
+ ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right }
+
+ **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell).
+
+ [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" }
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open-source software.
+- Must operate locally, i.e. must not be a cloud service.
+
+## Social Media RSS Support
+
+Some social media services also support RSS although it's not often advertised.
+
+### Reddit
+
+Reddit allows you to subscribe to subreddits via RSS.
+
+!!! example
+ Replace `subreddit_name` with the subreddit you wish to subscribe to.
+
+ ```text
+ https://www.reddit.com/r/{{ subreddit_name }}/new/.rss
+ ```
+
+### Twitter
+
+Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS.
+
+!!! example
+ 1. Pick an instance and set `nitter_instance`.
+ 2. Replace `twitter_account` with the account name.
+
+ ```text
+ https://{{ nitter_instance }}/{{ twitter_account }}/rss
+ ```
+
+### YouTube
+
+You can subscribe YouTube channels without logging in and associating usage information with your Google Account.
+
+!!! example
+
+ To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below:
+ ```text
+ https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID]
+ ```
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/notebooks.md b/i18n/pl/notebooks.md
new file mode 100644
index 00000000..7eb5c43f
--- /dev/null
+++ b/i18n/pl/notebooks.md
@@ -0,0 +1,115 @@
+---
+title: "Notatniki"
+icon: material/notebook-edit-outline
+---
+
+Prowadź swoje notatniki i dzienniki bez udostępniania ich stronom trzecim.
+
+Jeśli obecnie używasz aplikacji, takiej jak Evernote, Google Keep lub Microsoft OneNote, sugerujemy, aby wybrać jedną z tych alternatyw, która obsługuje E2EE.
+
+## Oparte na chmurze
+
+### Joplin
+
+!!! rekomendacja
+
+ ![EteSync Notes logo](assets/img/notebooks/etesync-notes.png){ align=right }
+
+ **EteSync Notes** to bezpieczna, szyfrowana od końca do końca i respektująca prywatność aplikacja do robienia notatek. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes.
+
+ [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797)
+ - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases)
+ - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications)
+ - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications)
+ - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek)
+
+Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key.
+
+### Standard Notes
+
+!!! rekomendacja
+
+ ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right }
+
+ **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf).
+
+ [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450)
+ - [:simple-github: GitHub](https://github.com/standardnotes/app/releases)
+ - [:simple-windows11: Windows](https://standardnotes.com)
+ - [:simple-apple: macOS](https://standardnotes.com)
+ - [:simple-linux: Linux](https://standardnotes.com)
+ - [:octicons-globe-16: Web](https://app.standardnotes.com/)
+
+### Cryptee
+
+!!! rekomendacja
+
+ ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right }
+ ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right }
+
+ **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform.
+
+ [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:octicons-globe-16: PWA](https://crypt.ee/download)
+
+Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information.
+
+## Local notebooks
+
+### Org-mode
+
+!!! rekomendacja
+
+ ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right }
+
+ **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools.
+
+ [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute }
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Clients must be open-source.
+- Any cloud sync functionality must be E2EE.
+- Must support exporting documents into a standard format.
+
+### Best Case
+
+- Local backup/sync functionality should support encryption.
+- Cloud-based platforms should support document sharing.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/os/android-overview.md b/i18n/pl/os/android-overview.md
new file mode 100644
index 00000000..b705b0df
--- /dev/null
+++ b/i18n/pl/os/android-overview.md
@@ -0,0 +1,135 @@ +--- +title: Android Overview +icon: fontawesome/brands/android +--- + +Android to bezpieczny system operacyjny, który posiada silną [izolację aplikacji](https://source.android.com/security/app-sandbox), [Weryfikację rozruchu](https://source.android.com/security/verifiedboot) (AVB), oraz solidny system kontroli [uprawnień](https://developer.android.com/guide/topics/permissions/overview). + +## Wybór dystrybucji Androida + +System Android na zakupionym telefonie często zawiera zintegrowane inwazyjne aplikacje oraz usługi, które nie są częścią [Android Open Source Project](https://source.android.com/). Jedną z nich są Usługi Google Play, która ma niezbywalne uprawnienia dostępu do Twoich plików, magazynu kontaktów, rejestru połączeń, wiadomości SMS, lokalizacji, aparatu, mikrofonu, identyfikatorów sprzętowych oraz wiele więcej. Te aplikacje i usługi zwiększają możliwości ataku na Twoje urządzenie oraz są źródłem wielu obaw związanych z prywatnością systemu Android. + +Ten problem można rozwiązać instalując niestandardową dystrybucję Androida, która nie zawiera tak inwazyjnej integracji. Niestety, ale wiele niestandardowych dystrybucji Androida narusza model bezpieczeństwa systemu nie wspierając funkcji bezpieczeństwa, takich jak AVB, ochrona przed cofnięciem aktualizacji, aktualizacje oprogramowania i innych. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Wybierając niestandardową dystrybucję Androida, należy upewnić się, że jest ona zgodna z modelem bezpieczeństwa tego systemu. 
At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Polecane przez nas dystrybucje Androida :hero-arrow-circle-right-fill:](../android.md ""){.md-button} + +## Unikaj rootowania + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Blokery reklam, które modyfikują [plik hosts](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) oraz zapory sieciowe (AFWall+), które wymagają ciągłego dostępu do roota są niebezpieczne i nie powinny być używane. Nie są one również właściwym sposobem na rozwiązanie ich zamierzonych celów. Zamiast tego do blokowania reklam polecamy szyfrowany [DNS](../dns.md) lub [sieć VPN](../vpn.md) z blokowaniem serwerów. RethinkDNS, TrackerControl oraz AdAway bez dostępu do roota zajmą miejsce sieci VPN (używając interfejsu zwrotnego VPN) uniemożliwiając Ci korzystanie z usług zwiększających prywatność, takich jak Orbot lub prawdziwej sieci VPN. 
+ +AFWall+ działa w oparciu o [filtrowanie pakietów](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter), które może w niektórych przypadkach zostać ominięte. + +Naszym zdaniem, wady zdecydowanie przewyższają zalety rootowania telefonu w celu korzystania z tych aplikacji. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +W Androidzie 10 i nowszych zrezygnowano z szyfrowania całego dysku na rzecz bardziej elastycznego [szyfrowania plików](https://source.android.com/security/encryption/file-based). Twoje dane są zaszyfrowane za pomocą niepowtarzalnych kluczy szyfrujących, a pliki systemu operacyjnego pozostają niezaszyfrowane. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. 
+ +Aktualizacje oprogramowania mają kluczowe znaczenie dla zachowania bezpieczeństwa. Producenci urządzeń zawierają umowy ze swoimi partnerami na dostarczanie komponentów o zamkniętym kodzie źródłowym przez ograniczony czas. This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Aktualizacje oprogramowania + +Firmware updates are critical for maintaining security and without them your device cannot be secure. Dlatego ważne jest, aby zakupić urządzenie, które jest nadal wspierane. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) oraz [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) oferując wsparcie dla swoich urządzeń przez 4 lata, podczas gdy tańsze produkty często mają krótszy okres wsparcia. + +Urządzenia bez aktywnego wsparcia producenta układów nie otrzymują już aktualizacji oprogramowania od producentów urządzeń lub niestandardowych dystrybucji Androida. Oznacza to, że luki bezpieczeństwa w tych urządzeniach nie zostaną naprawione. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +Ważne jest, aby nie korzystać z [niewspieranej](https://endoflife.date/android) wersji Androida. 
Nowsze wersje Androida nie tylko otrzymują poprawki bezpieczeństwa dla systemu operacyjnego, ale także ważne aktualizacje poprawiające prywatność. + +[Uprawnienia systemu Android](https://developer.android.com/guide/topics/permissions/overview) umożliwiają Ci kontrolę nad tym, do czego mają dostęp Twoje aplikacje. Firma Google regularnie wprowadza [poprawki](https://developer.android.com/about/versions/11/privacy/permissions) do systemu zabezpieczeń z każdą kolejną wersją. Wszystkie instalowane przez Ciebie aplikacje są ściśle [izolowane](https://source.android.com/security/app-sandbox), więc nie ma potrzeby instalowania żadnych aplikacji antywirusowych. + +## Wersje Androida + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Uprawnienia systemu Android + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. 
All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Should you want to run an app that you're unsure about, consider using a user or work profile. + +## Profile użytkowników + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. 
Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. Jeśli w danej chwili z nich nie korzystasz, zalecamy wyłączenie tych funkcji. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). To umożliwi Ci otrzymywanie **niektórych** poprawek bezpieczeństwa od Google bez naruszania modelu zabezpieczeń Androida poprzez używanie systemu pochodnego od Androida i zwiększanie ryzyka na atak. 
+ +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Aktualizacje systemowe Google Play + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. 
+ +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). 
Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pl/os/linux-overview.md b/i18n/pl/os/linux-overview.md new file mode 100644 index 00000000..78e266ce --- /dev/null +++ b/i18n/pl/os/linux-overview.md 
@@ -0,0 +1,143 @@ +--- +title: Linux Overview +icon: fontawesome/brands/linux +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). 
These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. 
This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). 
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. 
+ +## Ogólne zalecenia + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. 
+ +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. 
+ +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). 
+ +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. 
+ +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pl/os/qubes-overview.md b/i18n/pl/os/qubes-overview.md new file mode 100644 index 00000000..0e92c5dc --- /dev/null +++ b/i18n/pl/os/qubes-overview.md @@ -0,0 +1,56 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. 
+ +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Android + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pl/passwords.md b/i18n/pl/passwords.md new file mode 100644 index 00000000..4c958bd1 --- /dev/null +++ b/i18n/pl/passwords.md 
@@ -0,0 +1,230 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Oparte na chmurze + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! rekomendacja + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. 
If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! rekomendacja + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! rekomendacja + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. 
+ + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! rekomendacja + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! rekomendacja + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! 
rekomendacja + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! rekomendacja + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). 
+ + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pl/productivity.md b/i18n/pl/productivity.md new file mode 100644 index 00000000..f45343ad --- /dev/null +++ b/i18n/pl/productivity.md 
@@ -0,0 +1,156 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! rekomendacja + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! 
rekomendacja + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. 
+- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! rekomendacja + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! 
rekomendacja + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. 
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! rekomendacja + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pl/real-time-communication.md b/i18n/pl/real-time-communication.md new file mode 100644 index 00000000..afbe3471 --- /dev/null +++ b/i18n/pl/real-time-communication.md 
@@ -0,0 +1,195 @@
+---
+title: "Real-Time Communication"
+icon: material/chat-processing
+---
+
+These are our recommendations for encrypted real-time communication.
+
+[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md)
+
+## Encrypted Messengers
+
+These messengers are great for securing your sensitive communications.
+
+### Signal
+
+!!! rekomendacja
+
+ ![Signal logo](assets/img/messengers/signal.svg){ align=right }
+
+ **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling.
+
+ All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with.
+
+ [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669)
+ - [:simple-android: Android](https://signal.org/android/apk/)
+ - [:simple-windows11: Windows](https://signal.org/download/windows)
+ - [:simple-apple: macOS](https://signal.org/download/macos)
+ - [:simple-linux: Linux](https://signal.org/download/linux)
+
+Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier.
+
+The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
+
+We have some additional tips on configuring and hardening your Signal installation:
+
+[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+
+### SimpleX Chat
+
+!!! rekomendacja
+
+ ![Simplex logo](assets/img/messengers/simplex.svg){ align=right }
+
+ **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations.
+
+ [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084)
+ - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases)
+
+SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022.
+
+Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported.
+
+Your data can be exported, and imported onto another device, as there are no central servers where this is backed up.
+
+### Briar
+
+!!! rekomendacja
+
+ ![Briar logo](assets/img/messengers/briar.svg){ align=right }
+
+ **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem.
+
+ [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation}
+ [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android)
+ - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/)
+ - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar)
+
+To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby.
+
+The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited.
+
+Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec).
+
+Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol.
+
+## Additional Options
+
+!!! warning
+
+ These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications.
+
+### Element
+
+!!! rekomendacja
+
+ ![Element logo](assets/img/messengers/element.svg){ align=right }
+
+ **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication.
+
+ Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls.
+
+ [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067)
+ - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases)
+ - [:simple-windows11: Windows](https://element.io/get-started)
+ - [:simple-apple: macOS](https://element.io/get-started)
+ - [:simple-linux: Linux](https://element.io/get-started)
+ - [:octicons-globe-16: Web](https://app.element.io)
+
+Profile pictures, reactions, and nicknames are not encrypted.
+
+Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings.
+
+The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history.
+
+The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/).
+
+### Session
+
+!!! rekomendacja
+
+ ![Session logo](assets/img/messengers/session.svg){ align=right }
+
+ **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls.
+
+ Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network.
+
+ [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868)
+ - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases)
+ - [:simple-windows11: Windows](https://getsession.org/download)
+ - [:simple-apple: macOS](https://getsession.org/download)
+ - [:simple-linux: Linux](https://getsession.org/download)
+
+Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design.
+
+Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information.
+
+Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.”
+
+Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must have open-source clients.
+- Must use E2EE for private messages by default.
+- Must support E2EE for all messages.
+- Must have been independently audited.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should have Perfect Forward Secrecy.
+- Should have open-source servers.
+- Should be decentralized, i.e. federated or P2P.
+- Should use E2EE for all messages by default.
+- Should support Linux, macOS, Windows, Android, and iOS.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/router.md b/i18n/pl/router.md
new file mode 100644
index 00000000..c495b5c0
--- /dev/null
+++ b/i18n/pl/router.md
@@ -0,0 +1,52 @@
+---
+title: "Oprogramowanie routera"
+icon: material/router-wireless
+---
+
+Poniżej wymieniono kilka alternatywnych systemów operacyjnych, które możesz zainstalować na swoim routerze, punkcie dostępowym Wi-Fi itp.
+
+## OpenWrt
+
+!!! rekomendacja
+
+ ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right }
+ ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right }
+
+ **OpenWrt** to system operacyjny oparty na oprogramowaniu Linux; jest używany głównie w urządzeniach wbudowanych do kierowania ruchem sieciowym. Zawiera util-linux, uClibc oraz BusyBox. Wszystkie komponenty zostały zoptymalizowane pod kątem routerów domowych.
+
+ [:octicons-home-16: Strona WWW](https://openwrt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Dokumentacja}
+ [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Kod źródłowy" }
+ [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Wesprzyj }
+
+Zapoznaj się z [listą obsługiwanych urządzeń](https://openwrt.org/toh/start), aby sprawdzić, czy Twoje urządzenie jest obsługiwane.
+
+## OPNsense
+
+!!! rekomendacja
+
+ ![pfSense logo](assets/img/router/pfsense.svg#only-light){ align=right }
+ ![pfSense logo](assets/img/router/pfsense-dark.svg#only-dark){ align=right }
+
+ pfSense to otwarte oprogramowanie zapory sieciowej/routera bazujące na FreeBSD. Po zainstalowaniu na komputerze pełni rolę dedykowanej zapory sieciowej/routera dla sieci i wyróżnia się niezawodnością oraz oferuje funkcje, które można często znaleźć tylko w drogich zaporach sieciowych.
+
+ [:octicons-home-16: Strona WWW](https://opnsense.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Dokumentacja}
+ [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Kod źródłowy" }
+ [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Wesprzyj }
+
+OPNsense zostało pierwotnie opracowane na podstawie [pfSense](https://en.wikipedia.org/wiki/PfSense), a oba te projekty są znane z bycia bezpłatnymi i niezawodnymi dystrybucjami zapór sieciowych, które oferują funkcje dostępne często tylko w drogich komercyjnych zaporach sieciowych. Począwszy od 2015 roku programiści OPNsense [ujawnili](https://docs.opnsense.org/history/thefork.html) wiele problemów dotyczących bezpieczeństwa i jakości kodu pfSense, co popchnęło ich w stronę utworzenia pochodnego projektu, jak również obawy związane z większościowym zakupem pfSense przez Netgate i przyszłym kierunkiem rozwoju projektu.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Wymagane jest otwarte źródło.
+- Wymagane są regularne aktualizacje.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/search-engines.md b/i18n/pl/search-engines.md
new file mode 100644
index 00000000..1669cfaf
--- /dev/null
+++ b/i18n/pl/search-engines.md
@@ -0,0 +1,109 @@
+---
+title: "Search Engines"
+icon: material/search-web
+---
+
+Use a search engine that doesn't build an advertising profile based on your searches.
+
+The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored.
+
+Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider.
+
+## Brave Search
+
+!!! rekomendacja
+
+ ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right }
+
+ **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives.
+
+ Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts.
+
+ We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings.
+
+ [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation}
+
+Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained.
+
+## DuckDuckGo
+
+!!! rekomendacja
+
+ ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right }
+
+ **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results.
+
+ DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser.
+
+ [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation}
+
+DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information.
+
+DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version.
+
+## SearXNG
+
+!!! rekomendacja
+
+ ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right }
+
+ **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx).
+
+ [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"}
+ [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" }
+
+SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from.
+
+When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities.
+
+When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII.
+
+## Startpage
+
+!!! rekomendacja
+
+ ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right }
+ ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right }
+
+ **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead.
+
+ [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation}
+
+!!! warning
+
+ Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider.
+
+Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information.
+
+Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must not collect personally identifiable information per their privacy policy.
+- Must not allow users to create an account with them.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be based on open-source software.
+- Should not block Tor exit node IP addresses.
+
+--8<-- "includes/abbreviations.pl.txt"
diff --git a/i18n/pl/tools.md b/i18n/pl/tools.md
new file mode 100644
index 00000000..ec3295aa
--- /dev/null
+++ b/i18n/pl/tools.md
@@ -0,0 +1,443 @@ +--- +title: "Narzędzia ochrony prywatności" +icon: material/tools +hide: + - toc +--- + +Jeśli szukasz konkretnego rozwiązania, oto polecane przez nas narzędzia oraz oprogramowanie w różnych kategoriach. Polecane przez nas narzędzia zostały wybrane głównie na podstawie funkcji zabezpieczeń z dodatkowym naciskiem na te o zdecentralizowane i o otwartym kodzie żródłowym. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Przeglądarki internetowe + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake nie zwiększa prywatności, ale ułatwia udzielenie się w sieci Tor, aby wspomóc inne osoby w cenzurowanych sieciach w osiągnięciu lepszej prywatności. + +[Dowiedz się więcej :hero-arrow-circle-right-fill:](tor.md) + +## Systemy operacyjne + +
+ +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](desktop-browsers.md) + +### Android + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](desktop-browsers.md#additional-resources) + +## Dostawcy usług + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](mobile-browsers.md) + +### Android + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](android.md#general-apps) + +### Magazyny chmurowe + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](desktop.md) + +### Oprogramowanie routera + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](cloud.md) + +### Wyszukiwarki + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Dowiedz się więcej :hero-arrow-circle-right-fill:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](dns.md#self-hosted-solutions) + +### Dostawcy sieci VPN + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](email.md#self-hosting-email) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](calendar.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](email-clients.md) + +### Oprogramowanie szyfrujące + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](file-sharing.md) + +### Menedżery haseł + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](news-aggregators.md) + +### Notatniki + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](video-streaming.md) + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pl/tor.md b/i18n/pl/tor.md new file mode 100644 index 00000000..63a26275 --- /dev/null +++ b/i18n/pl/tor.md @@ -0,0 +1,124 @@ +--- +title: "Przeglądarki internetowe" +icon: simple/torproject +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+ +- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md) + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! rekomendacja + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! 
danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! rekomendacja + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to. + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. 
It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! rekomendacja + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pl/video-streaming.md b/i18n/pl/video-streaming.md new file mode 100644 index 00000000..d51c7c01 --- /dev/null +++ b/i18n/pl/video-streaming.md 
@@ -0,0 +1,54 @@ +--- +title: "Strumieniowanie filmów" +icon: material/video-wireless +--- + +Podstawowym zagrożeniem związanym z korzystaniem z platformy do strumieniowania filmów jest to, że Twoje nawyki dotyczące strumieniowania oraz listy subskrypcyjne mogą zostać wykorzystane do profilowania Ciebie. Warto połączyć te narzędzia z [VPN](vpn.md) lub [Tor](https://www.torproject.org/), aby utrudnić profilowanie. + +## Klienty + +!!! rekomendacja + + ![FreeTube logo](assets/img/video-streaming/freetube.svg){ align=right } + + **FreeTube** to bezpłatna i otwarta aplikacja komputerowa dla [YouTube](https://youtube.com). Podczas korzystania z FreeTube, Twoja lista subskrypcji i listy odtwarzania są zapisywane lokalnie na Twoim urządzeniu. FreeTube domyślnie blokuje wszystkie reklamy na YouTube. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Strona WWW](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Polityka prywatności" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Dokumentacja} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Kod źródłowy" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Darowizna } + + ??? do pobrania + + - [:fontawesome-brands-windows: Windows](https://freetubeapp.io/#download) + - [:fontawesome-brands-apple: macOS](https://freetubeapp.io/#download) + - [:fontawesome-brands-linux: Linux](https://freetubeapp.io/#download) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! 
warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pl/vpn.md b/i18n/pl/vpn.md new file mode 100644 index 00000000..2073c392 --- /dev/null 
+++ b/i18n/pl/vpn.md 
@@ -0,0 +1,323 @@ +--- +title: "VPN Services" +icon: material/vpn +--- + +Find a no-logging VPN operator who isn’t out to sell or read your web traffic. + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +??? question "When are VPNs useful?" + + If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. + + [More Info](basics/vpn-overview.md){ .md-button } + +## Recommended Providers + +!!! abstract "Criteria" + + Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#our-criteria) for more information. + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +??? success annotate "67 Countries" + + Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). 
A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +??? success "Open-Source Clients" + + Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +??? success "Accepts Cash" + + Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment. + +??? success "WireGuard Support" + + Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +??? warning "Remote Port Forwarding" + + Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +??? 
info "Additional Functionality" + + Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +!!! danger "Killswitch feature is broken on Intel-based Macs" + + System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +### IVPN + +!!! rekomendacja + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +??? success annotate "35 Countries" + + IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1). 
Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +??? success "Open-Source Clients" + + As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +??? success "Accepts Cash and Monero" + + In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +??? success "WireGuard Support" + + IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. 
+ + IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +??? info "Additional Functionality" + + IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! rekomendacja + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. 
+ + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +??? success annotate "41 Countries" + + Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2023-01-19 + +??? success "Independently Audited" + + Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). 
The security researchers concluded: + + > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + + In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + + > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + + In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +??? success "Open-Source Clients" + + Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +??? 
success "Accepts Cash and Monero" + + Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +??? success "WireGuard Support" + + Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "IPv6 Support" + + Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +??? 
success "Mobile Clients" + + Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +??? info "Additional Functionality" + + Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. 
+ +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- Monero or cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts Monero, cash, and other forms of anonymous payment options (gift cards, etc.) +- No personal information accepted (autogenerated username, no email required, etc.) 
+ +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. 
We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. + +--8<-- "includes/abbreviations.pl.txt" diff --git a/i18n/pt-BR/404.md b/i18n/pt-BR/404.md new file mode 100644 index 00000000..0b626e1e --- /dev/null +++ b/i18n/pt-BR/404.md 
@@ -0,0 +1,17 @@
+---
+hide:
+ - feedback
+---
+
+# 404 - Não encontrado
+
+Não conseguimos encontrar a página que você estava procurando! Talvez você estivesse procurando por uma dessas?
+
+- [Introdução à Modelo de Ameças](basics/threat-modeling.md)
+- [Serviços de DNS recomendados](dns.md)
+- [Melhores navegadores de Internet no desktop](desktop-browsers.md)
+- [Melhores serviços de VPN](vpn.md)
+- [Fórum do Privacy Guides](https://discuss.privacyguides.net)
+- [Nosso Blog](https://blog.privacyguides.org)
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/CODE_OF_CONDUCT.md b/i18n/pt-BR/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..88a0e910
--- /dev/null
+++ b/i18n/pt-BR/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@
+# Community Code of Conduct
+
+**We pledge** to make our community a harassment-free experience for everyone.
+
+**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others.
+
+**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment.
+
+## Community Standards
+
+What we expect from members of our communities:
+
+1. **Don't spread misinformation**
+
+ We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence.
+
+1. **Don't abuse our willingness to help**
+
+ Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/).
+
+1. 
**Behave in a positive and constructive manner**
+
+ Examples of behavior that contributes to a positive environment for our community include:
+
+ - Demonstrating empathy and kindness toward other people
+ - Being respectful of differing opinions, viewpoints, and experiences
+ - Giving and gracefully accepting constructive feedback
+ - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+ - Focusing on what is best not just for us as individuals, but for the overall community
+
+### Unacceptable Behavior
+
+The following behaviors are considered harassment and are unacceptable within our community:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Scope
+
+Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities.
+
+We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion.
+
+### Contact
+
+If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system.
+
+If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
diff --git a/i18n/pt-BR/about/criteria.md b/i18n/pt-BR/about/criteria.md
new file mode 100644
index 00000000..cfb1252c
--- /dev/null
+++ b/i18n/pt-BR/about/criteria.md
@@ -0,0 +1,42 @@
+---
+title: General Criteria
+---
+
+!!! example "Work in Progress"
+
+ The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24)
+
+Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion.
+
+## Financial Disclosure
+
+We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors.
+
+## General Guidelines
+
+We apply these priorities when considering new recommendations:
+
+- **Secure**: Tools should follow security best-practices wherever applicable.
+- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives.
+- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in.
+- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases.
+- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required.
+- **Documented**: Tools should have clear and extensive documentation for use.
+
+## Developer Self-Submissions
+
+We have these requirements in regard to developers which wish to submit their project or software for consideration.
+
+- Must disclose affiliation, i.e. your position within the project being submitted.
+
+- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc.
+ - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit.
+
+- Must explain what the project brings to the table in regard to privacy.
+ - Does it solve any new problem?
+ - Why should anyone use it over the alternatives?
+
+- Must state what the exact threat model is with their project.
+ - It should be clear to potential users what the project can provide, and what it cannot.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/about/donate.md b/i18n/pt-BR/about/donate.md
new file mode 100644
index 00000000..490497a9
--- /dev/null
+++ b/i18n/pt-BR/about/donate.md
@@ -0,0 +1,52 @@
+---
+title: Nos Apoiando
+---
+
+
+São necessárias muitas [pessoas](https://github.com/privacyguides/privacyguides.org/graphs/contributors) e muito [trabalho](https://github.com/privacyguides/privacyguides.org/pulse/monthly) para manter o Privacy Gudes atualizado e a divulgar informações sobre privacidade e vigilância em massa. Se gosta do que nós fazemos, a melhor forma de ajudar é participando da [edição do site](https://github.com/privacyguides/privacyguides.org) ou [contribuindo com as traduções](https://crowdin.com/project/privacyguides).
+
+Se quiser apoiar-nos financeiramente, o método mais conveniente para nós são contribuições através do Open Collective, um website operado pelo nosso anfitrião fiscal. O Open Collective aceita pagamentos através de cartão de crédito/débito, PayPal e transferências bancárias.
+
+[Doar na OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary}
+
+As doações feitas diretamente a nós no Open Collective são geralmente dedutíveis de imposto nos EUA, porque o nosso anfitrião fiscal (a Open Collective Foundation) é uma organização registada 501(c)3. Você irá receber um recibo da Open Collective Foundation após a doação. O Privacy Guides não fornece aconselhamento financeiro e você deve entrar em contato com seu consultor fiscal para descobrir se isso é aplicável a você.
+
+Se você já usa os patrocínios do GitHub, também pode patrocinar nossa organização lá.
+
+[Patrocine-nos no GitHub](https://github.com/sponsors/privacyguides ""){.md-button}
+
+## Contribuidores
+
+Um agradecimento especial a todos aqueles que apoiam a nossa missão! :heart:
+
+*Nota: Esta seção carrega um widget diretamente do Open Collective. Esta seção não reflete donativos feitos por fora do Open Collective e nós não temos controle sobre os doadores específicos que são destacados nesta seção.*
+
+
+## Como Usamos as Doações
+
+O Privacy Guides é uma organização **sem fins lucrativos**. Usamos as doações para diversos propósitos, incluindo:
+
+**Registo de Domínios**
+:
+
+Temos alguns domínios como `privacyguides.org` que nos custam cerca de US$ 10 por ano para manter seu registro.
+
+**Hospedagem Web**
+:
+
+O tráfego para este website usa centenas de gigabytes de dados por mês e nós usamos vários provedores de serviço para lidar com ele.
+
+**Serviços Online**
+:
+
+Nós hospedamos [serviços de internet](https://privacyguides.net) para teste e demonstração de diferentes produtos de privacidade que gostamos e [recomendamos](../tools.md). Alguns deles são disponibilizados publicamente para uso da nossa comunidade (SearXNG, Tor, etc.) e alguns são para uso dos membros da nossa equipe (e-mail, etc.).
+
+**Compras de Produtos**
+:
+
+Ocasionamente adquirimos produtos e serviços com o propósito de testar as nossas [ferramentas recomendadas](../tools.md).
+
+Ainda estamos a trabalhar com o nosso anfitrião fiscal (a Open Collective Foundation) para receber doações em criptomoeda. No momento a contabilidade não é viável para muitas transações menores, mas isso deve mudar no futuro. Enquanto isso, se você deseja fazer uma doação de criptomoeda considerável (> $100), entre em contato com [jonah@privacyguides.org](mailto:jonah@privacyguides.org).
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/about/index.md b/i18n/pt-BR/about/index.md
new file mode 100644
index 00000000..1869f484
--- /dev/null
+++ b/i18n/pt-BR/about/index.md
@@ -0,0 +1,63 @@
+---
+title: "About Privacy Guides"
+---
+
+**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors.
+
+[:material-hand-coin-outline: Support the project](donate.md ""){.md-button.md-button--primary}
+
+## Our Team
+
+??? person "@jonah"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah)
+ - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon")
+ - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me}
+ - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com)
+
+??? person "@niek-de-wilde"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde)
+ - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447")
+ - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me}
+
+??? person "@dngray"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray)
+ - [:simple-github: GitHub](https://github.com/dngray "@dngray")
+ - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me}
+ - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org)
+
+??? person "@freddy"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy)
+ - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m")
+ - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me}
+ - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org)
+ - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol)
+
+??? person "@mfwmyfacewhen"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen)
+ - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen")
+ - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol)
+
+??? person "@olivia"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia)
+ - [:simple-github: GitHub](https://github.com/hook9 "@hook9")
+ - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me}
+
+Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub!
+
+Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax deductible in the United States.
+
+## Site License
+
+*The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):*
+
+:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material.
+
+This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space!
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/about/notices.md b/i18n/pt-BR/about/notices.md
new file mode 100644
index 00000000..c6fdff4a
--- /dev/null
+++ b/i18n/pt-BR/about/notices.md
@@ -0,0 +1,45 @@
+---
+title: "Avisos"
+hide:
+ - toc
+---
+
+## Ressalva Legal
+
+O Privacy Guides não é um escritório de advocacia. Como tal, o website do Privacy Guides e seus colaboradores não estão prestando aconselhamento jurídico. O material e as recomendações em nosso site e guias não constituem aconselhamento jurídico, nem a contribuição para o site ou a comunicação com o Privacy Guides ou outros colaboradores sobre nosso site criam um relacionamento advogado-cliente.
+
+A gestão deste website, como qualquer esforço humano, envolve incerteza e contrapartidas. Esperamos que este website ajude, mas pode conter erros e não pode abordar todas as situações. Se você tiver alguma dúvida sobre sua situação, incentivamos você a fazer sua própria pesquisa, procurar outros especialistas e participar de discussões com a comunidade de Privacy Guides. Se tiver quaisquer questões jurídicas, deve consultar o seu próprio consultor jurídico antes de avançar.
+
+O Privacy Guides é um projeto de código aberto para o qual contribuíram sob licenças que incluem termos que, para protecção do website e dos seus contribuintes, tornam claro que o projeto Privacy Guides e o website é oferecido "tal como está", sem garantia, e excluindo a responsabilidade por danos resultantes da utilização do website ou quaisquer recomendações contidas no mesmo. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site.
+
+Além disso, Privacy Guides não garante que este site esteja constantemente disponível ou completamente disponível.
+
+## Licenças
+
+Salvo indicação em contrário, todo o conteúdo deste ‘website’ é disponibilizado nos termos da licença [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE).
+
+Isto não inclui o código de terceiros incorporado neste repositório, ou código onde uma licença de substituição é de outro modo anotada. Os exemplos seguintes são notáveis, mas esta lista pode não incluir tudo:
+
+* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) está licenciado sob a licença [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt).
+
+Partes deste aviso foram adotadas a partir de [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) no GitHub. Esse recurso e esta página são publicados sob a licença [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE).
+
+Isso significa que você pode utilizar o conteúdo legível por humanos neste repositório para o seu próprio projeto, nos termos descritos no texto da licença Creative Commons Attribution-NoDerivatives 4.0 International Public License. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo.
+
+We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.*
+
+When you contribute to this repository you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project.
+
+## Uso Aceitável
+
+You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity.
+
+You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including:
+
+* Varreduras Automatizadas Excessivas
+* Ataques de Negação de Serviço
+* Scraping
+* Mineração de dados
+* 'Framing' (IFrames)
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/about/privacy-policy.md b/i18n/pt-BR/about/privacy-policy.md
new file mode 100644
index 00000000..4299a53c
--- /dev/null
+++ b/i18n/pt-BR/about/privacy-policy.md
@@ -0,0 +1,63 @@
+---
+title: "Privacy Policy"
+---
+
+Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people).
+
+## Data We Collect From Visitors
+
+The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website:
+
+- No personal information is collected
+- No information such as cookies are stored in the browser
+- No information is shared with, sent to or sold to third-parties
+- No information is shared with advertising companies
+- No information is mined and harvested for personal and behavioral trends
+- No information is monetized
+
+You can view the data we collect on our [statistics](statistics.md) page.
+
+We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected.
+
+Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy).
+
+## Data We Collect From Account Holders
+
+On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform.
+
+To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site.
+
+We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services.
+
+We use your email to:
+
+- Notify you about posts and other activity on the websites or services.
+- Reset your password and help keep your account secure.
+- Contact you in special circumstances related to your account.
+- Contact you about legal requests, such as DMCA takedown requests.
+
+On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time.
+
+We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days.
+
+## Contacting Us
+
+The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to:
+
+```text
+Jonah Aragon
+Services Administrator
+jonah@privacyguides.org
+```
+
+For all other inquiries, you can contact any member of our team.
+
+Para queixas no âmbito da GDPR em geral, você pode apresentar queixas às suas autoridades supervisoras locais de proteção de dados. Na França, é a Commission Nationale de l'Informatique et des Libertés que cuida e lida com as queixas. Eles fornecem um [modelo de carta de reclamação](https://www.cnil.fr/en/plaintes) para usar.
+
+## About This Policy
+
+We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time.
+
+A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/about/privacytools.md b/i18n/pt-BR/about/privacytools.md
new file mode 100644
index 00000000..f74ea6bd
--- /dev/null
+++ b/i18n/pt-BR/about/privacytools.md
@@ -0,0 +1,120 @@
+---
+title: "PrivacyTools FAQ"
+---
+
+# Porque abandonamos o PrivacyTools
+
+Em setembro de 2021, todos os colaboradores ativos concordaram por unanimidade em migrar do PrivacyTools para trabalhar neste site: Privacy Guides. Esta decisão foi tomada porque o fundador e controlador do nome de domínio da PrivacyTools desapareceu por um longo período de tempo e não pôde ser contatado.
+
+Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition.
+
+After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions.
+
+## What is PrivacyTools?
+
+PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc.
+
+Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested.
+
+## Why We Moved On
+
+In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again.
+
+In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.==
+
+## Domain Name Reliance
+
+At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment.
+
+The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place.
+
+Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome.
+
+In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition.
+
+## Community Call to Action
+
+At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped.
+
+## Control of r/privacytoolsIO
+
+Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit.
+
+Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms.
+
+> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer.
+>
+> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct).
+
+## Beginning the Transition
+
+On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain:
+
+> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc.
+
+This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/)
+
+- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org).
+- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site.
+- Posting announcements to our subreddit and various other communities informing people of the official change.
+- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible.
+
+Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped.
+
+## Following Events
+
+Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project.
+
+At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible).
+
+Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services.
+
+Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so.
+
+BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim.
+
+## PrivacyTools.io Now
+
+As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs.
+
+==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder.
+
+## r/privacytoolsIO Now
+
+After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021:
+
+> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you.
+>
+> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...]
+
+Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides.
+
+In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules:
+
+> Retaliation from any moderator with regards to removal requests is disallowed.
+
+For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is.
+
+## OpenCollective Now
+
+Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community.
+
+Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer:
+
+> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net.
+
+## Further Reading
+
+This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion.
+
+- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/)
+- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/)
+- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/)
+- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides)
+- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280)
+- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/)
+- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/)
+- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496)
+- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20)
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/about/services.md b/i18n/pt-BR/about/services.md
new file mode 100644
index 00000000..d4a69ebc
--- /dev/null
+++ b/i18n/pt-BR/about/services.md
@@ -0,0 +1,40 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domínio: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Disponibilidade: Semi-Público + Hospedamos o Invidious principalmente para veicular vídeos incorporados do YouTube em nosso site, esta instância não se destina ao uso geral e pode ser limitada a qualquer momento. +- Fonte: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) + +--8<-- "includes/abbreviations.pt-BR.txt" 
diff --git a/i18n/pt-BR/about/statistics.md b/i18n/pt-BR/about/statistics.md new file mode 100644 index 00000000..517109ad --- /dev/null +++ b/i18n/pt-BR/about/statistics.md @@ -0,0 +1,63 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + + +--8<-- "includes/abbreviations.pt-BR.txt" diff --git a/i18n/pt-BR/advanced/communication-network-types.md b/i18n/pt-BR/advanced/communication-network-types.md new file mode 100644 index 00000000..dda1fcfe --- /dev/null +++ b/i18n/pt-BR/advanced/communication-network-types.md 
@@ -0,0 +1,104 @@
+---
+title: "Tipos de redes de comunicação"
+icon: 'material/transit-connection-variant'
+---
+
+Existem várias arquiteturas de rede comumente usadas para retransmitir mensagens entre pessoas. Essas redes podem fornecer diferentes garantias de privacidade, e é por isso que vale a pena considerar seu [modelo de ameaça](../basics/threat-modeling.md) ao decidir qual aplicativo usar.
+
+[Mensageiros Instantâneos Recomendados](../real-time-communication.md ""){.md-button}
+
+## Redes Centralizadas
+
+![Diagrama de redes centralizadas](../assets/img/layout/network-centralized.svg){ align=left }
+
+Mensageiros centralizados são aqueles em que todos os participantes estão no mesmo servidor ou rede de servidores controlados pela mesma organização.
+
+Alguns mensageiros podem ser auto-hospedados e permitem que você configure seu próprio servidor. A auto-hospedagem pode fornecer garantias adicionais de privacidade, como nenhum registro de uso ou acesso limitado a metadados (dados sobre quem está falando com quem). Mensageiros centralizados auto-hospedados são isolados e todos devem estar no mesmo servidor para se comunicar.
+
+**Vantagens:**
+
+- Novos recursos e mudanças podem ser implementados mais rapidamente.
+- Mais fácil de começar e de encontrar contatos.
+- Ecossistemas mais maduros e estáveis, já que são mais fáceis de serem implementados em um software centralizado.
+- Problemas de privacidade podem ser reduzidos quando você confia em um servidor que você está hospedando.
+
+**Desvantagens:**
+
+- Pode incluir [controle ou acesso restrito](https://drewdevault.com/2018/08/08/Signal.html). Isto pode incluir coisas como:
+- Ser [proibido de conectar clientes alternativos](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) à rede, mesmo podendo oferecer uma melhor customização ou até mesmo uma melhor experiência. Muitas vezes definido nos Termos e Condições de uso.
+- Documentação pobre ou inexistente para desenvolvedores de terceiros.
+- O [proprietário](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), a política de privacidade e operações podem ser facilmente mudadas quando uma só entidade controla tudo, podendo comprometer o serviço mais tarde.
+- A auto-hospedagem requer esforço e conhecimento de como configurar um serviço.
+
+## Redes Federadas
+
+![Diagrama de redes federadas](../assets/img/layout/network-decentralized.svg){ align=left }
+
+Os mensageiros federados usam vários servidores independentes e descentralizados que podem conversar entre si (o e-mail é um exemplo de um serviço federado). A federação permite que os administradores do sistema controlem seu próprio servidor e ainda façam parte da rede de comunicações principal.
+
+Quando auto-hospedados, os membros de um servidor federado podem descobrir e se comunicar com membros de outros servidores, embora alguns servidores possam optar por permanecer privados e não serem federados (por exemplo, servidor de uma equipe de trabalho).
+
+**Vantagens:**
+
+- Permite maior controle sobre seus próprios dados ao usar seu próprio servidor.
+- Permite que você escolha com quem confiar seus dados, escolhendo entre vários servidores "públicos".
+- Muitas vezes permitem clientes de terceiros que podem fornecer uma experiência mais nativa, personalizada ou acessível.
+- O software do servidor pode ser verificado para saber se ele corresponde ao código-fonte original, assumindo que você tem acesso ao servidor ou confia na pessoa que o mantém (por exemplo, um membro de sua família).
+
+**Desvantagens:**
+
+- A adição de novos recursos é mais complexa porque esses recursos precisam ser padronizados e testados para garantir que funcionem com todos os servidores da rede.
+- Devido ao ponto anterior, os recursos podem estar faltando, ou incompletos ou funcionando de maneiras inesperadas em comparação com plataformas centralizadas, como retransmissão de mensagens quando offline ou exclusão de mensagens.
+- Alguns metadados podem estar disponíveis (por exemplo, informações como "quem está falando com quem", mas não o conteúdo real da mensagem se E2EE for usado).
+- Os servidores federados geralmente exigem confiar no administrador do seu servidor. Eles podem ser um amador ou não ser um "profissional de segurança" e podem não servir documentos padrão, como uma política de privacidade ou termos de serviço detalhando como seus dados são usados.
+- Os administradores de servidores às vezes optam por bloquear outros servidores, que são uma fonte de abuso não moderado ou quebram as regras gerais de comportamento aceito. Isso prejudicará sua capacidade de se comunicar com os membros desses servidores.
+
+## Rede Peer-to-Peer
+
+![Diagrama P2P](../assets/img/layout/network-distributed.svg){ align=left }
+
+Os mensageiros P2P se conectam a uma [ rede distribuída](https://en.wikipedia.org/wiki/Distributed_networking) de nós para retransmitir uma mensagem ao destinatário sem um servidor de terceiros.
+
+Clientes (peers) geralmente encontram um ao outro através do uso de um [sistema de processamento distribuído](https://pt.wikipedia.org/wiki/Sistema_de_processamento_distribu%C3%ADdo). Exemplos disso incluem [Distributed hash table](https://pt.wikipedia.org/wiki/Distributed_hash_table) (DHT), usado por [torrents](https://pt.wikipedia.org/wiki/BitTorrent) e [IPFS](https://pt.wikipedia.org/wiki/Sistema_de_Arquivos_Interplanet%C3%A1rio) por exemplo. Outra abordagem é redes baseadas em proximidade, onde uma conexão é estabelecida através de WiFi ou Bluetooth (por exemplo, Briar ou o protocolo de rede social [Scuttlebutt](https://www.scuttlebutt.nz)).
+
+Uma vez que um peer tenha encontrado uma rota para o seu contato através de qualquer um desses métodos, uma conexão direta entre eles é feita. Embora as mensagens sejam geralmente criptografadas, um observador ainda pode deduzir a localização e a identidade do remetente e do destinatário.
+
+As redes P2P não usam servidores, pois os peers se comunicam diretamente entre si e, portanto, não podem ser auto-hospedados. No entanto, alguns serviços adicionais podem contar com servidores centralizados, como descoberta de usuários ou retransmissão de mensagens off-line, que podem se beneficiar da auto-hospedagem.
+
+**Vantagens:**
+
+- Informações mínimas são expostas a terceiros.
+- Plataformas P2P modernas implementam E2EE por padrão. Não há servidores que possam interceptar e descriptografar suas transmissões, ao contrário de modelos centralizados e federados.
+
+**Desvantagens:**
+
+- Conjunto de recursos reduzido:
+- As mensagens só podem ser enviadas quando ambos os peers estão online, no entanto, seu cliente pode armazenar mensagens localmente enquanto espera o contato ficar online.
+- Geralmente aumenta o uso da bateria em dispositivos móveis, porque o cliente deve permanecer conectado à rede para saber quem está online.
+- Alguns recursos comuns em mensageiros podem não ser implementados ou estar incompletos, como a exclusão de mensagens.
+- Seu endereço IP e o dos contatos com os quais você está se comunicando podem ser expostos se você não usar o software em conjunto com uma [VPN](../vpn.md) ou [Tor](../tor.md). Muitos países têm alguma forma de vigilância em massa e/ou retenção de metadados.
+
+## Roteamento Anônimo
+
+![Diagrama de roteamento anônimo](../assets/img/layout/network-anonymous-routing.svg){ align=left }
+
+Um mensageiro usando [roteamento anônimo](https://doi.org/10.1007/978-1-4419-5906-5_628) oculta a identidade do remetente, do destinatário ou a evidência de que eles estão se comunicando. Idealmente, um mensageiro deve esconder todos os três.
+
+Existem [muitas](https://doi.org/10.1145/3182658) maneiras diferentes de implementar o roteamento anônimo. Um dos mais famosos é o [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (ou seja, [Tor](tor-overview.md)), que comunica mensagens criptografadas através de uma [rede sopbreposta](https://pt.wikipedia.org/wiki/Rede_sobreposta) virtual, que esconde a localização de cada nó, bem como o destinatário e o remetente de cada mensagem. O remetente e o destinatário nunca interagem diretamente e só se encontram através de um nó de encontro secreto para que não haja vazamento de endereços IP ou localização física. Os nós não podem descriptografar mensagens, nem o destino final; apenas o destinatário pode. Cada nó intermediário só pode descriptografar uma parte que indica para onde enviar a mensagem criptografada, até chegar ao destinatário que pode descriptografá-la totalmente, daí as "onion layers."
+
+A auto-hospedagem de um nó em uma rede de roteamento anônimo não fornece ao hoster benefícios adicionais de privacidade, mas contribui para a resiliência de toda a rede contra ataques de identificação para o benefício de todos.
+
+**Vantagens:**
+
+- Pouca ou nenhuma informação é exposta a outras partes.
+- As mensagens podem ser retransmitidas de forma descentralizada, mesmo que uma das partes esteja offline.
+
+**Desvantagens:**
+
+- Propagação lenta da mensagem.
+- Muitas vezes limitado a menos tipos de mídia, principalmente texto, uma vez que a rede é lenta.
+- Menos confiável se os nós são selecionados por roteamento randomizado, alguns nós podem estar muito longe do remetente e do receptor, adicionando latência ou mesmo não transmitindo mensagens se um dos nós ficar offline.
+- Mais complexo para começar, pois é necessária a criação e o backup seguro de uma chave privada criptográfica.
+- Assim como outras plataformas descentralizadas, adicionar recursos é mais complexo para os desenvolvedores do que em uma plataforma centralizada. Assim, os recursos podem estar faltando ou incompletamente implementados, como retransmissão de mensagens offline ou exclusão de mensagens.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/advanced/dns-overview.md b/i18n/pt-BR/advanced/dns-overview.md
new file mode 100644
index 00000000..429b36cd
--- /dev/null
+++ b/i18n/pt-BR/advanced/dns-overview.md
@@ -0,0 +1,307 @@ +--- +title: "Introdução ao DNS" +icon: material/dns +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## O que é DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### DNS não Criptografado + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. 
This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. 
| Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## O que é "DNS criptografado"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS sobre TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. 
Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS sobre HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. 
When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Por que **não deveria** usar DNS criptografado? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### Endereço IP + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. 
We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. 
Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. 
We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. 
It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP)
+ ispDNS --> | No | nothing(Do nothing)
+```
+
+Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering.
+
+[List of recommended DNS servers](../dns.md ""){.md-button}
+
+## O que é DNSSEC?
+
+[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests.
+
+In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted.
+
+The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with.
+
+DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver.
+
+Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/).
+
+## What is QNAME minimization?
+
+A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server).
+
+Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
+
+## What is EDNS Client Subnet (ECS)?
+
+The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query.
+
+It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps.
+
+This feature does come at a privacy cost, as it tells the DNS server some information about the client's location.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/advanced/tor-overview.md b/i18n/pt-BR/advanced/tor-overview.md
new file mode 100644
index 00000000..25cc0834
--- /dev/null
+++ b/i18n/pt-BR/advanced/tor-overview.md
@@ -0,0 +1,81 @@
+---
+title: "Tor Overview"
+icon: 'simple/torproject'
+---
+
+Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications.
+
+## Path Building
+
+Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays).
+
+Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function:
+
+### The Entry Node
+
+The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to.
+
+Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1]
+
+### The Middle Node
+
+The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to.
+
+For each new circuit, the middle node is randomly selected out of all available Tor nodes.
+
+### The Exit Node
+
+The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to.
+
+The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2]
+
+
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+
+## Encryption
+
+Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order.
+
+Once Tor has built a circuit, data transmission is done as follows:
+
+1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node.
+
+2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node.
+
+3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address.
+
+Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back.
+
+
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+
+Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address.
+
+## Caveats
+
+Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect:
+
+- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity.
+- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible.
+
+If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting.
+
+- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser)
+
+## Recursos Adicionais
+
+- [Tor Browser User Manual](https://tb-manual.torproject.org)
+- [Como funciona o Tor - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube)
+- [Serviços Tor Onion - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube)
+
+--8<-- "includes/abbreviations.pt-BR.txt"
+
+[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack.
The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/pt-BR/android.md b/i18n/pt-BR/android.md
new file mode 100644
index 00000000..aa7a84d1
--- /dev/null
+++ b/i18n/pt-BR/android.md
@@ -0,0 +1,353 @@
+---
+title: "Android"
+icon: 'simple/android'
+---
+
+![Android logo](assets/img/android/android.svg){ align=right }
+
+O **Android Open Source Project** é um sistema operacional de código aberto liderado pelo Google que é usado na maioria dos dispositivos móveis do mundo. A maioria dos celulares vendidos com Android são modificados para incluir integrações invasivas e aplicativos como o Google Play Services. Você pode melhorar a privacidade de seu dispositivo significativamente ao usar uma versão do Android sem esses recursos invasivos.
+
+[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage }
+[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation}
+[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" }
+
+Estes são os sistemas operacionais, dispositivos e aplicações Android que recomendamos para maximizar a segurança e privacidade do seu dispositivo móvel. Para saber mais sobre o Android:
+
+- [Visão geral do Android :material-arrow-right-drop-circle:](os/android-overview.md)
+- [Por que recomendamos o GrapheneOS em vez do CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+
+## Derivados do AOSP
+
+Recomendamos instalar um desses sistemas operacionais Android personalizados em seu dispositivo, listados em ordem de preferência, dependendo da compatibilidade do seu dispositivo com esses sistemas operacionais.
+
+!!! note
+
+ Os dispositivos em fim de vida útil (como os dispositivos GrapheneOS ou "suporte estendido" da CalyxOS) não possuem patches de segurança completos (atualizações de firmware) devido à interrupção do suporte do OEM. Estes dispositivos não podem ser considerados completamente seguros, independentemente do software instalado.
+
+### GrapheneOS
+
+!!! 
recommendation
+
+ ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right }
+ ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right }
+
+ **GrapheneOS*** é a melhor escolha quando se trata de privacidade e segurança.
+
+ O GrapheneOS conta com um [hardening](https://pt.wikipedia.org/wiki/Hardening) adicional e melhorias de privacidade. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported.
+
+ [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice.
+
+Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support).
+
+### DivestOS
+
+!!! 
recommendation
+
+ ![DivestOS logo](assets/img/android/divestos.svg){ align=right }
+
+ **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/).
+ DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices.
+
+ [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute }
+
+DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758).
All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled.
+
+DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features).
+
+DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date.
For other apps, our recommended methods of obtaining them still apply.
+
+!!! warning
+
+ DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative.
+
+ Not all of the supported devices have verified boot, and some perform it better than others.
+
+## Android Devices
+
+When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible.
+
+Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution.
+
+Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner.
+
+A few more tips regarding Android devices and operating system compatibility:
+
+- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer.
+- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with.
+- In short, if a device or Android distribution is not listed here, there is probably a good reason.
Check out our [forum](https://discuss.privacyguides.net/) to find details!
+
+### Google Pixel
+
+Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element.
+
+!!! recommendation
+
+ ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right }
+
+ **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems.
+
+ Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer.
+
+ [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary }
+
+Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface.
+
+Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones.
+
+The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web).
If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company.
+
+A few more tips for purchasing a Google Pixel:
+
+- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock.
+- Consider price beating options and specials offered at physical stores.
+- Look at online community bargain sites in your country. These can alert you to good sales.
+- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day.
+
+## General Apps
+
+We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality.
+
+### Shelter
+
+!!! recommendation
+
+ ![Shelter logo](assets/img/android/shelter.svg){ align=right }
+
+ **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device.
+
+ Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)).
+
+ [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute }
+
+ ??? 
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter)
+
+!!! warning
+
+ Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html).
+
+ When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile.
+
+### Auditor
+
+!!! recommendation
+
+ ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right }
+ ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right }
+
+ **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system.
+
+ [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation}
+ [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute }
+
+ ??? 
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+Auditor performs attestation and intrusion detection by:
+
+- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*.
+- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app).
+- The *auditor* records the current state and configuration of the *auditee*.
+- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations.
+- You will be alerted to the change.
+
+No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring.
+
+If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection.
+
+### Secure Camera
+
+!!! 
recommendation
+
+ ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right }
+ ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right }
+
+ **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices.
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+Main privacy features include:
+
+- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default)
+- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required
+- Microphone permission not required unless you want to record sound
+
+!!! note
+
+ Metadata is not currently deleted from video files but that is planned.
+
+ The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser).
+
+### Secure PDF Viewer
+
+!!! 
recommendation
+
+ ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right }
+ ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right }
+
+ **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files.
+
+ [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content.
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+## Obtaining Applications
+
+### GrapheneOS App Store
+
+GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer).
If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to.
+
+### Aurora Store
+
+The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store.
+
+!!! recommendation
+
+ ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right }
+
+ **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps.
+
+ [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases)
+
+Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device.
+
+### Manually with RSS Notifications
+
+For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases.
+
+![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark)
+
+#### GitHub
+
+On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL:
+
+`https://github.com/GrapheneOS/Camera/releases.atom`
+
+#### GitLab
+
+On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL:
+
+`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom`
+
+#### Verifying APK Fingerprints
+
+If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools).
+
+1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/).
+
+2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools).
+
+3. Extract the downloaded archive:
+
+ ```bash
+ unzip commandlinetools-*.zip
+ cd cmdline-tools
+ ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3"
+ ```
+
+4. Run the signature verification command:
+
+ ```bash
+ ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk
+ ```
+
+5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website.
+
+ ```bash
+ Signer #1 certificate DN: CN=GrapheneOS
+ Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59
+ Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c
+ Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3
+ ```
+
+### F-Droid
+
+![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px }
+
+==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages.
+
+Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust.
+
+Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. No entanto, não é algo que podemos recomendar, já que normalmente os aplicativos são [removidos](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) desse repositório quando vão para o repositório oficial do F-Droid.
While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.
+
+Com isso em mente, os repositórios do [F-Droid](https://f-droid.org/en/packages/) e [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) hospedam milhares de projetos, então eles podem ser boas ferramentas para pesquisar e descobrir aplicativos open-source que você pode, então, obter pela Play Store, Aurora Store ou baixando o APK disponibilizado pelo desenvolvedor. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method.
+
+!!! note
+
+ Em alguns raros casos, o desenvolvedor só vai disponibilizar o app no F-Droid ([Gadgetbridge](https://gadgetbridge.org/) é um exemplo). Se você realmente precisa de um aplicativo assim, recomendamos que use a [Neo Store](https://github.com/NeoApplications/Neo-Store/) ao invés do aplicativo oficial do F-Droid.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here.
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Operating Systems
+
+- Must be open-source software.
+- Must support bootloader locking with custom AVB key support.
+- Must receive major Android updates within 0-1 months of release.
+- Must receive Android feature updates (minor version) within 0-14 days of release.
+- Must receive regular security patches within 0-5 days of release.
+- Must **not** be "rooted" out of the box.
+- Must **not** enable Google Play Services by default.
+- Must **not** require system modification to support Google Play Services.
+
+### Devices
+
+- Must support at least one of our recommended custom operating systems.
+- Must be currently sold new in stores.
+- Must receive a minimum of 5 years of security updates.
+- Must have dedicated secure element hardware.
+
+### Applications
+
+- Applications on this page must not be applicable to any other software category on the site.
+- General applications should extend or replace core system functionality.
+- Applications should receive regular updates and maintenance.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/assets/img/account-deletion/exposed_passwords.png b/i18n/pt-BR/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/pt-BR/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/pt-BR/assets/img/android/rss-apk-dark.png b/i18n/pt-BR/assets/img/android/rss-apk-dark.png
new file mode 100644
index 00000000..974869a4
Binary files /dev/null and b/i18n/pt-BR/assets/img/android/rss-apk-dark.png differ
diff --git a/i18n/pt-BR/assets/img/android/rss-apk-light.png b/i18n/pt-BR/assets/img/android/rss-apk-light.png
new file mode 100644
index 00000000..21d6ef03
Binary files /dev/null and b/i18n/pt-BR/assets/img/android/rss-apk-light.png differ
diff --git a/i18n/pt-BR/assets/img/android/rss-changes-dark.png b/i18n/pt-BR/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/pt-BR/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/pt-BR/assets/img/android/rss-changes-light.png b/i18n/pt-BR/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/pt-BR/assets/img/android/rss-changes-light.png differ diff --git a/i18n/pt-BR/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/pt-BR/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/pt-BR/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt-BR/assets/img/how-tor-works/tor-encryption.svg b/i18n/pt-BR/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/pt-BR/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/pt-BR/assets/img/how-tor-works/tor-path-dark.svg b/i18n/pt-BR/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/pt-BR/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt-BR/assets/img/how-tor-works/tor-path.svg b/i18n/pt-BR/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/pt-BR/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt-BR/assets/img/multi-factor-authentication/fido.png b/i18n/pt-BR/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/pt-BR/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/pt-BR/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/pt-BR/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/pt-BR/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/pt-BR/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/pt-BR/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/pt-BR/assets/img/qubes/qubes-trust-level-architecture.png differ 
diff --git a/i18n/pt-BR/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/pt-BR/assets/img/qubes/r4.0-xfce-three-domains-at-work.png
new file mode 100644
index 00000000..d7138149
Binary files /dev/null and b/i18n/pt-BR/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ
diff --git a/i18n/pt-BR/basics/account-creation.md b/i18n/pt-BR/basics/account-creation.md
new file mode 100644
index 00000000..7e82dedf
--- /dev/null
+++ b/i18n/pt-BR/basics/account-creation.md
@@ -0,0 +1,82 @@
+---
+title: "Account Creation"
+icon: 'material/account-plus'
+---
+
+Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line.
+
+There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer.
+
+It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.
+
+## Terms of Service & Privacy Policy
+
+The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for.
+ +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. 
This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. 
Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. + +--8<-- "includes/abbreviations.pt-BR.txt" 
diff --git a/i18n/pt-BR/basics/account-deletion.md b/i18n/pt-BR/basics/account-deletion.md
new file mode 100644
index 00000000..01266fb3
--- /dev/null
+++ b/i18n/pt-BR/basics/account-deletion.md
@@ -0,0 +1,63 @@
+---
+title: "Exclusão de Conta"
+icon: 'material/account-remove'
+---
+
+Com o tempo, pode ser fácil acumular várias contas online, muitas das quais você pode não mais usar. Excluir essas contas não utilizadas é um passo importante para recuperar sua privacidade, pois contas inativas são vulneráveis a violações de dados. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence.
+
+## Localizando Contas Antigas
+
+### Gerenciador de Senhas
+
+If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/).
+
+
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Excluindo Contas Antigas + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. 
It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. 
+ +### Sobrescrevendo Informações da Conta + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Exclusão + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. 
+
+Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services.
+
+## Evite Novas Contas
+
+As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/basics/common-misconceptions.md b/i18n/pt-BR/basics/common-misconceptions.md
new file mode 100644
index 00000000..a5e7a019
--- /dev/null
+++ b/i18n/pt-BR/basics/common-misconceptions.md
@@ -0,0 +1,61 @@
+---
+title: "Equívocos Comuns"
+icon: 'material/robot-confused'
+---
+
+## "Software de código aberto é sempre seguro" ou "Software proprietário é mais seguro"
+
+Estes mitos resultam de uma série de preconceitos, mas se o código fonte está disponível e a forma como o software é licenciado não afecta de modo algum a sua segurança de forma inerente. ==Software de código aberto tem o *potencial* para ser mais seguro do que um software proprietário, mas não existe qualquer garantia de que assim seja.== Quando se avalia o software, se deve olhar a reputação e a segurança de cada ferramenta numa base individual.
+
+O software de código aberto *pode* ser auditado por terceiros, e é muitas vezes mais transparente sobre potenciais vulnerabilidades do que os seus equivalentes proprietários. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1]
+
+On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
+
+To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use.
+
+## "Shifting trust can increase privacy"
+
+We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that:
+
+1. 
You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. 
==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. 
This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc.
+
+ You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.
+
+3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly.
+
+ Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.)
+
+--8<-- "includes/abbreviations.pt-BR.txt"
+
+[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident).
diff --git a/i18n/pt-BR/basics/common-threats.md b/i18n/pt-BR/basics/common-threats.md
new file mode 100644
index 00000000..2d4f6b0c
--- /dev/null
+++ b/i18n/pt-BR/basics/common-threats.md
@@ -0,0 +1,149 @@
+---
+title: "Ameaças Comuns"
+icon: 'material/eye-outline'
+---
+
+Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat.
+
+- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically.
+- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically.
+- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
+- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
+- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities.
+- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
+- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public.
+- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online.
+ +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonimato vs Privacidade + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Segurança e Privacidade + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. 
The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). 
+ +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacidade dos Prestadores de Serviços + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. 
Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. 
+ +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Programas de Vigilância em Massa + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + Na França, você pode dar uma olhada no [site da Technopolicy](https://technopolice.fr/villes/) mantido pela associação sem fins lucrativos La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! 
quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. 
Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limitação de Informações Públicas + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. 
This makes your real information indistinguishable from the false information. + +## Evitando a Censura + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. 
Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
+
+You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
+
+[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance).
+[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques.
+[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights).
diff --git a/i18n/pt-BR/basics/email-security.md b/i18n/pt-BR/basics/email-security.md
new file mode 100644
index 00000000..a95f97e8
--- /dev/null
+++ b/i18n/pt-BR/basics/email-security.md
@@ -0,0 +1,42 @@ +--- +title: Segurança de Email +icon: material/email +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Visão Geral da Criptografia de Email + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. 
+ +### Quais Clientes de Email Suportam E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### Como Protejo Minhas Chaves Privadas? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Visão Geral dos Metadados de Email + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Quem Pode Ver Metadados de Email? 
+
+Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages.
+
+### Por Que os Metadados Não Podem Ser E2EE?
+
+Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/basics/multi-factor-authentication.md b/i18n/pt-BR/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..cefa281d
--- /dev/null
+++ b/i18n/pt-BR/basics/multi-factor-authentication.md
@@ -0,0 +1,166 @@
+---
+title: "Autenticação de Múltiplos Fatores"
+icon: 'material/two-factor-authentication'
+---
+
+**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app.
+
+Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone.
+
+MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO.
+
+## MFA Method Comparison
+
+### SMS or Email MFA
+
+Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account.
+
+### Push Notifications
+
+Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first.
+ +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. 
If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds).
+
+An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
+
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+
+### Hardware security keys
+
+The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory.
+
+These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones.
+
+#### Yubico OTP
+
+Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server.
+
+When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field.
+
+The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
+
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png)
+
+
+There are some benefits and disadvantages to using Yubico OTP when compared to TOTP.
+
+The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance.
+
+If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key.
+
+#### FIDO (Fast IDentity Online)
+
+[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn).
+
+U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on.
+
+WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication.
+
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+
+
+
+FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods.
+
+Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy.
+
+Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys.
+
+If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA.
+
+## Recomendações gerais
+
+We have these general recommendations:
+
+### Which Method Should I Use?
+
+When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account.
+
+### Backups
+
+You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one.
+
+When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)).
+
+### Initial Set Up
+
+When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well.
+
+### Email and SMS
+
+If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method.
+
+If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam).
+
+[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button}
+
+## More Places to Set Up MFA
+
+Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well.
+
+### Windows
+
+Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer.
+
+### macOS
+
+macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer.
+
+Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS.
+
+After your smartcard/security key is set up, we recommend running this command in the Terminal:
+
+```text
+sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
+```
+
+The command will prevent an adversary from bypassing MFA when the computer boots.
+
+### Linux
+
+!!! warning
+
+ If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide.
+
+The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS.
+
+### Qubes OS
+
+Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS.
+
+### SSH
+
+#### Hardware Security Keys
+
+SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up.
+
+#### Time-based One-time Password (TOTP)
+
+SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ.
+
+### KeePass (and KeePassXC)
+
+KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/basics/passwords-overview.md b/i18n/pt-BR/basics/passwords-overview.md
new file mode 100644
index 00000000..fce59c5f
--- /dev/null
+++ b/i18n/pt-BR/basics/passwords-overview.md
@@ -0,0 +1,112 @@
+---
+title: "Introduction to Passwords"
+icon: 'material/form-textbox-password'
+---
+
+Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced.
+
+## Best Practices
+
+### Use unique passwords for every service
+
+Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it.
+
+This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords.
+
+### Use randomly generated passwords
+
+==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices.
+
+All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use.
+
+### Rotating Passwords
+
+You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it.
+
+When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage.
+
+!!! tip "Checking for data breaches"
+
+ If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md).
+
+## Creating strong passwords
+
+### Passwords
+
+A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters.
+
+If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases).
+
+### Diceware Passphrases
+
+Diceware is a method for creating passphrases which are easy to remember, but hard to guess.
+
+Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password.
+
+An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`.
+
+To generate a diceware passphrase using real dice, follow these steps:
+
+!!! 
note
+
+ These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy.
+
+1. Roll a six-sided die five times, noting down the number after each roll.
+
+2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`.
+
+3. You will find the word `encrypt`. Write that word down.
+
+4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space.
+
+!!! warning "Important"
+
+ You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random.
+
+If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords.
+
+We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English.
+
+??? note "Explanation of entropy and strength of diceware passphrases"
+
+ To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example.
+
+ One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$.
+
+ Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$).
+
+ The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$.
+
+ Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases.
+
+ On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true:
+
+ - Your adversary knows that you used the diceware method.
+ - Your adversary knows the specific wordlist that you used.
+ - Your adversary knows how many words your passphrase contains.
+
+To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong.
+
+## Storing Passwords
+
+### Password Managers
+
+The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them.
+
+There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words.
+
+[List of recommended password managers](../passwords.md ""){.md-button}
+
+!!! warning "Don't place your passwords and TOTP tokens inside the same password manager"
+
+ When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+
+ Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
+
+ Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device.
+
+### Backups
+
+You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/basics/threat-modeling.md b/i18n/pt-BR/basics/threat-modeling.md
new file mode 100644
index 00000000..e405f4a0
--- /dev/null
+++ b/i18n/pt-BR/basics/threat-modeling.md
@@ -0,0 +1,111 @@
+---
+title: "Modelagem de Ameaças"
+icon: 'material/target-account'
+---
+
+Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using!
+
+If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important.
+
+**Então, o que são esses modelos de ameaça afinal?**
+
+==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure.
+
+Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.
+
+## Criando seu modelo de ameaça
+
+To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions:
+
+1. What do I want to protect?
+2. Who do I want to protect it from?
+3. How likely is it that I will need to protect it?
+4. How bad are the consequences if I fail?
+5. How much trouble am I willing to go through to try to prevent potential consequences?
+
+### What do I want to protect?
+
+An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. 
Your devices themselves may also be assets.
+
+*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.*
+
+### Who do I want to protect it from?
+
+To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.
+
+*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.*
+
+Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning.
+
+### How likely is it that I will need to protect it?
+
+==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.
+
+It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).
+
+Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.
+
+*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.*
+
+### How bad are the consequences if I fail?
+
+There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.
+
+==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.
+
+Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.
+
+*Write down what your adversary might want to do with your private data.*
+
+### How much trouble am I willing to go through to try to prevent potential consequences?
+
+==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy.
+
+For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.
+
+*Write down what options you have available to you to help mitigate your unique threats. 
Note if you have any financial constraints, technical constraints, or social constraints.*
+
+### Try it yourself: Protecting Your Belongings
+
+These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe.
+
+**What do you want to protect? (Or, *what do you have that is worth protecting?*)**
+:
+
+Your assets might include jewelry, electronics, important documents, or photos.
+
+**Who do you want to protect it from?**
+:
+
+Your adversaries might include burglars, roommates, or guests.
+
+**How likely is it that you will need to protect it?**
+:
+
+Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider?
+
+**How bad are the consequences if you fail?**
+:
+
+Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home?
+
+**How much trouble are you willing to go through to prevent these consequences?**
+:
+
+Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there?
+
+Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system.
+
+Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face.
+
+## Further Reading
+
+For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations.
+
+- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md)
+
+## Fontes
+
+- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan)
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/basics/vpn-overview.md b/i18n/pt-BR/basics/vpn-overview.md
new file mode 100644
index 00000000..4f9a7736
--- /dev/null
+++ b/i18n/pt-BR/basics/vpn-overview.md
@@ -0,0 +1,78 @@
+---
+title: VPN Overview
+icon: material/vpn
+---
+
+Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem).
+
+Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns).
+
+A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it.
+
+## Devo Usar Uma VPN?
+
+**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service.
+
+VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way.
+
+However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.
+
+## When shouldn't I use a VPN?
+
+Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful.
+
+Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website.
+
+## E Quanto à Criptografia?
+
+Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. 
However, encryption between your apps or browsers with the service providers are not handled by this encryption.
+
+In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf).
+
+## Devo usar DNS criptografado com uma VPN?
+
+Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider.
+
+A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different.
+
+Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you.
+
+## Devo usar Tor *e* uma VPN?
+
+By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. 
If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md).
+
+## E se eu precisar de anonimato?
+
+VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead.
+
+## E os provedores de VPN que fornecem nós Tor?
+
+Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit).
+
+The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway.
+
+## Quando VPNs são úteis?
+
+A VPN may still be useful to you in a variety of scenarios, such as:
+
+1. Hiding your traffic from **only** your Internet Service Provider.
+1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
+1. 
Hiding your IP from third-party websites and services, preventing IP based tracking.
+
+For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
+
+## Fontes e Leituras Adicionais
+
+1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
+1. [Tor Network Overview](../advanced/tor-overview.md)
+1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides)
+1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them.
+
+## Informações Relacionadas a VPN
+
+- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/)
+- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
+- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
+- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/calendar.md b/i18n/pt-BR/calendar.md
new file mode 100644
index 00000000..ba913cf1
--- /dev/null
+++ b/i18n/pt-BR/calendar.md
@@ -0,0 +1,71 @@ +--- +title: "Calendar Sync" +icon: material/calendar +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! 
recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. + +--8<-- "includes/abbreviations.pt-BR.txt" diff --git a/i18n/pt-BR/cloud.md b/i18n/pt-BR/cloud.md new file mode 100644 index 00000000..df89a2de --- /dev/null +++ b/i18n/pt-BR/cloud.md 
@@ -0,0 +1,62 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by either putting you in control of your data or by implementing E2EE. + +If these alternatives do not fit your needs, we suggest you look into [Encryption Software](encryption.md). + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is an E2EE general file storage service by the popular encrypted email provider [Proton Mail](https://proton.me/mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +Proton Drive's mobile clients were released in December 2022 and are not yet open-source. Proton has historically delayed their source code releases until after initial product releases, and [plans to](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) release the source code by the end of 2023. Proton Drive desktop clients are still in development. 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. 
+- Should offer at least basic file preview and editing functionality on the web interface.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/data-redaction.md b/i18n/pt-BR/data-redaction.md
new file mode 100644
index 00000000..ca0f8552
--- /dev/null
+++ b/i18n/pt-BR/data-redaction.md
@@ -0,0 +1,146 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. 
+ + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. 
+ + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. 
+ + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. + +--8<-- "includes/abbreviations.pt-BR.txt" diff --git a/i18n/pt-BR/desktop-browsers.md b/i18n/pt-BR/desktop-browsers.md new file mode 100644 index 00000000..7481af53 --- /dev/null +++ b/i18n/pt-BR/desktop-browsers.md 
@@ -0,0 +1,263 @@ +--- +title: "Navegadores Desktop" +icon: material/laptop +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping your browser extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! 
aviso + O Firefox inclui um token exclusivo de [download](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) pelo site da Mozilla e usa telemetria no Firefox para enviar o token. O token é **não** incluído nas versões do [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Firefox + +Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +Se você quiser permanecer conectado a sites específicos, você pode permitir exceções em **Cookies e Dados do Site** → **Gerenciar Exceções...** + +##### Proteção Reforçada de Rastreio (ETP) + +- Selecione **Strict** + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitizar ao Fechar + +O serviço [Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) usa E2EE. + +- Selecione **Excluir cookies e dados do site quando o Firefox estiver fechado** + +Geralmente, não recomendamos a instalação de nenhuma extensão, pois elas aumentam sua superfície de ataque; no entanto, se você deseja o bloqueio de conteúdo, o [uBlock Origin](#additional-resources) pode ser útil para você. A extensão também é uma extensão :trophy: [recomendada](https://support.mozilla.org/kb/add-on-badges#w_recommended-extensions) pela Mozilla. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. 
+ +##### Desativar Sugestão de Pesquisa + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Desativar Telemetria + +- Limpar **Permitir que o Firefox envie dados técnicos e de interação para o Mozilla** +- Limpar **Permitir que o Firefox instale e execute estudos** +- Limpar **Permitir que o Firefox envie relatórios de falhas identificadas em seu nome** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### Modo Somente HTTPS + +- Selecione **Ativar modo somente HTTPS em todas as janelas** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. 
+ +### Extensões + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. 
We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Firefox + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings**. + +##### Modo Somente HTTPS + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+
+- [x] Select **Prevent sites from fingerprinting me based on my language preferences**
+- [x] Select **Aggressive** under Trackers & ads blocking
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under Block fingerprinting
+
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Social media blocking
+
+- [ ] Uncheck all social media components
+
+##### Privacy and security
+
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Use Google services for push messaging**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [x] Select **Always use secure connections** in the **Security** menu
+- [ ] Uncheck **Private window with Tor** (1)
+
+ !!! tip "Sanitizing on Close"
+ - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu
+
+ If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section.
+
+
+
+1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser).
+
+##### Extensões
+
+Disable built-in extensions you do not use in **Extensions**
+
+- [ ] Uncheck **Hangouts**
+- [ ] Uncheck **WebTorrent**
+
+##### IPFS
+
+InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+- [x] Select **Disabled** on Method to resolve IPFS resources
+
+##### Additional settings
+
+Under the *System* menu
+
+
+
+- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1)
+
+
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Recursos Adicionais + +We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). 
+ +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +--8<-- "includes/abbreviations.pt-BR.txt" + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/pt-BR/desktop.md b/i18n/pt-BR/desktop.md new file mode 100644 index 00000000..5076ac4d --- /dev/null +++ b/i18n/pt-BR/desktop.md 
@@ -0,0 +1,184 @@
+---
+title: "Desktop/PC"
+icon: simple/linux
+---
+
+Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions.
+
+- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md)
+
+## Traditional Distributions
+
+### Fedora Workstation
+
+!!! recommendation
+
+ ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right }
+
+ **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general.
+
+ [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
+
+### openSUSE Tumbleweed
+
+!!! recommendation
+
+ ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
+
+ **openSUSE Tumbleweed** is a stable rolling release distribution. 
+
+ openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.
+
+ [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute }
+
+Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality.
+
+### Arch Linux
+
+!!! recommendation
+
+ ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right }
+
+ **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).
+
+ [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute }
+
+Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.
+
+Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
+
+A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). 
+
+## Immutable Distributions
+
+### Fedora Silverblue
+
+!!! recommendation
+
+ ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right }
+
+ **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.
+
+ [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.
+
+After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed.
+
+[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. 
+
+As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer.
+
+### NixOS
+
+!!! recommendation
+
+ ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right }
+
+ NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.
+
+ [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute }
+
+NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.
+
+NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.
+
+Nix the package manager uses a purely functional language - which is also called Nix - to define packages.
+
+[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. 
You can also define your own packages in the same language and then easily include them in your config.
+
+Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible.
+
+## Anonymity-Focused Distributions
+
+### Whonix
+
+!!! recommendation
+
+ ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right }
+
+ **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os).
+
+ [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute }
+
+Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.
+
+Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. 
+
+Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
+
+Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors.
+
+### Tails
+
+!!! recommendation
+
+ ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right }
+
+ **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off.
+
+ [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute }
+
+Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized.
+
+Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. 
[Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device.
+
+By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots.
+
+## Security-focused Distributions
+
+### Qubes OS
+
+!!! recommendation
+
+ ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right }
+
+ **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers.
+
+ [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary }
+ [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute }
+
+Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*.
+
+The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). 
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Our recommended operating systems:
+
+- Must be open-source.
+- Must receive regular software and Linux kernel updates.
+- Linux distributions must support [Wayland](os/linux-overview.md#Wayland).
+- Must support full-disk encryption during installation.
+- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/dns.md b/i18n/pt-BR/dns.md
new file mode 100644
index 00000000..1eb4b838
--- /dev/null
+++ b/i18n/pt-BR/dns.md
@@ -0,0 +1,141 @@ +--- +title: "Introdução ao DNS" +icon: material/dns +--- + +!!! Devo usar DNS criptografado? + + Encrypted DNS with a 3rd party should only be used to get around redirects and basic DNS blocking when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. Encrypted DNS will not help you hide any of your browsing activity. + + [Learn more about DNS](advanced/dns-overview.md){ .md-button } + +## Provedores Recomendados + +| DNS | Privacy Policy | Protocol | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | 2 | Based on server choice. Filter list being used can be found here. [**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. |
+| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | 2 | Based on server choice. |
+| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | 2 | Based on server choice. |
+| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | 2 | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) |
+| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. |
+| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. |
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec).
+- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization).
+- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled.
+- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support.
+
+## DNSCrypt
+
+### Android
+
+Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**.
+
+### Apple Devices
+
+The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). 
+
+After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings.
+
+#### Signed Profiles
+
+Apple does not provide a native interface for creating encrypted DNS profiles. Info Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/).
+
+!!! info
+
+ `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS.
+
+## Encrypted DNS Proxies
+
+Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns).
+
+### DNS
+
+!!! recommendation
+
+ obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party)
+ obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP)
+ ispDNS --> | No | nothing(Do nothing)
+
+ [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns)
+ - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases)
+
+### DNS
+
+!!! recommendation
+
+ ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right }
+
+ **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
+
+ !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
+
+ [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute }
+
+ ??? 
downloads
+
+ - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows)
+ - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS)
+ - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux)
+
+## Self-hosted Solutions
+
+A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed.
+
+### AdGuard Home
+
+!!! recommendation
+
+ ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right }
+
+ **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ AdGuard Home features a polished web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" }
+
+### Pi-hole
+
+!!! recommendation
+
+ ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right }
+
+ **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. 
+
+ [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute }
+
+--8<-- "includes/abbreviations.pt-BR.txt"
+
+[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html)
+[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/)
+[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy)
+[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. 
[https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/)
+[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy)
+[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/)
diff --git a/i18n/pt-BR/email-clients.md b/i18n/pt-BR/email-clients.md
new file mode 100644
index 00000000..d052838f
--- /dev/null
+++ b/i18n/pt-BR/email-clients.md
@@ -0,0 +1,239 @@ +--- +title: "Email Clients" +icon: material/email-open +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Firefox + +We recommend changing some of these settings to make Thunderbird a little more private. + +Se você quiser permanecer conectado a sites específicos, você pode permitir exceções em **Cookies e Dados do Site** → **Gerenciar Exceções...** + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Desativar Telemetria + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! 
recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. 
+ + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! 
recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. + +--8<-- "includes/abbreviations.pt-BR.txt" diff --git a/i18n/pt-BR/email.md b/i18n/pt-BR/email.md new file mode 100644 index 00000000..eae629b8 --- /dev/null +++ b/i18n/pt-BR/email.md 
@@ -0,0 +1,485 @@ +--- +title: "Email Services" +icon: material/email +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +??? 
success "Custom Domains and Aliases" + + Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +??? success "Private Payment Methods" + + Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments. + +??? success "Account Security" + + Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code. + +??? success "Data Security" + + Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + + Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +??? success "Email Encryption" + + Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. 
+ + Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + +??? warning "Digital Legacy" + + Proton Mail doesn't offer a digital legacy feature. + +??? info "Account Termination" + + If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +??? info "Additional Functionality" + + Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +??? success "Custom Domains and Aliases" + + Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. 
Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +??? info "Private Payment Methods" + + Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +??? success "Account Security" + + Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +??? info "Data Security" + + Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + + However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +??? success "Email Encryption" + + Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. 
This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + + Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +??? success "Digital Legacy" + + Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +??? info "Account Termination" + + Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +??? info "Additional Functionality" + + You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + + All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +### StartMail + +!!! 
recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +??? success "Custom Domains and Aliases" + + Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +??? warning "Private Payment Methods" + + StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +??? success "Account Security" + + StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +??? info "Data Security" + + StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. 
When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + + StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +??? success "Email Encryption" + + StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. + +??? warning "Digital Legacy" + + StartMail does not offer a digital legacy feature. + +??? info "Account Termination" + + On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +??? info "Additional Functionality" + + StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +??? success "Custom Domains and Aliases" + + Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). 
Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +??? warning "Private Payment Methods" + + Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +??? success "Account Security" + + Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +??? success "Data Security" + + Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +??? warning "Email Encryption" + + Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +??? warning "Digital Legacy" + + Tutanota doesn't offer a digital legacy feature. + +??? info "Account Termination" + + Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +??? info "Additional Functionality" + + Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + + Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. 
+ +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. 
You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Nossos Critérios + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! 
recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. 
We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. 
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). 
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). 
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. 
(email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. + +--8<-- "includes/abbreviations.pt-BR.txt" diff --git a/i18n/pt-BR/encryption.md b/i18n/pt-BR/encryption.md new file mode 100644 index 00000000..c8a2fafa --- /dev/null +++ b/i18n/pt-BR/encryption.md 
@@ -0,0 +1,357 @@ +--- +title: "Softwares de Criptografia" +icon: material/file-lock +--- + +A criptografia de dados é a única maneira de controlar quem pode acessá-los. Se você atualmente não está usando “software” de criptografia para seu disco rígido, e-mails ou arquivos, você deve escolher uma opção aqui. + +## Aplicativos multiplataforma + +As opções listadas aqui suportam múltiplas plataformas e são ótimas para criar backups criptografados de seus dados. + +### Cryptomator (Nuvem) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** é uma solução de criptografia projetada para salvar arquivos de forma privada em qualquer provedor de nuvem. Ele permite que você crie cofres armazenados em uma unidade virtual (virtual disk), cujo conteúdo é criptografado e sincronizado com seu provedor de armazenamento em nuvem. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +O Cryptomator usa criptografia AES-256 para criptografar arquivos e nomes de arquivos. O Cryptomator não pode criptografar metadados, como histórico de data/hora de acesso, modificação e criação, nem o número e o tamanho de arquivos e pastas. + +Algumas bibliotecas criptográficas do Cryptomator foram [auditadas](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) pela Cure53. O âmbito das bibliotecas auditadas inclui: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) e [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). A auditoria não se estendeu a [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), que é uma biblioteca usada pelo Cryptomator para o iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (Arquivo) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** é uma ferramenta de criptografia pequena e simples que fornece criptografia moderna. 
O Picocrypt usa a cifra segura XChaCha20 e a função de derivação de chave do Argon2id para fornecer um alto nível de segurança. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repositório](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribuir } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. 
According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? 
example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. 
FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. 
This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. 
+
+ [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.kryptor.co.uk)
+ - [:simple-apple: macOS](https://www.kryptor.co.uk)
+ - [:simple-linux: Linux](https://www.kryptor.co.uk)
+
+### Tomb
+
+!!! recommendation
+
+ ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right }
+
+ **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work).
+
+ [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute }
+
+## OpenPGP
+
+OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.
+
+When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
+
+!!! tip "Use future defaults when generating a key"
+
+ When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/):
+
+ ```bash
+ gpg --quick-gen-key alice@example.com future-default
+ ```
+
+### GNU Privacy Guard
+
+!!! recommendation
+
+ ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right }
+
+ **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government.
+
+ [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+ - [:simple-apple: macOS](https://gpgtools.org)
+ - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary)
+
+### GPG4win
+
+!!! recommendation
+
+ ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right }
+
+ **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005.
+
+ [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+
+### GPG Suite
+
+!!! note
+
+ We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices.
+
+!!! recommendation
+
+ ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right }
+
+ **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS.
+
+ We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support.
+
+ [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-apple: macOS](https://gpgtools.org)
+
+### OpenKeychain
+
+!!! recommendation
+
+ ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right }
+
+ **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).
+
+ [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Cross-platform encryption apps must be open-source.
+- File encryption apps must support decryption on Linux, macOS, and Windows.
+- External disk encryption apps must support decryption on Linux, macOS, and Windows.
+- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave.
+- File encryption apps should have first- or third-party support for mobile platforms.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/file-sharing.md b/i18n/pt-BR/file-sharing.md
new file mode 100644
index 00000000..a6820567
--- /dev/null
+++ b/i18n/pt-BR/file-sharing.md
@@ -0,0 +1,149 @@
+---
+title: "File Sharing and Sync"
+icon: material/share-variant
+---
+
+Discover how to privately share your files between your devices, with your friends and family, or anonymously online.
+
+## File Sharing
+
+### Send
+
+!!! recommendation
+
+ ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right }
+
+ **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself.
+
+ [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute }
+
+Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server:
+
+```bash
+ffsend upload --host https://send.vis.ee/ FILE
+```
+
+### OnionShare
+
+!!! recommendation
+
+ ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right }
+
+ **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files.
+
+ [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://onionshare.org/#download)
+ - [:simple-apple: macOS](https://onionshare.org/#download)
+ - [:simple-linux: Linux](https://onionshare.org/#download)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must not store decrypted data on a remote server.
+- Must be open-source software.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+## FreedomBox
+
+!!! recommendation
+
+ ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right }
+
+ **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host.
+
+ [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation}
+ [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute }
+
+## File Sync
+
+### Nextcloud (Client-Server)
+
+!!! recommendation
+
+ ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right }
+
+ **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control.
+
+ [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!! aviso
+ Você **nunca** deve instalar quaisquer extensões adicionais no Tor Browser, incluindo as que sugerimos para o Firefox.
+
+ We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality.
+
+### Syncthing (P2P)
+
+!!! recommendation
+
+ ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right }
+
+ **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS.
+
+ [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid)
+ - [:simple-windows11: Windows](https://syncthing.net/downloads/)
+ - [:simple-apple: macOS](https://syncthing.net/downloads/)
+ - [:simple-linux: Linux](https://syncthing.net/downloads/)
+ - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/)
+ - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/)
+ - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must not require a third-party remote/cloud server.
+- Must be open-source software.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Has mobile clients for iOS and Android, which at least support document previews.
+- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/frontends.md b/i18n/pt-BR/frontends.md
new file mode 100644
index 00000000..149badab
--- /dev/null
+++ b/i18n/pt-BR/frontends.md
@@ -0,0 +1,268 @@
+---
+title: "Frontends"
+icon: material/flip-to-front
+---
+
+Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions.
+
+## LBRY
+
+### Librarian
+
+!!! recommendation
+
+ ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right }
+ ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right }
+
+ **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" }
+
+!!! warning
+
+ Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy.
+
+!!! tip
+
+ Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting.
+
+When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## Twitter
+
+### Nitter
+
+!!! recommendation
+
+ ![Nitter logo](assets/img/frontends/nitter.svg){ align=right }
+
+ **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute }
+
+!!! tip
+
+ Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter).
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting.
+
+When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## TikTok
+
+### ProxiTok
+
+!!! recommendation
+
+ ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right }
+
+ **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" }
+
+!!! tip
+
+ ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting.
+
+When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+## YouTube
+
+### FreeTube
+
+!!! recommendation
+
+ ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right }
+
+ **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device.
+
+ By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments.
+
+ [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://freetubeapp.io/#download)
+ - [:simple-apple: macOS](https://freetubeapp.io/#download)
+ - [:simple-linux: Linux](https://freetubeapp.io/#download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube)
+
+!!! warning
+
+ When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+### Yattee
+
+!!! recommendation
+
+ ![Yattee logo](assets/img/frontends/yattee.svg){ align=right }
+
+ **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device.
+
+ You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions.
+
+ [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629)
+ - [:simple-github: GitHub](https://github.com/yattee/yattee/releases)
+
+!!! warning
+
+ When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments.
+
+### LibreTube (Android)
+
+!!! recommendation
+
+ ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right }
+ ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right }
+
+ **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API.
+
+ LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well.
+
+ [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases)
+
+!!! warning
+
+ When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired.
+
+### NewPipe (Android)
+
+!!! anotar recomendação
+
+ ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right }
+
+ **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1).
+
+ Your subscription list and playlists are saved locally on your Android device.
+
+ [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases)
+
+1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances**
+
+!!! Warning
+
+ When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+### Invidious
+
+!!! recommendation
+
+ ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right }
+ ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right }
+
+ **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute }
+
+!!! warning
+
+ Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL.
+
+!!! tip
+
+ Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting.
+
+When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII.
+
+### Piped
+
+!!! recommendation
+
+ ![Piped logo](assets/img/frontends/piped.svg){ align=right }
+
+ **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable.
+
+ Piped requires JavaScript in order to function and there are a number of public instances.
+
+ [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute }
+
+!!! tip
+
+ Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting.
+
+When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Recommended frontends...
+
+- Must be open-source software.
+- Must be self-hostable.
+- Must provide all basic website functionality available to anonymous users.
+
+We only consider frontends for websites which are...
+
+- Not normally accessible without JavaScript.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/index.md b/i18n/pt-BR/index.md
new file mode 100644
index 00000000..adedf2fd
--- /dev/null
+++ b/i18n/pt-BR/index.md
@@ -0,0 +1,44 @@ +--- +template: overrides/home.pt-BR.html +hide: + - navigation + - toc + - feedback +--- + + +## Por que devo me importar? + +##### "Não tenho nada a esconder. Por que eu deveria me preocupar com a minha privacidade?” + +Assim como o direito ao casamento inter-racial, o direito feminino de votar, a liberdade de expressão e muitos outros, nosso direito à privacidade nem sempre foi respeitado. Em várias ditaduras, ainda não é. Gerações anteriores à nossa lutaram pelo nosso direito à privacidade. ==Privacidade é um direito humano, inerente a todos nós,== ao qual temos direito (sem discriminação). + +Você não deve confundir privacidade com sigilo. Sabemos o que acontece no banheiro, mas você ainda fecha a porta. Isso é porque você quer privacidade, não sigilo. **Todo mundo** tem algo para proteger. Privacidade é algo que nos torna humanos. + +[:material-target-account: Ameaças comuns na Internet](basics/common-threats.md ""){.md-button.md-button--primary} + +## O que eu deveria fazer? + +##### Primeiro, você precisa fazer um plano + +Tentar proteger todos os seus dados de todos — o tempo todo — é impraticável, caro e exaustivo. Mas não se preocupe! A segurança é um processo e, ao pensar no futuro, você pode montar um plano que seja certo para você. Segurança não é apenas sobre as ferramentas que você usa ou o software que você baixa. Em vez disso, começa por entender as ameaças que você enfrenta e como você pode mitigá-las. + +==Este processo de identificação de ameaças e definição de contramedidas é chamado de **threat modeling**==, e forma a base de todo bom plano de segurança e privacidade. + +[:material-book-outline: Saiba mais sobre Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## Precisamos de você! 
Veja como participar do projeto:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Participe do nosso fórum" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Siga-nos no Mastodon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribua para este site" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Ajude a traduzir este site" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Converse conosco no Matrix" }
+[:material-information-outline:](about/index.md){ title="Saiba mais sobre nós" }
+[:material-hand-coin-outline:](about/donate.md){ title="Apoie o projeto" }
+
+É importante que um site como o Privacy Guides esteja sempre atualizado. Precisamos que nosso público fique de olho nas atualizações de software para os aplicativos listados em nosso site e acompanhe as notícias recentes sobre os serviços que recomendamos. É difícil acompanhar o ritmo acelerado da internet, mas tentamos o nosso melhor. Se você detectar um erro, achar que um serviço não deve ser listado, notar que um serviço qualificado está faltando, acreditar que uma extensão de navegador não é mais a melhor escolha ou descobrir qualquer outro problema, informe-nos.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/kb-archive.md b/i18n/pt-BR/kb-archive.md
new file mode 100644
index 00000000..ab4c65c7
--- /dev/null
+++ b/i18n/pt-BR/kb-archive.md
@@ -0,0 +1,18 @@
+---
+title: KB Archive
+icon: material/archive
+---
+
+# Pages Moved to Blog
+
+Some pages that used to be in our knowledge base can now be found on our blog:
+
+- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
+- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
+- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+- [Integrando a remoção de metadados](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
+- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/meta/brand.md b/i18n/pt-BR/meta/brand.md
new file mode 100644
index 00000000..8f6197c2
--- /dev/null
+++ b/i18n/pt-BR/meta/brand.md
@@ -0,0 +1,24 @@
+---
+title: Branding Guidelines
+---
+
+The name of the website is **Privacy Guides** and should **not** be changed to:
+
+
+
+- PrivacyGuides
+- Privacy guides
+- PG
+- PG.org
+
+
+The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**.
+
+Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand)
+
+## Trademark
+
+"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project.
+
+Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/meta/git-recommendations.md b/i18n/pt-BR/meta/git-recommendations.md
new file mode 100644
index 00000000..48582c34
--- /dev/null
+++ b/i18n/pt-BR/meta/git-recommendations.md
@@ -0,0 +1,48 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). 
+
+You can set this to be the default behavior:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase from `main` before submitting a PR
+
+If you are working on your own branch, run these commands before submitting a PR:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/meta/uploading-images.md b/i18n/pt-BR/meta/uploading-images.md
new file mode 100644
index 00000000..57a21a59
--- /dev/null
+++ b/i18n/pt-BR/meta/uploading-images.md
@@ -0,0 +1,91 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash 
+scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` + +--8<-- "includes/abbreviations.pt-BR.txt" diff --git a/i18n/pt-BR/meta/writing-style.md b/i18n/pt-BR/meta/writing-style.md new file mode 100644 index 00000000..d816f95d --- /dev/null +++ b/i18n/pt-BR/meta/writing-style.md 
@@ -0,0 +1,89 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. 
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas.
+
+- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages.
+- Mark important ideas with **bold** or *italics*.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
+
+### Begin with a topic sentence
+
+> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details.
+>
+> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
+
+## Choose your words carefully
+
+> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand.
+
+We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly.
+
+> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences:
+>
+> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends.
+>
+> And the original, using stronger, simpler words:
+>
+> > More night jobs would keep youths off the streets.
+
+## Be concise
+
+> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
+
+## Keep text conversational
+
+> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting.
+>
+> Verbs tell your audience what to do. Make sure it’s clear who does what.
+
+### Use active voice
+
+> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.”
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
+
+### Use "must" for requirements
+
+> - “must” for an obligation
+> - “must not” for a prohibition
+> - “may” for a discretionary action
+> - “should” for a recommendation
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/mobile-browsers.md b/i18n/pt-BR/mobile-browsers.md
new file mode 100644
index 00000000..ebe3dd95
--- /dev/null
+++ b/i18n/pt-BR/mobile-browsers.md
@@ -0,0 +1,193 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? 
downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Firefox + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Modo Somente HTTPS + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +
+ +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Firefox + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. 
+ +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). 
Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. 
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +--8<-- "includes/abbreviations.pt-BR.txt" diff --git a/i18n/pt-BR/multi-factor-authentication.md b/i18n/pt-BR/multi-factor-authentication.md new file mode 100644 index 00000000..bdf3c00c --- /dev/null +++ b/i18n/pt-BR/multi-factor-authentication.md 
@@ -0,0 +1,144 @@
+---
+title: "Multi-Factor Authenticators"
+icon: 'material/two-factor-authentication'
+---
+
+## Hardware Security Keys
+
+### YubiKey
+
+!!! recommendation
+
+ ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
+
+ The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+ One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.
+
+ [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation}
+
+The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+!!! warning
+ The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+### Nitrokey / Librem Key
+
+!!! recommendation
+
+ ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
+
+ **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+ [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation}
+
+The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager.
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
+
+!!! warning
+
+ While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead.
+
+!!! warning
+
+ Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
+
+ The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes.
+
+Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
+
+!!! tip
+
+ The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app).
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!!
example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.
+
+## Authenticator Apps
+
+Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
+
+We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
+
+### Aegis Authenticator (Android)
+
+!!! recommendation
+
+ ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right }
+
+ **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services.
+
+ [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
+ - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases)
+
+### Raivo OTP (iOS)
+
+!!! recommendation
+
+ ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right }
+
+ **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app.
+
+ [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open-source software.
+- Must not require internet connectivity.
+- Must not sync to a third-party cloud sync/backup service.
+ - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/news-aggregators.md b/i18n/pt-BR/news-aggregators.md
new file mode 100644
index 00000000..4ab18287
--- /dev/null
+++ b/i18n/pt-BR/news-aggregators.md
@@ -0,0 +1,173 @@
+---
+title: "News Aggregators"
+icon: material/rss
+---
+
+A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favourite blogs and news sites.
+
+## Aggregator clients
+
+### Akregator
+
+!!! recommendation
+
+ ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right }
+
+ **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading.
+
+ [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation}
+ [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator)
+
+### Feeder
+
+!!! recommendation
+
+ ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right }
+
+ **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+
+ [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play)
+
+### Fluent Reader
+
+!!! recommendation
+
+ ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right }
+
+ **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md).
+
+ [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://hyliu.me/fluent-reader)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427)
+
+### GNOME Feeds
+
+!!! recommendation
+
+ ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right }
+
+ **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast.
+
+ [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds)
+
+### Miniflux
+
+!!! recommendation
+
+ ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right }
+ ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right }
+
+ **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+
+ [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute }
+
+### NetNewsWire
+
+!!! recommendation
+
+ ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right }
+
+ **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds.
+
+ [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210)
+ - [:simple-apple: macOS](https://netnewswire.com)
+
+### Newsboat
+
+!!!
recommendation
+
+ ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right }
+
+ **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell).
+
+ [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" }
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open-source software.
+- Must operate locally, i.e. must not be a cloud service.
+
+## Social Media RSS Support
+
+Some social media services also support RSS although it's not often advertised.
+
+### Reddit
+
+Reddit allows you to subscribe to subreddits via RSS.
+
+!!! example
+ Replace `subreddit_name` with the subreddit you wish to subscribe to.
+
+ ```text
+ https://www.reddit.com/r/{{ subreddit_name }}/new/.rss
+ ```
+
+### Twitter
+
+Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS.
+
+!!! example
+ 1. Pick an instance and set `nitter_instance`.
+ 2. Replace `twitter_account` with the account name.
+
+ ```text
+ https://{{ nitter_instance }}/{{ twitter_account }}/rss
+ ```
+
+### YouTube
+
+You can subscribe YouTube channels without logging in and associating usage information with your Google Account.
+
+!!! example
+
+ To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below:
+ ```text
+ https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID]
+ ```
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/notebooks.md b/i18n/pt-BR/notebooks.md
new file mode 100644
index 00000000..3ddcf46e
--- /dev/null
+++ b/i18n/pt-BR/notebooks.md
@@ -0,0 +1,115 @@
+---
+title: "Notebooks"
+icon: material/notebook-edit-outline
+---
+
+Keep track of your notes and journalings without giving them to a third-party.
+
+If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE.
+
+## Cloud-based
+
+### Joplin
+
+!!! recommendation
+
+ ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right }
+
+ **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes.
+
+ [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797)
+ - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases)
+ - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications)
+ - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications)
+ - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek)
+
+Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key.
+
+### Standard Notes
+
+!!! recommendation
+
+ ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right }
+
+ **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf).
+
+ [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450)
+ - [:simple-github: GitHub](https://github.com/standardnotes/app/releases)
+ - [:simple-windows11: Windows](https://standardnotes.com)
+ - [:simple-apple: macOS](https://standardnotes.com)
+ - [:simple-linux: Linux](https://standardnotes.com)
+ - [:octicons-globe-16: Web](https://app.standardnotes.com/)
+
+### Cryptee
+
+!!! recommendation
+
+ ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right }
+ ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right }
+
+ **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform.
+
+ [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:octicons-globe-16: PWA](https://crypt.ee/download)
+
+Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information.
+
+## Local notebooks
+
+### Org-mode
+
+!!! recommendation
+
+ ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right }
+
+ **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools.
+
+ [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute }
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Clients must be open-source.
+- Any cloud sync functionality must be E2EE.
+- Must support exporting documents into a standard format.
+
+### Best Case
+
+- Local backup/sync functionality should support encryption.
+- Cloud-based platforms should support document sharing.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/os/android-overview.md b/i18n/pt-BR/os/android-overview.md
new file mode 100644
index 00000000..6b63bb45
--- /dev/null
+++ b/i18n/pt-BR/os/android-overview.md
@@ -0,0 +1,135 @@
+---
+title: Android Overview
+icon: simple/android
+---
+
+Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system.
+
+## Choosing an Android Distribution
+
+When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android.
+
+This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model.
+
+Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model.
At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria.
+
+[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button}
+
+## Avoid Rooting
+
+[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses.
+
+Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.
+
+AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations.
+
+We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps.
+
+## Verified Boot
+
+[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
+
+Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted.
+
+Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device.
+
+Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended.
+
+Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage.
+
+## Firmware Updates
+
+Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin).
+
+As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support.
+
+EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed.
+
+Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates.
+
+## Android Versions
+
+It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
+
+## Android Permissions
+
+[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for.
It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel.
+
+Should you want to run an app that you're unsure about, consider using a user or work profile.
+
+## Media Access
+
+Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter.
+
+## Perfis de Usuário
+
+Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android.
+
+With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation.
+
+## Perfil de Trabalho
+
+Os [Perfis de Trabalho](https://support.google.com/work/android/answer/6191949) são outra forma de isolar aplicações individuais e podem ser mais convenientes do que perfis de usuário separados.
+
+A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one.
+
+The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile.
+
+This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously.
+
+## VPN Killswitch
+
+Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+## Global Toggles
+
+Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled.
+
+## Google
+
+If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play.
+
+### Advanced Protection Program
+
+If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support.
+
+The Advanced Protection Program provides enhanced threat monitoring and enables:
+
+- Stricter two factor authentication; e.g.
that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth)
+- Only Google and verified third-party apps can access account data
+- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
+- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
+- Stricter recovery process for accounts with lost credentials
+
+ If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as:
+
+- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)
+- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
+- Warning you about unverified applications
+
+### Google Play System Updates
+
+In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services.
+
+If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS).
This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible.
+
+### Advertising ID
+
+All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you.
+
+On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*.
+
+On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check
+
+- :gear: **Settings** → **Google** → **Ads**
+- :gear: **Settings** → **Privacy** → **Ads**
+
+You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID.
+
+### SafetyNet and Play Integrity API
+
+[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`.
Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities.
+
+As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/os/linux-overview.md b/i18n/pt-BR/os/linux-overview.md
new file mode 100644
index 00000000..b9cef89c
--- /dev/null
+++ b/i18n/pt-BR/os/linux-overview.md
@@ -0,0 +1,143 @@
+---
+title: Linux Overview
+icon: simple/linux
+---
+
+It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years.
+
+At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.:
+
+- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm).
These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack)
+- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go
+- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations)
+
+Despite these drawbacks, desktop Linux distributions are great if you want to:
+
+- Avoid telemetry that often comes with proprietary operating systems
+- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms)
+- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/)
+
+Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here.
+
+[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button}
+
+## Choosing your distribution
+
+Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use.
+
+### Release cycle
+
+We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions.
+
+This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
+
+For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.
+
+We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this:
+
+
+
+
+
+### Traditional vs Atomic updates
+
+Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating.
+
+Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic.
+
+A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state."
+
+The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue:
+
+
+
+
+
+### “Security-focused” distributions
+
+There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use.
+
+### Arch-based distributions
+
+Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.
+
+For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit).
+
+Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/).
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.
+
+If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically:
+
+- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories.
+- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks.
+
+### Kicksecure
+
+While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.
+
+### Linux-libre kernel and “Libre” distributions
+
+We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons.
+
+## Recomendações gerais
+
+### Drive Encryption
+
+Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
+
+- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+
+### Swap
+
+Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM).
+
+### Wayland
+
+We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland.
+
+Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
+
+We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
+
+### Proprietary Firmware (Microcode Updates)
+
+Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html).
+
+We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default.
+
+### Updates
+
+Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found.
+
+Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates.
+
+Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd).
+
+## Privacy Tweaks
+
+### MAC Address Randomization
+
+Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings.
+
+It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous.
+
+We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/).
+
+If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=).
+ +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. 
+ +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. + +--8<-- "includes/abbreviations.pt-BR.txt" diff --git a/i18n/pt-BR/os/qubes-overview.md b/i18n/pt-BR/os/qubes-overview.md new file mode 100644 index 00000000..e34dd3d6 --- /dev/null +++ b/i18n/pt-BR/os/qubes-overview.md @@ -0,0 +1,56 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## Como funciona o Qubes OS? + +Qubes usa [compartimentação](https://www.qubes-os.org/intro/) para manter o sistema seguro. Os Qubes são criados a partir de modelos, sendo as predefinições para Fedora, Debian e [Whonix](../desktop.md#whonix). O Qubes OS também permite que você crie máquinas virtuais [descartáveis](https://www.qubes-os.org/doc/how-to-use-disposables/) de uso único. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Borda colorida](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Por Que Devo Usar Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Cópia e Colagem de Texto + +Você pode [copiar e colar texto](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) usando `qvm-copy-to-vm` ou as instruções abaixo: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. 
When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Recursos Adicionais + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Artigos Relacionados*](https://www.qubes-os.org/news/categories/#articles) + +--8<-- "includes/abbreviations.pt-BR.txt" diff --git a/i18n/pt-BR/passwords.md b/i18n/pt-BR/passwords.md new file mode 100644 index 00000000..ca2df2f2 --- /dev/null +++ b/i18n/pt-BR/passwords.md 
@@ -0,0 +1,230 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. 
If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. 
+ + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! 
recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). 
+ + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. + +--8<-- "includes/abbreviations.pt-BR.txt" diff --git a/i18n/pt-BR/productivity.md b/i18n/pt-BR/productivity.md new file mode 100644 index 00000000..21c49a05 --- /dev/null +++ b/i18n/pt-BR/productivity.md 
@@ -0,0 +1,157 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! aviso + Você **nunca** deve instalar quaisquer extensões adicionais no Tor Browser, incluindo as que sugerimos para o Firefox. + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. 
For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. 
+- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! 
recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } + +--8<-- "includes/abbreviations.pt-BR.txt" diff --git a/i18n/pt-BR/real-time-communication.md b/i18n/pt-BR/real-time-communication.md new file mode 100644 index 00000000..2c7cdbb3 --- /dev/null +++ b/i18n/pt-BR/real-time-communication.md 
@@ -0,0 +1,195 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. 
Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. 
+ + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. 
The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. 
+ +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. + +--8<-- "includes/abbreviations.pt-BR.txt" diff --git a/i18n/pt-BR/router.md b/i18n/pt-BR/router.md new file mode 100644 index 00000000..3931a5bc --- /dev/null +++ b/i18n/pt-BR/router.md 
@@ -0,0 +1,51 @@ +--- +title: "Firmware para Roteadores" +icon: material/router-wireless +--- + +Abaixo estão alguns sistemas operacionais alternativos, que podem ser usados em roteadores, pontos de acesso Wi-Fi, etc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark. vg#only-dark){ align=right } + + **OpenWrt** é um sistema operacional baseado em Linux; ele é usado principalmente em dispositivos incorporados (embedded) para rotear o tráfego de rede. Inclui util-linux, uClibc e BusyBox. Todos os componentes foram otimizados para roteadores domésticos. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentação} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribuir } + +Você pode consultar a tabela [de hardware](https://openwrt.org/toh/start) do OpenWrt para verificar se o seu dispositivo é compatível. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** é uma plataforma de firewall e roteamento de código aberto baseada em FreeBSD que incorpora muitos recursos avançados, como modelagem de tráfego, balanceamento de carga e recursos de VPN, com muitos outros recursos disponíveis na forma de plugins. O OPNsense é comumente implantado como um firewall de perímetro, roteador, ponto de acesso wireless, servidor DHCP, servidor DNS e endpoint de VPN. 
+ + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentação} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribuir } + +OPNsense foi originalmente desenvolvido como um fork do [pfSense](https://en.wikipedia.org/wiki/PfSense), e ambos os projetos são conhecidos por serem distribuições de firewall gratuitas e confiáveis que oferecem recursos frequentemente encontrados apenas em firewalls comerciais caros. Lançado em 2015, os desenvolvedores do OPNsense [citaram](https://docs.opnsense.org/history/thefork.html) uma série de problemas de segurança e qualidade de código com o pfSense. Assim, eles sentiram necessário criar um fork do projeto, além de terem preocupações sobre a aquisição majoritária do pfSense pela Netgate e a direção futura do projeto pfSense. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Deve ser de código aberto. +- Deve receber atualizações regulares. 
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.pt-BR.txt"
diff --git a/i18n/pt-BR/search-engines.md b/i18n/pt-BR/search-engines.md
new file mode 100644
index 00000000..edb2f30f
--- /dev/null
+++ b/i18n/pt-BR/search-engines.md
@@ -0,0 +1,109 @@ +--- +title: "Search Engines" +icon: material/search-web +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! 
recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! 
recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. 
The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. + +--8<-- "includes/abbreviations.pt-BR.txt" diff --git a/i18n/pt-BR/tools.md b/i18n/pt-BR/tools.md new file mode 100644 index 00000000..b32bd2a1 --- /dev/null +++ b/i18n/pt-BR/tools.md 
@@ -0,0 +1,443 @@
+---
+title: "Privacy Tools"
+icon: material/tools
+hide:
+ - toc
+---
+
+If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs.
+
+If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community!
+
+For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page.
+
+## Tor Network
+
+
+
+- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser)
+- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot)
+- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1)
+
+
+
+1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy.
+
+[Learn more :material-arrow-right-drop-circle:](tor.md)
+
+## Desktop Web Browsers
+
+
+
+- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox)
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md)
+
+### Recursos Adicionais
+
+
+
+- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources)
+
+## Mobile Web Browsers
+
+
+
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave)
+- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md)
+
+### Recursos Adicionais
+
+
+
+- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard)
+
+## Operating Systems
+
+### Mobile
+
+
+
+- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos)
+- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md)
+
+#### Android Apps
+
+
+
+- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store)
+- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter)
+- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor)
+- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera)
+- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md#general-apps)
+
+### Desktop/PC
+
+
+
+- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os)
+- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation)
+- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed)
+- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux)
+- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue)
+- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos)
+- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix)
+- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop.md)
+
+### Firmware para Roteadores
+
+
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Nossos Critérios + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? perigo "VPNs não fornecem anonimidade" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Softwares de Criptografia + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) + +--8<-- "includes/abbreviations.pt-BR.txt" diff --git a/i18n/pt-BR/tor.md b/i18n/pt-BR/tor.md new file mode 100644 index 00000000..ead2daa5 --- /dev/null +++ b/i18n/pt-BR/tor.md @@ -0,0 +1,131 @@ +--- +title: "Tor Network" +icon: simple/torproject +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+ +- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md) + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Navegador Tor + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! 
aviso + Você **nunca** deve instalar quaisquer extensões adicionais no Tor Browser, incluindo as que sugerimos para o Firefox. + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. downloads + + - [:fontawesome-brands-windows: Windows](https://www.mozilla.org/firefox/windows) + - [:fontawesome-brands-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:fontawesome-brands-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.firefox) + - [:fontawesome-brands-git: Fonte](https://hg.mozilla.org/mozilla-central) + +Este navegador dá acesso às Pontes Tor (Tor Bridges) e a \[Rede Tor\](https://en.wikipedia.org/wiki/Tor_(rede)), juntamente com extensões que podem ser configuradas automaticamente para se adaptarem aos três níveis de segurança propostos - *Standard*, *Safer* e *Safest*. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to. + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. 
+ + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +--8<-- "includes/abbreviations.pt-BR.txt" diff --git a/i18n/pt-BR/video-streaming.md b/i18n/pt-BR/video-streaming.md new file mode 100644 index 00000000..a8f9b868 --- /dev/null +++ b/i18n/pt-BR/video-streaming.md 
@@ -0,0 +1,52 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. 
+ +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. + +--8<-- "includes/abbreviations.pt-BR.txt" diff --git a/i18n/pt-BR/vpn.md b/i18n/pt-BR/vpn.md new file mode 100644 index 00000000..73d8afbe --- /dev/null +++ b/i18n/pt-BR/vpn.md 
@@ -0,0 +1,324 @@ +--- +title: "Serviços VPN" +icon: material/vpn +--- + +Encontre um operador de VPN sem rastreamento que não esteja fora para vender ou ler seu tráfego online. + +??? perigo "VPNs não fornecem anonimidade" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Baixar Tor Browser](https://www.torproject.org/){ .md-button .md-button--primary } [Mitos sobre o Tor Browser & FAQ](advanced/tor-overview.md){ .md-button } + +??? pergunta "Quando VPNs são úteis?" + + Se estiver à procura de **privacidade** adicional do seu ISP, numa rede Wi-Fi pública, ou enquanto faça torrent de arquivos, uma VPN pode ser a solução, desde que entenda os riscos envolvidos. + + [Mais Informações](basics/vpn-overview.md){ .md-button } + +## Provedores Recomendados + +!!! resumo "Critérios" + + Nossos fornecedores recomendados usam encriptação, aceitam Monero, suportam WireGuard e OpenVPN, e têm uma política de não-rastreamento. Leia nossa [lista completa de critérios](#our-criteria) para mais informações. + +### Proton VPN + +!!! anotar recomendação + + ![Logomarca ProtonVPN](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** é um forte concorrente no espaço VPN, e estão em funcionamento desde 2016. Proton AG está sediada na Suíça e oferece um plano gratuito limitado, bem como uma opção paga com mais recursos. 
+ + [:octicons-home-16: Página Inicial](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Política de Privacidade" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentação} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Código Fonte" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +??? verificar anotação "64 Países" + + ProtonVPN tem [servidores em 64 países](https://protonvpn.com/vpn-servers) (1). Escolher um fornecedor de VPN com um servidor mais próximo de você irá reduzir a latência do tráfego de rede que você enviar. Isto deve-se a um caminho mais curto (menos pulos) até ao destino. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Última verificação: 16-09-2022 + +??? verificar "Auditado Independentemente" + + Em Janeiro de 2020, ProtonVPN foi submetida a uma auditoria independente pela SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. 
You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +??? verificar "Clientes Código-Aberto" + + Proton VPN fornece o código fonte para os seus clientes desktop e móveis na sua [organização GitHub](https://github.com/ProtonVPN). + +??? verificar "Aceita Dinheiro" + + ProtonVPN, além de aceitar cartões de crédito/débito e PayPal, aceita Bitcoin, e **dinheiro/moeda local** como formas de pagamento anônimas. + +??? verificar "Suporta WireGuard" + + Proton VPN suporta principalmente o protocolo WireGuard®. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +??? warning "Remote Port Forwarding" + + Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +??? 
success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +??? info "Additional Functionality" + + Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +!!! danger "Killswitch feature is broken on Intel-based Macs" + + System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. A IVPN está sediada em Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +??? success annotate "35 Countries" + + IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1). Escolher um fornecedor de VPN com um servidor mais próximo de você irá reduzir a latência do tráfego de rede que você enviar. Isto deve-se a um caminho mais curto (menos pulos) até ao destino. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Última verificação: 16-09-2022 + +??? verificar "Auditado Independentemente" + + IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +??? verificar "Clientes Código-Aberto" + + As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +??? 
success "Accepts Cash and Monero" + + In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +??? verificar "Suporta WireGuard" + + IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +??? info "Additional Functionality" + + IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! 
recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +??? verificar anotação "39 Países" + + Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). Escolher um fornecedor de VPN com um servidor mais próximo de você irá reduzir a latência do tráfego de rede que você enviar. Isto deve-se a um caminho mais curto (menos pulos) até ao destino. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Última verificação: 16-09-2022 + +??? 
verificar "Auditado Independentemente" + + Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + + > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + + In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + + > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + + In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +??? 
verificar "Clientes Código-Aberto" + + Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +??? success "Accepts Cash and Monero" + + Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +??? verificar "Suporta WireGuard" + + Mullvad suporta o protocolo WireGuard®. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? verificar "Suporte à IPv6" + + Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +??? 
success "Mobile Clients" + + Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +??? info "Additional Functionality" + + Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +## Criteria + +!!! aviso + Você **nunca** deve instalar quaisquer extensões adicionais no Tor Browser, incluindo as que sugerimos para o Firefox. + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Não confie somente numa política de "não-rastreamento". + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. 
We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- Monero or cash payment option. +- No personal information required to register: Only username, password, and email at most. 
+ +**Best Case:** + +- Accepts Monero, cash, and other forms of anonymous payment options (gift cards, etc.) +- No personal information accepted (autogenerated username, no email required, etc.) + +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. 
+ +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. + +--8<-- "includes/abbreviations.pt-BR.txt" diff --git a/i18n/pt/404.md b/i18n/pt/404.md new file mode 100644 index 00000000..4ce56a66 --- /dev/null +++ b/i18n/pt/404.md 
@@ -0,0 +1,17 @@
+---
+hide:
+ - feedback
+---
+
+# 404 - Not Found
+
+We couldn't find the page you were looking for! Maybe you were looking for one of these?
+
+- [Introduction to Threat Modeling](basics/threat-modeling.md)
+- [Recommended DNS Providers](dns.md)
+- [Best Desktop Web Browsers](desktop-browsers.md)
+- [Best VPN Providers](vpn.md)
+- [Privacy Guides Forum](https://discuss.privacyguides.net)
+- [Our Blog](https://blog.privacyguides.org)
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/CODE_OF_CONDUCT.md b/i18n/pt/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..88a0e910
--- /dev/null
+++ b/i18n/pt/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@
+# Community Code of Conduct
+
+**We pledge** to make our community a harassment-free experience for everyone.
+
+**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others.
+
+**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment.
+
+## Community Standards
+
+What we expect from members of our communities:
+
+1. **Don't spread misinformation**
+
+ We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence.
+
+1. **Don't abuse our willingness to help**
+
+ Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/).
+
+1. **Behave in a positive and constructive manner**
+
+ Examples of behavior that contributes to a positive environment for our community include:
+
+ - Demonstrating empathy and kindness toward other people
+ - Being respectful of differing opinions, viewpoints, and experiences
+ - Giving and gracefully accepting constructive feedback
+ - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+ - Focusing on what is best not just for us as individuals, but for the overall community
+
+### Unacceptable Behavior
+
+The following behaviors are considered harassment and are unacceptable within our community:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Scope
+
+Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities.
+
+We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion.
+
+### Contact
+
+If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system.
+
+If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
diff --git a/i18n/pt/about/criteria.md b/i18n/pt/about/criteria.md
new file mode 100644
index 00000000..67965b73
--- /dev/null
+++ b/i18n/pt/about/criteria.md
@@ -0,0 +1,42 @@
+---
+title: General Criteria
+---
+
+!!! example "Work in Progress"
+
+ The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24)
+
+Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion.
+
+## Financial Disclosure
+
+We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors.
+
+## General Guidelines
+
+We apply these priorities when considering new recommendations:
+
+- **Secure**: Tools should follow security best-practices wherever applicable.
+- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives.
+- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in.
+- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases.
+- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required.
+- **Documented**: Tools should have clear and extensive documentation for use.
+
+## Developer Self-Submissions
+
+We have these requirements in regard to developers which wish to submit their project or software for consideration.
+
+- Must disclose affiliation, i.e. your position within the project being submitted.
+
+- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc.
+ - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit.
+
+- Must explain what the project brings to the table in regard to privacy.
+ - Does it solve any new problem?
+ - Why should anyone use it over the alternatives?
+
+- Must state what the exact threat model is with their project.
+ - It should be clear to potential users what the project can provide, and what it cannot.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/about/donate.md b/i18n/pt/about/donate.md
new file mode 100644
index 00000000..c2ea2ae7
--- /dev/null
+++ b/i18n/pt/about/donate.md
@@ -0,0 +1,52 @@
+---
+title: Apoiar-nos
+---
+
+
+São precisas muitas [pessoas](https://github.com/privacyguides/privacyguides.org/graphs/contributors) e muito [trabalho](https://github.com/privacyguides/privacyguides.org/pulse/monthly) para manter o Privacy Gudes atualizado e a divulgar informações sobre privacidade e vigilância em massa. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides).
+
+Se quiser apoiar-nos financeiramente, o método mais conveniente para nós são contribuições através do Open Collective, um website operado pelo nosso anfitrião fiscal. O Open Collective aceita pagamentos através de cartão de crédito/débito, PayPal e transferências bancárias.
+
+[Doar no OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary}
+
+Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. Irá receber um recibo da Open Collective Foundation após a doação. O Privacy Guides não fornece aconselhamento financeiro. Como tal, deverá consultar um contablista para determinar se está abrangido pelo regime.
+
+Se já utiliza os patrocínios do GitHub, pode também patrocinar a nossa organização por lá.
+
+[Patrocine-nos no GitHub](https://github.com/sponsors/privacyguides ""){.md-button}
+
+## Contribuidores
+
+Um agradecimento especial a todos aqueles que apoiam a nossa missão! :heart:
+
+*Nota: Esta secção carrega um widget diretamente do Open Collective. Esta secção não reflete donativos feitos por fora do Open Collective e nós não temos controlo sobre os doadores específicos que são destacados nesta seção.*
+
+
+## Como usamos os donativos
+
+O Privacy Guides é uma organização **sem fins lucrativos**. Utilizamos os donativos que recebemos para uma variedade de propósitos, entre eles:
+
+**Registos de Domínio**
+:
+
+Temos alguns domínios tais como o `privacyguides.org`, que nos custam aproximadamente 10 USD para manter o seu registo.
+
+**Alojamento Web**
+:
+
+O tráfego para este website usa centenas de gigabytes de dados por mês. Nós usamos vários provedores de serviço para lidar com este tráfego.
+
+**Serviços Online**
+:
+
+Nós alojamos [ serviços na internet ](https://privacyguides.net) para teste e demonstração de diferentes produtos de privacidade que gostamos e [recomendamos](../tools.md). Alguns deles são disponibilizados publicamente para uso da nossa comunidade (SearXNG, Tor, etc.) e alguns são para uso dos membros da nossa equipa (e-mail, etc.).
+
+**Compras de Produtos**
+:
+
+Ocasionamente adquirimos produtos e serviços com o propósito de testar as nossas [ferramentas recomendadas](../tools.md).
+
+Ainda estamos a trabalhar com o nosso anfitrião fiscal (a Open Collective Foundation) para receber donativos em criptomoeda, neste momento a contabilidade não é viável para muitas transacções mais pequenas, mas isso deverá mudar no futuro. Entretanto, se desejar fazer um donativo considerável em criptomoeda (> 100 USD), por favor contacte [jonah@privacyguides.org](mailto:jonah@privacyguides.org).
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/about/index.md b/i18n/pt/about/index.md
new file mode 100644
index 00000000..77759cad
--- /dev/null
+++ b/i18n/pt/about/index.md
@@ -0,0 +1,63 @@
+---
+title: "About Privacy Guides"
+---
+
+**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors.
+
+[:material-hand-coin-outline: Support the project](donate.md ""){.md-button.md-button--primary}
+
+## Our Team
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. person "@jonah"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah)
+ - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon")
+ - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me}
+ - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com)
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. person "@niek-de-wilde"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde)
+ - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447")
+ - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me}
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. person "@dngray"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray)
+ - [:simple-github: GitHub](https://github.com/dngray "@dngray")
+ - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me}
+ - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org)
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. person "@freddy"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy)
+ - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m")
+ - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me}
+ - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org)
+ - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol)
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. person "@mfwmyfacewhen"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen)
+ - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen")
+ - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol)
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. person "@olivia"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia)
+ - [:simple-github: GitHub](https://github.com/hook9 "@hook9")
+ - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me}
+
+Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub!
+
+Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax deductible in the United States.
+
+## Site License
+
+*The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):*
+
+:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. Você **não pode** utilizar a marca Privacy Guides no seu próprio projecto sem a aprovação expressa deste projecto. If you remix, transform, or build upon the content of this website, you may not distribute the modified material.
+
+This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space!
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/about/notices.md b/i18n/pt/about/notices.md
new file mode 100644
index 00000000..5a7d1bd1
--- /dev/null
+++ b/i18n/pt/about/notices.md
@@ -0,0 +1,45 @@
+---
+title: "página"
+hide:
+ - toc
+---
+
+## Aviso Legal
+
+O Privacy Guides não é um escritório de advocacia. Como tal, o website Privacy Guides e os seus colaboradores não estão a prestar aconselhamento jurídico. O material e as recomendações do nosso website e guias não constituem aconselhamento legal nem contribuem para o website ou comunicam com Guias de Privacidade ou outros colaboradores sobre o nosso website criam uma relação advogado-cliente.
+
+Gerir este website, como qualquer esforço humano, envolve incerteza e contrapartidas. Esperamos que este site ajude, mas ele pode incluir erros e não pode resolver todas as situações. Se você tiver alguma dúvida sobre sua situação, nós o encorajamos a fazer sua própria pesquisa, procurar outros especialistas e participar de discussões com a comunidade do Privacy Guides. Se você tiver alguma questão legal, você deve consultar seu próprio advogado antes de seguir adiante.
+
+O Privacy Guides é um projeto de código aberto para o qual contribuíram sob licenças que incluem termos que, para a proteção do website e seus colaboradores, deixam claro que o projeto Privacy Guides e o website é oferecido "como está", sem garantia, e isentando-se de responsabilidade por danos resultantes da utilização do website ou de quaisquer recomendações contidas no mesmo. Os Guias de Privacidade não garantem ou fazem quaisquer declarações relativas à precisão, resultados prováveis ou fiabilidade do uso dos materiais no site ou de qualquer outra forma relacionados com tais materiais no site ou em quaisquer sites de terceiros ligados a este site.
+
+Além disso, os Guias de Privacidade não garantem que este website esteja constantemente disponível, ou disponível de todo.
+
+## Licenças
+
+Salvo indicação em contrário, todo o conteúdo deste website é disponibilizado gratuitamente nos termos do [Creative Commons CC0 1.0 Universal](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE).
+
+Isto não inclui código de terceiros embutido neste repositório, ou código onde uma licença substituta é de outra forma anotada. Os exemplos a seguir são notáveis, mas esta lista pode não incluir tudo:
+
+* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/mathjax.js) está licenciado sob o [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/LICENSE.mathjax.txt).
+
+Partes deste aviso em si foram adotadas de [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) no GitHub. Esse recurso e esta página são publicados em [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE).
+
+Isto significa que você pode usar o conteúdo legível por humanos neste repositório para seu próprio projeto, de acordo com os termos descritos no CC0 1.0 Texto Universal. Você **não pode** utilizar a marca Privacy Guides no seu próprio projecto sem a aprovação expressa deste projecto. As marcas registradas da Privacy Guides incluem a palavra-chave "Privacy Guides" e o logotipo do escudo. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo.
+
+Acreditamos que os logotipos e outras imagens em `activos` obtidos de fornecedores terceiros são de domínio público ou **uso justo**. Em resumo, legal [doutrina de uso justo](https://en.wikipedia.org/wiki/Fair_use) permite o uso de imagem protegida por direitos autorais, a fim de identificar o assunto para fins de comentário público. No entanto, estes logotipos e outras imagens podem ainda estar sujeitos às leis de marcas em uma ou mais jurisdições. Antes de usar este conteúdo, certifique-se de que ele é usado para identificar a entidade ou organização que possui a marca registrada e que você tem o direito de usá-lo sob as leis que se aplicam nas circunstâncias de seu uso pretendido. *Ao copiar conteúdo deste site, você é o único responsável por garantir que não infrinja a marca registrada ou os direitos autorais de outra pessoa.*
+
+Quando você contribui para este repositório, você está fazendo isso sob as licenças acima.
+
+## Utilização aceitável
+
+Você não pode usar este website de nenhuma forma que cause ou possa causar danos ao website ou prejudicar a disponibilidade ou acessibilidade dos Guias de Privacidade, ou de qualquer forma que seja ilegal, ilegal, fraudulenta, prejudicial, ou em conexão com qualquer propósito ou atividade ilegal, ilegal, fraudulenta, ou prejudicial.
+
+Você não deve conduzir nenhuma atividade sistemática ou automatizada de coleta de dados neste website ou em relação a ele sem o consentimento expresso por escrito da Aragon Ventures LLC, incluindo:
+
+* Varreduras Automatizadas Excessivas
+* Ataques de Negação de Serviço
+* Raspagem
+* Mineração de dados
+* "Enquadramento" (IFrames)
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/about/privacy-policy.md b/i18n/pt/about/privacy-policy.md
new file mode 100644
index 00000000..ee4ee0f2
--- /dev/null
+++ b/i18n/pt/about/privacy-policy.md
@@ -0,0 +1,63 @@
+---
+title: "Política de Privacidade"
+---
+
+O Privacy Guides é um projeto comunitário operado por uma série de colaboradores voluntários ativos. A lista pública de membros da equipe [pode ser encontrada no GitHub](https://github.com/orgs/privacyguides/people).
+
+## Quem são os Guias de Privacidade?
+
+The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website:
+
+- Quando você navega em um site, fórum ou outro serviço de Guias de Privacidade.
+- No information such as cookies are stored in the browser
+- Quando você postar, enviar mensagens privadas ou participar de qualquer outra forma de um serviço de Guias de Privacidade.
+- No information is shared with advertising companies
+- No information is mined and harvested for personal and behavioral trends
+- No information is monetized
+
+You can view the data we collect on our [statistics](statistics.md) page.
+
+We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected.
+
+Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy).
+
+## Como é que os Guias de Privacidade recolhem dados sobre mim?
+
+On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform.
+
+Dados brutos como páginas visitadas, IPs de visitantes anonimizados e ações de visitantes serão retidos por 60 dias. Em circunstâncias especiais - tais como investigações prolongadas relativas a um ataque técnico - podemos preservar os dados registados por períodos mais longos para análise.
+
+We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services.
+
+We use your email to:
+
+- Que páginas você visita,
+- O seu endereço IP anonimizado: Nós anonimizamos os últimos 3 bytes do seu IP, por exemplo 192.xxx.xxx.xxx.xxx.
+- Contact you in special circumstances related to your account.
+- Contact you about legal requests, such as DMCA takedown requests.
+
+Usamos os dados da sua conta para identificá-lo no site e para criar páginas específicas para você, como a sua página de perfil. Também utilizaremos os dados da sua conta para publicar um perfil público para você em nossos serviços. This information is not required to use any of our services and can be erased at any time.
+
+We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days.
+
+## Que dados você coleta e por quê?
+
+The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to:
+
+```text
+Jonah Aragon
+Administrador de Serviços, Aragon Ventures LLC
+jonah@privacyguides.org
+```
+
+For all other inquiries, you can contact any member of our team.
+
+For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use.
+
+## Com quem é que os meus dados são partilhados?
+
+We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time.
+
+A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/about/privacytools.md b/i18n/pt/about/privacytools.md
new file mode 100644
index 00000000..48c7f874
--- /dev/null
+++ b/i18n/pt/about/privacytools.md
@@ -0,0 +1,120 @@
+---
+title: "PrivacyTools FAQ"
+---
+
+# Why we moved on from PrivacyTools
+
+In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted.
+
+Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition.
+
+After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions.
+
+## What is PrivacyTools?
+
+PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc.
+
+Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested.
+
+## Why We Moved On
+
+In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again.
+
+In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.==
+
+## Domain Name Reliance
+
+At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment.
+
+The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place.
+
+Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome.
+
+In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition.
+
+## Community Call to Action
+
+At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped.
+
+## Control of r/privacytoolsIO
+
+Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit.
+
+Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms.
+
+> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer.
+>
+> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct).
+
+## Beginning the Transition
+
+On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain:
+
+> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc.
+
+This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/)
+
+- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org).
+- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site.
+- Posting announcements to our subreddit and various other communities informing people of the official change.
+- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible.
+
+Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped.
+
+## Following Events
+
+Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project.
+
+At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible).
+
+Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services.
+
+Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so.
+
+BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim.
+
+## PrivacyTools.io Now
+
+As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs.
+
+==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder.
+
+## r/privacytoolsIO Now
+
+After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021:
+
+> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you.
+>
+> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...]
+
+Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides.
+
+In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules:
+
+> Retaliation from any moderator with regards to removal requests is disallowed.
+
+For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is.
+
+## OpenCollective Now
+
+Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community.
+
+Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer:
+
+> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net.
+
+## Further Reading
+
+This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion.
+
+- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/)
+- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/)
+- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/)
+- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides)
+- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280)
+- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/)
+- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/)
+- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496)
+- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20)
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/about/services.md b/i18n/pt/about/services.md
new file mode 100644
index 00000000..aacf0655
--- /dev/null
+++ b/i18n/pt/about/services.md
@@ -0,0 +1,40 @@
+# Privacy Guides Services
+
+We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below.
+
+[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary}
+
+## Discourse
+
+- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net)
+- Availability: Public
+- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse)
+
+## Gitea
+
+- Domain: [code.privacyguides.dev](https://code.privacyguides.dev)
+- Availability: Invite-Only
+ Access may be granted upon request to any team working on *Privacy Guides*-related development or content.
+- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea)
+
+## Matrix
+
+- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org)
+- Availability: Invite-Only
+ Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence.
+- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy)
+
+## SearXNG
+
+- Domain: [search.privacyguides.net](https://search.privacyguides.net)
+- Availability: Public
+- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker)
+
+## Invidious
+
+- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net)
+- Availability: Semi-Public
+ We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time.
+- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious)
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/about/statistics.md b/i18n/pt/about/statistics.md new file mode 100644 index 00000000..92e0e9b7 --- /dev/null +++ b/i18n/pt/about/statistics.md @@ -0,0 +1,63 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + + +--8<-- "includes/abbreviations.pt.txt" diff --git a/i18n/pt/advanced/communication-network-types.md b/i18n/pt/advanced/communication-network-types.md new file mode 100644 index 00000000..d88cd343 --- /dev/null +++ b/i18n/pt/advanced/communication-network-types.md 
@@ -0,0 +1,104 @@
+---
+title: "Types of Communication Networks"
+icon: 'material/transit-connection-variant'
+---
+
+There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use.
+
+[Recommended Instant Messengers](../real-time-communication.md ""){.md-button}
+
+## Centralized Networks
+
+![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left }
+
+Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization.
+
+Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate.
+
+**Advantages:**
+
+- New features and changes can be implemented more quickly.
+- Easier to get started with and to find contacts.
+- Most mature and stable features ecosystems, as they are easier to program in a centralized software.
+- Privacy issues may be reduced when you trust a server that you're self-hosting.
+
+**Disadvantages:**
+
+- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like:
+- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage.
+- Poor or no documentation for third-party developers.
+- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on.
+- Self-hosting requires effort and knowledge of how to set up a service.
+
+## Federated Networks
+
+![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left }
+
+Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network.
+
+When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server).
+
+**Advantages:**
+
+- Allows for greater control over your own data when running your own server.
+- Allows you to choose whom to trust your data with by choosing between multiple "public" servers.
+- Often allows for third-party clients which can provide a more native, customized, or accessible experience.
+- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member).
+
+**Disadvantages:**
+
+- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network.
+- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion.
+- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used).
+- Federated servers generally require trusting your server's administrator.
 They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used.
+- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers.
+
+## Peer-to-Peer Networks
+
+![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left }
+
+P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server.
+
+Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol).
+
+Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient.
+
+P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting.
+
+**Advantages:**
+
+- Minimal information is exposed to third-parties.
+- Modern P2P platforms implement E2EE by default.
 There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models.
+
+**Disadvantages:**
+
+- Reduced feature set:
+- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online.
+- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online.
+- Some common messenger features may not be implemented or incompletely, such as message deletion.
+- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention.
+
+## Anonymous Routing
+
+![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left }
+
+A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three.
+
+There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can.
 Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers."
+
+Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit.
+
+**Advantages:**
+
+- Minimal to no information is exposed to other parties.
+- Messages can be relayed in a decentralized manner even if one of the parties is offline.
+
+**Disadvantages:**
+
+- Slow message propagation.
+- Often limited to fewer media types, mostly text, since the network is slow.
+- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline.
+- More complex to get started, as the creation and secured backup of a cryptographic private key is required.
+- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/advanced/dns-overview.md b/i18n/pt/advanced/dns-overview.md
new file mode 100644
index 00000000..90a005f2
--- /dev/null
+++ b/i18n/pt/advanced/dns-overview.md
@@ -0,0 +1,307 @@
+---
+title: "DNS Overview"
+icon: material/dns
+---
+
+O [Domain Name System (DNS)](https://en.wikipedia.org/wiki/Domain_Name_System) é a 'lista telefónica da Internet'. DNS traduz nomes de domínio para [IP](https://en.wikipedia.org/wiki/Internet_Protocol) endereços para que os navegadores e outros serviços possam carregar recursos da Internet, através de uma rede descentralizada de servidores.
+
+## O que é DNS?
+
+Quando você visita um site, um endereço numérico é devolvido. Por exemplo, quando você visita `privacyguides.org`, o endereço `192.98.54.105` é retornado.
+
+O DNS existe desde o [dos primeiros dias](https://en.wikipedia.org/wiki/Domain_Name_System#History) da Internet. Os pedidos DNS feitos para e dos servidores DNS são **não** geralmente encriptados. Em uma configuração residencial, um cliente recebe servidores pelo [ISP](https://en.wikipedia.org/wiki/Internet_service_provider) via [Dynamic Host Configuration Protocol (DHCP)](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol).
+
+Os pedidos DNS não encriptados são capazes de ser facilmente **surveilled** e **modificados** em trânsito. Em algumas partes do mundo, os ISPs são solicitados a fazer [filtragem DNS](https://en.wikipedia.org/wiki/DNS_blocking). Quando um usuário solicita o IP de um domínio que está bloqueado, o servidor pode não responder ou pode responder com um endereço IP diferente. Como o protocolo DNS não é criptografado, o ISP (ou qualquer operador de rede) pode usar [deep packet inspection (DPI)](https://en.wikipedia.org/wiki/Deep_packet_inspection) para monitorar as solicitações. Os ISPs também podem bloquear pedidos com base em características comuns, independentemente do servidor DNS utilizado. DNS não encriptado usa sempre [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 e usa sempre o [User Datagram Protocol (UDP)](https://en.wikipedia.org/wiki/User_Datagram_Protocol).
+ +Abaixo, discutimos e fornecemos um tutorial para provar o que um observador externo pode ver usando DNS regular não criptografado e [DNS criptografado](#what-is-encrypted-dns). + +### DNS não criptografado + +1. Usando [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (parte do [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) podemos monitorar e gravar o fluxo de pacotes da Internet. Este comando registra os pacotes que atendem às regras especificadas: + + ```bash + tshark -w /tmp/dns.pcap udp porto 53 e host 1.1.1.1 ou host 8.8.8.8 + ``` + +2. Podemos então usar [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) ou [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) para enviar a pesquisa DNS para ambos os servidores. Software como navegadores web fazem estas pesquisas automaticamente, a menos que estejam configurados para usar [DNS encriptado](#what-is-encrypted-dns). + + === "Linux, macOS" + + ``` + dig noall answer privacyguides.org @1.1.1.1.1 + dig noall answer privacyguides.org @8.8.8.8 + ``` + ==== "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. A seguir, queremos [analisar](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) os resultados: + + ==== "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +Se você executar o comando Wireguard acima, o painel superior mostra o "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", e o painel inferior mostra todos os dados sobre o frame selecionado. Soluções de filtragem e monitoramento empresarial (como as adquiridas pelos governos) podem fazer o processo automaticamente, sem interação humana, e podem agregar esses quadros para produzir dados estatísticos úteis para o observador da rede. + +| Não. 
| Hora | Fonte | Destino | Protocolo | Comprimento | Informações | +| ---- | -------- | --------- | --------- | --------- | ----------- | -------------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Consulta padrão 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Resposta de consulta padrão 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Consulta padrão 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Resposta de consulta padrão 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +Um observador pode modificar qualquer um destes pacotes. + +## O que é "DNS criptografado"? + +DNS criptografado pode se referir a um de vários protocolos, sendo os mais comuns: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) foi um dos primeiros métodos de encriptação de consultas DNS. O [protocolo](https://en.wikipedia.org/wiki/DNSCrypt#Protocol) opera em [porta 443](https://en.wikipedia.org/wiki/Well-known_ports) e funciona tanto com o [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) ou [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) protocolos de transporte. DNSCrypt nunca foi submetido ao processo [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nem foi submetido ao processo [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) , portanto não tem sido usado amplamente fora de alguns [implementações](https://dnscrypt.info/implementations). Como resultado, foi amplamente substituído pelo mais popular [DNS sobre HTTPS (DoH)](#dns-over-https-doh). 
+ +### DNS sobre TLS (DoT) + +[**DNS sobre TLS (DoT)**](https://en.wikipedia.org/wiki/DNS_over_TLS) é outro método para encriptar a comunicação DNS que é definida em [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). O suporte foi implementado inicialmente em [Android 9](https://en.wikipedia.org/wiki/Android_Pie), [iOS 14](https://en.wikipedia.org/wiki/IOS_14), e no Linux em [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) na versão 237. A preferência na indústria tem se afastado do DoT para [DNS sobre HTTPS](#dns-over-https-doh) nos últimos anos, pois o DoT é um [protocolo complexo](https://dnscrypt.info/faq/) e tem conformidade variável com a RFC nas implementações que existem. DoT também opera em uma porta dedicada 853 e que pode ser facilmente bloqueada por firewalls restritivos. + +### DNS sobre HTTPS (DoH) + +[**DNS sobre HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) como definido em [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) consultas de pacotes no protocolo [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) e fornece segurança com [HTTPS](https://en.wikipedia.org/wiki/HTTPS). O suporte foi adicionado pela primeira vez em navegadores web como [Firefox 60](https://support.mozilla.org/en-US/kb/firefox-dns-over-https) e [Chrome 83](https://blog.chromium.org/2020/05/a-safer-and-more-private-browsing-DoH.html). + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## O que é que uma festa exterior pode ver? + +Neste exemplo vamos registar o que acontece quando fazemos um pedido DoH: + +1. 
Primeiro, iniciar `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https e host 1.1.1.1" + ``` + +2. Segundo, faça um pedido com `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. Após fazer o pedido, podemos parar a captura de pacotes com CTRL C. + +4. Analisar os resultados em Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +Podemos ver o estabelecimento de conexão [e](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) e [aperto de mão TLS](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) que ocorre com qualquer conexão criptografada. Ao olhar para os pacotes de "dados de aplicação" que se seguem, nenhum deles contém o domínio que solicitamos ou o endereço IP devolvido. + +## Porque **não deveria** Eu uso DNS encriptado? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). Fazemos **não** sugerimos o uso de DNS criptografado para este fim. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. Se você estiver usando uma VPN, você deve usar os servidores DNS da sua VPN. Ao utilizar uma VPN, já está a confiar-lhes toda a sua actividade na rede. + +Quando fazemos uma pesquisa DNS, geralmente é porque queremos aceder a um recurso. Abaixo, discutiremos alguns dos métodos que podem revelar as suas actividades de navegação mesmo quando utiliza DNS encriptado: + +### Endereço IP + +A maneira mais simples de determinar a atividade de navegação pode ser olhar para os endereços IP que seus dispositivos estão acessando. Por exemplo, se o observador sabe que `privacyguides.org` está em `198.98.54.105`, e o seu dispositivo está solicitando dados de `198.98.54.105`, há uma boa chance de você estar visitando os Guias de Privacidade. 
+ +Este método só é útil quando o endereço IP pertence a um servidor que só hospeda poucos sites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). Também não é muito útil se o servidor estiver hospedado atrás de um [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), o que é muito comum na Internet moderna. + +### Indicação do nome do servidor (SNI) + +A indicação do nome do servidor é normalmente usada quando um endereço IP hospeda muitos sites. Este pode ser um serviço como o Cloudflare, ou algum outro [ataque de negação de serviço](https://en.wikipedia.org/wiki/Denial-of-service_attack) protecção. + +1. Comece a capturar novamente com `tshark`. Adicionamos um filtro com nosso endereço IP para que você não capture muitos pacotes: + + ```bash + tshark -w /tmp/pg.pcap porto 443 e host 198.98.54.105 + ``` + +2. Depois visitamos [https://privacyguides.org](https://privacyguides.org). + +3. Depois de visitar o site, nós o que parar a captura de pacotes com CTRL C. + +4. A seguir queremos analisar os resultados: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + Veremos o [estabelecimento de conexão](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment), seguido pelo [aperto de mão TLS](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) para o site Guias de Privacidade. Em redor da moldura 5. verás um "Olá Cliente". + +5. Expandir o triângulo ▸ ao lado de cada campo: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Protocolo de Aperto de Mãos: Cliente Olá + ▸ Protocolo de Aperto de Mãos: Cliente Olá + ▸ Extensão: Server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. Podemos ver o [Server Name Indication (SNI)](https://en.wikipedia.org/wiki/Server_Name_Indication) valor que revela o site que estamos visitando. 
O comando `tshark` pode dar-lhe o valor directamente para todos os pacotes que contenham um valor SNI: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +Isto significa que mesmo que estejamos usando servidores DNS "Encriptados", o domínio provavelmente será divulgado através do SNI. O protocolo [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) traz consigo [Cliente Encriptado Olá](https://blog.cloudflare.com/encrypted-client-hello/), o que evita este tipo de fuga. + +Governos, em particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) e [Rússia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), ou já [começaram a bloquear](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) ou manifestaram o desejo de o fazer. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. Isto porque o [QUIC](https://en.wikipedia.org/wiki/QUIC) protocolo que faz parte do HTTP/3 requer que `ClientHello` também seja criptografado. + +### Protocolo de Status de Certificado Online (OCSP) + +Outra forma do seu navegador poder divulgar suas atividades de navegação é com o [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. Isto geralmente é feito através do protocolo [HTTP](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) , significando que é **não** encriptado. 
+ +O pedido OCSP contém o certificado "[número de série](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", que é único. Ele é enviado ao "OCSP respondedor" para verificar o seu estado. + +Podemos simular o que um navegador faria usando o comando [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) . + +1. Obtenha o certificado do servidor e use [`sed`](https://en.wikipedia.org/wiki/Sed) para manter apenas a parte importante e escrevê-la em um arquivo: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Obter o certificado intermediário. [Autoridades Certificadoras (AC)](https://en.wikipedia.org/wiki/Certificate_authority) normalmente não assinam um certificado diretamente; eles usam o que é conhecido como certificado "intermediário". + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. O primeiro certificado em `pg_and_intermediate.cert` é na verdade o certificado do servidor do passo 1. Podemos usar `sed` novamente para apagar até a primeira instância de TERMINAR: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Obtenha o OCSP respondedor para o certificado do servidor: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + O nosso certificado mostra o Lets Encrypt Responder ao certificado. Se quisermos ver todos os detalhes do certificado, podemos usar: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Comece a captura do pacote: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http + ``` + +6. Faça o pedido OCSP: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. 
Abra a captura: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". Para o "Request" podemos ver o "serial number", expandindo o triângulo ▸ ao lado de cada campo: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ request + ▸ reqCert + serialNumber + ``` + + Para a "Resposta" também podemos ver o "número de série": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ Respostas Simples + ▸ certID + serialNumber + ``` + +8. Ou use `tshark` para filtrar os pacotes para o Número de Série: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +Se o observador da rede tiver o certificado público, que está disponível publicamente, ele pode fazer corresponder o número de série com esse certificado e, portanto, determinar o site que você está visitando a partir daí. O processo pode ser automatizado e pode associar endereços IP com números de série. Também é possível verificar [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs para o número de série. + +## Devo utilizar DNS encriptado? + +Nós fizemos este fluxograma para descrever quando você *deve* usar DNS criptografado: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN ou Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacidade --> | Yes | vpnOrTor + privacidade --> | No | obnoxious{ISP makes
obnoxious
redirecciona?} + obnóxio --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnóxio --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
DNS encriptado
com ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[Lista de servidores DNS recomendados](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## O que é a minimização do QNAME? 
+ +Um QNAME é um "nome qualificado", por exemplo `privacyguides.org`. A minimização do QNAME reduz a quantidade de informação enviada do servidor DNS para o [servidor de nomes autorizado](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Em vez de enviar o domínio inteiro `privacyguides.org`, a minimização do QNAME significa que o servidor DNS irá pedir todos os registos que terminem em `.org`. Descrição técnica adicional é definida em [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## O que é a Sub-Rede do Cliente EDNS (ECS)? + +O [subrede do cliente EDNS](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) é um método para um resolvedor DNS recursivo para especificar um [sub-rede](https://en.wikipedia.org/wiki/Subnetwork) para o [host ou cliente](https://en.wikipedia.org/wiki/Client_(computing)) que está fazendo a consulta DNS. + +O objectivo é "acelerar" a entrega de dados, dando ao cliente uma resposta que pertence a um servidor que lhes está próximo, tal como um [content delivery network (CDN)](https://en.wikipedia.org/wiki/Content_delivery_network), que são frequentemente utilizados em streaming de vídeo e em aplicações web JavaScript. + +Este recurso tem um custo de privacidade, pois informa ao servidor DNS algumas informações sobre a localização do cliente. + +--8<-- "includes/abbreviations.pt.txt" diff --git a/i18n/pt/advanced/tor-overview.md b/i18n/pt/advanced/tor-overview.md new file mode 100644 index 00000000..ec345059 --- /dev/null +++ b/i18n/pt/advanced/tor-overview.md 
@@ -0,0 +1,81 @@
+---
+title: "Tor Overview"
+icon: 'simple/torproject'
+---
+
+Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications.
+
+## Path Building
+
+Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays).
+
+Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function:
+
+### The Entry Node
+
+The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to.
+
+Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1]
+
+### The Middle Node
+
+The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to.
+
+For each new circuit, the middle node is randomly selected out of all available Tor nodes.
+
+### The Exit Node
+
+The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to.
+
+The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2]
+
+
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+
Tor circuit pathway
+
+
+## Encryption
+
+Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order.
+
+Once Tor has built a circuit, data transmission is done as follows:
+
+1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node.
+
+2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node.
+
+3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address.
+
+Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back.
+
+
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light)
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark)
+
Sending and receiving data through the Tor Network
+
+
+Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address.
+
+## Caveats
+
+Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect:
+
+- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity.
+- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible.
+
+If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting.
+
+- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser)
+
+## Recursos Adicionais
+
+- [Tor Browser User Manual](https://tb-manual.torproject.org)
+- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube)
+- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube)
+
+--8<-- "includes/abbreviations.pt.txt"
+
+[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack.
The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/pt/android.md b/i18n/pt/android.md
new file mode 100644
index 00000000..e32b1159
--- /dev/null
+++ b/i18n/pt/android.md
@@ -0,0 +1,365 @@
+---
+title: "Android"
+icon: 'simple/android'
+---
+
+![Android logo](assets/img/android/android.svg){ align=right }
+
+The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features.
+
+[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage }
+[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation}
+[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" }
+
+Notavelmente, o GrapheneOS suporta [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play). Os Serviços Google Play podem ser executados como um aplicativo de usuário regular e contidos em um perfil de trabalho ou usuário [perfil](/android/#android-security-privacy) de sua escolha.
+
+- [General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md)
+- [Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+
+## Derivados AOSP
+
+We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems.
+
+!!! note
+
+ ![GrapheneOS logo](/assets/img/android/grapheneos.svg#only-light){ align=right }
+ ![GrapheneOS logo](/assets/img/android/grapheneos-dark.svg#only-dark){ align=right }
+
+ **GrapheneOS*** é a melhor escolha quando se trata de privacidade e segurança.
GrapheneOS fornece [endurecimento adicional de segurança](https://en.wikipedia.org/wiki/Hardening_(computação)) e melhorias na privacidade.
+
+### GrapheneOS
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ Os dispositivos de "suporte estendido" da GrapheneOS não possuem patches de segurança completos (atualizações de firmware) devido à descontinuação do suporte por parte do fabricante do equipamento original (OEM).
+
+ Estes dispositivos não podem ser considerados completamente seguros. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported.
+
+ [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+Para acomodar usuários que precisam dos Serviços do Google Play, CalyxOS opcionalmente inclui [MicroG](https://microg.org/). Com o MicroG, CalyxOS também agrupa no [Mozilla](https://location.services.mozilla.com/) e [DejaVu](https://github.com/n76/DejaVu) serviços de localização.
+
+Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support).
+
+### CalyxOS
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logo CalyxOS](/assets/img/android/calyxos.svg){ align=right }
+
+ **CalyxOS*** é uma alternativa decente ao GrapheneOS.
+ Possui alguns recursos de privacidade no topo do AOSP, incluindo [Datura firewall](https://calyxos.org/docs/tech/datura-details), [Signal](https://signal.org) integração no aplicativo discador, e um botão de pânico embutido. CalyxOS também vem com atualizações de firmware e compilações assinadas, portanto [boot verificado](https://source.android.com/security/verifiedboot) é totalmente suportado.
+
+ [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute }
+
+DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758).
All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled.
+
+DivestOS tem vulnerabilidade automática do kernel ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), menos blobs proprietários, um personalizado [hosts](https://divested.dev/index.php?page=dnsbl) arquivo, e [F-Droid](https://www.f-droid.org) como a loja de aplicativos. Inclui [UnifiedNlp](https://github.com/microg/UnifiedNlp) para localização da rede. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features).
+
+DivestOS também inclui correções do kernel do GrapheneOS e habilita todos os recursos de segurança do kernel disponíveis via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). Todos os kernels mais novos que a versão 3.4 incluem página completa [sanitização](https://lwn.net/Articles/334747/) e todos os ~22 kernels compilados por Clang têm [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) activado. However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)).
We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply.
+
+!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso.
+
+ DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative.
+
+ Not all of the supported devices have verified boot, and some perform it better than others.
+
+## Recursos de segurança e privacidade do Android
+
+When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible.
+
+Vários perfis de usuário (Configurações → Sistema → Vários usuários) são a maneira mais simples de isolar no Android. Com perfis de usuário você pode limitar um usuário de fazer chamadas, SMS ou instalar aplicativos no dispositivo. These phone variants will prevent you from installing any kind of alternative Android distribution.
+
+Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner.
+
+A few more tips regarding Android devices and operating system compatibility:
+
+- Remoção automática de [Exif](https://en.wikipedia.org/wiki/Exif) metadados (ativados por padrão)
+- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with.
+- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details!
+
+### DivestOS
+
+Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element.
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![DivestOS logo](/assets/img/android/divestos.svg){ align=right }
+
+ **DivestOS** é um [soft-fork](https://en.wikipedia.org/wiki/Fork_(software_development)#Forking_of_free_and_open-source_software) de [LineageOS](https://lineageos.org/).
+
+ DivestOS herda muitos [dispositivos suportados](https://divestos.org/index.php?page=devices&base=LineageOS) do LineageOS.
+
+ Ele assinou builds, tornando possível ter [boot verificado](https://source.android.com/security/verifiedboot) em alguns dispositivos não-Pixel.
+
+Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs.
Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface.
+
+Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones.
+
+Os dados de cada usuário são criptografados usando sua própria chave de criptografia exclusiva, e os arquivos do sistema operacional são deixados não criptografados. O Boot Verificado garante a integridade dos arquivos do sistema operacional, impedindo que um adversário com acesso físico possa adulterar ou instalar malware no dispositivo.
+
+A few more tips for purchasing a Google Pixel:
+
+- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock.
+- Apenas o Google e os aplicativos de terceiros verificados podem acessar os dados da conta
+- Look at online community bargain sites in your country. These can alert you to good sales.
+- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day.
+
+## Aplicações recomendadas
+
+We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality.
+
+### Perfis de usuário
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ DivestOS atualização de firmware [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) varia entre os dispositivos que suporta.
+
+ Para telefones Pixel, ainda recomendamos o uso de GrapheneOS ou CalyxOS.
+
+ Para outros dispositivos suportados, o DivestOS é uma boa alternativa. downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter)
+
+!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso.
+
+ ![logo Orbot](/assets/img/android/orbot.svg){ align=right }
+
+ **Orbot** é um aplicativo proxy gratuito que roteia suas conexões através da Rede Tor.
+
+ [Visite orbot.app](https://orbot.app/){ .md-button .md-button--primary }
+
+ **Downloads***
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
+ - [:pg-f-droid: F-Droid](https://guardianproject.info/fdroid)
+ - [:fontawesome-brands-github: GitHub](https://github.com/guardianproject/orbot)
+ - [:fontawesome-brands-gitlab: GitLab](https://gitlab.com/guardianproject/orbot)
+
+### Perfil de trabalho
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ Orbot está frequentemente desatualizado no [repositório F-Droid](https://guardianproject.info/fdroid) e [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) do Projeto Guardian, então considere fazer o download diretamente do [repositório GitHub](https://github.com/guardianproject/orbot). Todas as versões são assinadas usando a mesma assinatura, portanto devem ser compatíveis umas com as outras.
+
+ [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation}
+ [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+Auditor performs attestation and intrusion detection by:
+
+- ⚙️ Configurações → Google → Anúncios
+- ⚙️ Configurações → Privacidade → Anúncios
+- The *auditor* records the current state and configuration of the *auditee*.
+- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations.
+- You will be alerted to the change.
+
+No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring.
+
+If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection.
+
+### Bota Verificada
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Logotipo do Abrigo](/assets/img/android/shelter.svg){ align=right }
+
+ **Shelter** é um aplicativo que ajuda você a aproveitar o perfil de trabalho do Android para isolar outros aplicativos. O Shelter suporta o bloqueio de busca de contatos entre perfis e compartilhamento de arquivos entre perfis através do gerenciador de arquivos padrão ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)).
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+Main privacy features include:
+
+- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default)
+- Considere as opções de preço e promoções oferecidas em [tijolo e argamassa](https://en.wikipedia.org/wiki/Brick_and_mortar) lojas.
+- Microphone permission not required unless you want to record sound
+
+!!! note
+
+ Como CalyxOS inclui um controlador de dispositivos, recomendamos o uso de seu perfil de trabalho embutido.
+
+ Recomenda-se um abrigo sobre [Insular](https://secure-system.gitlab.io/Insular/) e [Island](https://github.com/oasisfeng/island) pois suporta [bloqueio de busca de contatos](https://secure-system.gitlab.io/Insular/faq.html). If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser).
+
+### VPN Killswitch
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Logótipo do auditor](/assets/img/android/auditor.svg#only-light){ align=right }
+ ![Auditor logo](/assets/img/android/auditor-dark.svg#only-dark){ align=right }
+
+ **Auditor** é um aplicativo que utiliza recursos de segurança de hardware para fornecer monitoramento de integridade de dispositivos para [dispositivos suportados](https://attestation.app/about#device-support). Atualmente trabalha com GrapheneOS e com o sistema operacional de estoque do dispositivo. [Visite attestation.app](https://attestation.app){ .md-button .md-button--primary }
+
+ **Downloads:**
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor)
+ - [:fontawesome-brands-github: GitHub](https://github.com/GrapheneOS/Auditor)
+
+ [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content.
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+## Obtaining Applications
+
+### Alternativas Globais
+
+GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself.
The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to.
+
+### Orbot
+
+The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store.
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Secure camera logo](/assets/img/android/secure_camera.svg#only-light){ align=right }
+ ![Secure camera logo](/assets/img/android/secure_camera-dark.svg#only-dark){ align=right }
+
+ **Secure Camera** é um aplicativo de câmera focado em privacidade e segurança que pode capturar imagens, vídeos e códigos QR.
+
+ As extensões do fornecedor CameraX (Portrait, HDR, Night Sight Sight, Face Retouch e Auto) também são suportadas nos dispositivos disponíveis. [Visite github.com](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary }
+
+ **Downloads:**
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play)
+ - [:fontawesome-brands-github: GitHub](https://github.com/GrapheneOS/Camera/releases)
+
+Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device.
+
+### Abrigo
+
+For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases.
+
+![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark)
+
+#### Droid-ify
+
+On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL:
+
+`https://github.com/GrapheneOS/Camera/releases.atom`
+
+#### GitLab
+
+On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL:
+
+`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom`
+
+#### Verifying APK Fingerprints
+
+If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools).
+
+1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/).
+
+2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools).
+
+3. Extract the downloaded archive:
+
+ ```bash
+ unzip commandlinetools-*.zip
+ cd cmdline-tools
+ ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3"
+ ```
+
+4. Run the signature verification command:
+
+ ```bash
+ ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk
+ ```
+
+5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website.
+
+ ```bash
+ Signer #1 certificate DN: CN=GrapheneOS
+ Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59
+ Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c
+ Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3
+ ```
+
+### Auditor
+
+![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px }
+
+==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages.
+
+Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust.
+
+Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository.
While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.
+
+That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method.
+
+!!! note
+
+ In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it.
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Considere o auto-hospedagem para mitigar esta ameaça.
+
+ ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails.
+
+### Software
+
+- Must be open-source software.
+- Must support bootloader locking with custom AVB key support.
+- Must receive major Android updates within 0-1 months of release.
+- Must receive Android feature updates (minor version) within 0-14 days of release.
+- Must receive regular security patches within 0-5 days of release.
+- Must **not** be "rooted" out of the box.
+- Must **not** enable Google Play Services by default.
+- Must **not** require system modification to support Google Play Services.
+
+### Devices
+
+- Must support at least one of our recommended custom operating systems.
+- Must be currently sold new in stores.
+- Must receive a minimum of 5 years of security updates.
+- Must have dedicated secure element hardware.
+
+### Applications
+
+- Applications on this page must not be applicable to any other software category on the site.
+- General applications should extend or replace core system functionality.
+- Applications should receive regular updates and maintenance.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/assets/img/account-deletion/exposed_passwords.png b/i18n/pt/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/pt/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/pt/assets/img/android/rss-apk-dark.png b/i18n/pt/assets/img/android/rss-apk-dark.png
new file mode 100644
index 00000000..974869a4
Binary files /dev/null and b/i18n/pt/assets/img/android/rss-apk-dark.png differ
diff --git a/i18n/pt/assets/img/android/rss-apk-light.png b/i18n/pt/assets/img/android/rss-apk-light.png
new file mode 100644
index 00000000..21d6ef03
Binary files /dev/null and b/i18n/pt/assets/img/android/rss-apk-light.png differ
diff --git a/i18n/pt/assets/img/android/rss-changes-dark.png b/i18n/pt/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/pt/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/pt/assets/img/android/rss-changes-light.png b/i18n/pt/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/pt/assets/img/android/rss-changes-light.png differ diff --git a/i18n/pt/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/pt/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/pt/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt/assets/img/how-tor-works/tor-encryption.svg b/i18n/pt/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/pt/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/pt/assets/img/how-tor-works/tor-path-dark.svg b/i18n/pt/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/pt/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt/assets/img/how-tor-works/tor-path.svg b/i18n/pt/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/pt/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt/assets/img/multi-factor-authentication/fido.png b/i18n/pt/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/pt/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/pt/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/pt/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/pt/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/pt/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/pt/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/pt/assets/img/qubes/qubes-trust-level-architecture.png differ 
diff --git a/i18n/pt/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/pt/assets/img/qubes/r4.0-xfce-three-domains-at-work.png
new file mode 100644
index 00000000..d7138149
Binary files /dev/null and b/i18n/pt/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ
diff --git a/i18n/pt/basics/account-creation.md b/i18n/pt/basics/account-creation.md
new file mode 100644
index 00000000..65cb2148
--- /dev/null
+++ b/i18n/pt/basics/account-creation.md
@@ -0,0 +1,83 @@
+---
+title: "Account Creation"
+icon: 'material/account-plus'
+---
+
+Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line.
+
+There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer.
+
+It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.
+
+## Terms of Service & Privacy Policy
+
+The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for.
+
+The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect.
+
+We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start.
+
+Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy.
+
+## Authentication methods
+
+There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks.
+
+### Email and password
+
+The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords.
+
+!!! aviso
+ Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado.
+
+ You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key.
+
+You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts.
+
+[Recommended password managers](../passwords.md ""){.md-button}
+
+#### Email aliases
+
+If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page.
Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to.
+
+Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked.
+
+[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button}
+
+### Single sign-on
+
+!!! note
+
+ We are discussing Single sign-on for personal use, not enterprise users.
+
+Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO.
+
+When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account.
+
+The main advantages are:
+
+- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials.
+- **Ease of use**: multiple accounts are managed by a single login.
+
+But there are disadvantages:
+
+- **Privacy**: a SSO provider will know the services you use.
+- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected.
+
+SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others.
Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md).
+
+All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak.
+
+### Phone number
+
+We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted.
+
+You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts.
+
+In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number!
+
+### Username and password
+
+Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/basics/account-deletion.md b/i18n/pt/basics/account-deletion.md
new file mode 100644
index 00000000..8b5f315b
--- /dev/null
+++ b/i18n/pt/basics/account-deletion.md
@@ -0,0 +1,63 @@
+---
+title: "Account Deletion"
+icon: 'material/account-remove'
+---
+
+Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence.
+
+## Finding Old Accounts
+
+### Password Manager
+
+If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/).
+
+
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png)
+
+
+Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336).
+
+Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about:
+
+- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
+- macOS [Passwords](https://support.apple.com/en-us/HT211145)
+- iOS [Passwords](https://support.apple.com/en-us/HT211146)
+- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
+
+### Provedores de VPN
+
+If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts.
+
+## Deleting Old Accounts
+
+### Log In
+
+In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page.
It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts.
+
+When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account.
+
+### GDPR (EEA residents only)
+
+Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
+
+### Overwriting Account information
+
+In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information.
+
+For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.
+
+### Delete
+
+You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
+
+For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this).
+
+If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
+
+Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services.
+
+## Avoid New Accounts
+
+As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/basics/common-misconceptions.md b/i18n/pt/basics/common-misconceptions.md
new file mode 100644
index 00000000..3d494826
--- /dev/null
+++ b/i18n/pt/basics/common-misconceptions.md
@@ -0,0 +1,62 @@
+---
+title: "Common Misconceptions"
+icon: 'material/robot-confused'
+---
+
+## "Open-source software is always secure" or "Proprietary software is more secure"
+
+These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis.
+
+Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1]
+
+On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
+
+To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use.
+
+## "Shifting trust can increase privacy"
+
+We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that:
+
+1.
You must exercise caution when choosing a provider to shift trust to.
+2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data.
+
+## "Privacy-focused solutions are inherently trustworthy"
+
+Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider.
+
+The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all.
+
+## "Complicated is better"
+
+We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?"
+
+Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips:
+
+1.
==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions.
+2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember.
+3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight.
+
+So, how might this look?
+
+One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to.
+
+1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses.
+
+ We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means.
+
+ !!! aviso
+ Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado.
+
+ When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private.
+
+2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know.
This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc.
+
+ You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.
+
+3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly.
+
+ Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.)
+
+--8<-- "includes/abbreviations.pt.txt"
+
+[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident).
diff --git a/i18n/pt/basics/common-threats.md b/i18n/pt/basics/common-threats.md
new file mode 100644
index 00000000..70d894a1
--- /dev/null
+++ b/i18n/pt/basics/common-threats.md
@@ -0,0 +1,152 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. 
+
+Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices.
+
+## Anonymity vs. Privacy
+
+:material-incognito: Anonymity
+
+Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity.
+
+Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far.
+
+## Security and Privacy
+
+:material-bug-outline: Passive Attacks
+
+Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. 
The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). 
+ +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. 
Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. 
+ + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! 
quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. 
Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4]
+
+Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you.
+
+## Limiting Public Information
+
+:material-account-search: Public Exposure
+
+The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy.
+
+- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md)
+
+On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission.
+
+If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. 
This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. 
A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
+
+You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.
+
+--8<-- "includes/abbreviations.pt.txt"
+
+[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance).
+[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques.
+[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights).
diff --git a/i18n/pt/basics/email-security.md b/i18n/pt/basics/email-security.md
new file mode 100644
index 00000000..72ce14ae
--- /dev/null
+++ b/i18n/pt/basics/email-security.md 
@@ -0,0 +1,42 @@
+---
+title: Email Security
+icon: material/email
+---
+
+Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed.
+
+As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others.
+
+## Email Encryption Overview
+
+The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
+
+There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible.
+
+### What Email Clients Support E2EE? 
+
+Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication.
+
+### How Do I Protect My Private Keys?
+
+A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
+
+It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.
+
+## Email Metadata Overview
+
+Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
+
+Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent.
+
+### Who Can View Email Metadata? 
+
+Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages.
+
+### Why Can't Metadata be E2EE?
+
+Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/basics/multi-factor-authentication.md b/i18n/pt/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..8808043a
--- /dev/null
+++ b/i18n/pt/basics/multi-factor-authentication.md 
@@ -0,0 +1,166 @@ +--- +title: "Multi-Factor Authentication" +icon: 'O uso de AMF forte pode parar mais de 99% dos acessos não autorizados à conta, e é fácil de configurar nos serviços que você já usa.' +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +A idéia por trás do AMF é que mesmo que um hacker (ou adversário) seja capaz de descobrir sua senha (algo que você *sabe*), eles ainda precisarão de um dispositivo que você possui como o seu telefone (algo que você *tem*), a fim de gerar o código necessário para entrar na sua conta. Os métodos de AMF variam na segurança com base nesta premissa: quanto mais difícil for para um atacante ter acesso ao seu método AMF, melhor. + +Receber códigos de **SMS** ou **email** são uma das formas mais fracas de proteger as suas contas com AMF. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## Comparação do Método AMF + +### SMS ou e-mail MFA + +**Notificações Push** assume a forma de uma mensagem a ser enviada para um aplicativo no seu telefone pedindo-lhe para confirmar novos logins de conta. Este método é muito melhor que SMS ou e-mail, uma vez que um atacante normalmente não seria capaz de receber estas notificações push sem ter um dispositivo já conectado, o que significa que eles precisariam comprometer um dos seus outros dispositivos primeiro. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Notificações Push + +Todos nós cometemos erros, e há o risco de que um usuário possa aceitar a tentativa de login por acidente. 
As autorizações de login de notificação push são normalmente enviadas para *todos* seus dispositivos de uma só vez, ampliando a disponibilidade do código MFA se você tiver muitos dispositivos.
+
+A segurança da notificação push AMF depende tanto da qualidade do aplicativo, do componente servidor e da confiança do desenvolvedor que o produz. A instalação de um aplicativo também pode exigir que você aceite privilégios invasivos que concedam acesso a outros dados em seu dispositivo.
+
+**TOTP** é uma das formas mais comuns de AMF disponível. Quando um usuário configura o TOTP, ele geralmente é obrigado a digitalizar um [QR Code](https://en.wikipedia.org/wiki/QR_code) que estabelece um "segredo compartilhado" com o serviço que pretende utilizar. O segredo compartilhado é protegido dentro dos dados do aplicativo autenticador, e às vezes é protegido por uma senha.
+
+### Palavra-passe única baseada no tempo (TOTP)
+
+TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password.
+
+Se você tem uma chave de segurança de hardware com suporte a TOTP (como uma YubiKey com [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), recomendamos que você armazene os seus "segredos compartilhados" no hardware. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes.
+
+Ao contrário de [FIDO2 / U2F](#fido2-u2f), TOTP não oferece protecção contra [phishing](https://en.wikipedia.org/wiki/Phishing) ou ataques de reutilização. Se um adversário obtém um código válido de você, ele pode usá-lo quantas vezes quiser até que expire (geralmente 60 segundos). 
A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app.
+
+Um adversário poderia criar um site para imitar um serviço oficial, numa tentativa de enganá-lo para dar o seu nome de usuário, senha e código TOTP atual. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds).
+
+An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
+
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+
+### Chaves de segurança do hardware
+
+The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory.
+
+Yubico OTP é um protocolo de autenticação tipicamente implementado em chaves de segurança de hardware. Quando um utilizador decide utilizar o Yubico OTP, a chave irá gerar um ID público, um ID privado e uma Chave Secreta que é depois carregada para o servidor Yubico OTP.
+
+#### Yubico OTP
+
+Ao entrar em um site, tudo o que um usuário precisa fazer é tocar fisicamente a chave de segurança. A chave de segurança irá emular um teclado e imprimir uma senha única no campo da senha.
+
+O serviço irá então reencaminhar a senha única para o servidor OTP Yubico para validação. Um contador é incrementado tanto na chave como no servidor de validação do Yubico.
+
+The service will then forward the one-time password to the Yubico OTP server for validation. 
A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
+
+ ![Yubico OTP](/assets/img/multi-factor-autenticação/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO2 / U2F + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png)
+
+
+When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. Ele usa autenticação de chave pública e é mais seguro que os segredos compartilhados usados nos métodos Yubico OTP e TOTP, pois inclui o nome de origem (geralmente, o nome do domínio) durante a autenticação.
+
+This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards.
+
+
+
+
+
+Se um site ou serviço suportar FIDO2 / U2F para a autenticação, é altamente recomendável que o utilize em relação a qualquer outra forma de AMF.
+
+Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy.
+
+Ao configurar o seu método AMF, tenha em mente que ele é apenas tão seguro quanto o seu método de autenticação mais fraco que você usa. It also does not use any third-party cloud server for authentication. Por exemplo, se você já estiver usando TOTP, você deve desativar o e-mail e SMS MFA. Se já estiver a utilizar o FIDO2 / U2F, não deve utilizar o Yubico OTP ou TOTP na sua conta.
+
+If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA.
+
+## Recomendações Gerais
+
+Ao usar TOTP com um aplicativo autenticador, certifique-se de fazer backup das chaves de recuperação, do próprio aplicativo ou copie os "segredos compartilhados" para outra instância do aplicativo em um telefone diferente ou em um container criptografado (por exemplo [VeraCrypt](/encryption/#veracrypt)).
+
+### Qual o método a utilizar?
+
+Ao comprar uma chave de segurança, é importante que você altere as credenciais padrão, configure a proteção por senha para a chave e ative a confirmação por toque se a sua chave suportar tal recurso. Produtos como o [YubiKey](#yubikey) têm múltiplas interfaces com credenciais separadas para cada uma delas, portanto você deve passar por cima de cada interface e configurar a proteção também.
For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account.
+
+### Cópias de segurança
+
+You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one.
+
+When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)).
+
+### Configuração inicial
+
+When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well.
+
+### Email e SMS
+
+Além de proteger apenas os logins do seu site, a autenticação multi-factor pode ser usada para proteger os seus logins locais, chaves ssh ou mesmo bases de dados de senhas também.
+
+If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam).
+
+[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button}
+
+## Mais lugares para configurar o AMF
+
+Yubico tem um guia [Usando o seu YubiKey como Smart Card em macOS](https://support.yubico.com/hc/en-us/articles/360016649059) que o pode ajudar a configurar o seu YubiKey em macOS.
+
+### Windows
+
+Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer.
+
+### macOS
+
+macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer.
+
+Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS.
+
+After your smartcard/security key is set up, we recommend running this command in the Terminal:
+
+```text
+sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool SIM
+```
+
+The command will prevent an adversary from bypassing MFA when the computer boots.
+
+### Linux
+
+!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso.
+
+ If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide.
+
+The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions.
A maioria das coisas deve ser a mesma independentemente da distribuição, no entanto os comandos do gerenciador de pacotes, como "apt-get" e nomes de pacotes podem ser diferentes. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS.
+
+### SO Qubes
+
+As bases de dados KeePass e KeePassXC podem ser protegidas usando Challenge-Response ou HOTP como um segundo factor de autenticação. Yubico forneceu um documennt para KeePass [Usando a sua YubiKey com KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) e também existe um no website [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) .
+
+### SSH
+
+#### Chaves de Segurança de Hardware
+
+SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up.
+
+#### Palavra-passe única baseada no tempo (TOTP)
+
+SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ.
+
+### KeePass (e KeePassXC)
+
+KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication.
Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/basics/passwords-overview.md b/i18n/pt/basics/passwords-overview.md
new file mode 100644
index 00000000..b6030899
--- /dev/null
+++ b/i18n/pt/basics/passwords-overview.md
@@ -0,0 +1,112 @@
+---
+title: "Introduction to Passwords"
+icon: 'material/form-textbox-password'
+---
+
+Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced.
+
+## Best Practices
+
+### Use unique passwords for every service
+
+Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it.
+
+This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords.
+
+### Use randomly generated passwords
+
+==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices.
+
+All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use.
+
+### Rotating Passwords
+
+You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it.
+
+When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage.
+
+!!! tip "Checking for data breaches"
+
+ If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md).
+
+## Creating strong passwords
+
+### Passwords
+
+A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters.
+
+If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases).
+
+### Diceware Passphrases
+
+Diceware is a method for creating passphrases which are easy to remember, but hard to guess.
+
+Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password.
+
+An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`.
+
+To generate a diceware passphrase using real dice, follow these steps:
+
+!!!
note
+
+ These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy.
+
+1. Roll a six-sided die five times, noting down the number after each roll.
+
+2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`.
+
+3. You will find the word `encrypt`. Write that word down.
+
+4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space.
+
+!!! warning "Important"
+
+ You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random.
+
+If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords.
+
+We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault.
note "Explanation of entropy and strength of diceware passphrases"
+
+ To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example.
+
+ One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$.
+
+ Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$).
+
+ The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$.
+
+ Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases.
+
+ On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true:
+
+ - Your adversary knows that you used the diceware method.
+ - Your adversary knows the specific wordlist that you used.
+ - Your adversary knows how many words your passphrase contains.
+
+To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong.
+
+## Storing Passwords
+
+### Redes Auto-Contidas
+
+The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them.
+
+There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words.
+
+[List of recommended password managers](../passwords.md ""){.md-button}
+
+!!! warning "Don't place your passwords and TOTP tokens inside the same password manager"
+
+ When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+
+ Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
+
+ Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device.
+
+### Cópias de segurança
+
+You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/basics/threat-modeling.md b/i18n/pt/basics/threat-modeling.md
new file mode 100644
index 00000000..5e6cbca5
--- /dev/null
+++ b/i18n/pt/basics/threat-modeling.md
@@ -0,0 +1,111 @@
+---
+title: "evergreen"
+icon: 'O que são modelos de ameaça?'
+---
+
+Equilibrar segurança, privacidade e usabilidade é uma das primeiras e mais difíceis tarefas que você enfrentará na sua jornada de privacidade. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using!
+
+Se você quisesse usar o **mais** ferramentas seguras disponíveis, você teria que sacrificar *muito* de usabilidade. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. É por isso que os modelos de ameaça são importantes.
+
+**So, what are these threat models, anyway?**
+
+==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure.
+
+Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.
+
+## Creating Your Threat Model
+
+To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions:
+
+1. O que é que eu quero proteger?
+2. De quem eu quero protegê-lo?
+3. Qual é a probabilidade de eu precisar de o proteger?
+4. Quão más são as consequências se eu falhar?
+5. Quantos problemas estou disposto a enfrentar para tentar evitar possíveis consequências?
+
+### O que é que eu quero proteger?
+
+Um "bem" é algo que você valoriza e quer proteger.
In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Os seus próprios dispositivos também podem ser bens.
+
+*Faça uma lista dos seus bens: dados que você guarda, onde são guardados, quem tem acesso a eles e o que impede outros de acederem a eles.*
+
+### De quem eu quero protegê-lo?
+
+Para responder a esta pergunta, é importante identificar quem pode querer ter como alvo você ou suas informações. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.
+
+*Make a list of your adversaries or those who might want to get ahold of your assets. A sua lista pode incluir indivíduos, uma agência governamental ou corporações.*
+
+Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning.
+
+### Qual é a probabilidade de eu precisar de o proteger?
+
+==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. Embora a sua operadora de celular tenha a capacidade de acessar todos os seus dados, o risco de que eles coloquem seus dados particulares online para prejudicar sua reputação é baixo.
+
+É importante distinguir entre o que pode acontecer e a probabilidade de acontecer. Por exemplo, há uma ameaça de colapso do seu edifício, mas o risco de isso acontecer é muito maior em São Francisco (onde os terremotos são comuns) do que em Estocolmo (onde eles não são).
+
+Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost.
Em outros casos, as pessoas desconsideram os altos riscos porque não vêem a ameaça como um problema.
+
+*Escreva quais ameaças você vai levar a sério, e quais podem ser muito raras ou inofensivas (ou muito difíceis de combater) para se preocupar.*
+
+### Quão más são as consequências se eu falhar?
+
+Há muitas maneiras de um adversário poder ter acesso aos seus dados. Por exemplo, um adversário pode ler suas comunicações privadas enquanto elas passam pela rede, ou podem apagar ou corromper seus dados.
+
+==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. Em contraste, um adversário político pode desejar ter acesso a conteúdo secreto e publicar esse conteúdo sem que você saiba.
+
+O planejamento de segurança envolve compreender quão ruins podem ser as conseqüências se um adversário conseguir ter acesso a um de seus ativos. Para determinar isso, você deve considerar a capacidade do seu adversário. For example, your mobile phone provider has access to all of your phone records. Um hacker em uma rede Wi-Fi aberta pode acessar suas comunicações não criptografadas. O seu governo pode ter capacidades mais fortes.
+
+*Escreva o que o seu adversário pode querer fazer com os seus dados privados.*
+
+### Quantos problemas estou disposto a enfrentar para tentar evitar possíveis consequências?
+
+==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Sua avaliação de risco lhe permitirá planejar a estratégia certa para você, equilibrando conveniência, custo e privacidade.
+
+Por exemplo, um advogado que representa um cliente em um caso de segurança nacional pode estar disposto a ir mais longe para proteger as comunicações sobre esse caso, como o uso de e-mail criptografado, do que uma mãe que envia regularmente e-mails com vídeos engraçados de gatos para sua filha.
+
+*Escreva as opções que você tem disponíveis para ajudar a mitigar suas ameaças únicas. Observe se você tem alguma restrição financeira, técnica ou social.*
+
+### Try it yourself: Protecting Your Belongings
+
+These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe.
+
+**O que você quer proteger? (Ou, *o que é que você tem que vale a pena proteger?*)**
+:
+
+Seus bens podem incluir jóias, eletrônicos, documentos importantes ou fotos.
+
+**De quem você quer protegê-lo?**
+:
+
+Os seus adversários podem incluir assaltantes, companheiros de quarto ou convidados.
+
+**Qual é a probabilidade de precisar de o proteger?**
+:
+
+O seu bairro tem um histórico de assaltos? How trustworthy are your roommates or guests? Quais são as capacidades dos seus adversários? Quais são os riscos que você deve considerar?
+
+**Quão más são as consequências se falhar?**
+:
+
+Tem alguma coisa na sua casa que não possa substituir? Do you have the time or money to replace those things? Você tem um seguro que cobre bens roubados de sua casa?
+
+**Quantos problemas você está disposto a passar para evitar essas consequências?**
+:
+
+Você está disposto a comprar um cofre para documentos sensíveis? Tem dinheiro para comprar um cadeado de alta qualidade? Tem tempo para abrir uma caixa de segurança no seu banco local e guardar lá os seus valores?
+
+Só depois de se ter feito estas perguntas é que estará em condições de avaliar que medidas tomar.
Se os seus bens são valiosos, mas a probabilidade de um arrombamento é baixa, então você pode não querer investir muito dinheiro numa fechadura. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system.
+
+Fazer um plano de segurança o ajudará a entender as ameaças que são únicas para você e a avaliar seus ativos, seus adversários e as capacidades de seus adversários, juntamente com a probabilidade de riscos que você enfrenta.
+
+## Further Reading
+
+For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations.
+
+- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md)
+
+## Fontes
+
+- [Autodefesa de Vigilância EFF: Seu Plano de Segurança](https://ssd.eff.org/en/module/your-security-plan)
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/basics/vpn-overview.md b/i18n/pt/basics/vpn-overview.md
new file mode 100644
index 00000000..06129b83
--- /dev/null
+++ b/i18n/pt/basics/vpn-overview.md
@@ -0,0 +1,78 @@
+---
+title: VPN Overview
+icon: material/vpn
+---
+
+Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem).
+
+Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns).
+
+A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it.
+
+## Should I use a VPN?
+
+**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service.
+
+VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way.
+
+However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.
+
+## When shouldn't I use a VPN?
+
+Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful.
+
+Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website.
+
+## What about encryption?
+
+Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them.
However, encryption between your apps or browsers with the service providers are not handled by this encryption.
+
+In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf).
+
+## Should I use encrypted DNS with a VPN?
+
+Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider.
+
+A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different.
+
+Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you.
+
+## Should I use Tor *and* a VPN?
+
+By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically.
If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md).
+
+## What if I need anonymity?
+
+VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead.
+
+## What about VPN providers that provide Tor nodes?
+
+Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit).
+
+The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway.
+
+## When are VPNs useful?
+
+A VPN may still be useful to you in a variety of scenarios, such as:
+
+1. Hiding your traffic from **only** your Internet Service Provider.
+1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
+1.
Hiding your IP from third-party websites and services, preventing IP based tracking.
+
+For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
+
+## Sources and Further Reading
+
+1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
+1. [Tor Network Overview](../advanced/tor-overview.md)
+1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides)
+1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them.
+
+## Related VPN Information
+
+- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/)
+- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
+- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
+- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/calendar.md b/i18n/pt/calendar.md
new file mode 100644
index 00000000..8c4526bd
--- /dev/null
+++ b/i18n/pt/calendar.md
@@ -0,0 +1,89 @@
+---
+title: "Clientes de e-mail"
+icon: material/calendar
+---
+
+Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them.
+
+## Software como um serviço (SaaS) apenas
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right }
+ ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right }
+
+ **Tutanota** offers a free and encrypted calendar across their supported platforms. [Visite tutanota.com](https://tutanota.com/calendar){ .md-button .md-button--primary } [Política de Privacidade](https://tutanota.com/privacy){ .md-button }
+
+ **Downloads***
+ - [:fontawesome-brands-windows: Windows](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:fontawesome-brands-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:fontawesome-brands-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:pg-flathub: Flatpak](https://flathub.org/apps/details/com.tutanota.Tutanota)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.tutao.tutanota)
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/tutanota/id922429609)
+ - [:fontawesome-brands-github: Source](https://github.com/tutao/tutanota)
+
+ Multiple calendars and extended sharing functionality is limited to paid subscribers. 
+
+ [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609)
+ - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota)
+ - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+
+## Auto-hospedagem
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Proton](assets/img/calendar/proton-calendar.svg){ align=right }
+
+ **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Todos os dados armazenados dentro dele são encriptados de ponta a ponta quando armazenados nos servidores do ProtonMail. [Visite calendar.protonmail.com](https://calendar.protonmail.com){ .md-button .md-button--primary } [Política de Privacidade](https://protonmail.com/privacy-policy){ .md-button }
+
+ **Downloads***
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar)
+ - [:fontawesome-brands-github: Fonte](https://github.com/ProtonMail/WebClients) Extended sharing functionality is also limited to paid subscribers. 
+
+ [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar)
+ - [:octicons-browser-16: Web](https://calendar.proton.me)
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Considere o auto-hospedagem para mitigar esta ameaça.
+
+ ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails.
+
+### Minimum Qualifications
+
+- Must sync and store information with E2EE to ensure data is not visible to the service provider.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should integrate with native OS calendar and contact management apps if applicable.
+
+--8<-- "includes/abbreviations.pt.txt" 
diff --git a/i18n/pt/cloud.md b/i18n/pt/cloud.md
new file mode 100644
index 00000000..380bf0ab
--- /dev/null
+++ b/i18n/pt/cloud.md
@@ -0,0 +1,63 @@
+---
+title: "Email"
+icon: material/file-cloud
+---
+
+Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by either putting you in control of your data or by implementing E2EE.
+
+Confie em seu provedor usando uma alternativa abaixo que suporta [criptografia de ponta a ponta (E2EE)](https://wikipedia.org/wiki/End-to-end_encryption).
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. question "Looking for Nextcloud?"
+
+ Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users.
+
+## Proton Drive
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logo Proton Drive](/assets/img/cloud/protondrive.svg){ align=right }
+
+ **Proton Drive** é um serviço geral de armazenamento de arquivos criptografados (E2EE) de ponta a ponta pelo popular provedor de e-mail criptografado [ProtonMail](https://protonmail.com).
+
+ [Visite drive.protonmail.com](https://drive.protonmail.com){ .md-button .md-button--primary } [Política de Privacidade](https://protonmail.com/privacy-policy){ .md-button }
+
+ **Downloads***
+ - [:fontawesome-brands-github: Fonte](https://github.com/ProtonMail/WebClients) downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851)
+
+Proton Drive's mobile clients were released in December 2022 and are not yet open-source. 
Proton has historically delayed their source code releases until after initial product releases, and [plans to](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) release the source code by the end of 2023. Proton Drive desktop clients are still in development.
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Considere o auto-hospedagem para mitigar esta ameaça.
+
+ ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails.
+
+### Minimum Requirements
+
+- Must enforce end-to-end encryption.
+- Must offer a free plan or trial period for testing.
+- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins.
+- Must offer a web interface which supports basic file management functionality.
+- Must allow for easy exports of all files/documents.
+- Must use standard, audited encryption.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Clients should be open-source.
+- Clients should be audited in their entirety by an independent third-party.
+- Should offer native clients for Linux, Android, Windows, macOS, and iOS. 
+ - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android.
+- Should support easy file-sharing with other users.
+- Should offer at least basic file preview and editing functionality on the web interface.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/data-redaction.md b/i18n/pt/data-redaction.md
new file mode 100644
index 00000000..fae1a0dc
--- /dev/null
+++ b/i18n/pt/data-redaction.md
@@ -0,0 +1,164 @@
+---
+title: "Ferramentas de encriptação"
+icon: material/tag-remove
+---
+
+Ao partilhar ficheiros, certifique-se de que remove os metadados associados. Os arquivos de imagem geralmente incluem [EXIF](https://en.wikipedia.org/wiki/Exif) dados. As fotos às vezes até incluem [GPS](https://en.wikipedia.org/wiki/Global_Positioning_System) coordenadas nos metadados do arquivo.
+
+## Desktop
+
+### ExifCleaner
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right }
+
+ **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. Ele suporta processamento em lote de vários núcleos e modo escuro.
+
+ [Visite exifcleaner.com](https://exifcleaner.com){ .md-button .md-button--primary }
+
+ **Downloads***
+ - [:fontawesome-brands-windows: Windows](https://github.com/szTheory/exifcleaner/releases)
+ - [:fontawesome-brands-apple: macOS](https://github.com/szTheory/exifcleaner/releases)
+ - [:fontawesome-brands-linux: Linux](https://github.com/szTheory/exifcleaner/releases)
+ - [:fontawesome-brands-github: Source](https://github.com/szTheory/exifcleaner)
+
+ [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation}
+ [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://pypi.org/project/mat2)
+ - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew)
+ - [:simple-linux: Linux](https://pypi.org/project/mat2)
+ - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface)
+
+## Mobile
+
+### Exif Scrambled Exif
+
+!!! 
nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right }
+
+ **ExifEraser** is a modern, permissionless image metadata erasing application for Android.
+
+ Pode remover dados [EXIF](https://en.wikipedia.org/wiki/Exif) para muitos formatos de arquivo e foi traduzido para [many](https://gitlab.com/juanitobananas/scrambled-exif/-/tree/master/app/src/main/res) idiomas.
+
+ [Visite gitlab.com](https://gitlab.com/juanitobananas/scrambled-exif){ .md-button .md-button--primary }
+
+ **Downloads***
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.jarsilio.android.scrambledeggsif)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/com.jarsilio.android.scrambledeggsif)
+ - [:fontawesome-brands-gitlab: Source](https://gitlab.com/juanitobananas/scrambled-exif) downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser)
+ - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser)
+ - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases)
+
+The metadata that is erased depends on the image's file type:
+
+* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists.
+* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+
+After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image.
+
+The app offers multiple ways to erase metadata from images. 
17.1 e 18.1 característica GrapheneOS por rede completa [randomização MAC](https://en.wikipedia.org/wiki/MAC_address#Randomization) opção, e [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) controlo, e reinicialização automática/Wi-Fi/Bluetooth [opções de timeout](https://grapheneos.org/features).
+
+* You can share an image from another application with ExifEraser.
+* Through the app itself, you can select a single image, multiple images at once, or even an entire directory.
+* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it.
+* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode.
+* Lastly, it allows you to paste an image from your clipboard.
+
+### Imagepipe
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right }
+
+ **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location.
+
+ [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352)
+
+### PrivacyBlur
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right }
+
+ **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. 
+
+ [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" }
+
+ ??? Isto significa que não requer permissão para aceder directamente a conteúdos ou ficheiros.
+
+!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso.
+
+ ![logotipo PrivacyBlur](/assets/img/android/privacyblur.svg){ align=right }
+
+ **PrivacyBlur*** é uma aplicação gratuita que pode desfocar porções sensíveis de imagens antes de as partilhar online. [Visite privacyblur.app](https://privacyblur.app/){ .md-button .md-button--primary }
+
+ **Downloads:**
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.mathema.privacyblur/)
+ - [:fontawesome-brands-github: GitHub](https://github.com/MATHEMA-GmbH/privacyblur) For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid).
+
+## Linha de comando
+
+### Metapho
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right }
+
+ **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more).
+
+ Foi traduzido para [many](https://codeberg.org/Starfish/Imagepipe#translations) idiomas. 
+
+ [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://exiftool.org)
+ - [:simple-apple: macOS](https://exiftool.org)
+ - [:simple-linux: Linux](https://exiftool.org)
+
+!!! example "Deleting data from a directory of files"
+
+ ```bash
+ exiftool -all= *.file_extension
+ ```
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Considere o auto-hospedagem para mitigar esta ameaça.
+
+ ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails.
+
+- Apps developed for open-source operating systems must be open-source.
+- Apps must be free and should not include ads or other limitations.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/desktop-browsers.md b/i18n/pt/desktop-browsers.md
new file mode 100644
index 00000000..1524707e
--- /dev/null
+++ b/i18n/pt/desktop-browsers.md
@@ -0,0 +1,259 @@
+---
+title: "Desktop Browsers"
+icon: material/laptop
+---
+
+These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping your browser extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Firefox
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logotipo Bromite](/assets/img/browsers/bromite.svg){ align=right }
+
+ **Bromite** é um navegador [Chromium](https://en.wikipedia.org/wiki/Chromium_(web_browser))- com melhorias de privacidade e segurança, bloqueio de anúncios incorporado e algumas impressões digitais aleatórias.
+
+ [Visite bromite.org](https://www.bromite.org){ .md-button .md-button--primary } [Política de Privacidade](https://www.bromite.org/privacy){ .md-button }
+
+ **Downloads***
+ - [:fontawesome-brands-android: Android](https://www.bromite.org/fdroid)
+ - [:fontawesome-brands-github: Fonte](https://github.com/bromite/bromite) downloads
+
+ - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows)
+ - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac)
+ - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox)
+
+!!! warning
+ Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. 
The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/).
+
+### Firefox
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+Estas opções podem ser encontradas na página *Privacidade & Segurança* configurações ( ≡ → Configurações → Privacidade & Segurança).
+
+##### Enhanced Tracking Protection
+
+- Selecione: "Restrito".
+
+This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability.
+
+##### Sanitize on Close
+
+If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...**
+
+- Desligue: "Sugestões da web"
+
+This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often.
+
+##### Search Suggestions
+
+- [ ] Uncheck **Provide search suggestions**
+
+Search suggestion features may not be available in your region.
+
+Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. 
+
+##### Telemetry
+
+- Selecione: "Activar o modo HTTPS-Only em todas as janelas".
+- [ ] Uncheck **Allow Firefox to install and run studies**
+- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf**
+
+> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.
+
+Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out:
+
+1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection)
+2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts**
+
+##### HTTPS-Only Mode
+
+- Selecione: Use sempre ligações seguras.
+
+This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing.
+
+### Firefox Sync
+
+[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE.
+
+### Extensões
+
+The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. 
We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support.
+
+## Bromite
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logotipo Safari](/assets/img/browsers/safari.svg){ align=right }
+
+ **Safari** é o navegador padrão no iOS.
+
+ Inclui [características de privacidade](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0), tais como Proteção de Rastreamento Inteligente, Relatório de Privacidade, abas isoladas de Navegação Privada, iCloud Private Relay, e atualizações automáticas de HTTPS.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ??? downloads annotate
+
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+ - [:simple-windows11: Windows](https://brave.com/download/)
+ - [:simple-apple: macOS](https://brave.com/download/)
+ - [:simple-linux: Linux](https://brave.com/linux/) (1)
+
+ 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc.
+
+### Firefox
+
+Tor Browser is the only way to truly browse the internet anonymously. 
When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings**.
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+
+- [x] Select **Prevent sites from fingerprinting me based on my language preferences**
+- [x] Select **Aggressive** under Trackers & ads blocking
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under Block fingerprinting
+
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Social media blocking
+
+- Selecione: "Abrir links em abas incógnitas sempre".
+
+##### Privacy and security
+
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Use Google services for push messaging**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [x] Select **Always use secure connections** in the **Security** menu
+- [ ] Uncheck **Private window with Tor** (1)
+
+ !!! tip "Sanitizing on Close"
+ - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu
+
+ If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section.
+
+
+
+1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser).
+
+##### Extensões
+
+Disable built-in extensions you do not use in **Extensions**
+
+- [ ] Uncheck **Hangouts**
+- [ ] Uncheck **WebTorrent**
+
+##### IPFS
+
+InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+- [x] Select **Disabled** on Method to resolve IPFS resources
+
+##### Additional settings
+
+Under the *System* menu
+
+
+
+- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1)
+
+
+
+1. This option is not present on all platforms.
+
+### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## Recursos Adicionais
+
+We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality.
+
+### AdGuard para Safari
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ Não recomendamos a instalação do ToS;DR como uma extensão do navegador.
+
+ A mesma informação é fornecida no site deles. downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak)
+
+We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). 
+
+##### Other lists
+
+These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding:
+
+- [x] Check **Privacy** > **AdGuard URL Tracking Protection**
+- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt)
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Considere o auto-hospedagem para mitigar esta ameaça.
+
+ ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails.
+
+### Minimum Requirements
+
+- Must be open-source software.
+- Supports automatic updates.
+- Receives engine updates in 0-1 days from upstream release.
+- Available on Linux, macOS, and Windows.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Blocks third-party cookies by default.
+- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1]
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. 
+
+- Includes built-in content blocking functionality.
+- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)).
+- Supports Progressive Web Apps.
+ PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates.
+- Does not include add-on functionality (bloatware) that does not impact user privacy.
+- Does not collect telemetry by default.
+- Provides open-source sync server implementation.
+- Defaults to a [private search engine](search-engines.md).
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.pt.txt"
+
+[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/).
diff --git a/i18n/pt/desktop.md b/i18n/pt/desktop.md
new file mode 100644
index 00000000..0d2d0d16
--- /dev/null
+++ b/i18n/pt/desktop.md
@@ -0,0 +1,182 @@
+---
+title: "Armazenamento em nuvem"
+icon: fontawesome/brands/linux
+---
+
+Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions.
+
+- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md)
+
+## Distribuições Tradicionais
+
+### Estação de Trabalho Fedora
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logotipo Fedora](/assets/img/linux-desktop/fedora-workstation.svg){ align=right }
+
+ **Fedora Workstation** é a nossa distribuição recomendada para usuários novos no Linux. A Fedora geralmente adota novas tecnologias antes de outras distribuições, por exemplo, [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), e em breve, [FS-Verity](https://fedoraproject.org/wiki/Changes/FsVerityRPM). Estas novas tecnologias muitas vezes vêm com melhorias na segurança, privacidade e usabilidade em geral.
+
+ [Visite getfedora.org](https://getfedora.org/){ .md-button .md-button--primary }
+
+Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
+
+### openSUSE Tumbleweed
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logotipo do openSUSE Tumbleweed](/assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
+
+ **openSUSE Tumbleweed** é uma distribuição estável [lançamento rolante](https://en.wikipedia.org/wiki/Rolling_release).
+
+ O openSUSE Tumbleweed tem um sistema [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) que usa [Btrfs](https://en.wikipedia.org/wiki/Btrfs) e [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) para garantir que os instantâneos possam ser rolados de volta caso haja algum problema.
+
+ [Visite get.opensuse.org](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }
+
+Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality.
+
+### Arco Linux
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Arch logo](/assets/img/linux-desktop/archlinux.svg){ align=right }
+
+ **Arch Linux** é uma distribuição leve, faça-você-mesmo (faça você mesmo), o que significa que você só recebe o que você instala. Para mais informações consulte o seu [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).
+
+ [Visite archlinux.org](https://archlinux.org/){ .md-button .md-button--primary }
+
+Sendo uma distribuição DIY, o usuário é [esperado para configurar e manter](/linux-desktop/#arch-based-distributions) seu sistema. Arch tem um [instalador oficial](https://wiki.archlinux.org/title/Archinstall) para tornar o processo de instalação um pouco mais fácil.
+
+Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
+
+A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org).
+
+## Distribuições imutáveis
+
+### Fedora Silverblue
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logotipo Fedora Silverblue](/assets/img/linux-desktop/fedora-silverblue.svg){ align=right }
+
+ **Fedora Silverblue** e **Fedora Kinoite*** são variantes imutáveis do Fedora com um forte foco nos fluxos de trabalho dos contentores. Silverblue vem com o ambiente de trabalho [GNOME](https://www.gnome.org/) enquanto que a Kinoite vem com [KDE](https://kde.org/). Silverblue e Kinoite seguem o mesmo calendário de lançamento da Estação de Trabalho Fedora, beneficiando das mesmas atualizações rápidas e ficando muito perto do upstream.
+
+ [Visite silverblue.fedoraproject.org](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }
+
+Após a atualização estar completa, o usuário reiniciará o sistema para a nova implantação. `rpm-ostree` mantém duas implantações do sistema para que um usuário possa facilmente reverter se algo quebrar na nova implantação. Há também a opção de fixar mais implantações conforme necessário.
+
+After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed.
+
+Como alternativa aos Flatpaks, existe a opção de [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) para criar [Podman](https://podman.io) containers com um diretório home compartilhado com o sistema operacional host e imitar um ambiente Fedora tradicional, que é um [recurso útil](https://containertoolbx.org) para o desenvolvedor perspicaz.
+
+As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer.
+
+### NixOS
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logo NixOS](/assets/img/linux-desktop/nixos.svg){ align=right }
+
+ NixOS é uma distribuição independente baseada no gerenciador de pacotes Nix com foco na reprodutibilidade e confiabilidade.
+
+ [Visite nixos.org](https://nixos.org/){ .md-button .md-button--primary }
+
+O NixOS também fornece atualizações atômicas; primeiro ele baixa (ou constrói) os pacotes e arquivos para a nova geração do sistema e depois muda para ele. Existem diferentes maneiras de mudar para uma nova geração; você pode dizer ao NixOS para ativá-lo após o reinício ou você pode mudar para ele em tempo de execução. Você também pode *testar* a nova geração mudando para ela em tempo de execução, mas não definindo-a como a geração atual do sistema.
+
+NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.
+
+Nix the package manager uses a purely functional language - which is also called Nix - to define packages.
+
+Nix é um gerenciador de pacotes baseado no código fonte; se não houver um pré-cache binário disponível, Nix irá apenas construir o pacote a partir do código fonte usando sua definição. Ele constrói cada pacote em um ambiente sandboxed *puro* , que é o mais independente possível do sistema hospedeiro, tornando assim os binários reprodutíveis.
+
+Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible.
+
+## Distribuições Anónimas-Focusadas
+
+### Whonix
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Whonix logo](/assets/img/linux-desktop/whonix.svg){ align=right }
+
+ **Whonix** é baseado em [Kicksecure](https://www.whonix.org/wiki/Kicksecure), um garfo focado na segurança do Debian. O seu objectivo é proporcionar privacidade, segurança e anonimato na Internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os).
+
+ [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute }
+
+Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.
+
+As futuras versões da Whonix provavelmente incluirão [políticas completas do sistema Apparmor](https://github.com/Whonix/apparmor-profile-everything) e um [lançador de aplicativos sandbox](https://www.whonix.org/wiki/Sandbox-app-launcher) para confinar totalmente todos os processos no sistema.
+
+Whonix é melhor usado [em conjunto com Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers).
+
+Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors.
+
+### Caudas
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ !(/assets/img/linux-desktop/tails.svg){ align=right }
+
+ **Tails** é um sistema operacional live baseado no Debian que roteia todas as comunicações através do Tor. Pode arrancar em quase qualquer computador a partir de um DVD, pen USB ou sdcard.
+
+ O seu objectivo é preservar a privacidade e o anonimato, contornando a censura e não deixando qualquer vestígio de si no computador em que é utilizado.
+
+Acredita-se frequentemente que [open source](https://en.wikipedia.org/wiki/Open-source_software) software é intrinsecamente seguro porque o código fonte está disponível. Há uma expectativa de que a verificação da comunidade ocorra regularmente; no entanto, isto nem sempre é [o caso](https://seirdy.one/2022/02/02/floss-security.html). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized.
+
+Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users.
[Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device.
+
+By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots.
+
+## Security-focused Distributions
+
+### SO Qubes
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logótipo do SO Qubes](/assets/img/qubes/qubes_os.svg){ align=right }
+
+ **Qubes*** é um sistema operacional open-source projetado para fornecer uma forte segurança para a computação desktop. Qubes é baseado no Xen, o Sistema X Window e Linux, e pode executar a maioria das aplicações Linux e utilizar a maioria dos drivers Linux.
+
+ [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary }
+ [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute }
+
+Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*.
+
+The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system.
For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/).
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Considere o auto-hospedagem para mitigar esta ameaça.
+
+ ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails.
+
+Our recommended operating systems:
+
+- Must be open-source.
+- Must receive regular software and Linux kernel updates.
+- Linux distributions must support [Wayland](os/linux-overview.md#Wayland).
+- Must support full-disk encryption during installation.
+- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/dns.md b/i18n/pt/dns.md
new file mode 100644
index 00000000..35783616
--- /dev/null
+++ b/i18n/pt/dns.md
@@ -0,0 +1,147 @@ +--- +title: "Introdução ao DNS" +icon: material/dns +--- + +!!! Devo utilizar DNS encriptado? + + DNS criptografado com uma terceira parte só deve ser usado para contornar redirecionamentos e bloqueio de DNS quando você pode ter certeza de que não haverá nenhuma consequência ou você está interessado em um provedor que faz alguma filtragem rudimentar. DNS criptografado não o ajudará a ocultar qualquer atividade de navegação. + + [Saiba mais sobre DNS](technology/dns.md){ .md-button } + +## Provedores recomendados + +| DNS | Política de Privacidade | Protocolo | Protocolos | Logging | ECS | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | --------- | ----------------------------------------------------------- | ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Comercial | Cleartext
DoH
DoT
DNSCrypt | 4 | Não Filter list being used can be found here. [**DNS sobre HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) como definido em [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) consultas de pacotes no protocolo [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) e fornece segurança com [HTTPS](https://en.wikipedia.org/wiki/HTTPS). |
+| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Comercial | Cleartext
DoH
DoT | 4 | Não |
+| [**ControlID**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Comercial | Cleartext
DoH
DoT | 4 | Não |
+| [**IVPN**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | Comercial | DoH
DoT | 4 | Não Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) |
+| [**PróximoDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Comercial | Cleartext
DoH
DoT
DNSCrypt | Opcional[^5] | Não |
+| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Comercial | Some[^6] | Opcional[^5] | Based on server choice, Malware blocking by default. |
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Considere o auto-hospedagem para mitigar esta ameaça.
+
+ ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails.
+
+- Deve suportar [DNSSEC](technology/dns.md#what-is-dnssec-and-when-is-it-used)
+- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization).
+- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled.
+- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support.
+
+## DNS não criptografado
+
+### Android
+
+As últimas versões do iOS, iPadOS, tvOS e macOS, suportam tanto DoT como DoH. Ambos os protocolos são suportados nativamente através de [perfis de configuração](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) ou através de [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings).
+
+### Dispositivos Apple
+
+Após a instalação de um perfil de configuração ou de um aplicativo que utiliza a API de configurações DNS, a configuração DNS pode ser selecionada. Se uma VPN estiver activa, a resolução dentro do túnel VPN utilizará as definições DNS da VPN e não as definições de todo o seu sistema.
+
+A Apple não fornece uma interface nativa para a criação de perfis DNS criptografados. [Criador de perfil DNS seguro](https://dns.notjakob.com/tool.html) é uma ferramenta não oficial para criar os seus próprios perfis DNS encriptados, no entanto eles não serão assinados.
+
+#### Signed Profiles
+
+Apple does not provide a native interface for creating encrypted DNS profiles. Informações Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/).
+
+!!! info
+
+ ![logótipo DNSCloak](/assets/img/ios/dnscloak.png){ align=right }
+
+ **DNSCloak** é um cliente iOS de código aberto que suporta [DNS-over-HTTPS](/dns/#dns-over-https-doh), [DNSCrypt](/dns/#dnscrypt), e [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki) opções como respostas DNS em cache, consultas DNS de registo local, e listas de blocos personalizadas. Os usuários podem [adicionar resolvedores personalizados por carimbo DNS](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5).
+
+## Encrypted DNS Proxies
+
+Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns).
+
+### DNS
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logo dnscrypt-proxy](/assets/img/dns/dnscrypt-proxy.svg){ align=right }
+
+ **dnscrypt-proxy** é um proxy DNS com suporte para [DNSCrypt](/dns/#dnscrypt), [DNS-over-HTTPS](/dns/#dns-over-https-doh), e [DNS anonimizado](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
+
+ [Visite github.com](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .md-button .md-button--primary } [Política de Privacidade](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button }
+
+ **Downloads***
+ - [:fontawesome-brands-github: Fonte](https://github.com/DNSCrypt/dnscrypt-proxy) downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns)
+ - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases)
+
+### DNSCrypt
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right }
+
+ **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
+
+ !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
+
+ [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows)
+ - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS)
+ - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux)
+
+## Self-hosted Solutions
+
+A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed.
+
+### RethinkDNS
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right }
+
+ **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ AdGuard Home features a polished web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" }
+
+### DNSCloak
+
+!!!
nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right }
+
+ **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute }
+
+--8<-- "includes/abbreviations.pt.txt"
+
+[^1]: Armazenamos métricas agregadas de desempenho do nosso servidor DNS, nomeadamente o número de pedidos completos para um determinado servidor, o número de pedidos bloqueados, a velocidade de processamento dos pedidos. Nós mantemos e armazenamos a base de dados de domínios solicitados nas últimas 24 horas. Precisamos dessas informações para identificar e bloquear novos rastreadores e ameaças. Também registramos quantas vezes este ou aquele rastreador foi bloqueado. Precisamos desta informação para remover regras desactualizadas dos nossos filtros.[https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html)
+[^2]: O Cloudflare recolhe e armazena apenas os dados limitados da consulta DNS que são enviados para o resolvedor 1.1.1.1.
O serviço resolver 1.1.1.1 não registra dados pessoais, e a maior parte dos dados de consulta limitados não identificáveis pessoalmente é armazenada apenas por 25 horas.[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/)
+[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy)
+[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/)
+[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy)
+[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/)
diff --git a/i18n/pt/email-clients.md b/i18n/pt/email-clients.md
new file mode 100644
index 00000000..2f6cfcdf
--- /dev/null
+++ b/i18n/pt/email-clients.md
@@ -0,0 +1,270 @@
+---
+title: "Partilha de ficheiros"
+icon: material/email-open
+---
+
+Nossa lista de recomendações contém clientes de e-mail que suportam tanto [OpenPGP](/encryption/#openpgp) e autenticação forte como [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth permite-lhe utilizar [Multi-Factor Authentication](/multi-factor-authentication) e prevenir o roubo de contas.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. warning "Email does not provide forward secrecy"
+
+ When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email.
+
+ OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy:
+
+ [Real-time Communication](real-time-communication.md){ .md-button }
+
+## Cross-Platform
+
+### Thunderbird
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logótipo Thunderbird](/assets/img/email-clients/thunderbird.svg){ align=right }
+
+ **Thunderbird** é um cliente gratuito, de código aberto, email multiplataforma, newsgroup, news feed, e chat (XMPP, IRC, Twitter) desenvolvido pela comunidade Thunderbird, e anteriormente pela Fundação Mozilla.
+
+ [Visite thunderbird.net](https://www.thunderbird.net){ .md-button .md-button--primary } [Política de Privacidade](https://www.mozilla.org/privacy/thunderbird){ .md-button }
+
+ **Downloads***
+ - [:fontawesome-brands-windows: Windows](https://www.thunderbird.net)
+ - [:fontawesome-brands-apple: macOS](https://www.thunderbird.net)
+ - [:fontawesome-brands-linux: Linux](https://www.thunderbird.net)
+ - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.Thunderbird)
+ - [:fontawesome-brands-git: Source](https://hg.mozilla.org/comm-central) downloads
+
+ - [:simple-windows11: Windows](https://www.thunderbird.net)
+ - [:simple-apple: macOS](https://www.thunderbird.net)
+ - [:simple-linux: Linux](https://www.thunderbird.net)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird)
+
+#### Firefox
+
+We recommend changing some of these settings to make Thunderbird a little more private.
+
+Estas opções podem ser encontradas na página *Privacidade & Segurança* configurações ( ≡ → Configurações → Privacidade & Segurança).
+
+##### Web Content
+
+- [ ] Uncheck **Remember websites and links I've visited**
+- [ ] Uncheck **Accept cookies from sites**
+
+##### Telemetry
+
+- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla**
+
+#### Thunderbird-user.js (advanced)
+
+[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js).
+
+## Platform Specific
+
+### Apple Mail (macOS)
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right }
+
+ **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email.
+
+ [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation}
+
+### Canary Mail (iOS)
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right }
+
+ **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock.
+
+ [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954)
+ - [:simple-windows11: Windows](https://canarymail.io/downloads.html)
+
+!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso.
+
+ Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts.
+
+Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE.
+
+### FairEmail (Android)
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logotipo do Mailvelope](/assets/img/email-clients/mailvelope.svg){ align=right }
+
+ **Mailvelope** é uma extensão do navegador que permite a troca de e-mails criptografados seguindo o padrão de criptografia OpenPGP.
+
+ [Visite mailvelope.com](https://www.mailvelope.com){ .md-button .md-button--primary } [Política de Privacidade](https://www.mailvelope.com/en/privacy-policy){ .md-button }
+
+ **Downloads***
+ - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope)
+ - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke)
+ - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc)
+ - [:fontawesome-brands-github: Source](https://github.com/mailvelope/mailvelope) downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email)
+ - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases)
+
+### GNOME Evolution (GNOME)
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![K-9 Logotipo do correio](/assets/img/email-clients/k9mail.svg){ align=right }
+
+ **K-9 Mail*** é uma aplicação de correio independente que suporta tanto caixas de correio POP3 como IMAP, mas só suporta push mail para IMAP. [Visite k9mail.app](https://k9mail.app){ .md-button .md-button--primary } [Política de Privacidade](https://k9mail.app/privacy){ .md-button }
+
+ **Downloads***
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.fsck.k9)
+ - [:fontawesome-brands-github: Source](https://github.com/k9mail)
+
+ [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution)
+
+### K-9 Mail (Android)
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logotipo FairEmail](/assets/img/email-clients/fairemail.svg){ align=right }
+
+ **FairEmail** é uma aplicação de e-mail de código aberto mínima, utilizando padrões abertos (IMAP, SMTP, OpenPGP) com um baixo consumo de dados e bateria.
+
+ [Visite email.faircode.eu](https://email.faircode.eu){ .md-button .md-button--primary } [Política de Privacidade](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .md-button }
+
+ **Downloads***
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/packages/eu.faircode.email/)
+ - [:fontawesome-brands-github: Source](https://github.com/M66B/FairEmail)
+
+ [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9)
+ - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases)
+
+!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso.
+
+ ![logo Canary Mail](/assets/img/email-clients/canarymail.svg){ align=right }
+
+ **Canary Mail** é um cliente de e-mail pago concebido para tornar a encriptação end-to-end sem falhas com funcionalidades de segurança, tais como um bloqueio biométrico da aplicação. [Visite canarymail.io](https://canarymail.io){ .md-button .md-button--primary } [Política de Privacidade](https://canarymail.io/privacy.html){ .md-button }
+
+ **Downloads***
+ - [:fontawesome-brands-windows: Windows](https://download.canarymail.io/get_windows)
+ - [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/app/id1236045954)
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1236045954)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android)
+
+### Kontact (KDE)
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right }
+
+ **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client.
+
+ [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-linux: Linux](https://kontact.kde.org/download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact)
+
+### Mailvelope (Browser)
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right }
+
+ **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard.
+
+ [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc)
+
+### NeoMutt (CLI)
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right }
+
+ **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features.
+
+ NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable.
+
+ [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-apple: macOS](https://neomutt.org/distro)
+ - [:simple-linux: Linux](https://neomutt.org/distro)
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Considere o auto-hospedagem para mitigar esta ameaça.
+
+ ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails.
+
+### Minimum Qualifications
+
+- Apps developed for open-source operating systems must be open-source.
+- Must not collect telemetry, or have an easy way to disable all telemetry.
+- Must support OpenPGP message encryption.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be open-source.
+- Should be cross-platform.
+- Should not collect any telemetry by default.
+- Should support OpenPGP natively, i.e. without extensions.
+- Should support storing OpenPGP encrypted emails locally.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/email.md b/i18n/pt/email.md
new file mode 100644
index 00000000..e3ab3eb9
--- /dev/null
+++ b/i18n/pt/email.md
@@ -0,0 +1,487 @@
+---
+title: "Provedores de e-mail privados"
+icon: material/email
+---
+
+Encontre um provedor de e-mail seguro que manterá sua privacidade em mente. Não se contente com plataformas suportadas por anúncios.
+
+[Recommended Instant Messengers](real-time-communication.md ""){.md-button}
+
+Para tudo o resto, recomendamos uma variedade de fornecedores de e-mail baseados em modelos de negócio sustentáveis e que incorporem funcionalidades de segurança e de privacidade.
+
+## Serviços de e-mail recomendados
+
+These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
+
+!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso.
+
+ Ao utilizar tecnologia de criptografia de ponta a ponta (E2EE) como o OpenPGP, o e-mail ainda terá alguns metadados que não são criptografados no cabeçalho do e-mail. Leia mais sobre os metadados de e-mail.
+
+ O OpenPGP também não suporta Forward secrecy, o que significa que se a sua chave privada ou a do destinatário for roubada, todas as mensagens anteriores criptografadas com ela serão expostas. Como posso proteger as minhas chaves privadas?
+
+### ProtonMail
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ Ao invés de usar o e-mail para conversas prolongadas, considere a possibilidade de usar um meio que suporte o sigilo do Forward. [Mensageiros Instantâneos Recomendados](real-time-communication.md){ .md-button } Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan.
+
+ As contas gratuitas têm algumas limitações, tais como não ser capaz de procurar no corpo do texto e não ter acesso à [ProtonMail Bridge](https://protonmail.com/bridge), que requer um [cliente de e-mail recomendado](e-mail-clients.md) (por exemplo, Thunderbird). downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905)
+ - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases)
+ - [:simple-windows11: Windows](https://proton.me/mail/bridge#download)
+ - [:simple-apple: macOS](https://proton.me/mail/bridge#download)
+ - [:simple-linux: Linux](https://proton.me/mail/bridge#download)
+ - [:octicons-browser-16: Web](https://mail.proton.me)
+
+Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). verificar "Segurança da Conta". A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
+
+If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free.
+
+Proton Mail has internal crash reports that they **do not** share with third parties. Verifique "Criptografia de E-mail".
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar ".onion Service" (Serviço de cebola)
+
+ ![logo ProtonMail](/assets/img/email/protonmail.svg){ align=right }
+
+ **ProtonMail** é um serviço de e-mail com foco em privacidade, criptografia, segurança e facilidade de uso. Eles estão em operação desde **2013***.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. success "Private Payment Methods"
+
+ Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. nota Consulte a [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ O ProtonMail suporta TOTP [autenticação de dois factores](https://protonmail.com/support/knowledge-base/two-factor-authentication/) apenas. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verifique "Domínios e Pseudônimos Personalizados".
+
+ ProtonMail suporta [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) [autenticação de dois fatores](https://protonmail.com/support/knowledge-base/two-factor-authentication/) apenas. O uso de uma chave de segurança [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) ainda não é suportado.
+
+ Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. info "Formas de pagamento privadas
+
+ ProtonMail tem [criptografia de acesso zero](https://protonmail.com/blog/zero-access-encryption) em repouso para seus e-mails, [contatos do catálogo de endereços](https://protonmail.com/blog/encrypted-contacts-manager), e [calendars](https://protonmail.com/blog/protoncalendar-security-model). Isto significa que as mensagens e outros dados armazenados na sua conta só são legíveis por si. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP.
+
+ O ProtonMail também suporta a descoberta de chaves públicas via HTTP a partir do seu [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. aviso "Métodos de pagamento privados".
+
+ Proton Mail doesn't offer a digital legacy feature.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. info "Segurança de Dados
+
+ If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Clientes móveis".
+
+ Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage.
+
+### Mailbox.org
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right }
+
+ **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed.
+
+ [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:octicons-browser-16: Web](https://login.mailbox.org)
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar ".onion Service" (Serviço de cebola)
+
+ Mailbox.org permite aos usuários usar seu próprio domínio e eles suportam [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using catch-all alias with own domain) endereços. Mailbox.org também suporta [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What é um pseudônimo e como utilizá-lo), o que é útil para usuários que não querem comprar um domínio.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. cheque "Formas de pagamento privadas".
+
+ Mailbox.org não aceita Bitcoin ou quaisquer outras moedas criptográficas como resultado de seu processador de pagamento BitPay suspender operações na Alemanha. No entanto, eles aceitam dinheiro pelo correio, pagamento em dinheiro para conta bancária, transferência bancária, cartão de crédito, PayPal e alguns processadores específicos da Alemanha: paydirekt e Sofortüberweisung.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. nota Consulte a [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ Mailbox.org suporta [autenticação de dois fatores](https://kb.mailbox.org/display/MBOKBEN/How para usar autenticação de dois fatores - 2FA) apenas para o seu webmail. Você pode usar ou [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) ou um [Yubikey](https://en.wikipedia.org/wiki/YubiKey) através do [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Padrões web como [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) ainda não são suportados.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. cheque "Formas de pagamento privadas".
+
+ Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key.
+
+ However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. info "Formas de pagamento privadas
+
+ Mailbox.org tem [criptografia integrada](https://kb.mailbox.org/display/MBOKBEN/Send e-mails criptografados com Guard) em seu webmail, o que simplifica o envio de mensagens aos usuários com chaves públicas OpenPGP. Eles também permitem que [destinatários remotos descriptografem um e-mail](https://kb.mailbox.org/display/MBOKBEN/My destinatário não usa PGP) nos servidores da Mailbox.org. Esta funcionalidade é útil quando o destinatário remoto não tem o OpenPGP e não consegue desencriptar uma cópia do e-mail na sua própria caixa de correio.
+
+ Mailbox.org também suporta a descoberta de chaves públicas via HTTP a partir de seu [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. aviso "Segurança de Dados".
+
+ Você pode acessar sua conta Mailbox.org via IMAP/SMTP usando seu [.onion service](https://kb.mailbox.org/display/MBOKBEN/The Tor exit node of mailbox.org). No entanto, a sua interface de webmail não pode ser acessada através do seu serviço .onion, e os usuários podem experimentar erros no certificado TLS. Alternatively, you can nominate a person by name and address.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. info "Segurança de Dados
+
+ Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract).
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Clientes móveis".
+
+ ![Disroot logo](/assets/img/email/disroot.svg#only-light){ align=right }
+ ![Disroot logo](/assets/img/email/disroot-dark.svg#only-dark){ align=right }
+
+ **Disroot** oferece e-mail entre [outros serviços](https://disroot.org/en/#services). O serviço é mantido por voluntários e sua comunidade.
+ + All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +### Desarraigar + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + Disroot permite que os utilizadores utilizem o seu próprio domínio. Eles têm pseudônimos, porém você deve [aplicar manualmente](https://disroot.org/en/forms/alias-request-form) para eles. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar ".onion Service" (Serviço de cebola) + + Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. 
Tutanota não tem planos de puxar e-mails de [contas de e-mail externas](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) usando o protocolo [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol) . + + Disroot suporta [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) autenticação de dois fatores apenas para webmail. Eles não permitem [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) autenticação da chave de segurança. + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. nota Consulte a [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + Disroot usa criptografia de disco completa. No entanto, não parece ser "acesso zero", o que significa que é tecnicamente possível para eles descriptografar os dados que têm se não forem adicionalmente encriptados com uma ferramenta como OpenPGP. + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. cheque "Formas de pagamento privadas". + + Disroot permite o envio de e-mails criptografados a partir de sua aplicação de webmail usando OpenPGP. No entanto, Disroot não integrou um Web Key Directory (WKD) para os utilizadores na sua plataforma. + + StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. 
info "Formas de pagamento privadas
+
+ StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. aviso "Métodos de pagamento privados".
+
+ StartMail does not offer a digital legacy feature.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. info "Segurança de Dados
+
+ On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration).
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Clientes móveis".
+
+ StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is.
+
+## More Providers
+
+These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. aviso "Criptografia de e-mail".
+
+### Software como um serviço (SaaS) apenas
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Tutanota logo](assets/img/email/tutanota.svg){ align=right }
+
+ **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan.
+
+ [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609)
+ - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases)
+ - [:simple-windows11: Windows](https://tutanota.com/#download)
+ - [:simple-apple: macOS](https://tutanota.com/#download)
+ - [:simple-linux: Linux](https://tutanota.com/#download)
+ - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+
+Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar ".onion Service" (Serviço de cebola)
+
+ Tutanota suporta [autenticação de dois fatores](https://tutanota.com/faq#2fa).
Os usuários podem usar [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) ou [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor).
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. Tutanota não tem planos de puxar e-mails de [contas de e-mail externas](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) usando o protocolo [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol) .
+
+ Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. nota Consulte a [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verifique "Domínios e Pseudônimos Personalizados".
+
+ Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). O serviço é mantido por voluntários e sua comunidade.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. warning "Email Encryption"
+
+ Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external).
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. aviso "Métodos de pagamento privados".
+
+ Tutanota doesn't offer a digital legacy feature.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. info "Segurança de Dados
+
+ Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Clientes móveis".
+
+ Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount.
+
+ Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y.
+
+## Visão Geral da Criptografia de E-mail
+
+An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address.
+
+Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning.
+
+Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain:
+
+- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly.
+- Replies are sent from the alias address, shielding your real email address.
+
+They also have a number of benefits over "temporary email" services:
+
+- Aliases are permanent and can be turned on again if you need to receive something like a password reset.
+- Emails are sent to your trusted mailbox rather than stored by the alias provider.
+- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you.
+
+Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign.
+
+Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider.
+
+### StartMail
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right }
+ ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right }
+
+ **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous.
+
+ [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app)
+ - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe)
+
+The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.
+
+Notable free features:
+
+- Criptografa os dados da conta em repouso.
+- A criptografia integrada do webmail proporciona conveniência aos usuários que desejam melhorar ao não ter [E2EE](https://en.wikipedia.org/wiki/End-to-end_encryption) criptografia.
+- [ ] No Outgoing Replies
+- [x] 2 Recipient Mailboxes
+- [x] Automatic PGP Encryption
+
+### CTemplar
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right }
+
+ **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains.
+
+ [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858)
+ - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff)
+ - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017)
+
+SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future.
SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf).
+
+You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free.
+
+Notable free features:
+
+- Criptografa os dados da conta em repouso com criptografia de acesso zero.
+- [x] Unlimited Replies
+- [x] 1 Recipient Mailbox
+
+## Visão Geral dos Metadados de Email
+
+Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable.
+
+### Combined software solutions
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Mailcow logo](assets/img/email/mailcow.svg){ align=right }
+
+ **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support.
+
+ [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute }
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right }
+
+ **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server.
+
+ [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" }
+
+For a more manual approach we've picked out these two articles:
+
+- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019)
+- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017)
+
+## Framadate
+
+**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you.
+
+### Jurisdição
+
+We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require.
+
+**O melhor caso:**
+
+- Operando fora dos EUA ou de outros países da Five Eyes.
+- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard.
+- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name).
Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy.
+- Operates on owned infrastructure, i.e. not built upon third-party email service providers.
+
+**Best Case:**
+
+- Protecção do webmail com [autenticação de dois factores (2FA)](https://en.wikipedia.org/wiki/Multi-factor_authentication), tal como [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm).
+- Integrated webmail E2EE/PGP encryption provided as a convenience.
+- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com`
+- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
+- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
+- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
+- Catch-all or alias functionality for those who own their own domains.
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
+
+### Tecnologia
+
+We prefer our recommended providers to collect as little data as possible.
+
+**O melhor caso:**
+
+- Protect sender's IP address. Filter it from showing in the `Received` header field.
+- Don't require personally identifiable information (PII) besides a username and a password.
+- Privacy policy that meets the requirements defined by the GDPR
+- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/).
+
+**Best Case:**
+
+- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
+
+### Privacidade
+
+Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members.
+
+**O melhor caso:**
+
+- Protection of webmail with 2FA, such as TOTP.
+- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
+- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
+- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption.
+- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
+- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
+- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
+- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
+- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/).
+- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
+- Website security standards such as:
+ - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+ - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
+- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt.
+
+**Best Case:**
+
+- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name).
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support.
+- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
+- Programas de recompensa de bugs e/ou um processo coordenado de divulgação de vulnerabilidades.
+- Website security standards such as:
+ - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
+ - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
+
+### Segurança
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**O melhor caso:**
+
+- Esquemas de Criptografia Fortes: OpenVPN com autenticação SHA-256; RSA-2048 ou melhor aperto de mão; AES-256-GCM ou AES-256-CBC encriptação de dados.
+
+**Best Case:**
+
+- A Encriptação mais forte: RSA-4096.
+- Perfect Forward Secrecy (PFS).
+
+### Confiança
+
+With the email providers we recommend we like to see responsible marketing.
+
+**O melhor caso:**
+
+- Deve auto-instalar análises (sem Google Analytics, etc.). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
+- Fazer garantias de protecção do anonimato a 100%. Quando alguém afirma que algo é 100%, significa que não há certeza de fracasso. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+
+- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc)
+- [Impressão digital do navegador](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+
+**Best Case:**
+
+- Deve auto-instalar análises (sem Google Analytics, etc.). This includes things like, setting up 2FA, email clients, OpenPGP, etc.
+
+### Marketing
+
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/encryption.md b/i18n/pt/encryption.md
new file mode 100644
index 00000000..7f3aeb76
--- /dev/null
+++ b/i18n/pt/encryption.md
@@ -0,0 +1,377 @@
+---
+title: "Software de encriptação"
+icon: material/file-lock
+---
+
+A encriptação de dados é a única forma de controlar quem pode acessá-los. Se você não estiver usando software de criptografia para o seu disco rígido, e-mails ou arquivos, você deve escolher uma opção aqui.
+
+## Multi-plataforma
+
+As opções listadas aqui são multi-plataforma e excelentes para criar backups criptografados dos seus dados.
+
+### VeraCrypt
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logo VeraCrypt](/assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
+ ![VeraCrypt logo](/assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
+
+ **VeraCrypt** é um utilitário freeware disponível na fonte, utilizado para encriptação on-the-fly. Ele pode criar um disco virtual encriptado dentro de um ficheiro, encriptar uma partição ou encriptar todo o dispositivo de armazenamento com autenticação pré-boot.
+
+ [Visite veracrypt.fr](https://veracrypt.fr){ .md-button .md-button--primary }
+
+ **Downloads***
+ - [:fontawesome-brands-windows: Windows](https://www.veracrypt.fr/en/Downloads.html)
+ - [:fontawesome-brands-apple: macOS](https://www.veracrypt.fr/pt/Downloads.html)
+ - [:fontawesome-brands-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
+ - [:fontawesome-brands-git: Source](https://www.veracrypt.fr/code) downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:simple-android: Android](https://cryptomator.org/android)
+ - [:simple-windows11: Windows](https://cryptomator.org/downloads)
+ - [:simple-apple: macOS](https://cryptomator.org/downloads)
+ - [:simple-linux: Linux](https://cryptomator.org/downloads)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+
+O VeraCrypt é um garfo do projeto TrueCrypt descontinuado. De acordo com seus desenvolvedores, melhorias de segurança foram implementadas e questões levantadas pela auditoria inicial do código TrueCrypt foram abordadas.
+
+Ao encriptar com VeraCrypt, o utilizador tem a opção de seleccionar de diferentes [funções hash](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). Sugerimos aos utilizadores **apenas** seleccione [SHA-512](https://en.wikipedia.org/wiki/SHA-512) e deve ficar com o [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) cifra de bloco. The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS.
+
+Truecrypt foi [auditada várias vezes](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits) e VeraCrypt também foi [auditada separadamente](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
+
+### Criptomador
+
+!!!
nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logo do criptomator](/assets/img/encryption-software/cryptomator.svg){ align=right }
+
+ **Cryptomator** facilita o carregamento de ficheiros para a nuvem num sistema de ficheiros virtual encriptado. [Visite cryptomator.org](https://cryptomator.org){ .md-button .md-button--primary } [Política de Privacidade](https://cryptomator.org/privacy){ .md-button }
+
+ **Downloads***
+ - [:fontawesome-brands-windows: Windows](https://cryptomator.org/downloads)
+ - [:fontawesome-brands-apple: macOS](https://cryptomator.org/downloads)
+ - [:fontawesome-brands-linux: Linux](https://cryptomator.org/downloads)
+ - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.cryptomator.cryptomator)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:fontawesome-brands-android: F-Droid repo](https://cryptomator.org/android)
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:fontawesome-brands-github: Source](https://github.com/cryptomator) It uses Go's standard x/crypto modules for its encryption features.
+
+ [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases)
+
+### Picocrypt
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logotipo Picocrypt](/assets/img/encryption-software/picocrypt.svg){ align=right }
+
+ **Picocrypt** é uma pequena e simples ferramenta de encriptação que fornece uma encriptação moderna. Picocrypt usa a cifra segura XChaCha20 e a função de derivação da chave Argon2id para proporcionar um alto nível de segurança.
+
+ Ele usa os módulos x/crypto padrão da Go para suas funcionalidades de criptografia. [Visite github.com](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
+
+ **Downloads***
+ - [:fontawesome-brands-windows: Windows](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:fontawesome-brands-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:fontawesome-brands-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:fontawesome-brands-github: Source](https://github.com/HACKERALERT/Picocrypt)
+
+VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.
+
+When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher.
+
+Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
+
+## Sistema operacional incluído Criptografia de disco completo (FDE)
+
+Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor).
+
+### BitLocker
+
+!!!
nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![BitLocker logo](/assets/img/encryption-software/bitlocker.png){ align=right }
+
+ **BitLocker** é a solução de encriptação de volume completo, em conjunto com o Microsoft Windows. O principal motivo pelo qual o recomendamos é devido ao seu [uso do TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), uma empresa forense, escreveu sobre isso em [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).
+
+ [Visite microsoft.com](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .md-button .md-button--primary }
+
+BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. Também, FileVault deve ser habilitado **após** uma instalação macOS completa como mais gerador de números pseudorandomais ([PRNG](https://support.apple.com/guide/security/random-number-generation-seca0c73a75b/web)) [entropia](https://en.wikipedia.org/wiki/Entropy_(computing)) estará disponível.
+
+ Para habilitar o BitLocker nas edições "Home" do Windows, você deve ter partições formatadas com um módulo [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) e ter um [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module) (v1.2, 2.0 ) dedicado.
+
+ 1. Open a command prompt and check your drive's partition table format with the following command.
You should see "**GPT**" listed under "Partition Style":
+
+ ```
+ powershell Get-Disk
+ ```
+
+ 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`:
+
+ ```
+ powerhell Get-Disk 0 | findstr GPT && echo Este é um disco do sistema GPT!
+ ```
+
+ 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**.
+
+ 4. Login with your admin account and type this in the command prompt to start encryption:
+
+ ```
+ manage-bde -on c: -used
+ ```
+
+ 5. Close the command prompt and continue booting to regular Windows.
+
+ 6. Feche o prompt de comando, e entre no PowerShell:
+
+ ```
+ manage-bde c: -protectores -add -rp -tpm
+ manage-bde -protectores -enable c:
+ manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
+ ```
+
+ !!! aviso
+ Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado.
+
+ Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data.
+
+### FileVault
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![FileVault logo](/assets/img/encryption-software/filevault.png){ align=right }
+
+ **FileVault** é a solução de encriptação de volume on-the-fly integrada em macOS. FileVault é recomendado porque [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) recursos de segurança de hardware presentes em um SoC de silício Apple ou Chip de Segurança T2.
+
+ [Visite support.apple.com](https://support.apple.com/en-us/HT204837){ .md-button .md-button--primary }
+
+We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery.
+
+### Configuração da Chave Unificada Linux (LUKS)
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![LUKS logo](/assets/img/encryption-software/luks.png){ align=right }
+
+ **LUKS*** é o método padrão de criptografia de disco completo para Linux. Ele pode ser usado para criptografar volumes completos, partições ou criar containers criptografados.
+
+ [Visite gitlab.com](https://gitlab.com/cryptsetup/cryptsetup){ .md-button .md-button--primary }
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. example "Creating and opening encrypted containers"
+
+ ```
+ dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
+ sudo cryptsetup luksFormat /path-to-file
+ ```
+
+
+ #### Abrindo recipientes encriptados
+ Recomendamos abrir recipientes e volumes com `udisksctl`, pois este utiliza [Polkit](https://en.wikipedia.org/wiki/Polkit). A maioria dos gestores de ficheiros, tais como os incluídos em ambientes de desktop populares, consegue desbloquear ficheiros encriptados. Ferramentas como [udiskie](https://github.com/coldfix/udiskie) podem ser executadas na bandeja do sistema e fornecer uma interface de usuário útil.
+ ```
+ udisksctl loop-setup -f /path-tofile
+ udisksctl unlock -b /dev/loop0
+ ```
+
+!!! note "Remember to back up volume headers"
+
+ Recomendamos que você sempre [faça backup dos seus cabeçalhos LUKS](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) em caso de falha parcial da unidade.
Isto pode ser feito com:
+
+ ```
+ cryptsetup luksHeaderBackup /device/device --header-backup-file /mnt/backup/file.img
+ ```
+
+## Navegador baseado em
+
+Ferramentas com interfaces de linha de comando são úteis para intergrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script).
+
+### chapéu.sh
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![hat.sh logo](/assets/img/encryption-software/hat-sh.png#only-light){ align=right }
+ ![hat.sh logo](/assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
+
+ **Hat.sh*** é uma aplicação web que fornece criptografia segura de arquivos do lado do cliente no seu navegador. Também pode ser auto-hospedado e é útil se você precisar criptografar um arquivo, mas não pode instalar qualquer software no seu dispositivo, devido às políticas organizacionais.
+
+ [Visite hat.sh](https://hat.sh){ .md-button .md-button--primary }
+
+ **Downloads***
+ - [:fontawesome-brands-github: Fonte](https://github.com/sh-dv/hat.sh)
+
+## Linha de comando
+
+Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script).
+
+### Kryptor
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logo Kryptor](/assets/img/encryption-software/kryptor.png){ align=right }
+
+ **Kryptor** é uma ferramenta de criptografia e assinatura de arquivos livre e de código aberto que faz uso de algoritmos criptográficos modernos e seguros. Pretende ser uma versão melhor de [age](https://github.com/FiloSottile/age) e [Minisign](https://jedisct1.github.io/minisign/) para fornecer uma alternativa simples e amigável ao GPG.
+
+ [Visite kryptor.co.uk](https://www.kryptor.co.uk){ .md-button .md-button--primary } [Política de Privacidade](https://www.kryptor.co.uk/features#privacy){ .md-button }
+
+ **Downloads***
+ - [:fontawesome-brands-windows: Windows](https://www.kryptor.co.uk)
+ - [:fontawesome-brands-apple: macOS](https://www.kryptor.co.uk)
+ - [:fontawesome-brands-linux: Linux](https://www.kryptor.co.uk)
+ - [:fontawesome-brands-github: Fonte](https://github.com/samuel-lucas6/Kryptor) downloads
+
+ - [:simple-windows11: Windows](https://www.kryptor.co.uk)
+ - [:simple-apple: macOS](https://www.kryptor.co.uk)
+ - [:simple-linux: Linux](https://www.kryptor.co.uk)
+
+### Túmulo
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Logotipo da Tumba](/assets/img/encryption-software/tomb.png){ align=right }
+
+ **Tomb** é uma shell wrapper de linha de comando para LUKS. Ele suporta esteganografia através de [ferramentas de terceiros](https://github.com/dyne/Tomb#how-does-it-work).
+
+ [Visite dyne.org](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
+
+ **Downloads***
+ - [:fontawesome-brands-github: Fonte](https://github.com/dyne/Tomb)
+
+## OpenPGP
+
+OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. Dica "Use padrões futuros ao gerar uma chave". For tasks such as signing or encrypting files, we suggest the above options.
+
+When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
+
+!!!
tip "Use future defaults when generating a key"
+
+ Quando [gerando chaves](https://www.gnupg.org/gph/en/manual/c14.html) sugerimos utilizar o comando `future-default`, pois isto instruirá o GnuPG a utilizar criptografia moderna como [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) e [Ed25519](https://ed25519.cr.yp.to/):
+
+ ```bash
+ gpg --quick-gen-key alice@example.com future-default
+ ```
+
+### Guarda de Privacidade GNU
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![GNU Privacy Guard logo](/assets/img/encryption-software/gnupg.svg){ align=right }
+
+ **GnuPG** é uma alternativa GPL-licenciada ao conjunto de software criptográfico PGP. GnuPG está em conformidade com [RFC 4880](https://tools.ietf.org/html/rfc4880), que é a especificação atual da IETF do OpenPGP. O projeto GnuPG tem trabalhado em um [rascunho atualizado](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) numa tentativa de modernizar o OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government.
+
+ [Visite gnupg.org](https://gnupg.org){ .md-button .md-button--primary } [Política de Privacidade](https://gnupg.org/privacy-policy.html){ .md-button }
+
+ **Downloads***
+ - [:fontawesome-brands-windows: Windows](https://gpg4win.org/download.html)
+ - [:fontawesome-brands-apple: macOS](https://gpgtools.org)
+ - [:fontawesome-brands-linux: Linux](https://gnupg.org/download/index.html#binary)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:fontawesome-brands-git: Fonte](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git) downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+ - [:simple-apple: macOS](https://gpgtools.org)
+ - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary)
+
+### GPG4win
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![GPG4win logo](/assets/img/encryption-software/gpg4win.svg){ align=right }
+
+ **GPG4win** é um pacote para Windows da [Intevation and g10 Code](https://gpg4win.org/impressum.html). Inclui [várias ferramentas](https://gpg4win.org/about.html) que auxiliam os usuários do PGP no Microsoft Windows. O projeto foi iniciado e originalmente [financiado por](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) pelo Escritório Federal de Segurança da Informação (BSI) da Alemanha em 2005.
+
+ [Visite gpg4win.org](https://gpg4win.org){ .md-button .md-button--primary } [Política de Privacidade](https://gpg4win.org/privacy-policy.html){ .md-button }
+
+ **Downloads***
+ - [:fontawesome-brands-windows: Windows](https://gpg4win.org/download.html)
+ - [:fontawesome-brands-git: Fonte](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary) downloads
+
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+
+### Suíte GPG
+
+!!! note
+
+ We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices.
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right }
+
+ **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS.
+
+ We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support.
+
+ [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-apple: macOS](https://gpgtools.org)
+
+### OpenKeychain
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logótipo OpenKeychain](/assets/img/encryption-software/openkeychain.svg){ align=right }
+
+ **OpenKeychain** é uma implementação Android do GnuPG.
É normalmente exigido por clientes de e-mail como [K-9 Mail](/email-clients/#k-9-mail) e [FairEmail](/email-clients/#fairemail) e outros aplicativos Android para fornecer suporte à criptografia. Cure53 concluiu uma [auditoria de segurança](https://www.openkeychain.org/openkeychain-3-6) da OpenKeychain 3.6 em outubro de 2015. Detalhes técnicos sobre a auditoria e as soluções OpenKeychain podem ser encontrados [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).
+
+ [Visite openkeychain.org](https://www.openkeychain.org){ .md-button .md-button--primary } [Política de Privacidade](https://www.openkeychain.org/help/privacy-policy){ .md-button }
+
+ **Downloads***
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/packages/org.sufficientlysecure.keychain/)
+ - [:fontawesome-brands-git: Source](https://github.com/open-keychain/open-keychain) downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Considere o auto-hospedagem para mitigar esta ameaça.
+
+ ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails.
+
+### Minimum Qualifications
+
+- Cross-platform encryption apps must be open-source.
+- File encryption apps must support decryption on Linux, macOS, and Windows.
+- External disk encryption apps must support decryption on Linux, macOS, and Windows.
+- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave.
+- File encryption apps should have first- or third-party support for mobile platforms.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/file-sharing.md b/i18n/pt/file-sharing.md
new file mode 100644
index 00000000..2c3f4ecf
--- /dev/null
+++ b/i18n/pt/file-sharing.md
@@ -0,0 +1,169 @@
+---
+title: "Ferramentas de Autenticação Multi-Factor"
+icon: material/share-variant
+---
+
+Descubra como partilhar os seus ficheiros em privado entre os seus dispositivos, com os seus amigos e família, ou anonimamente online.
+
+## Gestores de senhas
+
+### OnionShare
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logotipo OnionShare](/assets/img/file-sharing-sync/onionshare.svg){ align=right }
+
+ **OnionShare** é uma ferramenta de código aberto que lhe permite partilhar de forma segura e anónima um ficheiro de qualquer tamanho. Funciona iniciando um servidor web acessível como um serviço Tor onion, com um URL indiscutível que você pode compartilhar com os destinatários para baixar ou enviar arquivos. [Visite onionshare.org](https://onionshare.org){ .md-button .md-button--primary } [:pg-tor:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .md-button }
+
+ **Downloads***
+ - [:fontawesome-brands-windows: Windows](https://onionshare.org/#download)
+ - [:fontawesome-brands-apple: macOS](https://onionshare.org/#download)
+ - [:fontawesome-brands-linux: Linux](https://onionshare.org/#download)
+ - [:fontawesome-brands-github: Fonte](https://github.com/onionshare/onionshare) You can use other public instances, or you can host Send yourself.
+
+ [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute }
+
+Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI.
If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server:
+
+```bash
+ffsend upload --host https://send.vis.ee/ FILE
+```
+
+### Buraco de Verme Mágico
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logotipo FreedomBox](/assets/img/file-sharing-sync/freedombox.svg){ align=right }
+
+ **FreedomBox** é um sistema operacional projetado para ser executado em um [computador de placa única (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). O objetivo é facilitar a configuração de aplicações de servidor que você pode querer auto-hospedar.
+
+ [Visite freedombox.org](https://freedombox.org){ .md-button .md-button--primary }
+
+ **Downloads***
+ - [:fontawesome-brands-git: Fonte](https://salsa.debian.org/freedombox-team/freedombox) downloads
+
+ - [:simple-windows11: Windows](https://onionshare.org/#download)
+ - [:simple-apple: macOS](https://onionshare.org/#download)
+ - [:simple-linux: Linux](https://onionshare.org/#download)
+
+### Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Considere o auto-hospedagem para mitigar esta ameaça.
+
+ ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits.
Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails.
+
+- Must not store decrypted data on a remote server.
+- Must be open-source software.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+## FreedomBox
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right }
+
+ **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host.
+
+ [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation}
+ [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute }
+
+## Sincronização de arquivos
+
+### Nextcloud (Client-Server)
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logotipo do LibreOffice](/assets/img/productivity/libreoffice.svg){ align=right }
+
+ **LibreOffice** é uma suite de escritório gratuita e de código aberto com amplas funcionalidades.
+
+ [Visite libreoffice.org](https://www.libreoffice.org){ .md-button .md-button--primary } [Política de Privacidade](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button }
+
+ **Downloads***
+ - [:fontawesome-brands-windows: Windows](https://www.libreoffice.org/download/download/)
+ - [:fontawesome-brands-apple: macOS](https://www.libreoffice.org/download/download/)
+ - [:fontawesome-brands-linux: Linux](https://www.libreoffice.org/download/download/)
+ - [:pg-flathub: Flatpak](https://www.libreoffice.org/download/download/)
+ - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/)
+ - [:pg-openbsd: OpenBSD](https://openports.se/editors/libreoffice)
+ - [:pg-netbsd: NetBSD](https://pkgsrc.se/misc/libreoffice)
+ - [:fontawesome-brands-google-play: Google Play](https://www.libreoffice.org/download/android-and-ios/)
+ - [:fontawesome-brands-app-store-ios: App Store](https://www.libreoffice.org/download/android-and-ios/)
+ - [:fontawesome-brands-git: Source](https://www.libreoffice.org/about-us/source-code) downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!! Isto permite-nos fornecer recomendações completamente objectivas. Desenvolvemos um conjunto claro de requisitos para qualquer provedor de VPN que deseje ser recomendado, incluindo criptografia forte, auditorias de segurança independentes, tecnologia moderna, e muito mais.
+
+ ![OnlyOffice logo](/assets/img/productivity/onlyoffice.svg){ align=right }
+
+ **OnlyOffice** é uma alternativa, é uma suite de escritório gratuita e de código aberto com uma extensa funcionalidade.
+
+### Syncthing (P2P)
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right }
+
+ **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS.
+
+ [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid)
+ - [:simple-windows11: Windows](https://syncthing.net/downloads/)
+ - [:simple-apple: macOS](https://syncthing.net/downloads/)
+ - [:simple-linux: Linux](https://syncthing.net/downloads/)
+ - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/)
+ - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/)
+ - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/)
+
+### Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations.
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Considere o auto-hospedagem para mitigar esta ameaça.
+
+ ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails.
+
+#### Minimum Requirements
+
+- Must not require a third-party remote/cloud server.
+- Must be open-source software.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Has mobile clients for iOS and Android, which at least support document previews.
+- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/frontends.md b/i18n/pt/frontends.md
new file mode 100644
index 00000000..9905b316
--- /dev/null
+++ b/i18n/pt/frontends.md
@@ -0,0 +1,283 @@ +--- +title: "Gestores de senhas" +icon: material/flip-to-front +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## Clientes + +### Librarian + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. 
+ + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Reddit + +### Nitter + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. 
+ + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. 
+ + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### FreeTube + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. 
+ + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. 
+ + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! 
Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. 
+ + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. 
Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. + +--8<-- "includes/abbreviations.pt.txt" diff --git a/i18n/pt/index.md b/i18n/pt/index.md new file mode 100644 index 00000000..6e425673 --- /dev/null +++ b/i18n/pt/index.md 
@@ -0,0 +1,44 @@
+---
+template: overrides/home.pt.html
+hide:
+ - navigation
+ - toc
+ - feedback
+---
+
+
+## Why should I care?
+
+##### “I have nothing to hide. Why should I care about my privacy?”
+
+Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination).
+
+You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human.
+
+[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary}
+
+## What should I do?
+
+##### First, you need to make a plan
+
+Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them.
+
+==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
+
+[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary}
+
+---
+
+## We need you!
Here's how to get involved:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" }
+[:material-information-outline:](about/index.md){ title="Learn more about us" }
+[:material-hand-coin-outline:](about/donate.md){ title="Support the project" }
+
+It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/kb-archive.md b/i18n/pt/kb-archive.md
new file mode 100644
index 00000000..15766695
--- /dev/null
+++ b/i18n/pt/kb-archive.md
@@ -0,0 +1,18 @@
+---
+title: KB Archive
+icon: material/archive
+---
+
+# Pages Moved to Blog
+
+Some pages that used to be in our knowledge base can now be found on our blog:
+
+- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
+- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
+- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+- [Integração da Remoção de Metadados](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
+- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/meta/brand.md b/i18n/pt/meta/brand.md
new file mode 100644
index 00000000..35a2225f
--- /dev/null
+++ b/i18n/pt/meta/brand.md
@@ -0,0 +1,24 @@
+---
+title: Branding Guidelines
+---
+
+The name of the website is **Privacy Guides** and should **not** be changed to:
+
+
+- PrivacyGuides
+- Privacy guides
+- PG
+- PG.org
+
+
+The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**.
+
+Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand)
+
+## Trademark
+
+"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project.
+
+Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/meta/git-recommendations.md b/i18n/pt/meta/git-recommendations.md
new file mode 100644
index 00000000..8e02a1f8
--- /dev/null
+++ b/i18n/pt/meta/git-recommendations.md
@@ -0,0 +1,48 @@
+---
+title: Git Recommendations
+---
+
+If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations.
+
+## Enable SSH Key Commit Signing
+
+You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
+
+1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo):
+ ```
+ git config --global commit.gpgsign true
+ git config --global gpg.format ssh
+ git config --global tag.gpgSign true
+ ```
+2. Copy your SSH public key to your clipboard, for example:
+ ```
+ pbcopy < ~/.ssh/id_ed25519.pub
+ # Copies the contents of the id_ed25519.pub file to your clipboard
+ ```
+3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard:
+ ```
+ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'
+ ```
+
+Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key).
+
+## Rebase on Git pull
+
+Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo).
+
+You can set this to be the default behavior:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase from `main` before submitting a PR
+
+If you are working on your own branch, run these commands before submitting a PR:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/meta/uploading-images.md b/i18n/pt/meta/uploading-images.md
new file mode 100644
index 00000000..7d49049b
--- /dev/null
+++ b/i18n/pt/meta/uploading-images.md
@@ -0,0 +1,91 @@
+---
+title: Uploading Images
+---
+
+Here are a couple of general rules for contributing to Privacy Guides:
+
+## Images
+
+- We **prefer** SVG images, but if those do not exist we can use PNG images
+
+Company logos have canvas size of:
+
+- 128x128px
+- 384x128px
+
+## Optimization
+
+### PNG
+
+Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image:
+
+```bash
+optipng -o7 file.png
+```
+
+### SVG
+
+#### Inkscape
+
+[Scour](https://github.com/scour-project/scour) all SVG images.
+
+In Inkscape:
+
+1. File Save As..
+2. Set type to Optimized SVG (*.svg)
+
+In the **Options** tab:
+
+- **Number of significant digits for coordinates** > **5**
+- [x] Turn on **Shorten color values**
+- [x] Turn on **Convert CSS attributes to XML attributes**
+- [x] Turn on **Collapse groups**
+- [x] Turn on **Create groups for similar attributes**
+- [ ] Turn off **Keep editor data**
+- [ ] Turn off **Keep unreferenced definitions**
+- [x] Turn on **Work around renderer bugs**
+
+In the **SVG Output** tab under **Document options**:
+
+- [ ] Turn off **Remove the XML declaration**
+- [x] Turn on **Remove metadata**
+- [x] Turn on **Remove comments**
+- [x] Turn on **Embeded raster images**
+- [x] Turn on **Enable viewboxing**
+
+In the **SVG Output** under **Pretty-printing**:
+
+- [ ] Turn off **Format output with line-breaks and indentation**
+- **Indentation characters** > Select **Space**
+- **Depth of indentation** > **1**
+- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element**
+
+In the **IDs** tab:
+
+- [x] Turn on **Remove unused IDs**
+- [ ] Turn off **Shorten IDs**
+- **Prefix shortened IDs with** > `leave blank`
+- [x] Turn on **Preserve manually created IDs not ending with digits**
+- **Preserve the following IDs** > `leave blank`
+- **Preserve IDs starting with** > `leave blank`
+
+#### CLI
+
+The same can be achieved with the [Scour](https://github.com/scour-project/scour) command:
+
+```bash
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/meta/writing-style.md b/i18n/pt/meta/writing-style.md
new file mode 100644
index 00000000..e1e044e0
--- /dev/null
+++ b/i18n/pt/meta/writing-style.md
@@ -0,0 +1,89 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. 
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. 
+ +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation + +--8<-- "includes/abbreviations.pt.txt" diff --git a/i18n/pt/mobile-browsers.md b/i18n/pt/mobile-browsers.md new file mode 100644 index 00000000..b855d61d --- /dev/null +++ b/i18n/pt/mobile-browsers.md 
@@ -0,0 +1,196 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Bromite + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo Safari](/assets/img/browsers/safari.svg){ align=right } + + **Safari** é o navegador padrão no iOS. + + Inclui [características de privacidade](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0), tais como Proteção de Rastreamento Inteligente, Relatório de Privacidade, abas isoladas de Navegação Privada, iCloud Private Relay, e atualizações automáticas de HTTPS. 
+ + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Firefox + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- Selecione: "Abrir links em abas incógnitas sempre". + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +
+ +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Origem do uBlock + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo AdGuard](/assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for Safari** é uma extensão gratuita e de código aberto para bloqueio de conteúdo do Safari que usa a API nativa [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). Sugerimos activar os filtros labled *#recommended* sob "Ad Blocking" e "Privacy" [bloqueadores de conteúdo](https://kb.adguard.com/en/safari/overview#content-blockers). + + Os filtros *#recommended* também podem ser ativados para os bloqueadores de conteúdo "Social Widgets" e "Annoyances", mas eles podem quebrar algumas funções das mídias sociais. + +#### Firefox + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. 
+ +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). 
Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. 
+ +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +--8<-- "includes/abbreviations.pt.txt" diff --git a/i18n/pt/multi-factor-authentication.md b/i18n/pt/multi-factor-authentication.md new file mode 100644 index 00000000..efa783d1 --- /dev/null +++ b/i18n/pt/multi-factor-authentication.md 
@@ -0,0 +1,151 @@ +--- +title: "Autenticadores Multi-Factor" +icon: 'O uso de AMF forte pode parar mais de 99% dos acessos não autorizados à conta, e é fácil de configurar nos serviços que você já usa.' +--- + +## Chaves de Segurança de Hardware + +### YubiKey + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![YubiKeys](/assets/img/multi-factor-authentication/yubikey.png) As **YubiKeys** estão entre as chaves de segurança mais populares. Alguns modelos YubiKey têm uma vasta gama de características, como por exemplo: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 WebAuthn](https://en.wikipedia.org/wiki/WebAuthn), [Yubico OTP](https://developers.yubico.com/OTP/), [PIV](https://en.wikipedia.org/wiki/FIPS_201), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP e HOTP](https://developers.yubico.com/OATH/) autenticação. + + Um dos benefícios do YubiKey é que uma chave pode fazer quase tudo (YubiKey 5), que você poderia esperar de uma chave de segurança de hardware. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. Recomendamos vivamente que seleccione chaves da série YubiKey 5. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). 
For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +Para modelos que suportam HOTP e TOTP, existem 2 slots na interface OTP que podem ser utilizados para HOTP e 32 slots para armazenar segredos TOTP. Estes segredos são armazenados encriptados na chave e nunca os expõe aos dispositivos em que estão ligados. Uma vez que uma semente (segredo compartilhado) é dada ao Yubico Authenticator, ele só dará os códigos de seis dígitos, mas nunca a semente. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! atenção + O firmware do YubiKeys não são de código aberto e não são actualizáveis. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey / Librem Key + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. 
O **Nitrokey 3** listado terá um conjunto de recursos combinados. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +Para os modelos que suportam HOTP e TOTP, existem 3 slots para HOTP e 15 para TOTP. Alguns Nitrokeys podem agir como um gerenciador de senhas. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html). + + The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. + + O aplicativo Nitrokey, embora compatível com Librem Keys, requer o `libnitrokey` versão 3.6 ou superior para reconhecê-los. 
Atualmente, o pacote está desatualizado no Windows, macOS e no repositório da maioria das distribuições Linux, então você provavelmente terá que compilar você mesmo o aplicativo Nitrokey para colocá-lo funcionando com a Chave Librem. No Linux, você pode obter uma versão atualizada de [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. 
+ +## Aplicativos Autenticadores + +As aplicações autenticadoras implementam um padrão de segurança adotado pela Internet Engineering Task Force (IETF) chamado **Senhas únicas baseadas no tempo**, ou **TOTP**. Este é um método onde os sites compartilham um segredo com você que é usado pelo seu aplicativo autenticador para gerar um código de seis (geralmente) dígitos baseado na hora atual, que você entra enquanto faz o login para que o site seja verificado. Normalmente estes códigos são regenerados a cada 30 segundos, e assim que um novo código é gerado, o antigo torna-se inútil. Mesmo que um hacker receba um código de seis dígitos, não há maneira de reverter esse código para obter o segredo original, ou ser capaz de prever o que qualquer código futuro pode ser. + +Recomendamos vivamente que utilize aplicações TOTP móveis em vez de alternativas de desktop, uma vez que o Android e o IOS têm melhor segurança e isolamento de aplicações do que a maioria dos sistemas operativos desktop. + +### Aegis Authenticator (Android) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo Aegis](/assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** é uma aplicação gratuita, segura e de código aberto para gerir os seus tokens de verificação em 2 passos para os seus serviços online. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logótipo Raivo OTP](/assets/img/multi-factor-autenticação/raivo-otp.png){ align=right } + + **Raivo OTP*** é um cliente nativo, leve e seguro baseado no tempo (TOTP) & cliente com senha baseada em contador (HOTP) para iOS. Raivo OTP oferece backup iCloud opcional & sync. Raivo OTP também está disponível para MacOS na forma de um aplicativo de barra de status, porém o aplicativo Mac não funciona independentemente do aplicativo iOS. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. 
Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Must be open-source software. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. + +--8<-- "includes/abbreviations.pt.txt" diff --git a/i18n/pt/news-aggregators.md b/i18n/pt/news-aggregators.md new file mode 100644 index 00000000..d2430782 --- /dev/null +++ b/i18n/pt/news-aggregators.md 
@@ -0,0 +1,185 @@ +--- +title: "Comunicação em Tempo Real" +icon: material/rss +--- + +A [agregador de notícias](https://en.wikipedia.org/wiki/News_aggregator) é uma forma de acompanhar os seus blogs e sites de notícias favoritos. + +## Clientes agregadores + +### Leitor Fluente + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo Fluent Reader](/assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** é um agregador de notícias seguro em várias plataformas que possui recursos de privacidade úteis, como exclusão de cookies na saída, [políticas de segurança de conteúdo (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) e suporte a proxy, o que significa que você pode usá-lo sobre [Tor](/self-contained-networks/#tor). [Visite hyliu.me](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } [Política de Privacidade](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .md-button } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://hyliu.me/fluent-reader) + - [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/app/id1520907427) + - [:fontawesome-brands-github: Source](https://github.com/yang991178/fluent-reader.git) + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Alimentadores GNOME + +!!! 
nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo GNOME Feeds](/assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds*** é um [RSS](https://en.wikipedia.org/wiki/RSS) e [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) leitor de notícias para [GNOME](https://www.gnome.org). Tem uma interface simples e é bastante rápida. + + [Visite gfeeds.gabmus.org](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.gabmus.gfeeds) + - [:fontawesome-brands-gitlab: Fonte](https://gitlab.gnome.org/World/gfeeds) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Akregator + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo Akregator](/assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** é um leitor de notícias que faz parte do projecto [KDE](https://kde.org). + + Ele vem com uma pesquisa rápida, funcionalidade avançada de arquivamento e um navegador interno para facilitar a leitura de notícias. [Visite kde.org](https://apps.kde.org/akregator){ .md-button .md-button--primary } [Política de Privacidade](https://kde.org/privacypolicy-apps){ .md-button } + + **Downloads*** + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.kde.akregator) + - [:fontawesome-brands-git: Fonte](https://invent.kde.org/pim/akregator) + +### Leitor de Notícias Handy + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. 
+ + ![Logotipo do Handy News Reader](/assets/img/news-aggregators/handy-news-reader.svg){ align=right } + + **Handy News Reader** é um garfo de [Flym](https://github.com/FredJul/Flym) que tem muitos [features](https://github.com/yanus171/Handy-News-Reader#features) e funciona bem com pastas de feeds RSS. Ele suporta [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) e [RDF](https://en.wikipedia.org/wiki/RDF%2FXML). + + [Visite yanus171.github.io](https://yanus171.github.io/Handy-News-Reader/){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=ru.yanus171.feedexfork) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/ru.yanus171.feedexfork/) + - [:fontawesome-brands-github: Source](https://github.com/yanus171/Handy-News-Reader) downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### NetNewsWire + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![NetNewsWire logo](/assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** um leitor de alimentação livre e de código aberto para macOS e iOS com foco em um design nativo e conjunto de recursos. Tem uma interface simples e é bastante rápida. + + [Visite netnewswire.com](https://netnewswire.com/){ .md-button .md-button--primary } [Política de Privacidade](https://netnewswire.com/privacypolicy){ .md-button } + + **Downloads*** + - [:fontawesome-brands-apple: macOS](https://netnewswire.com) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:fontawesome-brands-github: Source](https://github.com/Ranchero-Software/NetNewsWire) + +### Miniflux + +!!! 
nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo Miniflux](/assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Logotipo Miniflux](/assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** é um agregador de notícias baseado na web que você pode auto-hospedar. Ele suporta [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) e [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [Visite miniflux.app](https://miniflux.app){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-github: Fonte](https://github.com/miniflux) downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Barco de notícias + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo do Newsboat](/assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** é um leitor de RSS/Atom feed para a consola de texto. É um garfo mantido ativamente de [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). É muito leve, e ideal para uso sobre [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [Visite newsboat.org](https://newsboat.org){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-github: Fonte](https://github.com/newsboat/newsboat) + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. 
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Youtube + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Reddit + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Escolha uma instância e defina `nitter_instance`. + 2. Substitua `twitter_account` pelo nome da conta. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### Twitter + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` + +--8<-- "includes/abbreviations.pt.txt" diff --git a/i18n/pt/notebooks.md b/i18n/pt/notebooks.md new file mode 100644 index 00000000..f4b29bf8 --- /dev/null +++ b/i18n/pt/notebooks.md 
@@ -0,0 +1,125 @@ +--- +title: "Cadernos de notas" +icon: material/notebook-edit-outline +--- + +Mantenha um registo das suas notas e diários sem os entregar a terceiros. + +Se você está usando atualmente uma aplicação como Evernote, Google Keep ou Microsoft OneNote, sugerimos que você escolha uma alternativa aqui que suporte [Encriptação de ponta a ponta (E2EE)](https://en.wikipedia.org/wiki/End-to-end_encryption). + +## Baseado nas nuvens + +### Joplin + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Joplin logo](/assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** é uma aplicação gratuita, de código aberto e com todas as funcionalidades de tomar e fazer notas, que pode lidar com um grande número de notas marcadas organizadas em cadernos e tags. Ele oferece criptografia de ponta a ponta e pode sincronizar através de Nextcloud, Dropbox, e muito mais. Também oferece fácil importação do Evernote e de notas de texto simples. 
+ + [Visite joplinapp.org](https://joplinapp.org/){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://joplinapp.org/#desktop-applications) + - [:fontawesome-brands-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:fontawesome-brands-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:fontawesome-brands-firefox-browser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:pg-f-droid: F-Droid](https://f-droid.org/pt/packages/net.cozic.joplin) + - [:fontawesome-brands-android: Android](https://joplinapp.org/#mobile-applications) + - [:fontawesome-brands-github: GitHub](https://github.com/laurent22/joplin) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). aviso + +### Notas Padrão + +!!! 
nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + Nota: A partir de Dezembro de 2018, o Joplin não suporta a protecção por senha/pino para a aplicação em si ou para as notas/portáteis individuais. Os dados ainda estão criptografados em trânsito e em local sincronizado usando sua chave mestra. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logótipo Standard Notes](/assets/img/notebooks/standard-notes.svg){ align=right } + + Standard Notes é uma aplicação simples e privada que torna as suas notas fáceis e disponíveis onde quer que esteja. Possui criptografia de ponta a ponta em cada plataforma, e uma poderosa experiência de desktop com temas e editores personalizados. 
+ + Também tem sido [auditado independentemente (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). [Visite standardnotes.org](https://standardnotes.org/){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://standardnotes.org/#get-started) + - [:fontawesome-brands-apple: macOS](https://standardnotes.org/#get-started) + - [:fontawesome-brands-linux: Linux](https://standardnotes.org/#get-started) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1285392450) + - [:octicons-browser-16: Browser](https://app.standardnotes.org/) + - [:fontawesome-brands-github: GitHub](https://github.com/standardnotes) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Vale a pena mencionar + +### Org-mode + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. 
+ + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. + +--8<-- "includes/abbreviations.pt.txt" diff --git a/i18n/pt/os/android-overview.md b/i18n/pt/os/android-overview.md new file mode 100644 index 00000000..2d5c0254 --- /dev/null +++ b/i18n/pt/os/android-overview.md 
@@ -0,0 +1,135 @@ +--- +title: Android Overview +icon: simple/android +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. 
At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. 
+ +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. 
+ +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. 
+ +Fairphone, for example, markets their devices as receiving 6 years of support. atenção This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. 
+ +Should you want to run an app that you're unsure about, consider using a user or work profile. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. 
+ +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. 
that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). 
This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. 
Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. + +--8<-- "includes/abbreviations.pt.txt" diff --git a/i18n/pt/os/linux-overview.md b/i18n/pt/os/linux-overview.md new file mode 100644 index 00000000..c548d2bb --- /dev/null +++ b/i18n/pt/os/linux-overview.md 
@@ -0,0 +1,143 @@ +--- +title: Visão geral do Linux +icon: fontawesome/brands/linux +--- + +Existe uma crença comum que o *software* de [código aberto](https://pt. wikipedia. org/wiki/Software_de_c%C3%B3digo_aberto) é intrinsecamente seguro porque o código-fonte está disponível. Existe uma expectativa de que a verificação por parte da comunidade ocorre regularmente; contudo, esse nem sempre é [o caso](https://seirdy. one/2022/02/02/floss-security. html). A segurança do código está dependente de uma série de factores, tais como atividade do projecto, a experiência do programador, o nível de rigor aplicado em [revisões de código](https://en. wikipedia. org/wiki/Code_review) e a quantas vezes é dada atenção a partes específicas do [base de código](https://en. wikipedia. org/wiki/Codebase), que podem permanecer intocadas durante anos. + +Neste momento, a utilização de GNU/Linux em computadores pessoais tem algumas áreas que poderiam ser melhoradas quando comparadas com os seus equivalentes proprietários, por exemplo: + +- Uma cadeia de inicialização verificada, ao contrário do [Secure Boot](https://support. apple. com/guide/security/startup-security-utility-secc7b34e5b5/web) (com o [Secure Enclave](https://support. apple. com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), o [Verified Boot](https://source. android. com/security/verifiedboot) do Android ou [processo de boot](https://docs. microsoft. com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) com [TPM](https://docs. microsoft. com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm) do Microsoft Windows. Estas funcionalidades e tecnologias de hardware podem ajudar a prevenir manipulações persistentes por malware ou a "[evil maid attacks](https://en. wikipedia. org/wiki/Evil_Maid_attack)" +- Solução de sandboxing forte como a encontrada no [macOS](https://developer. apple. 
com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox. html), [ChromeOS](https://chromium. googlesource. com/chromiumos/docs/+/HEAD/sandboxing. md) e [Android](https://source. android. com/security/app-sandbox). As soluções de sandboxing mais comuns em Linux, tais como [Flatpak](https://docs. flatpak. org/en/latest/sandbox-permissions. html) e [Firejail](https://firejail. wordpress. com/) ainda têm um longo caminho a percorrer +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. 
+ +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). 
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. 
+ +## Recomendações Gerais + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. 
+ +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. 
+ +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). 
+ +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. 
+ +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. + +--8<-- "includes/abbreviations.pt.txt" diff --git a/i18n/pt/os/qubes-overview.md b/i18n/pt/os/qubes-overview.md new file mode 100644 index 00000000..02c22221 --- /dev/null +++ b/i18n/pt/os/qubes-overview.md @@ -0,0 +1,56 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. 
info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Recursos Adicionais + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) + +--8<-- "includes/abbreviations.pt.txt" diff --git a/i18n/pt/passwords.md b/i18n/pt/passwords.md new file mode 100644 index 00000000..545ef14a --- /dev/null +++ b/i18n/pt/passwords.md 
@@ -0,0 +1,255 @@ +--- +title: "Redes Auto-Contidas" +icon: material/form-textbox-password +--- + +Fique seguro e protegido on-line com um gerenciador de senhas criptografado e de código aberto. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + ![logotipo KeepassXC](/assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** é um garfo comunitário do KeePassX, uma porta nativa multi-plataforma do KeePass Password Safe, com o objectivo de o alargar e melhorar com novas funcionalidades e correcções de bugs para fornecer um gestor de senhas moderno, totalmente multi-plataforma e de código aberto. [Visite keepassxc.org](https://keepassxc.org){ .md-button .md-button--primary } [Política de Privacidade](https://keepassxc.org/privacy){ .md-button } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://keepassxc.org/download/#windows) + - [:fontawesome-brands-apple: macOS](https://keepassxc.org/download/#mac) + - [:fontawesome-brands-linux: Linux](https://keepassxc.org/download/#linux) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + - [:fontawesome-brands-github: Source](https://github.com/keepassxreboot/keepassxc) + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Baseado nas nuvens + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### KeepassXC + +!!! 
nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + KeepassXC armazena seus dados de exportação como [comma-separated values (CSV)](https://en.wikipedia.org/wiki/Comma-separated_values). Isto pode significar perda de dados se você importar este arquivo para outro gerenciador de senhas. Aconselhamo-lo a verificar cada registo manualmente. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. 
Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### KeepassDX + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo KeepassDX](/assets/img/password-management/keepassdx.svg){ align=right } + + **KeepassDX*** é um gerenciador de senhas leve para Android, permite editar dados criptografados em um único arquivo no formato KeePass e pode preencher os formulários de uma forma segura. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) permite desbloquear conteúdos cosméticos e recursos de protocolo não-padrão, mas, mais importante, ajuda e incentiva o desenvolvimento. 
Para mais detalhes, recomendamos que veja o seu [FAQ](https://github.com/Kunzisoft/KeePassDX/wiki/FAQ). [Visite keepassdx.com](https://www.keepassdx.com){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:pg-f-droid: F-Droid](https://www.f-droid.org/packages/com.kunzisoft.keepass.libre) + - [:fontawesome-brands-github: Source](https://github.com/Kunzisoft/KeePassDX) + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. 
+ +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Bitwarden + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Bitwarden logo](/assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** é um gerenciador de senhas gratuito e de código aberto. Visa resolver problemas de gerenciamento de senhas para indivíduos, equipes e organizações empresariais. Bitwarden está entre as soluções mais fáceis e seguras para armazenar todos os seus logins e senhas, mantendo-os convenientemente sincronizados entre todos os seus dispositivos. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. 
The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Gestores locais de senhas + +These options allow you to manage an encrypted password database locally. + +### Vaultwarden + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. 
+ + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. 
[Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. 
+ + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Linha de comando + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Must be cross-platform. + +--8<-- "includes/abbreviations.pt.txt" diff --git a/i18n/pt/productivity.md b/i18n/pt/productivity.md new file mode 100644 index 00000000..e611bf1e --- /dev/null +++ b/i18n/pt/productivity.md 
@@ -0,0 +1,182 @@ +--- +title: "Clientes de streaming de vídeo" +icon: material/file-sign +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Suítes de Escritório + +### LibreOffice + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo do LibreOffice](/assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** é uma suite de escritório gratuita e de código aberto com amplas funcionalidades. + + [Visite libreoffice.org](https://www.libreoffice.org){ .md-button .md-button--primary } [Política de Privacidade](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-apple: macOS](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-linux: Linux](https://www.libreoffice.org/download/download/) + - [:pg-flathub: Flatpak](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + - [:pg-openbsd: OpenBSD](https://openports.se/editors/libreoffice) + - [:pg-netbsd: NetBSD](https://pkgsrc.se/misc/libreoffice) + - [:fontawesome-brands-google-play: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:fontawesome-brands-app-store-ios: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:fontawesome-brands-git: Source](https://www.libreoffice.org/about-us/source-code) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: 
GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! Isto permite-nos fornecer recomendações completamente objectivas. Desenvolvemos um conjunto claro de requisitos para qualquer provedor de VPN que deseje ser recomendado, incluindo criptografia forte, auditorias de segurança independentes, tecnologia moderna, e muito mais. + + ![OnlyOffice logo](/assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** é uma alternativa, é uma suite de escritório gratuita e de código aberto com uma extensa funcionalidade. [Visite apenasoffice.com](https://www.onlyoffice.com){ .md-button .md-button--primary } [Política de Privacidade](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .md-button } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://www.onlyoffice.com/download-desktop.aspx?from=default) + - [:fontawesome-brands-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx?from=default) + - [:fontawesome-brands-linux: Linux](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/wwww/onlyoffice-documentserver/) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/onlyoffice-documents/id944896972) + - [:fontawesome-brands-github: Source](https://github.com/ONLYOFFICE) + +### OnlyOffice + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. 
+
+ ![logo Framadate](/assets/img/productivity/framadate.svg){ align=right }
+
+ **Framadate** é um serviço online gratuito e de código aberto para planejar uma consulta ou tomar uma decisão de forma rápida e fácil. Não é necessário registo.
+
+ [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute }
+
+### Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Considere o auto-hospedagem para mitigar esta ameaça.
+
+ ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails.
+
+In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive.
+
+- Open-source.
+- Makes files accessible via WebDAV unless it is impossible due to E2EE.
+- Has sync clients for Linux, macOS, and Windows.
+- Supports document and spreadsheet editing.
+- Supports real-time document collaboration.
+- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Planejamento + +### PrivateBin + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! 
nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. 
+
+ ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails.
+
+In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs.
+
+- Must be cross-platform.
+- Must be open-source software.
+- Must function offline.
+- Must support editing documents, spreadsheets, and slideshows.
+- Must export files to standard document formats.
+
+## Paste services
+
+### PrivateBin
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/).
+
+ [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" }
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/real-time-communication.md b/i18n/pt/real-time-communication.md
new file mode 100644
index 00000000..a84734c2
--- /dev/null
+++ b/i18n/pt/real-time-communication.md
@@ -0,0 +1,215 @@ +--- +title: "Clientes de streaming de vídeo" +icon: material/chat-processing +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Mensageiros Instantâneos Criptografados + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Logotipo do sinal](/assets/img/messengers/signal.svg){ align=right } + + **Sinal*** é uma aplicação móvel desenvolvida pela Signal Messenger LLC. O aplicativo fornece mensagens instantâneas, bem como chamadas de voz e vídeo. + + Todas as comunicações são E2EE. As listas de contatos são criptografadas usando seu PIN de login e o servidor não tem acesso a elas. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + Element logo](/assets/img/messengers/element.svg){ align=right } + + **Element** é o cliente de referência para o protocolo [Matrix](https://matrix.org/docs/guides/introduction), um [padrão aberto](https://matrix.org/docs/spec) para comunicação segura descentralizada em tempo real. 
As mensagens e ficheiros partilhados em salas privadas (aquelas que requerem um convite) são, por defeito, E2EE, tal como as chamadas de voz e vídeo de 1 para 1. + + [Visit element.io](https://element.io/){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://element.io/get-started) + - [:fontawesome-brands-apple: macOS](https://element.io/get-started) + - [:fontawesome-brands-linux: Linux](https://element.io/get-started) + - [:fontawesome-brands-android: Android](https://f-droid.org/packages/im.vector.app/) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:fontawesome-brands-github: Source](https://github.com/vector-im/element-web) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. 
+ + ![logótipo Briar](/assets/img/messengers/briar.svg){ align=right } + + **Briar** é um mensageiro instantâneo encriptado que [connects](https://briarproject.org/how-it-works/) para outros clientes que utilizam a Rede Tor. Briar também pode se conectar via Wi-Fi ou Bluetooth quando em proximidade local. O modo de rede local do Briar pode ser útil quando a disponibilidade da Internet é um problema. + + [Visite briarproject.org](https://briarproject.org/){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-android: Android](https://f-droid.org/packages/org.briarproject.briar.android) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:fontawesome-brands-git: Source](https://code.briarproject.org/briar/briar) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Tipos de Redes de Comunicação + +!!! 
Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. [Visite getession.org](https://getsession.org/){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://getsession.org/windows) + - [:fontawesome-brands-apple: macOS](https://getsession.org/mac) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1470168868) + - [:fontawesome-brands-linux: Linux](https://www.getession.org/linux) + - [:fontawesome-brands-android: Android](https://fdroid.getsession.org/) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:pg-f-droid: F-Droid](https://fdroid.getsession.org) + - [:fontawesome-brands-github: Source](https://github.com/oxen-io/session-desktop) + +### Element + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. 
+ + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. 
The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. 
Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. + +--8<-- "includes/abbreviations.pt.txt" diff --git a/i18n/pt/router.md b/i18n/pt/router.md new file mode 100644 index 00000000..82164973 --- /dev/null +++ b/i18n/pt/router.md 
@@ -0,0 +1,53 @@
+---
+title: "Router Firmware"
+icon: material/router-wireless
+---
+
+Abaixo estão alguns sistemas operacionais alternativos, que podem ser usados em roteadores, pontos de acesso Wi-Fi, etc.
+
+## OpenWrt
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logótipo OpenWrt](/assets/img/router/openwrt.svg#only-light){ align=right }
+ ![OpenWrt logo](/assets/img/router/openwrt-dark.svg#only-dark){ align=right }
+
+ **OpenWrt*** é um sistema operacional (em particular, um sistema operacional embarcado) baseado no kernel Linux, usado principalmente em dispositivos embarcados para rotear o tráfego da rede. Os principais componentes são o kernel Linux, util-linux, uClibc, e BusyBox. Todos os componentes foram optimizados em tamanho, para serem suficientemente pequenos para se adaptarem ao armazenamento limitado e à memória disponível nos routers domésticos.
+
+ [Visite openwrt.org](https://openwrt.org){ .md-button .md-button--primary }
+
+ **Downloads***
+ - [:fontawesome-brands-git: Fonte](https://git.openwrt.org)
+
+You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported.
+
+## OPNsense
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logo pfSense](/assets/img/router/pfsense.svg#only-light){ align=right }
+ ![pfSense logo](/assets/img/router/pfsense-dark.svg#only-dark){ align=right }
+
+ pfSense é uma distribuição de software de firewall/router de computador de código aberto baseada no FreeBSD. Ele é instalado em um computador para fazer um firewall/router dedicado para uma rede e é notado por sua confiabilidade e oferecendo recursos muitas vezes encontrados apenas em firewalls comerciais caros.
+
+ O pfSense é normalmente implantado como firewall perimetral, roteador, ponto de acesso sem fio, servidor DHCP, servidor DNS e VPN endpoint.
+
+OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project.
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Considere o auto-hospedagem para mitigar esta ameaça.
+
+ ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails.
+
+- Must be open source.
+- Must receive regular updates.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/search-engines.md b/i18n/pt/search-engines.md
new file mode 100644
index 00000000..5d8e01b9
--- /dev/null
+++ b/i18n/pt/search-engines.md
@@ -0,0 +1,111 @@
+---
+title: "Motores de Busca"
+icon: material/search-web
+---
+
+Use um motor de busca que não construa um perfil publicitário baseado nas suas pesquisas.
+
+As recomendações aqui são baseadas nos méritos da política de privacidade de cada serviço. Há **sem garantia** de que estas políticas de privacidade sejam honradas.
+
+Considere usar um [VPN](/vpn) ou [Tor](https://www.torproject.org/) se o seu modelo de ameaça requer esconder o seu endereço IP do fornecedor de pesquisa.
+
+## Brave Search
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logo DuckDuckGo](/assets/img/search-engines/duckduckgo.svg){ align=right }
+
+ **DuckDuckGo*** é um motor de busca popular e é o padrão para o Tor Browser. DuckDuckGo usa uma API comercial Bing e várias [outras fontes](https://help.duckduckgo.com/results/sources) para fornecer seus dados de pesquisa.
+
+ [Visite duckduckgo.com](https://duckduckgo.com){ .md-button .md-button--primary } [:pg-tor:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .md-button } [Política de Privacidade](https://duckduckgo.com/privacy){ .md-button }
+
+ We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings.
+
+ [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation}
+
+Brave Search is based in the United States.
Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained.
+
+## DuckDuckGo
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ DuckDuckGo está sediado em 🇺🇸 US. Sua [Política de Privacidade](https://duckduckgo.com/privacy) declara que eles registram sua consulta de pesquisa, mas não o seu IP ou qualquer outra informação de identificação. The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results.
+
+ DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser.
+
+ [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation}
+
+DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information.
+
+DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however.
These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version.
+
+## SearXNG
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logo da página inicial](/assets/img/search-engines/startpage.svg){ align=right }
+
+ **Startpage** é um motor de pesquisa que fornece resultados de pesquisa do Google. É uma forma muito conveniente de obter resultados de pesquisa no Google sem experimentar padrões escuros, tais como capturas difíceis ou acesso recusado porque você usou um [VPN](/vpn) ou [Tor](https://www.torproject.org/download/).
+
+ [Visite startpage.com](https://www.startpage.com){ .md-button .md-button--primary } [Política de Privacidade](https://www.startpage.com/en/privacy-policy){ .md-button }
+
+SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from.
+
+When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities.
+
+When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII.
+
+## Startpage
+
+!!!
nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right }
+ ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right }
+
+ **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead.
+
+ [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation}
+
+!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso.
+
+ Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider.
+
+Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information.
+
+Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received.
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Considere o auto-hospedagem para mitigar esta ameaça.
+
+ ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails.
+
+### Minimum Requirements
+
+- Must not collect personally identifiable information per their privacy policy.
+- Must not allow users to create an account with them.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be based on open-source software.
+- Should not block Tor exit node IP addresses.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/tools.md b/i18n/pt/tools.md
new file mode 100644
index 00000000..63503b6b
--- /dev/null
+++ b/i18n/pt/tools.md
@@ -0,0 +1,455 @@
+---
+title: "Ferramentas de Privacidade"
+icon: material/tools
+hide:
+ - toc
+---
+
+Se você está procurando uma solução específica para algo, estas são as ferramentas de hardware e software que recomendamos em uma variedade de categorias. Nossas ferramentas de privacidade recomendadas são escolhidas principalmente com base em recursos de segurança, com ênfase adicional em ferramentas descentralizadas e de código aberto. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs.
+
+If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community!
+
+For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page.
+
+## Tor Network
+
+
+
+- ![Logótipo do Navegador Tor](/assets/img/browsers/tor.svg){ .twemoji } [Navegador Tor](https://www.torproject.org/)
+- ![Logótipo do Firefox](/assets/img/browsers/firefox.svg){ .twemoji } [Firefox (Desktop)](https://firefox.com/)
+- ![Logotipo Bromite](/assets/img/browsers/bromite.svg){ .twemoji } [Bromite (Android)](https://www.bromite.org/)
+- ![Logotipo Safari](/assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](https://www.apple.com/safari/)
+
+
+1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy.
+
+[Saiba mais...](tor.md)
+
+## Sistemas Operacionais
+
+
+- ![uBlock Origin logo](/assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](https://github.com/gorhill/uBlock)
+- ![AdGuard logo](/assets/img/browsers/adguard.svg){ .twemoji } [AdGuard para Safari](https://adguard.com/en/adguard-safari/overview.html)
+- ![ToS;DR logo](/assets/img/browsers/terms_of_service_didnt_read.svg){ .twemoji } [Termos do Serviço; Não Lido\*](https://tosdr.org/)
+
+
+[Saiba mais...](desktop-browsers.md)
+
+### Recursos Adicionais
+
+
+- ![GrapheneOS logo](/assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](/assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](https://grapheneos.org/)
+- ![logo CalyxOS](/assets/img/android/calyxos.svg){ .twemoji } [CalyxOS](https://calyxos.org/)
+- ![DivestOS logo](/assets/img/android/divestos.svg){ .twemoji } [DivestOS](https://divestos.org/)
+
+
+[Saiba mais...](desktop-browsers.md#additional-resources)
+
+## Prestadores de serviços
+
+
+- ![Droid-ify logo](/assets/img/android/droid-ify.png){ .twemoji } [Droid-ify (F-Droid Client)](https://github.com/Iamlooker/Droid-ify)
+- ![Logo Orbot](/assets/img/android/orbot.svg){ .twemoji } [Orbot (Tor Proxy)](https://orbot.app/)
+- ![Shelter logo](/assets/img/android/shelter.svg){ .twemoji } [Shelter (Work Profiles)](https://gitea.angry.im/PeterCxy/Shelter)
+- ![Logótipo do auditor](/assets/img/android/auditor.svg#only-light){ .twemoji }![Logotipo GrapheneOS](/assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (dispositivos suportados)](https://attestation.app/)
+- ![Logotipo da câmera segura](/assets/img/android/secure_camera.svg#only-light){ .twemoji }![Logotipo da câmera segura](/assets/img/android/secure_camera-dark).svg#only-dark){ .twemoji } [Secure Camera](https://github.com/GrapheneOS/Camera)
+- ![Secure PDF Viewer logo](/assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](/assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](https://github.com/GrapheneOS/PdfViewer)
+- ![PrivacyBlur logo](/assets/img/android/privacyblur.svg){ .twemoji } [PrivacyBlur](https://privacyblur.app/)
+
+
+[Saiba mais...](mobile-browsers.md)
+
+### Recursos Adicionais
+
+
+- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard)
+
+
+[Saiba mais...](mobile-browsers.md#adguard)
+
+## Software
+
+### Mobile
+
+
+- ![Logótipo OpenWrt](/assets/img/router/openwrt.svg#only-light){ .twemoji }![Logótipo OpenWrt](/assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](https://openwrt.org/)
+- ![logótipo pfSense](/assets/img/router/pfsense.svg#only-light){ .twemoji }![logótipo pfSense](/assets/img/router/pfsense-dark.svg#only-dark){ .twemoji } [pfSense](https://www.pfsense.org/)
+
+
+[Saiba mais...](android.md)
+
+#### Android Apps
+
+
+- ![Nextcloud logo](/assets/img/cloud/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](https://nextcloud.com/)
+- ![Proton Drive logo](/assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](https://drive.protonmail.com/)
+- ![Cryptee logo](/assets/img/cloud/cryptee.svg#only-light){ .twemoji }![Logotipo de Cryptee](/assets/img/cloud/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](https://crypt.ee/)
+- ![Logotipo de Tahoe-LAFS](/assets/img/cloud/tahoe-lafs.svg#only-light){ .twemoji }![Logotipo Tahoe-LAFS](/assets/img/cloud/tahoe-lafs-dark.svg#only-dark){ .twemoji } [Tahoe-LAFS (Avançado)](https://www.tahoe-lafs.org/)
+
+
+[Saiba mais...](android.md#general-apps)
+
+### Armazenamento em nuvem
+
+
+- ![Logotipo ProtonMail](/assets/img/email/mini/protonmail.svg){ .twemoji } [ProtonMail](https://protonmail.com/)
+- ![Logotipo mailbox.org](/assets/img/email/mini/mailboxorg.svg){ .twemoji } [Mailbox.org](https://mailbox.org/)
+- ![Logotipo de raiz](/assets/img/img/email/mini/disroot.svg#only-light){ .twemoji }![Logotipo de raiz](/assets/img/email/mini/disroot-dark.svg#only-dark){ .twemoji } [Disroot](https://disroot.org/)
+- ![Logotipo Tutanota](/assets/img/email/mini/tutanota.svg){ .twemoji } [Tutanota](https://tutanota.com/)
+- ![Logotipo StartMail](/assets/img/email/mini/tutanota.svg#only-light){ .twemoji }![StartMail logo](/assets/img/email/mini/startmail-dark.svg#only-dark){ .twemoji } [StartMail](https://startmail.com/)
+- ![CTemplar logo](/assets/img/email/mini/ctemplar.svg#only-light){ .twemoji }![CTemplar logo](/assets/img/email/mini/ctemplar-dark.svg#only-dark){ .twemoji } [CTemplar](https://ctemplar.com/)
+
+
+[Saiba mais...](desktop.md)
+
+### Router Firmware
+
+
+- ![AnonAddy logo](/assets/img/img/email/mini/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](/assets/img/email/mini/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](https://anonaddy.com/)
+- ![SimpleLogin logo](/assets/img/email/mini/simplelogin.svg){ .twemoji } [SimpleLogin](https://simplelogin.io/)
+
+
+[Saiba mais...](router.md)
+
+## Service Providers
+
+### Email
+
+
+- ![Logótipo mail-in-a-Box](/assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](https://mailinabox.email/)
+- ![logótipo mailcow](/assets/img/email/mailcow.svg){ .twemoji } [mailcow](https://mailcow.email/)
+
+
+[Saiba mais...](cloud.md)
+
+### DNS
+
+#### DNS Providers
+
+We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended.
+
+[Saiba mais...](dns.md)
+
+#### Encrypted DNS Proxies
+
+
+- ![logo DuckDuckGo](/assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](https://duckduckgo.com/)
+- ![logo Startpage](/assets/img/search-engines/startpage.svg){ .twemoji } [Startpage](https://www.startpage.com/)
+- ![Mojeek logo](/assets/img/search-engines//mini/mojeek.svg){ .twemoji } [Mojeek](https://www.mojeek.com/)
+- ![Searx logo](/assets/img/search-engines/searx.svg){ .twemoji } [Searx](https://searx.me/)
+
+
+[Saiba mais...](dns.md#encrypted-dns-proxies)
+
+#### Self-hosted Solutions
+
+
+- ![Logótipo Mullvad](/assets/img/vpn/mini/mullvad.svg){ .twemoji } [Mullvad](https://mullvad.net/)
+- ![Logótipo ProtonVPN](/assets/img/vpn/mini/protonvpn.svg){ .twemoji } [ProtonVPN](https://protonvpn.com/)
+- ![Logotipo IVPN](/assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](https://www.ivpn.net/)
+
+
+[Saiba mais...](dns.md#self-hosted-solutions)
+
+### Provedores de VPN
+
+
+- ![logo Tutanota](/assets/img/calendar-contactos/tutanota.svg){ .twemoji } [Tutanota (SaaS)](https://tutanota.com/calendar)
+- ![logo Proton Calendar](/assets/img/calendar-contactos/proton-calendar.svg){ .twemoji } [Calendário Proton (SaaS)](https://calendar.protonmail.com/)
+- ![Logotipo EteSync](/assets/img/calendar-contacts/etesync.svg){ .twemoji } [EteSync](https://www.etesync.com/)
+- ![Logotipo Tutanota](/assets/img/calendar-contacts/nextcloud.svg){ .twemoji } [Nextcloud](https://nextcloud.com/)
+- ![Logotipo DecSync CC](/assets/img/calendar-contacts/decsync.svg){ .twemoji } [DecSync](https://github.com/39aldo39/DecSync)
+
+
+[Saiba mais...](email.md)
+
+#### Visão Geral da Criptografia de E-mail
+
+
+- ![Joplin logo](/assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](https://joplinapp.org/)
+- ![Standard Notes logo](/assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](https://standardnotes.org/)
+
+
+[Saiba mais...](email.md#email-aliasing-services)
+
+#### Visão Geral dos Metadados de Email
+
+
+- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email)
+- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email)
+
+
+[Saiba mais...](email.md#self-hosting-email)
+
+### Motores de Busca
+
+
+- ![VeraCrypt logo](/assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](/assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](https://veracrypt.fr/)
+- ![Logotipo do criptomator](/assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](https://cryptomator.org/)
+- ![Logotipo do Picocrypt](/assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](https://evansu.cc/picocrypt)
+- ![Hat.sh logo](/assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](/assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (baseado no navegador)](https://hat.sh/)
+- ![Logotipo Kryptor](/assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](https://www.kryptor.co.uk/)
+- ![Logotipo Tomb](/assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](https://www.dyne.org/software/tomb)
+
+
+[Saiba mais...](search-engines.md)
+
+### VPN Providers
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. perigo "As VPNs não proporcionam anonimato".
+
+ Usando uma VPN **não*** manterá seus hábitos de navegação anônimos, nem adicionará segurança adicional ao tráfego não seguro (HTTP).
+
+ Se você está procurando por **anonimato**, você deve usar o Navegador Tor **em vez de** de uma VPN.
+
+ Se você está procurando por **security** adicionado, você deve sempre garantir que você está se conectando a sites usando [HTTPS](https://en.wikipedia.org/wiki/HTTPS). Uma VPN não é um substituto para as boas práticas de segurança.
+
+ [Saiba mais](vpn.md)
+
+
+- ![logo GnuPG](/assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](https://gnupg.org)
+- ![GPG4Win logo](/assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](https://gpg4win.org)
+- ![GPG Suite logo](/assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](https://gpgtools.org)
+- ![OpenKeychain logo](/assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](https://www.openkeychain.org/)
+
+
+[Saiba mais...](vpn.md)
+
+## Software
+
+### Clientes de e-mail
+
+
+- ![logótipo OnionShare](/assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](https://onionshare.org/)
+- ![logótipo Magic Wormhole](/assets/img/file-sharing-sync/magic_wormhole.png){ .twemoji } [Magic Wormhole](https://magic-wormhole.readthedocs.io/)
+- ![Logotipo FreedomBox](/assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](https://freedombox.org/)
+- ![Syncthing logo](/assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](https://syncthing.net/)
+- ![git-annex logo](/assets/img/file-sharing-sync/gitannex.svg){ .twemoji } [git-annex](https://git-annex.branchable.com/)
+
+
+[Saiba mais...](calendar.md)
+
+### Ferramentas de encriptação
+
+
+- ![MAT2 logo](/assets/img/metadata-removal/mat2.svg){ .twemoji } [MAT2](https://0xacab.org/jvoisin/mat2)
+- ![ExifCleaner logo](/assets/img/metadata-removal/exifcleaner.svg){ .twemoji } [ExifCleaner](https://exifcleaner.com/)
+- ![Scrambled Exif logo](/assets/img/metadata-removal/scrambled-exif.svg){ .twemoji } [Scrambled Exif (Android)](https://gitlab.com/juanitobananas/scrambled-exif)
+- ![Logótipo Imagepipe](/assets/img/metadata-removal/imagepipe.svg){ .twemoji } [Imagepipe (Android)](https://codeberg.org/Starfish/Imagepipe)
+- ![Logotipo Metapho](/assets/img/metadata-removal/metapho.jpg){ .twemoji } [Metapho (iOS)](https://zininworks.com/metapho)
+- ![Logotipo ExifTool](/assets/img/metadata-removal/exiftool.png){ .twemoji } [ExifTool (CLI)](https://exiftool.org/)
+
+
+[Saiba mais...](data-redaction.md)
+
+### Partilha de ficheiros
+
+
+- ![YubiKeys](/assets/img/multi-factor-authentication/yubikey.png){ .twemoji } [YubiKey](https://www.yubico.com/)
+- ![Nitrokey](/assets/img/multi-factor-authentication/nitrokey.jpg){ .twemoji } [Nitrokey](https://www.nitrokey.com/)
+- ![Aegis logo](/assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](https://getaegis.app/)
+- ![Raivo OTP logo](/assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](https://github.com/raivo-otp/ios-application)
+
+
+[Saiba mais...](email-clients.md)
+
+### Software de encriptação
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. info "Operating System Disk Encryption"
+
+ Para criptografar a unidade do seu sistema operacional, normalmente recomendamos usar qualquer ferramenta de criptografia que o seu sistema operacional forneça, seja **BitLocker** no Windows, **FileVault** no MacOS, ou **LUKS*** no Linux. Estas ferramentas estão disponíveis fora da caixa e normalmente utilizam elementos de encriptação de hardware como um TPM que outros softwares de encriptação de disco completo como o VeraCrypt não utilizarão. O VeraCrypt ainda é adequado para discos de sistemas não operacionais, como acionamentos externos, especialmente acionamentos que podem ser acessados de vários sistemas operacionais.
+
+ [Saiba mais](encryption.md###operating-system-included-full-disk-encryption-fde)
+
+
+- ![logótipo KeePassXC](/assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](https://keepassxc.org/)
+- ![logótipo KeePassDX](/assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](https://www.keepassdx.com/)
+- ![Bitwarden logo](/assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](https://bitwarden.com/)
+- ![Psono logo](/assets/img/password-management/psono.svg){ .twemoji } [Psono](https://psono.com/)
+- ![gopass logo](/assets/img/password-management/gopass.svg){ .twemoji } [gopass](https://www.gopass.pw/)
+- ![Vaultwarden logo](/assets/img/password-management/vaultwarden.svg#only-light){ .twemoji }![Vaultwarden logo](/assets/img/password-management/vaultwarden-dark.svg#only-dark){ .twemoji } [Vaultwarden (Bitwarden Server)](https://github.com/dani-garcia/vaultwarden)
+
+
+[Saiba mais...](encryption.md)
+
+#### OpenPGP Clients
+
+
+- ![logótipo LibreOffice](/assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](https://www.libreoffice.org/)
+- ![logótipo OnlyOffice](/assets/img/productivity/libreoffice.svg){ .twemoji } [OnlyOffice](https://www.onlyoffice.com/)
+- ![Framadate logo](/assets/img/productivity/framadate.svg){ .twemoji } [Framadate (Appointment Planning)](https://framadate.org/)
+- ![PrivateBin logo](/assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](https://privatebin.info/)
+- ![CryptPad logo](/assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](https://cryptpad.fr/)
+- ![Write.as logo](/assets/img/productivity/writeas.svg#only-light){ .twemoji }![Write.as logo](/assets/img/productivity/writeas-dark.svg#only-dark){ .twemoji } [Write.as (Blogging Platform)](https://write.as/)
+- ![VSCodium logo](/assets/img/productivity/vscodium.svg){ .twemoji } [VSCodium (Source-Code Editor)](https://vscodium.com/)
+
+
+[Saiba mais...](encryption.md#openpgp)
+
+### Ferramentas de Autenticação Multi-Factor
+
+
+- ![Logotipo do sinal](/assets/img/messengers/signal.svg){ .twemoji } [Signal](https://signal.org/)
+- ![Logotipo do elemento](/assets/img/messengers/element.svg){ .twemoji } [Element](https://element.io/)
+- ![Logotipo do Briar](/assets/img/messengers/briar.svg){ .twemoji } [Briar (Android)](https://briarproject.org/)
+- ![Logotipo da sessão](/assets/img/messengers/session.svg){ .twemoji } [Session](https://getsession.org/)
+
+
+[Saiba mais...](file-sharing.md)
+
+### Gestores de senhas
+
+
+- ![Leitor Fluente](/assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Leitor Fluente](https://hyliu.me/fluent-reader)
+- ![GNOME Feeds](/assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](https://gfeeds.gabmus.org)
+- ![Akregator](/assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](https://apps.kde.org/akregator)
+- ![Leitor de Notícias Handy](/assets/img/news-aggregators/handy-news-reader.svg){ .twemoji } [Leitor de Notícias Handy](https://github.com/yanus171/Handy-News-Reader)
+- ![NetNewsWire](/assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](https://netnewswire.com)
+- ![Miniflux](/assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](/assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](https://miniflux.app)
+- ![Newsboat](/assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](https://newsboat.org/)
+
+
+[Saiba mais...](frontends.md)
+
+### Ferramentas de Produtividade
+
+
+- ![logótipo Tor](./assets/img/self-contained-networks/tor.svg){ .twemoji } [Tor](https://www.torproject.org/)
+- ![logótipo I2P](./assets/img/self-contained-networks/i2p.svg#only-light){ .twemoji } ![logótipo I2P](./assets/img/self-contained-networks/i2p-dark.svg#only-dark){ .twemoji } [I2P](https://geti2p.net/)
+- ![Logotipo Freenet](./assets/img/self-contained-networks/freenet.svg){ .twemoji } [Freenet](https://freenetproject.org/)
+
+
+[Saiba mais...](multi-factor-authentication.md)
+
+### Comunicação em Tempo Real
+
+
+- ![FreeTube logo](/assets/img/video-streaming/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](https://freetubeapp.io/)
+- ![LBRY logo](/assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](https://lbry.com/)
+- ![logo NewPipe](/assets/img//video-streaming/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](https://newpipe.net/)
+- ![logo NewPipe x SponsorBlock](/assets/img/video-streaming/newpipe.svg){ .twemoji } [NewPipe x SponsorBlock](https://github.com/polymorphicshade/NewPipe)
+- ![Invidious logo](/assets/img/video-streaming/invideo-streaming/invidious.svg#only-light){ .twemoji }![Invidious logo](/assets/img/video-streaming/invideo-streaming/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](https://invidious.io/)
+- ![Logótipo canalizado](/assets/img/video-streaming/piped.svg){ .twemoji } [Piped (YouTube, Web)](https://piped.kavin.rocks/)
+
+
+[Saiba mais...](news-aggregators.md)
+
+### Cadernos de notas
+
+
+- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin)
+- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes)
+- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee)
+- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode)
+
+
+[Saiba mais...](notebooks.md)
+
+### Redes Auto-Contidas
+
+
+- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden)
+- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password)
+- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono)
+- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc)
+- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android)
+- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos)
+- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass)
+
+
+[Saiba mais...](passwords.md)
+
+### Clientes de streaming de vídeo
+
+
+- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud)
+- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice)
+- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice)
+- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad)
+- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin)
+
+
+[Saiba mais...](productivity.md)
+
+### Clientes de streaming de vídeo
+
+
+- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal)
+- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar)
+- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat)
+- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element)
+- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session)
+
+
+[Saiba mais...](real-time-communication.md)
+
+### Video Streaming Clients
+
+
+
+- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry)
+
+
+
+[Saiba mais...](video-streaming.md)
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/tor.md b/i18n/pt/tor.md
new file mode 100644
index 00000000..429ca5bf
--- /dev/null
+++ b/i18n/pt/tor.md
@@ -0,0 +1,133 @@
+---
+title: "Tor Network"
+icon: simple/torproject
+---
+
+![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right }
+
+The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool.
+
+[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage }
+[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation}
+[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity.
+
+
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+
+- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md)
+
+## Connecting to Tor
+
+There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser.
+
+### Navegador Tor
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right }
+
+ **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*.
+
+ [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ??? 
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
+ - [:simple-android: Android](https://www.torproject.org/download/#android)
+ - [:simple-windows11: Windows](https://www.torproject.org/download/)
+ - [:simple-apple: macOS](https://www.torproject.org/download/)
+ - [:simple-linux: Linux](https://www.torproject.org/download/)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor)
+
+!!! Isto permite-nos fornecer recomendações completamente objectivas. Desenvolvemos um conjunto claro de requisitos para qualquer provedor de VPN que deseje ser recomendado, incluindo criptografia forte, auditorias de segurança independentes, tecnologia moderna, e muito mais.
+
+ You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
+
+Este navegador fornece acesso às Pontes Tor e \[Rede Tor\](https://en.wikipedia.org/wiki/Tor_(rede)), juntamente com extensões que podem ser configuradas automaticamente para se ajustarem aos seus três níveis de segurança - *Standard*, *Safer* e *Safest*. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/).
+
+### Perfis de usuário
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right }
+
+ **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. 
+
+ [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599)
+ - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases)
+
+For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to.
+
+!!! tip "Tips for Android"
+
+ Os dados de cada usuário são criptografados usando sua própria chave de criptografia exclusiva, e os arquivos do sistema operacional são deixados não criptografados. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+ Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. 
+
+ [Visite orbot.app](https://orbot.app/){ .md-button .md-button--primary }
+
+ **Downloads***
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
+ - [:pg-f-droid: F-Droid](https://guardianproject.info/fdroid)
+ - [:fontawesome-brands-github: GitHub](https://github.com/guardianproject/orbot)
+ - [:fontawesome-brands-gitlab: GitLab](https://gitlab.com/guardianproject/orbot)
+
+## Relays and Bridges
+
+### Snowflake
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right }
+ ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right }
+
+ **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser.
+
+ People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge.
+
+ [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ??? 
downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie)
+ - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy")
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. tip "Embedded Snowflake"
+
+ You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface.
+
+
+
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html).
+
+Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours.
+
+Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/video-streaming.md b/i18n/pt/video-streaming.md
new file mode 100644
index 00000000..fac54af6
--- /dev/null
+++ b/i18n/pt/video-streaming.md
@@ -0,0 +1,53 @@
+---
+title: "Transmissão de vídeo"
+icon: material/video-wireless
+---
+
+A principal ameaça ao usar uma plataforma de streaming de vídeo é que os seus hábitos de streaming e listas de assinaturas podem ser usados para traçar o seu perfil. Você deve combinar estas ferramentas com um [VPN](/vpn) ou [Tor](https://www.torproject.org/) para tornar mais difícil o perfil do seu uso.
+
+## Clientes
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ Ao usar o Freetube, seu endereço IP ainda é conhecido pelo YouTube, [Invidious](https://instances.invidious.io) e as instâncias SponsorBlock que você usa. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance.
+
+ **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet.
+
+ [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://lbry.com/windows)
+ - [:simple-apple: macOS](https://lbry.com/osx)
+ - [:simple-linux: Linux](https://lbry.com/linux)
+
+!!! note
+
+ Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry.
+
+!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. 
+
+ While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel.
+
+You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time.
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Considere o auto-hospedagem para mitigar esta ameaça.
+
+ ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails.
+
+- Must not require a centralized account to view videos.
+ - Decentralized authentication, such as via a mobile wallet's private key is acceptable.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/pt/vpn.md b/i18n/pt/vpn.md
new file mode 100644
index 00000000..a5c3626c
--- /dev/null
+++ b/i18n/pt/vpn.md
@@ -0,0 +1,308 @@
+---
+title: "Serviços VPN"
+icon: material/vpn
+---
+
+Encontre um operador VPN sem registo que não esteja a vender ou a ler o seu tráfego web.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. perigo "As VPNs não proporcionam anonimato".
+
+ Usando uma VPN **não*** manterá seus hábitos de navegação anônimos, nem adicionará segurança adicional ao tráfego não seguro (HTTP).
+
+ Se você está procurando por **anonimato**, você deve usar o Navegador Tor **em vez de** de uma VPN.
+
+ Se você está procurando por **security** adicionado, você deve sempre garantir que você está se conectando a sites usando [HTTPS](https://en.wikipedia.org/wiki/HTTPS). Uma VPN não é um substituto para as boas práticas de segurança.
+
+ [Baixar Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Mitos Tor & FAQ](https://medium.com/privacyguides/slicing-onions-part-1-myth-busting-tor-9ec188ae1904){ .md-button }
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. info "Quando é que as VPNs são úteis?"
+
+ Se você está procurando por **privacidade adicional** do seu provedor, em uma rede Wi-Fi pública, ou enquanto estiver torrentando arquivos, uma VPN pode ser a solução para você, desde que você entenda os riscos envolvidos.
+
+ [Mais informações](#vpn-overview){ .md-button }
+
+## Provedores recomendados
+
+!!! exemplo "Critérios".
+
+ Nossos provedores recomendados estão fora dos EUA, usam criptografia, aceitam Monero, suportam WireGuard & OpenVPN, e têm uma política de não registro. Leia a nossa [lista completa de critérios](#nossos-critérios) para mais informações.
+
+### Mullvad
+
+!!! 
recommendation annotate
+
+ ![logo Mullvad](/assets/img/vpn/mullvad.svg#only-light){ align=right }
+ ![Mullvad logo](/assets/img/vpn/mullvad-dark.svg#only-dark){ align=right }
+
+ **Mullvad** é uma VPN rápida e barata com um foco sério na transparência e segurança. Eles estão em operação desde **2009***.
+
+ Mullvad está sediada na Suécia e não tem um teste gratuito. downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085)
+ - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases)
+ - [:simple-windows11: Windows](https://protonvpn.com/download-windows)
+ - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/)
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "35 Países".
+
+ Mullvad tem [servidores em 35 países](https://mullvad.net/en/servers/) no momento de escrever esta página. Escolher um provedor VPN com um servidor mais próximo de você irá reduzir a latência do tráfego de rede que você envia. Isto é devido a uma rota mais curta (menos lúpulo) para o destino.
+
+ Também achamos que é melhor para a segurança das chaves privadas do provedor de VPN se ele usar [servidores dedicados](https://en.wikipedia.org/wiki/Dedicated_hosting_service), ao invés de soluções compartilhadas mais baratas (com outros clientes), como [servidores virtuais privados](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Ocultar o seu tráfego de **apenas** o seu fornecedor de serviços de Internet.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Auditado independentemente". 
+
+ Os clientes VPN da Mullvad foram auditados pela Cure53 e Assured AB num relatório de pentest [publicado na cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). Os investigadores de segurança concluíram:
+
+ > Cure53 e Assured AB estão satisfeitos com os resultados da auditoria e o software deixa uma impressão geral positiva. Com a dedicação da equipe interna do complexo Mullvad VPN, os testadores não têm dúvidas de que o projeto está no caminho certo do ponto de vista de segurança. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Clientes de código aberto".
+
+ Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN).
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. cheque "Aceita Dinheiro".
+
+ Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Suporte WireGuard".
+
+ A Mullvad suporta o protocolo WireGuard®. 
[WireGuard](https://www.wireguard.com)[^1] é um protocolo mais recente que utiliza o estado da arte [cryptography](https://www.wireguard.com/protocol/). Além disso, o WireGuard pretende ser mais simples e mais performante.
+
+ Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) o uso do WireGuard com o seu serviço. É o protocolo padrão ou único protocolo nos aplicativos Android, iOS, macOS e Linux da Mullvad, enquanto os usuários de Windows têm de [habilitar manualmente](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Suporte IPv6".
+
+ A Mullvad suporta o futuro do networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Sua rede permite aos usuários [acessar serviços hospedados em IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) em oposição a outros provedores que bloqueiam conexões IPv6.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Remote Port Forwarding".
+
+ In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Clientes móveis". 
+
+ A Mullvad publicou clientes [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) e [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn), ambos com suporte a uma interface fácil de usar, em vez de exigir que os usuários configurem manualmente suas conexões do WireGuard. O cliente móvel no Android também está disponível em [F-Droid](https://f-droid.org/packages/net.mullvad.mullvadvpn), o que garante que ele seja compilado com [builds reproduzíveis](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html). They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose.
+
+!!! info "Funcionalidade Adicional
+
+ Mullvad é muito transparente sobre quais nós eles [possuem ou alugam](https://mullvad.net/en/servers/). Eles usam [ShadowSocks](https://shadowsocks.org/en/index.html) na sua configuração ShadowSocks OpenVPN, tornando-os mais resistentes contra firewalls com [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) tentando bloquear VPNs.
+
+### ProtonVPN
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![ProtonVPN logo](/assets/img/vpn/protonvpn.svg){ align=right }
+
+ **ProtonVPN*** é um forte concorrente no espaço VPN, e estão em operação desde 2016. ProtonVPN está baseado na Suíça e oferece um nível de preços livre limitado, bem como opções premium.
+
+ Eles oferecem mais 14 iscount para a compra de uma assinatura de 2 anos. 
Também achamos que é melhor para a segurança das chaves privadas do provedor de VPN se ele usar [servidores dedicados](https://en.wikipedia.org/wiki/Dedicated_hosting_service), ao invés de soluções compartilhadas mais baratas (com outros clientes), como [servidores virtuais privados](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "44 Países".
+
+ ProtonVPN tem [servidores em 44 países](https://protonvpn.com/vpn-servers) no momento de escrever esta página. Escolher um provedor VPN com um servidor mais próximo de você irá reduzir a latência do tráfego de rede que você envia. Isto é devido a uma rota mais curta (menos lúpulo) para o destino.
+
+ Também achamos que é melhor para a segurança das chaves privadas do provedor de VPN se ele usar [servidores dedicados](https://en.wikipedia.org/wiki/Dedicated_hosting_service), ao invés de soluções compartilhadas mais baratas (com outros clientes), como [servidores virtuais privados](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Ocultar o seu tráfego de **apenas** o seu fornecedor de serviços de Internet.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Auditado independentemente".
+
+ IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. 
A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf).
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Clientes de código aberto".
+
+ As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn).
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. cheque "Aceita Dinheiro".
+
+ In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Suporte WireGuard".
+
+ ProtonVPN suporta principalmente o protocolo WireGuard®. [WireGuard](https://www.wireguard.com)[^1] é um protocolo mais recente que utiliza o estado da arte [cryptography](https://www.wireguard.com/protocol/). Além disso, o WireGuard pretende ser mais simples e mais performante.
+
+ IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. Falta o "Remote Port Forwarding".
+
+ Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. 
Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html).
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Remote Port Forwarding".
+
+ In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Clientes móveis".
+
+ ProtonVPN têm seus próprios servidores e datacenters na Suíça, Islândia e Suécia. Eles oferecem bloqueio de domínios malware conhecidos e de bloqueio com o seu serviço DNS.
+
+### IVPN
+
+!!! nota
+ Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado.
+
+ ![logótipo IVPN](/assets/img/vpn/ivpn.svg){ align=right }
+
+ **IVPN*** é outro provedor VPN premium, e estão em operação desde 2009. A IVPN está sediada em Gibraltar. **Padrão USD $60/ano*** - **Pro USD $100/ano***
+
+ [Visite IVPN.net](https://www.ivpn.net/){ .md-button .md-button--primary }
+
+ Também achamos que é melhor para a segurança das chaves privadas do provedor de VPN se ele usar [servidores dedicados](https://en.wikipedia.org/wiki/Dedicated_hosting_service), ao invés de soluções compartilhadas mais baratas (com outros clientes), como [servidores virtuais privados](https://en.wikipedia.org/wiki/Virtual_private_server). 
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513)
+ - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases)
+ - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/)
+ - [:simple-apple: macOS](https://mullvad.net/en/download/macos/)
+ - [:simple-linux: Linux](https://mullvad.net/en/download/linux/)
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "32 Países".
+
+ IVPN tem [servidores em 32 países](https://www.ivpn.net/server-locations) no momento de escrever esta página. Escolher um provedor VPN com um servidor mais próximo de você irá reduzir a latência do tráfego de rede que você envia. Isto é devido a uma rota mais curta (menos lúpulo) para o destino.
+
+ Também achamos que é melhor para a segurança das chaves privadas do provedor de VPN se ele usar [servidores dedicados](https://en.wikipedia.org/wiki/Dedicated_hosting_service), ao invés de soluções compartilhadas mais baratas (com outros clientes), como [servidores virtuais privados](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Ocultar o seu tráfego de **apenas** o seu fornecedor de serviços de Internet.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Auditado independentemente".
+
+ Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded:
+
+ > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. 
With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint.
+
+ In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website:
+
+ > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks.
+
+ In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf).
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Clientes de código aberto".
+
+ Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). 
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. cheque "Aceita Dinheiro".
+
+ Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. [WireGuard](https://www.wireguard.com)[^1] é um protocolo mais recente que utiliza o estado da arte [cryptography](https://www.wireguard.com/protocol/).
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Suporte WireGuard".
+
+ O IVPN suporta o protocolo WireGuard®. [WireGuard](https://www.wireguard.com)[^1] é um protocolo mais recente que utiliza o estado da arte [cryptography](https://www.wireguard.com/protocol/). Além disso, o WireGuard pretende ser mais simples e mais performante.
+
+ Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Remote Port Forwarding".
+
+ O envio remoto [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) é possível com um plano Pro. Port forwarding [pode ser ativado](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) através da área do cliente.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. Falta o "Remote Port Forwarding".
+
+ Além de fornecer arquivos de configuração padrão OpenVPN, o IVPN tem clientes móveis para [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683) e [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), permitindo fácil conexão com seus servidores. O cliente móvel no Android também está disponível em [F-Droid](https://f-droid.org/en/packages/net.ivpn.client), o que garante que ele seja compilado com [builds reproduzíveis](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html). See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Remote Port Forwarding".
+
+ Clientes IVPN suportam dois factores de autenticação (clientes Mullvad e ProtonVPN não suportam). IVPN também fornece a funcionalidade "[AntiTracker](https://www.ivpn.net/antitracker)", que bloqueia redes de publicidade e rastreadores a partir do nível da rede.
+
+Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. verificar "Clientes móveis".
+
+ É importante notar que a utilização de um provedor VPN não o tornará anônimo, mas lhe dará melhor privacidade em certas situações. Uma VPN não é uma ferramenta para actividades ilegais. Não confies numa política de "sem registo". Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion).
+
+## Framadate
+
+!!! Isto permite-nos fornecer recomendações completamente objectivas. Desenvolvemos um conjunto claro de requisitos para qualquer provedor de VPN que deseje ser recomendado, incluindo criptografia forte, auditorias de segurança independentes, tecnologia moderna, e muito mais.
+
+ It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy.
+
+Operar fora dos cinco/nove/quatro países não é necessariamente uma garantia de privacidade, e existem outros factores a considerar. No entanto, acreditamos que evitar esses países é importante se você deseja evitar a vigilância de arrastão do governo em massa, especialmente dos Estados Unidos. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible.
+
+### Jurisdição
+
+We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected.
+
+**O melhor caso:**
+
+- Operando fora dos EUA ou de outros países da Five Eyes.
+- Killswitch built in to clients.
+- Multihop support. Multihopping is important to keep data private in case of a single node compromise.
+- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing.
+
+**Best Case:**
+
+- Operando fora dos EUA ou de outros 14 países da 14 Eyes.
+- Operando dentro de um país com fortes leis de proteção ao consumidor.
+- Easy-to-use VPN clients
+- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses.
+- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble).
+
+### Tecnologia
+
+We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required.
+
+**O melhor caso:**
+
+- Suporte para protocolos fortes como o WireGuard & OpenVPN.
+- Killswitch construído para os clientes.
+
+**Best Case:**
+
+- Suporte WireGuard e OpenVPN.
+- Killswitch com opções altamente configuráveis (ativar/desativar em certas redes, no boot, etc.)
+
+### Privacidade
+
+A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis.
+
+**O melhor caso:**
+
+- Monero ou opção de pagamento em dinheiro.
+- Não é necessária nenhuma informação pessoal para se registar: Somente nome de usuário, senha e e-mail, no máximo.
+- Published security audits from a reputable third-party firm.
+
+**Best Case:**
+
+- Aceita Monero, dinheiro e outras formas de pagamento anônimo (cartões presente, etc.)
+- Não é necessária nenhuma informação pessoal para se registar: Somente nome de usuário, senha e e-mail, no máximo.
+- Comprehensive published security audits from a reputable third-party firm.
+- Programas de recompensa de bugs e/ou um processo coordenado de divulgação de vulnerabilidades.
+
+### Segurança
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data?
We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**O melhor caso:**
+
+- Esquemas de Criptografia Fortes: OpenVPN com autenticação SHA-256; RSA-2048 ou melhor aperto de mão; AES-256-GCM ou AES-256-CBC encriptação de dados.
+
+**Best Case:**
+
+- A Encriptação mais forte: RSA-4096.
+- Perfect Forward Secrecy (PFS).
+
+### Confiança
+
+With the VPN providers we recommend we like to see responsible marketing.
+
+**O melhor caso:**
+
+- Deve auto-instalar análises (sem Google Analytics, etc.). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Fazer garantias de protecção do anonimato a 100%. Quando alguém afirma que algo é 100%, significa que não há certeza de fracasso. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+ - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.)
+ - [Impressão digital do navegador](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+- Relatórios de transparência frequentes.
+- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor.
+
+**Best Case:**
+
+Responsible marketing that is both educational and useful to the consumer could include:
+
+- An accurate comparison to when [Tor](tor.md) should be used instead.
+- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion)
+
+### Marketing
+
+While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc.
+
+--8<-- "includes/abbreviations.pt.txt"
diff --git a/i18n/ru/404.md b/i18n/ru/404.md
new file mode 100644
index 00000000..b10bd9ac
--- /dev/null
+++ b/i18n/ru/404.md
@@ -0,0 +1,17 @@
+---
+hide:
+ - feedback
+---
+
+# 404 - Страница Не Найдена
+
+We couldn't find the page you were looking for! Maybe you were looking for one of these?
+
+- [Introduction to Threat Modeling](basics/threat-modeling.md)
+- [Recommended DNS Providers](dns.md)
+- [Best Desktop Web Browsers](desktop-browsers.md)
+- [Best VPN Providers](vpn.md)
+- [Privacy Guides Forum](https://discuss.privacyguides.net)
+- [Our Blog](https://blog.privacyguides.org)
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/CODE_OF_CONDUCT.md b/i18n/ru/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..88a0e910
--- /dev/null
+++ b/i18n/ru/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@
+# Community Code of Conduct
+
+**We pledge** to make our community a harassment-free experience for everyone.
+
+**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others.
+
+**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment.
+
+## Community Standards
+
+What we expect from members of our communities:
+
+1. **Don't spread misinformation**
+
+ We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence.
+
+1. **Don't abuse our willingness to help**
+
+ Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/).
+
+1.
**Behave in a positive and constructive manner**
+
+ Examples of behavior that contributes to a positive environment for our community include:
+
+ - Demonstrating empathy and kindness toward other people
+ - Being respectful of differing opinions, viewpoints, and experiences
+ - Giving and gracefully accepting constructive feedback
+ - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+ - Focusing on what is best not just for us as individuals, but for the overall community
+
+### Unacceptable Behavior
+
+The following behaviors are considered harassment and are unacceptable within our community:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Scope
+
+Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities.
+
+We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion.
+
+### Contact
+
+If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system.
+
+If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
diff --git a/i18n/ru/about/criteria.md b/i18n/ru/about/criteria.md
new file mode 100644
index 00000000..a633946e
--- /dev/null
+++ b/i18n/ru/about/criteria.md
@@ -0,0 +1,42 @@
+---
+title: General Criteria
+---
+
+!!! example "Work in Progress"
+
+ The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24)
+
+Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion.
+
+## Financial Disclosure
+
+We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors.
+
+## General Guidelines
+
+We apply these priorities when considering new recommendations:
+
+- **Secure**: Tools should follow security best-practices wherever applicable.
+- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives.
+- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in.
+- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases.
+- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required.
+- **Documented**: Tools should have clear and extensive documentation for use.
+
+## Developer Self-Submissions
+
+We have these requirements in regard to developers which wish to submit their project or software for consideration.
+
+- Must disclose affiliation, i.e. your position within the project being submitted.
+
+- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc.
+ - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit.
+
+- Must explain what the project brings to the table in regard to privacy.
+ - Does it solve any new problem?
+ - Why should anyone use it over the alternatives?
+
+- Must state what the exact threat model is with their project.
+ - It should be clear to potential users what the project can provide, and what it cannot.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/about/donate.md b/i18n/ru/about/donate.md
new file mode 100644
index 00000000..965414b8
--- /dev/null
+++ b/i18n/ru/about/donate.md
@@ -0,0 +1,52 @@
+---
+title: Поддержать нас
+---
+
+
+Нам нужно много [людей](https://github.com/privacyguides/privacyguides.org/graphs/contributors) и [работы](https://github.com/privacyguides/privacyguides.org/pulse/monthly) чтобы поддерживать Priacy Guides в актуальном состоянии и распространять информацию о безопасности и массовой слежке. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides).
+
+Если вы хотите помочь нам материально, лучшим способом будет пожертвование через Open Collective, ресурс, управляемый нашим фискальным агентом. Open Collective поддерживает оплату через кредитную или дебетовую карту, PayPal, банковские переводы.
+
+[Пожертвовать на OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary}
+
+Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. После пожертвования вы получите чек от Фонда Open Collective. Privacy Guides не предоставляет финансовых консультаций, и вам следует обратиться к своему налоговому консультанту, чтобы узнать, применимо ли это к вам.
+
+Если вы уже пользуетесь спонсорством на GitHub, вы также можете спонсировать нашу организацию там.
+
+[Спонсировать нас на GitHub](https://github.com/sponsors/privacyguides ""){.md-button}
+
+## Спонсоры
+
+Особая благодарность тем, кто поддерживает нашу миссию! :heart:
+
+*Внимание: этот раздел загружает виджет непосредственно из Open Collective. В этом разделе нет пожертвований, которые сделаны за пределами Open Collective, и мы не контролируем конкретных спонсоров, указанных в этом разделе.*
+
+
+
+## Как мы используем пожертвования
+
+Privacy Guides - это **некоммерческая** организация.
Мы используем пожертвования в различных целях, в том числе для:
+
+**Регистрации доменов**
+:
+
+У нас есть несколько доменных имен, таких как `privacyguides.org`, регистрация которых обходится нам примерно в 10 долларов в год.
+
+**Хостинга**
+:
+
+Трафик этого сайта составляет сотни гигабайт данных в месяц, и мы используем различных поставщиков услуг для поддержания этого трафика.
+
+**Онлайн-сервисов**
+:
+
+Мы хостим [интернет сервисы](https://privacyguides.net) для тестирования и демонстрации разных конфиденциальных продуктов, которые мы предпочитаем и [рекомендуем](../tools.md). Некоторые из них общедоступны для использования сообществом (SearXNG, Tor, и т. д.) а некоторые предоставляются для членов нашей команды (почта, и т. д.).
+
+**Покупки продукции**
+:
+
+Иногда мы приобретаем продукты и услуги для тестирования [рекомендуемых нами инструментов](../tools.md).
+
+Мы всё ещё работаем над нашим фискальным хостом (Фонд Open Collective), чтобы получать пожертвования в криптовалюте, сейчас учёт множества мелких операций невозможен, но мы постараемся изменить это в будущем. А пока, если вы хотите сделать большое (> $100) пожертвование в криптовалюте, пожалуйста обратитесь по адресу [jonah@privacyguides.org](mailto:jonah@privacyguides.org).
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/about/index.md b/i18n/ru/about/index.md
new file mode 100644
index 00000000..e86f19ae
--- /dev/null
+++ b/i18n/ru/about/index.md
@@ -0,0 +1,63 @@
+---
+title: "About Privacy Guides"
+---
+
+**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors.
+
+[:material-hand-coin-outline: Support the project](donate.md ""){.md-button.md-button--primary}
+
+## Our Team
+
+??? person "@jonah"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah)
+ - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon")
+ - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me}
+ - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com)
+
+??? person "@niek-de-wilde"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde)
+ - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447")
+ - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me}
+
+??? person "@dngray"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray)
+ - [:simple-github: GitHub](https://github.com/dngray "@dngray")
+ - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me}
+ - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org)
+
+??? person "@freddy"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy)
+ - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m")
+ - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me}
+ - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org)
+ - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol)
+
+???
person "@mfwmyfacewhen"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen)
+ - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen")
+ - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol)
+
+??? person "@olivia"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia)
+ - [:simple-github: GitHub](https://github.com/hook9 "@hook9")
+ - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me}
+
+Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub!
+
+Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax deductible in the United States.
+
+## Site License
+
+*The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):*
+
+:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license.
Однако вы **не можете** использовать бренд PrivacyGuides в своем проекте без нашего специального разрешения. If you remix, transform, or build upon the content of this website, you may not distribute the modified material.
+
+This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space!
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/about/notices.md b/i18n/ru/about/notices.md
new file mode 100644
index 00000000..ce7b4b0f
--- /dev/null
+++ b/i18n/ru/about/notices.md
@@ -0,0 +1,45 @@
+---
+title: "Примечания и отказ от ответственности"
+hide:
+ - toc
+---
+
+## Отказ от ответственности
+
+Privacy Guides не является юридической организацией. Следовательно, Privacy Guides не предоставляет вам юридическую помощь. Материалы и рекомендации на нашем сайте никоим образом не являются юридическими советами, равно как и участие в работе сайта/общение с PrivacyGuides или её участниками не являются правозащитными отношениями.
+
+Работа этого сайта, как и любая другая деятельность человека, связана с неопределенностью и компромиссами. Мы надеемся, что этот ресурс поможет вам, однако он может содержать некоторые ошибки и не может охватить все ситуации. Если у вас возникли какие-либо вопросы по той или иной ситуации, мы рекомендуем вам провести своё собственное исследование, обратиться к другим экспертам и принять участие в обсуждении с сообществом PrivacyGuides. Если у вас есть какие-либо юридические вопросы, вам следует проконсультироваться с вашим собственным юристом, прежде чем двигаться дальше.
+
+PrivacyGuides - это проект с открытым исходным кодом, созданный на основе лицензий, включающих условия, которые, в целях защиты сайта и его участников, ясно дают понять, что проект PrivacyGuides и его сайт предлагаются "как есть", без каких-либо гарантий и отказа от ответственности за ущерб, возникший в результате использования сайта или любых рекомендаций, содержащихся в нем. PrivacyGuides не гарантирует и не делает никаких заявлений о точности, возможных результатах или надежности использования материалов на сайте или иным образом связанных с такими материалами сайтах или на любых сторонних сайтах, отмеченных на данной веб-странице.
+
+Кроме того, PrivacyGuides не гарантирует, что данный веб-сайт будет постоянно доступен или доступен вообще.
+
+## Лицензии
+
+Если не указано иное, все содержимое этого сайта находится в свободном доступе на условиях лицензии [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE).
+
+Это не относится к коду сторонних разработчиков, встроенному в данный репозиторий, или к коду, в котором так или иначе указана другая лицензия. Ниже приведены яркие примеры, но этот список не является исчерпывающим:
+
+* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/mathjax.js) распространяется под лицензией [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/LICENSE.mathjax.txt).
+
+Часть этого описания была взята из [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) на GitHub. Этот ресурс и сама веб-страница выпущены под [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE).
+
+Это означает, что вы можете использовать контент из этого репозитория в личных целях на условиях, изложенных в тексте Creative Commons Attribution-NoDerivatives 4.0 International Public License. Вы можете делать это любым способом в рамках разумного, но не говорить, что Privacy Guides одобряет ваш проект или ваше использование материалов. Однако вы **не можете** использовать бренд PrivacyGuides в своем проекте без нашего специального разрешения. Торговые марки бренда PrivacyGuides включают в себя название "Privacy Guides" и логотип в виде щита.
+
+Мы считаем, что логотипы и другие изображения в `assets`, полученные от сторонних лиц, являются либо публичным достоянием, либо находятся в **добросовестном использовании**. В двух словах, правовая доктрина [добросовестного использования](https://ru.wikipedia.org/wiki/Добросовестное_использование) разрешает использование изображений, защищенных авторским правом, для идентификации предмета в целях общественного обсуждения.
Тем не менее, эти логотипы и другие изображения могут подпадать под действие законов о товарных знаках в тех или иных юрисдикциях. Перед использованием этого контента, пожалуйста, убедитесь, что он используется для идентификации юридического лица или организации, которой принадлежит товарный знак, и что у вас есть право использовать его в соответствии с законами, которые применяются в обстоятельствах вашего предполагаемого использования. *При копировании материалов с этого сайта вы несете полную ответственность за то, что не нарушаете авторские права.*
+
+Когда вы вносите свой вклад в этот репозиторий, вы делаете это на основании вышеуказанных лицензий, и вы предоставляете Privacy Guides бессрочную, всемирную, неисключительную, передаваемую, безвозмездную, безотзывную лицензию с правом сублицензирования таких прав через несколько уровней сублицензиатов, на воспроизведение, изменение, отображение, исполнение и распространение вашего вклада как части нашего проекта.
+
+## Допустимое использование
+
+Вы не должны использовать данный веб-сайт любым способом, который наносит или может нанести ущерб сайту или нарушить его доступность, или любым способом, являющимся незаконным, мошенническим, вредным, или в связи с любой незаконной, мошеннической или вредной целью/деятельностью.
+
+Вы не можете осуществлять какие-либо автоматизированные действия по сбору данных на этом сайте или на связанных с ним элементах без письменного согласия, включая:
+
+* Чрезмерное автоматическое сканирование
+* DoS-атаки
+* Скрейпинг
+* Data mining (просев информации, добыча данных, извлечение данных)
+* "Фрейминг" (IFrames)
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/about/privacy-policy.md b/i18n/ru/about/privacy-policy.md
new file mode 100644
index 00000000..9b040630
--- /dev/null
+++ b/i18n/ru/about/privacy-policy.md
@@ -0,0 +1,63 @@ +--- +title: "Политика конфиденциальности" +--- + +Privacy Guides - это общественный проект, управляемый несколькими активными добровольцами. Актуальный список участников нашей команды [вы можете найти на GitHub](https://github.com/orgs/privacyguides/people). + +## Какие данные мы собираем от посетителей + +Конфиденциальность посетителей нашего сайта очень важна для нас, поэтому мы не отслеживаем конкретных людей. Если вы посетитель нашего сайта: + +- Никакая персональная информация о вас не собирается +- No information such as cookies are stored in the browser +- Никакая информация не передаётся третьим лицам +- Никакая информация не передаётся рекламным компаниям +- Никакая информация не собирается для изучения личных и поведенческих тенденций +- Ваша информация не монетизируется + +You can view the data we collect on our [statistics](statistics.md) page. + +Мы используем self-hosted установку [Plausible Analytics](https://plausible.io) для сбора некоторых анонимных данных об использовании в статистических целях. Цель заключается в отслеживании общих тенденций посещаемости нашего сайта, а не в отслеживании отдельных посетителей. Все данные приведены только в агрегированном виде. Никакие личные данные не собираются. + +Собранные данные включают в себя источники, с которых вы пришли, самые популярные страницы, продолжительность посещения, информацию об устройствах (тип устройства, операционная система, страна и браузер), использованных во время посещения, и так далее. Вы можете узнать больше о том, как Plausible работает и собирает информацию не нарушая вашу приватность [здесь](https://plausible.io/data-policy). + +## Какие данные мы собираем от владельцев аккаунтов + +На некоторых веб-сайтах и сервисах, которые мы предоставляем, для работы многих функций может потребоваться учетная запись. Например, учетная запись может потребоваться для размещения сообщений и ответов на темы на форуме. 
+ +Для регистрации большинства учетных записей мы собираем имя, никнейм, адрес электронной почты и пароль. В случае если веб-сайт требует больше информации, то это будет четко отмечено в отдельном пункте политики конфиденциальности. + +Мы используем данные вашей учетной записи для идентификации вас на сайте и для создания страниц, предназначенных именно для вас, например, страницы вашего профиля. Мы также используем данные вашей учетной записи для публикации вашего публичного профиля на наших сервисах. + +Мы используем вашу электронную почту для: + +- Уведомления вас о сообщениях и другой активности на веб-сайтах и проектах. +- Сброса пароля и обеспечения безопасности вашей учетной записи. +- Связи с вами в особых случаях, связанных с вашей учетной записью. +- Связи с вами по юридическим запросам, например, по вопросам DMCA. + +На некоторых веб-сайтах и проектах вы можете предоставить дополнительную информацию о вашей учетной записи, например, краткую биографию, аватар, ваше местоположение или день рождения. Эта информация доступна каждому, кто может получить доступ к веб-сайту или проекту. Однако эта информация не нужна для использования наших сайтов и может быть удалена вами в любое время. + +Мы храним данные вашей учетной записи до тех пор, пока ваша учетная запись открыта. После закрытия учетной записи мы можем сохранить некоторые данные о вашем аккаунте в виде резервной копии или архива на срок до 90 дней. + +## Как с нами связаться + +Команда Privacy Guides обычно не имеет доступа к персональным данным, за исключением ограниченного доступа, предоставляемого через некоторые панели модерации. Запросы, касающиеся вашей личной информации, следует направлять непосредственно по адресу: + +```text +Jonah Aragon +Services Administrator, Aragon Ventures LLC +jonah@privacyguides.org +``` + +По другим вопросам вы можете обратиться к любому члену нашей команды. 
+ +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## Об этой политике + +We will post any new versions of this statement [here](privacy-policy.md). Мы можем изменить способ объявления изменений в будущих версиях политики. В то же время мы можем обновить контактные данные в любое время без объявления об изменениях. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. + +--8<-- "includes/abbreviations.ru.txt" diff --git a/i18n/ru/about/privacytools.md b/i18n/ru/about/privacytools.md new file mode 100644 index 00000000..74fe67e5 --- /dev/null +++ b/i18n/ru/about/privacytools.md 
@@ -0,0 +1,120 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. 
The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. 
+ +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. 
This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. 
If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. 
+ +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. 
BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. 
+ +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. 
+ +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. 
+ +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) + +--8<-- "includes/abbreviations.ru.txt" diff --git a/i18n/ru/about/services.md b/i18n/ru/about/services.md new file mode 100644 index 00000000..6997f3b3 --- /dev/null +++ b/i18n/ru/about/services.md 
@@ -0,0 +1,40 @@ +# Сервисы Privacy Guides + +Мы держим ряд веб-сервисов для тестирования возможностей и продвижения классных децентрализованных, федеративных и/или открытых проектов. Многие из этих сервисов доступны публично и описаны ниже. + +[:material-comment-alert: Сообщить о проблеме](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Адрес: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Доступ: Публичный +- Исходный код: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Адрес: [code.privacyguides.dev](https://code.privacyguides.dev) +- Доступ: Только по приглашению + Доступ может быть предоставлен по запросу любой команде, работающей над разработкой или контентом связанными с *Privacy Guides*. +- Исходный код: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Адрес: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Доступ: Только по приглашению + Доступ может быть предоставлен по запросу членам команды Privacy Guides, модераторам чатов в Matrix, сторонним администраторам сообществ Matrix, операторам Matrix-ботов и другим лицам, нуждающимся в надежном Matrix-сервере. +- Исходный код: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Адрес: [search.privacyguides.net](https://search.privacyguides.net) +- Доступ: Публичный +- Исходный код: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) + +--8<-- "includes/abbreviations.ru.txt" 
diff --git a/i18n/ru/about/statistics.md b/i18n/ru/about/statistics.md new file mode 100644 index 00000000..8dbab7e9 --- /dev/null +++ b/i18n/ru/about/statistics.md @@ -0,0 +1,63 @@ +--- +title: Статистика посещений +--- + +## Статистика сайта + + +
Статистика от Plausible Analytics
+ + + + +## Статистика блога + + +
Статистика от Plausible Analytics
+ + + + +--8<-- "includes/abbreviations.ru.txt" diff --git a/i18n/ru/advanced/communication-network-types.md b/i18n/ru/advanced/communication-network-types.md new file mode 100644 index 00000000..cd6b353e --- /dev/null +++ b/i18n/ru/advanced/communication-network-types.md 
@@ -0,0 +1,104 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Рекомендуемые мессенджеры](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. 
+- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. 
They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. 
There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. 
Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. + +--8<-- "includes/abbreviations.ru.txt" diff --git a/i18n/ru/advanced/dns-overview.md b/i18n/ru/advanced/dns-overview.md new file mode 100644 index 00000000..a31164bb --- /dev/null +++ b/i18n/ru/advanced/dns-overview.md 
@@ -0,0 +1,307 @@
+---
+title: "DNS Overview"
+icon: material/dns
+---
+
+The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers.
+
+## Что такое DNS?
+
+When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned.
+
+DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol).
+
+Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP.
+
+Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns).
+
+### Незашифрованный DNS
+
+1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow.
This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. 
| Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS через TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. 
Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS через HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. 
When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Почему **не следует** использовать зашифрованный DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP-адрес + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. 
We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. 
Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. 
We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. 
It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? 
+
+A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server).
+
+Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
+
+## What is EDNS Client Subnet (ECS)?
+
+The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query.
+
+It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps.
+
+This feature does come at a privacy cost, as it tells the DNS server some information about the client's location.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/advanced/tor-overview.md b/i18n/ru/advanced/tor-overview.md
new file mode 100644
index 00000000..6b51d05a
--- /dev/null
+++ b/i18n/ru/advanced/tor-overview.md
@@ -0,0 +1,81 @@
+---
+title: "Tor Overview"
+icon: 'simple/torproject'
+---
+
+Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications.
+
+## Path Building
+
+Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays).
+
+Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function:
+
+### The Entry Node
+
+The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to.
+
+Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1]
+
+### The Middle Node
+
+The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to.
+
+For each new circuit, the middle node is randomly selected out of all available Tor nodes.
+
+### The Exit Node
+
+The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to.
+
+The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2]
+
+
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Дополнительные советы + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +--8<-- "includes/abbreviations.ru.txt" + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. 
The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/ru/android.md b/i18n/ru/android.md
new file mode 100644
index 00000000..969671ae
--- /dev/null
+++ b/i18n/ru/android.md
@@ -0,0 +1,353 @@ +--- +title: "Android" +icon: 'simple/android' +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +- [General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md) +- [Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) + +## Деривативы AOSP + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! 
recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Политика Конфиденциальности" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Документация} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Внести свой вклад } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! 
recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). 
All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. 
For other apps, our recommended methods of obtaining them still apply. + +!!! note + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. 
Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). 
If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! note + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! 
recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! 
recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). 
If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. 
+ +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. 
+ + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. 
While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено.
+
+### Программное обеспечение
+
+- Must be open-source software.
+- Must support bootloader locking with custom AVB key support.
+- Must receive major Android updates within 0-1 months of release.
+- Must receive Android feature updates (minor version) within 0-14 days of release.
+- Must receive regular security patches within 0-5 days of release.
+- Must **not** be "rooted" out of the box.
+- Must **not** enable Google Play Services by default.
+- Must **not** require system modification to support Google Play Services.
+
+### Devices
+
+- Must support at least one of our recommended custom operating systems.
+- Must be currently sold new in stores.
+- Must receive a minimum of 5 years of security updates.
+- Must have dedicated secure element hardware.
+
+### Applications
+
+- Applications on this page must not be applicable to any other software category on the site.
+- General applications should extend or replace core system functionality.
+- Applications should receive regular updates and maintenance.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/assets/img/account-deletion/exposed_passwords.png b/i18n/ru/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/ru/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/ru/assets/img/android/rss-apk-dark.png b/i18n/ru/assets/img/android/rss-apk-dark.png
new file mode 100644
index 00000000..974869a4
Binary files /dev/null and b/i18n/ru/assets/img/android/rss-apk-dark.png differ
diff --git a/i18n/ru/assets/img/android/rss-apk-light.png b/i18n/ru/assets/img/android/rss-apk-light.png
new file mode 100644
index 00000000..21d6ef03
Binary files /dev/null and b/i18n/ru/assets/img/android/rss-apk-light.png differ
diff --git a/i18n/ru/assets/img/android/rss-changes-dark.png b/i18n/ru/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/ru/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/ru/assets/img/android/rss-changes-light.png b/i18n/ru/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/ru/assets/img/android/rss-changes-light.png differ diff --git a/i18n/ru/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/ru/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/ru/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ru/assets/img/how-tor-works/tor-encryption.svg b/i18n/ru/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/ru/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/ru/assets/img/how-tor-works/tor-path-dark.svg b/i18n/ru/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/ru/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ru/assets/img/how-tor-works/tor-path.svg b/i18n/ru/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/ru/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ru/assets/img/multi-factor-authentication/fido.png b/i18n/ru/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/ru/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/ru/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/ru/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/ru/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/ru/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/ru/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/ru/assets/img/qubes/qubes-trust-level-architecture.png differ 
diff --git a/i18n/ru/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/ru/assets/img/qubes/r4.0-xfce-three-domains-at-work.png
new file mode 100644
index 00000000..d7138149
Binary files /dev/null and b/i18n/ru/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ
diff --git a/i18n/ru/basics/account-creation.md b/i18n/ru/basics/account-creation.md
new file mode 100644
index 00000000..5599ad05
--- /dev/null
+++ b/i18n/ru/basics/account-creation.md
@@ -0,0 +1,82 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. 
+ +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. 
This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. 
Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. + +--8<-- "includes/abbreviations.ru.txt" 
diff --git a/i18n/ru/basics/account-deletion.md b/i18n/ru/basics/account-deletion.md new file mode 100644 index 00000000..9b163e23 --- /dev/null +++ b/i18n/ru/basics/account-deletion.md @@ -0,0 +1,63 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### VPN сервисы + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. 
It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. 
+ +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. 
+ +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! + +--8<-- "includes/abbreviations.ru.txt" diff --git a/i18n/ru/basics/common-misconceptions.md b/i18n/ru/basics/common-misconceptions.md new file mode 100644 index 00000000..a4397502 --- /dev/null +++ b/i18n/ru/basics/common-misconceptions.md 
@@ -0,0 +1,61 @@ +--- +title: "Common Misconceptions" +icon: 'material/robot-confused' +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. 
You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. 
==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. 
This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +--8<-- "includes/abbreviations.ru.txt" + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/ru/basics/common-threats.md b/i18n/ru/basics/common-threats.md new file mode 100644 index 00000000..7a525ce7 --- /dev/null +++ b/i18n/ru/basics/common-threats.md 
@@ -0,0 +1,149 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. 
+ +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. 
The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). 
+ +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. 
Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. 
+
+Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all.
+
+## Mass Surveillance Programs
+
+:material-eye-outline: Mass Surveillance
+
+Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative.
+
+!!! abstract "Atlas of Surveillance"
+
+ If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/).
+
+ In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net.
+
+Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others.
+
+!!!
quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
+
+ In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline.
+
+Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2]
+
+Online, you can be tracked via a variety of methods:
+
+- Your IP address
+- Browser cookies
+- The data you submit to websites
+- Your browser or device fingerprint
+- Payment method correlation
+
+\[This list isn't exhaustive].
+
+If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information.
+
+:material-account-cash: Surveillance Capitalism
+
+> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3]
+
+For many people, tracking and surveillance by private corporations is a growing concern.
Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4]
+
+Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you.
+
+## Limiting Public Information
+
+:material-account-search: Public Exposure
+
+The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy.
+
+- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md)
+
+On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission.
+
+If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity.
This makes your real information indistinguishable from the false information.
+
+## Avoiding Censorship
+
+:material-close-outline: Censorship
+
+Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5]
+
+Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.
+
+People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.
+
+!!! tip
+
+ While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic.
+
+ You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place.
Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
+
+You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.
+
+--8<-- "includes/abbreviations.ru.txt"
+
+[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance).
+[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques.
+[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights).
diff --git a/i18n/ru/basics/email-security.md b/i18n/ru/basics/email-security.md
new file mode 100644
index 00000000..d7ce0046
--- /dev/null
+++ b/i18n/ru/basics/email-security.md
@@ -0,0 +1,42 @@
+---
+title: Email Security
+icon: material/email
+---
+
+Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed.
+
+As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others.
+
+## Email Encryption Overview
+
+The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
+
+There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible.
+
+### What Email Clients Support E2EE?
+
+Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication.
+
+### How Do I Protect My Private Keys?
+
+A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
+
+It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.
+
+## Email Metadata Overview
+
+Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
+
+Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent.
+
+### Who Can View Email Metadata?
+
+Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages.
+
+### Why Can't Metadata be E2EE?
+
+Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/basics/multi-factor-authentication.md b/i18n/ru/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..5a72547d
--- /dev/null
+++ b/i18n/ru/basics/multi-factor-authentication.md
@@ -0,0 +1,166 @@
+---
+title: "Multi-Factor Authentication"
+icon: 'material/two-factor-authentication'
+---
+
+**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app.
+
+Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone.
+
+MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO.
+
+## MFA Method Comparison
+
+### SMS or Email MFA
+
+Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account.
+
+### Push-уведомления
+
+Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first.
+
+We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices.
+
+The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app.
+
+### Time-based One-time Password (TOTP)
+
+TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password.
+
+The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes.
+
+If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app.
+
+Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks.
If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds).
+
+An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
+
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+
+### Hardware security keys
+
+The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory.
+
+These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones.
+
+#### Yubico OTP
+
+Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server.
+
+When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field.
+
+The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
+
+
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png)
+
+
+There are some benefits and disadvantages to using Yubico OTP when compared to TOTP.
+
+The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance.
+
+If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key.
+
+#### FIDO (Fast IDentity Online)
+
+[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn).
+
+U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on.
+
+WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication.
+
+
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png)
+
+
+When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal.
+
+This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards.
+
+
+
+
+
+FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods.
+
+Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy.
+
+Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys.
+
+If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA.
+
+## Общие рекомендации
+
+We have these general recommendations:
+
+### Which Method Should I Use?
+
+When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account.
+
+### Backups
+
+You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one.
+
+When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)).
+
+### Initial Set Up
+
+When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well.
+
+### Email and SMS
+
+If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method.
+
+If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam).
+
+[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button}
+
+## More Places to Set Up MFA
+
+Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well.
+
+### Windows
+
+Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer.
+
+### macOS
+
+macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer.
+
+Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS.
+
+After your smartcard/security key is set up, we recommend running this command in the Terminal:
+
+```text
+sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
+```
+
+The command will prevent an adversary from bypassing MFA when the computer boots.
+
+### Linux
+
+!!! note
+
+ If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide.
+
+The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS.
+
+### Qubes OS
+
+Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS.
+
+### SSH
+
+#### Аппаратные ключи безопасности
+
+SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up.
+
+#### Time-based One-time Password (TOTP)
+
+SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ.
+
+### KeePass (и KeePassXC)
+
+KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/basics/passwords-overview.md b/i18n/ru/basics/passwords-overview.md
new file mode 100644
index 00000000..482da401
--- /dev/null
+++ b/i18n/ru/basics/passwords-overview.md
@@ -0,0 +1,112 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. 
+ +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! 
note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. 
+ + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Анонимные сети + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. 
+ +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. + +--8<-- "includes/abbreviations.ru.txt" diff --git a/i18n/ru/basics/threat-modeling.md b/i18n/ru/basics/threat-modeling.md new file mode 100644 index 00000000..f32915b4 --- /dev/null +++ b/i18n/ru/basics/threat-modeling.md 
@@ -0,0 +1,111 @@ +--- +title: "Моделирование угроз" +icon: 'material/target-account' +--- + +Баланс между безопасностью, конфиденциальностью и удобством использования - одна из первых и самых сложных задач, с которыми вы столкнетесь на пути к конфиденциальности. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +Если вы хотите использовать **наиболее** безопасные инструменты, то вам придется пожертвовать *множеством* удобств. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. Поэтому модели угроз очень важны. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. Что я хочу защитить? +2. От кого я хочу это защитить? +3. Насколько вероятно, что мне понадобится это защищать? +4. Насколько серьезными будут последствия, если я потерплю неудачу? +5. Через какие трудности я готов пройти, чтобы попытаться предотвратить возможные последствия? + +### Что я хочу защитить? + +То, что вы хотите защитить, должно быть ценным и нуждаться в защите. 
In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Ваши устройства также могут являться объектом защиты. + +*Составьте список с данными, которые вы хотите защитить, и ответьте на вопросы: где они хранятся, кто имеет к ним доступ и что мешает другим получить к ним доступ.* + +### От кого я хочу это защитить? + +Чтобы ответить на этот вопрос, важно определить, кто может хотеть вашу информацию. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. В ваш список могут входить отдельные люди, государственные учреждения или корпорации.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### Насколько вероятно, что мне понадобится это защищать? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. Например: ваш мобильный оператор имеет возможность получить доступ ко всем вашим данным, но риск того, что они разместят ваши личные данные в Интернете, чтобы нанести ущерб вашей репутации, невелик. + +Важно понимать различие между тем, что может произойти, и вероятностью того, что это может произойти. Например, существует угроза обрушения вашего здания, но риск того, что это произойдет гораздо выше в Сан-Франциско (где землетрясения происходят часто), чем в Стокгольме (где их нет). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. 
В других случаях люди могут игнорировать высокие риски, потому что не считают угрозу проблемой. + +*Запишите, какие угрозы вы собираетесь воспринимать всерьез, а какие могут быть слишком редкими или слишком безобидными (или слишком сложными для борьбы), чтобы беспокоиться о них.* + +### Насколько серьезными будут последствия, если я потерплю неудачу? + +Существует множество способов, с помощью которых противники могут получить доступ к вашим данным. Например, противник может прочитать ваши личные сообщения, проходящие через сеть, или удалить или повредить ваши данные. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. А политический противник может захотеть получить доступ к секретному контенту и опубликовать его без вашего ведома. + +Моделирование угроз предполагает понимание того, насколько серьезными могут быть последствия, если противник успешно получит доступ к вашему защищаемому объекту. Чтобы определить последствия, вы должны рассмотреть возможности вашего противника. For example, your mobile phone provider has access to all of your phone records. Хакер, находящийся в открытой Wi-Fi-сети, может получить доступ к вашим незашифрованным сообщениям. Ваше правительство может иметь более мощные возможности. + +*Подумайте, что ваш противник может захотеть сделать с вашими конфиденциальными данными.* + +### Через какие трудности я готов пройти, чтобы попытаться предотвратить возможные последствия? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Оценка рисков позволит вам разработать правильную стратегию лично для вас, которая будет сочетать в себе и удобство, и цену, и конфиденциальность. 
+ +Например: адвокат, представляющий клиента в деле о национальной безопасности, готов приложить больше усилий для защиты сообщений (например, использовать зашифрованную электронную почту), чем мать, которая регулярно отправляет своей дочери смешные видео с котиками. + +*Запишите, какими способами вы можете справиться с вашими уникальными угрозами. Обратите внимание на то, есть ли у вас финансовые, технические или социальные ограничения.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**Что вы хотите защитить? (Или *что у вас есть такого, что стоит защищать?*)** +: + +Ваше имущество может включать ювелирные изделия, электронику, важные документы или фотографии. + +**От кого вы хотите это защитить?** +: + +Среди ваших противников могут быть грабители, соседи или гости. + +**Насколько вероятно, что вам понадобится это защищать?** +: + +Есть ли в вашем районе история краж со взломом? How trustworthy are your roommates or guests? Каковы возможности ваших противников? Какие риски вы должны учитывать? + +**Насколько серьезными будут последствия, если вы потерпите неудачу?** +: + +Есть ли у вас в доме что-то, что вы не можете заменить? Do you have the time or money to replace those things? Есть ли у вас страховка, покрывающая вещи, украденные из вашего дома? + +**Через какие трудности вы готовы пройти, чтобы попытаться предотвратить возможные последствия?** +: + +Готовы ли вы купить сейф для секретных документов? Можете ли вы позволить себе купить высококачественный замок? Есть ли у вас время открыть банковскую ячейку в банке и хранить там свои ценности? + +Только после того, как вы зададите себе эти вопросы, вы сможете оценить, какие меры следует предпринять. 
Если ваше имущество ценно, но вероятность взлома мала, то, возможно, вы не захотите тратить слишком много денег на хороший замок. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Составление плана безопасности поможет вам понять, какие угрозы характерны только для вас, оценить ваше имущество, ваших противников и их возможности, а также вероятность рисков, с которыми вы можете столкнуться. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Источники + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) + +--8<-- "includes/abbreviations.ru.txt" diff --git a/i18n/ru/basics/vpn-overview.md b/i18n/ru/basics/vpn-overview.md new file mode 100644 index 00000000..8da6876c --- /dev/null +++ b/i18n/ru/basics/vpn-overview.md 
@@ -0,0 +1,78 @@ +--- +title: VPN Overview +icon: material/vpn +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. 
However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. 
If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. 
Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) + +--8<-- "includes/abbreviations.ru.txt" diff --git a/i18n/ru/calendar.md b/i18n/ru/calendar.md new file mode 100644 index 00000000..2480f51a --- /dev/null +++ b/i18n/ru/calendar.md 
@@ -0,0 +1,71 @@ +--- +title: "Синхронизация календаря" +icon: material/calendar +--- + +Ваши события в календаре - одни из самых конфиденциальных данных. Используйте продукты с поддержкой автоматического E2EE, чтобы предотвратить их чтение провайдером. + +## Tutanota + +!!! recommendation + + ![Логотип Tutanota](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Логотип Tutanota](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** предлагает бесплатный и зашифрованный календарь на поддерживаемых ими платформах. Среди его функций: автоматическое шифрование всех данных, совместный доступ, импорт/экспорт данных, многофакторная аутентификация и [другие функции](https://tutanota.com/calendar-app-comparison/). + + Создание нескольких календарей и расширенный совместный доступ доступны только платным подписчикам. + + [:octicons-home-16: Домашняя страница](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Поддержать } + + ??? downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! 
recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** - это зашифрованный календарь, доступный пользователям Proton через мобильные и веб-клиенты. Среди его функций: автоматическое шифрование всех данных, совместный доступ, импорт/экспорт данных и [другие функции](https://proton.me/support/proton-calendar-guide). Бесплатно доступен один календарь, а платные подписчики могут создавать до 20 календарей. Расширенные функции совместного доступа также доступны только по подписке. + + [:octicons-home-16: Домашняя страница](https://proton.me/ru/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/ru/legal/privacy){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Исходный код" } + + ??? downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Критерии + +**Обратите внимание, что у нас нет связей ни с одним из проектов, которые мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md)мы разработали четкий набор требований, позволяющий нам давать объективные рекомендации. Мы рекомендуем вам ознакомиться с этим списком, прежде чем выбрать программу, и провести самостоятельное исследование, чтобы убедиться, что это правильный выбор для вас. + +!!! example "Это новый раздел" + + Мы пока работаем над установлением определенных критериев для каждого раздела нашего сайта, и они могут поменяться в будущем. Если у вас есть вопросы по поводу наших критериев, пожалуйста, [задавайте их на нашем форуме](https://discuss.privacyguides.net/latest) и не думайте, что мы не учли что-то при составлении наших рекомендаций, если это не указано здесь. 
Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +### Минимальные требования + +- Сервис должен синхронизировать и хранить информацию с E2EE, чтобы она не была доступна команде сервиса и третьим лицам. + +### В лучшем случае + +Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных. + +- По возможности должна быть интеграция с родными приложениями "календарь" и "контакты" в операционной системе. + +--8<-- "includes/abbreviations.ru.txt" diff --git a/i18n/ru/cloud.md b/i18n/ru/cloud.md new file mode 100644 index 00000000..76140452 --- /dev/null +++ b/i18n/ru/cloud.md 
@@ -0,0 +1,62 @@
+---
+title: "Облачное хранилище"
+icon: material/file-cloud
+---
+
+Многие сервисы облачного хранилища требуют от вас полного доверия, что они не будут просматривать ваши файлы. Альтернативы, перечисленные ниже, устраняют необходимость в доверии, либо предоставляя вам контроль над вашими данными, либо используя E2EE.
+
+Если эти альтернативы не соответствуют вашим потребностям, мы предлагаем вам обратить внимание на [программы для шифрования](encryption.md).
+
+??? question "Ищете Nextcloud?"
+
+ Мы по-прежнему [рекомендуем](productivity.md) Nextcloud для самостоятельного хостинга пакета управления файлами, но мы не рекомендуем использование сторонних провайдеров Nextcloud-хранилища, так как встроенное в Nextcloud E2EE не подходит для домашнего использования.
+
+## Proton Drive
+
+!!! recommendation
+
+ ![Логотип Proton Drive](assets/img/cloud/protondrive.svg){ align=right }
+
+ **Proton Drive** - это сервис хранения файлов с E2EE от популярного провайдера зашифрованной электронной почты [Proton Mail](https://proton.me/ru/mail).
+
+ [:octicons-home-16: Домашняя страница](https://proton.me/ru/drive){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://proton.me/ru/legal/privacy){ .card-link title="Политика конфиденциальности" }
+ [:octicons-info-16:](https://proton.me/ru/support/drive){ .card-link title=Документация}
+ [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Исходный код" }
+
+ ??? downloads "Скачать"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851)
+
+Мобильные клиенты Proton Drive были выпущены в декабре 2022 года и пока не имеют открытого исходного кода.
Исторически сложилось так, что компания "Proton" откладывает выпуск исходного кода до окончания выпуска первоначального продукта, и выпуск исходного кода [запланирован](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) на конец 2023 года. Клиенты Proton Drive для ПК все еще находятся в разработке.
+
+## Критерии
+
+**Обратите внимание, что у нас нет связей ни с одним из проектов, которые мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md)мы разработали четкий набор требований, позволяющий нам давать объективные рекомендации. Мы рекомендуем вам ознакомиться с этим списком, прежде чем выбрать программу, и провести самостоятельное исследование, чтобы убедиться, что это правильный выбор для вас.
+
+!!! example "Это новый раздел"
+
+ Мы пока работаем над установлением определенных критериев для каждого раздела нашего сайта, и они могут поменяться в будущем. Если у вас есть вопросы по поводу наших критериев, пожалуйста, [задавайте их на нашем форуме](https://discuss.privacyguides.net/latest) и не думайте, что мы не учли что-то при составлении наших рекомендаций, если это не указано здесь. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено.
+
+### Минимальные требования к сервисам
+
+- Должны использовать обязательное сквозное шифрование.
+- Должны иметь бесплатную версию или пробный период для тестирования.
+- Должны поддерживать многофакторную аутентификацию TOTP или FIDO2, а также вход с помощью Passkey.
+- Должны иметь веб-интерфейс, поддерживающий основные функции управления файлами.
+- Должны обеспечивать легкий экспорт всех файлов/документов.
+- Должно использоваться стандартное, проверенное шифрование.
+
+### В лучшем случае
+
+Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории.
Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных.
+
+- Клиенты должны иметь открытый код.
+- Клиенты должны быть полностью проверены независимой третьей стороной.
+- Должны предлагать нативные клиенты для Linux, Android, Windows, macOS и iOS.
+ - Эти клиенты должны интегрироваться с собственными инструментами ОС для сервисов облачных хранилищ, такими как интеграция приложения Files на iOS или функциональность DocumentsProvider на Android.
+- Должны поддерживать простой обмен файлами с другими пользователями.
+- Должны предлагать, по крайней мере, базовые функции предварительного просмотра и редактирования файлов в веб-интерфейсе.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/data-redaction.md b/i18n/ru/data-redaction.md
new file mode 100644
index 00000000..7b74bfb6
--- /dev/null
+++ b/i18n/ru/data-redaction.md
@@ -0,0 +1,140 @@
+---
+title: "Инструменты для шифрования"
+icon: material/tag-remove
+---
+
+Когда вы делитесь с кем-то файлами, то не забудьте удалить связанные с ними метаданные. Файлы изображений обычно содержат [данные EXIF](https://ru.wikipedia.org/wiki/Exif). Иногда фотографии даже включают ваши [GPS](https://ru.wikipedia.org/wiki/GPS) координаты в метаданные файла.
+
+## Для компьютеров
+
+### ExifCleaner
+
+!!! recommendation
+
+ ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right }
+
+ **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. Он поддерживает многоядерную обработку нескольких файлов одновременно, а также темную тему.
+
+ [Посетить exifcleaner.com](https://exifcleaner.com){ .md-button .md-button--primary }
+
+ downloads
+
+ - [:fontawesome-brands-windows: Windows](https://github.com/szTheory/exifcleaner/releases)
+ - [:fontawesome-brands-apple: macOS](https://github.com/szTheory/exifcleaner/releases)
+ - [:fontawesome-brands-linux: Linux](https://github.com/szTheory/exifcleaner/releases)
+ - [:fontawesome-brands-github: Исходный код](https://github.com/szTheory/exifcleaner) downloads
+
+ - [:simple-windows11: Windows](https://pypi.org/project/mat2)
+ - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew)
+ - [:simple-linux: Linux](https://pypi.org/project/mat2)
+ - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface)
+
+## Прошивки для роутера
+
+### Scrambled Exif
+
+!!! recommendation
+
+ ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right }
+
+ **ExifEraser** is a modern, permissionless image metadata erasing application for Android.
+
+ Он может удалять данные [EXIF](https://ru.wikipedia.org/wiki/Exif) из многих форматов файлов и переведен на [множество](https://gitlab.com/juanitobananas/scrambled-exif/-/tree/master/app/src/main/res) языков.
+
+ [Перейти на gitlab.com](https://gitlab.com/juanitobananas/scrambled-exif){ .md-button .md-button--primary } downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser)
+ - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser)
+ - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases)
+
+The metadata that is erased depends on the image's file type:
+
+* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists.
+* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+
+After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image.
+
+The app offers multiple ways to erase metadata from images. recommendation
+
+* You can share an image from another application with ExifEraser.
+* Through the app itself, you can select a single image, multiple images at once, or even an entire directory.
+* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it.
+* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode.
+* Lastly, it allows you to paste an image from your clipboard.
+
+### Imagepipe
+
+!!! recommendation
+
+ ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right }
+
+ **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location.
+
+ [Перейти на codeberg.org](https://codeberg.org/Starfish/Imagepipe){ .md-button .md-button--primary } downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352)
+
+### PrivacyBlur
+
+!!!
recommendation
+
+ ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right }
+
+ **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online.
+
+ [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106)
+
+!!! note
+
+ You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid).
+
+## Шифрование через командную строку
+
+### Metapho
+
+!!! recommendation
+
+ ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right }
+
+ **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more).
+
+ Оно переведено на [множество](https://codeberg.org/Starfish/Imagepipe#translations) языков.
+
+ [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-windows11: Windows](https://exiftool.org)
+ - [:simple-apple: macOS](https://exiftool.org)
+ - [:simple-linux: Linux](https://exiftool.org)
+
+!!! example "Deleting data from a directory of files"
+
+ ```bash
+ exiftool -all= *.file_extension
+ ```
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга.
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено.
+
+- Apps developed for open-source operating systems must be open-source.
+- Apps must be free and should not include ads or other limitations.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/desktop-browsers.md b/i18n/ru/desktop-browsers.md
new file mode 100644
index 00000000..5fc02de1
--- /dev/null
+++ b/i18n/ru/desktop-browsers.md
@@ -0,0 +1,253 @@
+---
+title: "Desktop Browsers"
+icon: material/laptop
+---
+
+These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping your browser extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Firefox
+
+!!! recommendation
+
+ ![Логотип Bromite](assets/img/browsers/bromite.svg){ align=right }
+
+ **Bromite** - это браузер, основанный на [Chromium](https://en.wikipedia.org/wiki/Chromium_(web_browser)), с основой на конфиденциальность и безопасность, встроенную блокировку рекламы и некоторую рандомизацию цифровых отпечатков.
+
+ [Перейти на bromite.org](https://www.bromite.org){ .md-button .md-button--primary } [Политика конфиденциальности](https://www.bromite.org/privacy){ .md-button } downloads
+
+ - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows)
+ - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac)
+ - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox)
+
+!!! warning
+ Каждый установщик Firefox с веб-сайта Mozilla имеет в себе уникальный идентификатор, который используется для телеметрии. Идентификатор **не** включен в релизы браузера из [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/).
+
+### Firefox
+
+Tor Browser - это единственный способ действительно анонимно просматривать Интернет.
When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+Эти параметры можно найти на странице настроек *Приватность и защита* ( ≡ → Настройки → Приватность и защита).
+
+##### Улучшенная защита от отслеживания:
+
+- Выберите «Строгая»
+
+Это защищает вас, блокируя трекеры социальных сетей, скрипты отпечатков пальцев (обратите внимание, что это не защищает вас от *всех* отпечатков пальцев), криптомайнеры, межсайтовые файлы cookie для отслеживания и некоторые другие средства отслеживания. Улучшенная защита от отслеживания защищает от многих распространенных угроз, но не блокирует все пути отслеживания, поскольку разработан таким образом, чтобы минимально или вообще не влиять на удобство использования сайта.
+
+##### Куки и данные сайтов:
+
+[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) использует сквозное шифрование.
+
+- Выберите «Удалять куки и данные сайтов при закрытии Firefox»
+
+Это защищает вас от постоянных файлов cookie, но не защищает вас от файлов cookie, полученных в течение одного сеанса просмотра. Когда эта функция включена, можно легко очистить куки браузера, просто перезапустив Firefox. Вы можете установить исключения для каждого сайта, если вы хотите оставаться зарегистрированным на определенном сайте, который вы часто посещаете.
+
+##### Отключение поисковых предложений
+
+- [ ] Uncheck **Provide search suggestions**
+
+Функции предложения поиска могут быть недоступны в вашем регионе.
+
+Поисковые предложения отправляют все, что вы набираете в адресной строке, в поисковую систему по умолчанию, независимо от того, отправляете ли вы фактический поиск. Отключение поисковых предложений позволяет более точно контролировать данные, которые вы отправляете поставщику поисковых систем.
+
+##### Отключение телеметрии
+
+- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla**
+- [ ] Uncheck **Allow Firefox to install and run studies**
+- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf**
+
+> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.
+
+Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out:
+
+1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection)
+2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts**
+
+##### Режим «Только HTTPS»:
+
+- Выберите: "Включить режим «Только HTTPS» во всех окнах".
+
+Это предотвращает непреднамеренное подключение к веб-сайту с обычным HTTP-текстом. Протокол HTTP в настоящее время используется крайне редко, поэтому это практически не должно повлиять на ваш ежедневный просмотр веб-страниц.
+
+### Firefox Sync
+
+[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE.
+
+### Расширения
+
+The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox.
If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support.
+
+## Bromite
+
+!!! recommendation
+
+ ![Логотип Safari](assets/img/browsers/safari.svg){ align=right }
+
+ **Safari** - это браузер по умолчанию в iOS.
+
+ Он включает в себя [функции обеспечения конфиденциальности](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0): Intelligent Tracking Protection, отчет о конфиденциальности, изолированные вкладки частного доступа, частный узел iCloud и автоматическое обновление до HTTPS.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ??? downloads annotate
+
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+ - [:simple-windows11: Windows](https://brave.com/download/)
+ - [:simple-apple: macOS](https://brave.com/download/)
+ - [:simple-linux: Linux](https://brave.com/linux/) (1)
+
+ 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective.
Additionally, the package is not maintained by Brave Software, Inc.
+
+### Firefox
+
+Tor Browser - это единственный способ действительно анонимно просматривать Интернет. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings**.
+
+##### Режим «Только HTTPS»:
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+
+- [x] Select **Prevent sites from fingerprinting me based on my language preferences**
+- [x] Select **Aggressive** under Trackers & ads blocking
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under Block fingerprinting
+
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Постоянно включенный режим инкогнито
+
+- [x] Выбрать **Всегда использовать безопасные соединения**
+
+##### Предотвращение перекрестного отслеживания
+
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Use Google services for push messaging**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [x] Select **Always use secure connections** in the **Security** menu
+- [ ] Uncheck **Private window with Tor** (1)
+
+ !!! tip "Sanitizing on Close"
+ - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu
+
+ If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section.
+
+
+
+1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser).
+
+##### Отчет о конфиденциальности
+
+Disable built-in extensions you do not use in **Extensions**
+
+- [ ] Uncheck **Hangouts**
+- [ ] Uncheck **WebTorrent**
+
+##### Конфиденциальные рекламные отчеты
+
+InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+- Выберите **Предотвращение межсайтового отслеживания** для включения
+
+##### Apple Pay
+
+Under the *System* menu
+
+
+
+- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1)
+
+
+
+1. This option is not present on all platforms.
+
+### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## Дополнительные советы
+
+We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality.
+
+### AdGuard для Safari
+
+!!! recommendation
+
+ ![Логотип Snowflake](assets/img/browsers/snowflake.svg#only-light){ align=right }
+ ![Логотип Snowflake](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right }
+
+ **Snowflake** - это расширение для браузера, которое позволяет вам отдавать свою скорость интернета проекту Tor, используя "прокси Snowflake" в вашем браузере.
+
+ Люди, подвергающиеся цензуре, могут использовать прокси-серверы Snowflake для подключения к сети Tor. downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak)
+
+We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css).
+
+##### Other lists
+
+These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding:
+
+- [x] Check **Privacy** > **AdGuard URL Tracking Protection**
+- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга.
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено.
+
+### Минимальные требования к сервисам
+
+- Must be open-source software.
+- Supports automatic updates.
+- Receives engine updates in 0-1 days from upstream release.
+- Available on Linux, macOS, and Windows.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Blocks third-party cookies by default.
+- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1]
+
+### В лучшем случае
+
+Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории.
Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных.
+
+- Includes built-in content blocking functionality.
+- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)).
+- Supports Progressive Web Apps.
+ PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates.
+- Does not include add-on functionality (bloatware) that does not impact user privacy.
+- Does not collect telemetry by default.
+- Provides open-source sync server implementation.
+- Defaults to a [private search engine](search-engines.md).
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.ru.txt"
+
+[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/).
diff --git a/i18n/ru/desktop.md b/i18n/ru/desktop.md
new file mode 100644
index 00000000..ba9950ca
--- /dev/null
+++ b/i18n/ru/desktop.md
@@ -0,0 +1,180 @@
+---
+title: "Облачные хранилища"
+icon: fontawesome/brands/linux
+---
+
+Дистрибутивы Linux часто рекомендуются для защиты конфиденциальности и свободы пользователей. Если вы еще не используете Linux, ниже приведены некоторые дистрибутивы, которые мы рекомендуем попробовать, а также несколько общих советов по улучшению конфиденциальности и безопасности, которые применимы ко многим дистрибутивам Linux.
+
+- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md)
+
+## Традиционные дистрибутивы
+
+### Fedora Workstation
+
+!!! recommendation
+
+ ![Логотип Fedora](assets/img/linux-desktop/fedora-workstation.svg){ align=right }
+
+ **Fedora Workstation** - наш рекомендуемый дистрибутив для начинающих пользователей Linux. Fedora обычно внедряет новые технологии раньше других дистрибутивов, например, [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), и скоро [FS-Verity](https://fedoraproject.org/wiki/Changes/FsVerityRPM). Эти новые технологии часто улучшают безопасность, конфиденциальность и удобство использования в целом.
+
+ [Перейти на getfedora.org](https://getfedora.org/){ .md-button .md-button--primary }
+
+Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Каждый выпуск Fedora поддерживается в течение одного года, а новая версия выходит каждые 6 месяцев.
+
+### openSUSE Tumbleweed
+
+!!! recommendation
+
+ ![Логотип openSUSE Tumbleweed](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
+
+ **openSUSE Tumbleweed** - стабильный дистрибутив с [плавающей системой релизов](https://ru.wikipedia.org/wiki/Rolling_release). 
+
+ openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.
+
+ [Перейти на get.opensuse.org](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }
+
+Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality.
+
+### Arch Linux
+
+!!! recommendation
+
+ ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right }
+
+ **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).
+
+ [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute }
+
+Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.
+
+Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
+
+A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org).
+
+## Immutable Distributions
+
+### Fedora Silverblue
+
+!!! 
recommendation
+
+ ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right }
+
+ **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.
+
+ [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.
+
+After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed.
+
+[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. 
+
+As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer.
+
+### NixOS
+
+!!! recommendation
+
+ ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right }
+
+ NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.
+
+ [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute }
+
+NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.
+
+NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.
+
+Nix the package manager uses a purely functional language - which is also called Nix - to define packages.
+
+[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. 
You can also define your own packages in the same language and then easily include them in your config.
+
+Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible.
+
+## Anonymity-Focused Distributions
+
+### Whonix
+
+!!! recommendation
+
+ ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right }
+
+ **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os).
+
+ [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute }
+
+Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.
+
+Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. 
+
+Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
+
+Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors.
+
+### Tails
+
+!!! recommendation
+
+ ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right }
+
+ **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off.
+
+ [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute }
+
+Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized.
+
+Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. 
[Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device.
+
+By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots.
+
+## Security-focused Distributions
+
+### Qubes OS
+
+!!! recommendation
+
+ ![Логотип Qubes OS](assets/img/qubes/qubes_os.svg){ align=right }
+
+ **Qubes OS** - это операционная система с открытым исходным кодом, разработанная для обеспечения сильной безопасности персональных компьютеров. Qubes основан на Xen, X Window System и Linux, и может запускать большинство Linux-приложений и использовать большинство драйверов для Linux.
+
+ [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary }
+ [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute }
+
+Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*.
+
+The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). 
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга.
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено.
+
+Our recommended operating systems:
+
+- Must be open-source.
+- Must receive regular software and Linux kernel updates.
+- Linux distributions must support [Wayland](os/linux-overview.md#Wayland).
+- Must support full-disk encryption during installation.
+- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/dns.md b/i18n/ru/dns.md
new file mode 100644
index 00000000..1760375b
--- /dev/null
+++ b/i18n/ru/dns.md
@@ -0,0 +1,141 @@ +--- +title: "DNS-провайдеры" +icon: material/dns +--- + +!!! faq "Следует ли мне использовать зашифрованный DNS?" + + Зашифрованный DNS со сторонними серверами должен использоваться только для обхода базовой [DNS-блокировки](https://en.wikipedia.org/wiki/DNS_blocking) если вы уверены, что это не повлечет за собой никаких последствий. Зашифрованный DNS не поможет вам скрыть какую-либо активность в интернете. + + [Подробнее о DNS](technology/dns.md){ .md-button } + +## Рекомендованные провайдеры + +| DNS-провайдер | Политика конфиденциальности | Тип | Протоколы | Логирование | ECS | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------ | ----------------------------------------------------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Коммерческий | Cleartext
DoH
DoT
DNSCrypt | Частичное[^1] | Нет Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) |
+| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Коммерческий | Cleartext
DoH
DoT | Частичное[^1] | Нет |
+| [**ControlID**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Коммерческий | Cleartext
DoH
DoT | Частичное[^1] | Нет |
+| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | Коммерческий | DoH
DoT | Частичное[^1] | Нет Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) |
+| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Коммерческий | Cleartext
DoH
DoT
DNSCrypt | Необязательное[^5] | Нет |
+| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Коммерческий | Some[^6] | Необязательное[^5] | Based on server choice, Malware blocking by default. |
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга.
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено.
+
+- Поддержка [DNSSEC](technology/dns.md#what-is-dnssec-and-when-is-it-used)
+- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization).
+- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled.
+- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support.
+
+## Зашифрованные DNS-прокси
+
+### Android
+
+Последние версии iOS, iPadOS, tvOS и macOS поддерживают как DoT, так и DoH. Оба протокола поддерживаются нативно через [профили конфигурации](https://support.apple.com/ru-ru/guide/security/secf6fb9f053/web) или через [API настроек DNS](https://developer.apple.com/documentation/networkextension/dns_settings). 
+
+### Устройства Apple
+
+После установки профиля конфигурации или приложения, использующего API настроек DNS, можно выбрать конфигурацию DNS. Если у вас подключен VPN, будут использоваться настройки DNS, заданные вашим VPN-сервисом, а не системные настройки.
+
+Apple не предоставляет нативный интерфейс для создания профилей зашифрованного DNS. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) - это неофициальный инструмент для создания собственных профилей зашифрованного DNS, однако они не будут иметь подписи.
+
+#### Подписанные профили
+
+Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/).
+
+!!! info "Информация"
+
+ ![Логотип DNSCloak](assets/img/ios/dnscloak.png){ align=right }
+
+ **DNSCloak** - это клиент для iOS с открытым исходным кодом, поддерживающий функции [DNS-over-HTTPS](technology/dns.md#dns-over-https-doh), [DNSCrypt](technology/dns.md#dnscrypt) и [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki), такие как кэширование ответов DNS, локальное логирование запросов DNS и пользовательские списки блокировок. 
Пользователи могут [добавлять собственные сервера DNS](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5).
+
+## Encrypted DNS Proxies
+
+Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns).
+
+### RethinkDNS
+
+!!! recommendation
+
+ ![Логотип dnscrypt-proxy](assets/img/dns/dnscrypt-proxy.svg){ align=right }
+
+ **dnscrypt-proxy** - это DNS-прокси с поддержкой [DNSCrypt](technology/dns.md#dnscrypt), [DNS-over-HTTPS](technology/dns.md#dns-over-https-doh) и [Анонимизированного DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
+
+ [Посетить github.com](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .md-button .md-button--primary } [Политика конфиденциальности](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button }
+
+ **Скачать**
+ - [:fontawesome-brands-github: Исходный код](https://github.com/DNSCrypt/dnscrypt-proxy) downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns)
+ - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases)
+
+### Linux
+
+!!! recommendation
+
+ ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right }
+
+ **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
+
+ !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." 
+
+ [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows)
+ - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS)
+ - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux)
+
+## Self-hosted Solutions
+
+A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed.
+
+### RethinkDNS
+
+!!! recommendation
+
+ ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right }
+
+ **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ AdGuard Home features a polished web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" }
+
+### DNSCloak
+
+!!! 
recommendation
+
+ ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right }
+
+ **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute }
+
+--8<-- "includes/abbreviations.ru.txt"
+
+[^1]: AdGuard хранит показатели производительности их DNS серверов, содержащие в себе количество выполненных запросов к определенному серверу, количество заблокированных запросов и скорость обработки. Они также ведут и хранят базу данных доменов, запрошенных в течение последних 24 часов. "Нам нужна эта информация, чтобы выявлять и блокировать новые трекеры и угрозы." "Также мы храним информацию о том, сколько раз тот или иной трекер был заблокирован. Нам нужна эта информация, чтобы удалять устаревшие правила из наших фильтров." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html)
+[^2]: Cloudflare собирает и хранит только DNS-запросы, направленные на 1.1.1.1. Сервис не хранит персональные данные; большая часть неперсональных данных хранится только в течение 25 часов. 
[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/)
+[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy)
+[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/)
+[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy)
+[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/)
diff --git a/i18n/ru/email-clients.md b/i18n/ru/email-clients.md
new file mode 100644
index 00000000..df60116f
--- /dev/null
+++ b/i18n/ru/email-clients.md
@@ -0,0 +1,230 @@
+---
+title: "Обмен Файлами"
+icon: material/email-open
+---
+
+Наш список рекомендаций содержит только почтовые клиенты, которые поддерживают [OpenPGP](/encryption/#openpgp) и безопасную аутентификацию (например, [OAuth](https://ru.wikipedia.org/wiki/OAuth)). OAuth позволяет использовать [многофакторную аутентификацию](/multi-factor-authentication) и предотвратить кражу учетных записей.
+
+??? warning "Email does not provide forward secrecy"
+
+ When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email.
+
+ OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy:
+
+ [Real-time Communication](real-time-communication.md){ .md-button }
+
+## Cross-Platform
+
+### Thunderbird
+
+!!! recommendation
+
+ ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right }
+
+ **Thunderbird** - бесплатный кроссплатформенный клиент электронной почты, новостных лент и чатов (XMPP, IRC, Twitter) с открытым исходным кодом, разработанный сообществом Thunderbird, а ранее - Mozilla Foundation.
+ + [Перейти на thunderbird.net](https://www.thunderbird.net){ .md-button .md-button--primary } [Политика конфиденциальности](https://www.mozilla.org/privacy/thunderbird){ .md-button } downloads + + - [:fontawesome-brands-windows: Windows](https://www.thunderbird.net) + - [:fontawesome-brands-apple: macOS](https://www.thunderbird.net) + - [:fontawesome-brands-linux: Linux](https://www.thunderbird.net) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.Thunderbird) + - [:fontawesome-brands-git: Исходный код](https://hg.mozilla.org/comm-central) + +#### Firefox + +We recommend changing some of these settings to make Thunderbird a little more private. + +Эти параметры можно найти на странице настроек *Приватность и защита* ( ≡ → Настройки → Приватность и защита). + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Отключение телеметрии + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. 
+ + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! note + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![Логотип Mailvelope](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** - браузерное расширение, позволяющее обмениваться зашифрованными письмами по стандарту OpenPGP. 
+ + [Перейти на mailvelope.com](https://www.mailvelope.com){ .md-button .md-button--primary } [Политика конфиденциальности](https://www.mailvelope.com/en/privacy-policy){ .md-button } + + **Скачать** + - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + - [:fontawesome-brands-github: Исходный код](https://github.com/mailvelope/mailvelope) [Перейти на kontact.kde.org](https://kontact.kde.org){ .md-button .md-button--primary } [Политика конфиденциальности](https://kde.org/privacypolicy-apps){ .md-button } + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** - независимое почтовое приложение, которое поддерживает и POP3, и IMAP (только push). [Перейти на k9mail.app](https://k9mail.app){ .md-button .md-button--primary } [Политика конфиденциальности](https://k9mail.app/privacy){ .md-button } + + downloads + - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + - [:fontawesome-brands-github: Исходный код](https://github.com/mailvelope/mailvelope) downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! 
recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** — минимальное почтовое приложение с открытым исходным ходом, использующее открытые стандарты (IMAP, SMTP, OpenPGP) с малым потреблением памяти и заряда батареи. + + [Перейти на email.faircode.eu](https://email.faircode.eu){ .md-button .md-button--primary } [Политика конфиденциальности](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .md-button } + + downloads + + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.fsck.k9/) + - [:fontawesome-brands-github: Исходный код](https://github.com/k9mail) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! note + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** - платный почтовый клиент, разработанный для обеспечения сквозного шифрования с использованием таких функций, как биометрическая блокировка и т.д. [Перейти на canarymail.io](https://canarymail.io){ .md-button .md-button--primary } [Политика конфиденциальности](https://canarymail.io/privacy.html){ .md-button } + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. 
+ + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. 
It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +### Минимальные требования + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### В лучшем случае + +Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных. 
+
+- Should be open-source.
+- Should be cross-platform.
+- Should not collect any telemetry by default.
+- Should support OpenPGP natively, i.e. without extensions.
+- Should support storing OpenPGP encrypted emails locally.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/email.md b/i18n/ru/email.md
new file mode 100644
index 00000000..3efb2141
--- /dev/null
+++ b/i18n/ru/email.md
@@ -0,0 +1,485 @@
+---
+title: "Провайдеры приватной электронной почты"
+icon: material/email
+---
+
+Электронная почта практически необходима для использования любого онлайн-сервиса, однако мы не рекомендуем использовать её для общения с людьми. Вместо того чтобы использовать электронную почту для связи с другими людьми, советуем использовать мессенджеры, которые поддерживают прямую секретность.
+
+[Рекомендуемые мессенджеры](real-time-communication.md ""){.md-button}
+
+Для всего остального, мы рекомендуем различных провайдеров электронной почты, которые базируются на устойчивых бизнес-моделях и встроенных функциях безопасности и конфиденциальности.
+
+## OpenPGP Compatible Services
+
+These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
+
+!!! note
+
+ When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview).
+
+ OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
+
+### Proton Mail
+
+!!! recommendation
+
+ ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right }
+
+ **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan.
+ + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +??? 
success "Custom Domains and Aliases" + + Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +??? success "Private Payment Methods" + + Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments. + +??? success "Account Security" + + Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code. + +??? success "Data Security" + + Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + + Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +??? success "Email Encryption" + + Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. 
+ + Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + +??? warning "Digital Legacy" + + Proton Mail doesn't offer a digital legacy feature. + +??? info "Account Termination" + + If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +??? info "Additional Functionality" + + Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +??? success "Custom Domains and Aliases" + + Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. 
Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +??? info "Private Payment Methods" + + Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +??? success "Account Security" + + Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +??? info "Data Security" + + Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + + However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +??? success "Email Encryption" + + Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. 
This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + + Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +??? success "Digital Legacy" + + Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +??? info "Account Termination" + + Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +??? info "Additional Functionality" + + You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + + All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +### StartMail + +!!! 
recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +??? success "Custom Domains and Aliases" + + Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +??? warning "Private Payment Methods" + + StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +??? success "Account Security" + + StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +??? info "Data Security" + + StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. 
When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + + StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +??? success "Email Encryption" + + StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. + +??? warning "Digital Legacy" + + StartMail does not offer a digital legacy feature. + +??? info "Account Termination" + + On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +??? info "Additional Functionality" + + StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +??? success "Custom Domains and Aliases" + + Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). 
Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +??? warning "Private Payment Methods" + + Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +??? success "Account Security" + + Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +??? success "Data Security" + + Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +??? warning "Email Encryption" + + Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +??? warning "Digital Legacy" + + Tutanota doesn't offer a digital legacy feature. + +??? info "Account Termination" + + Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +??? info "Additional Functionality" + + Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + + Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. 
+ +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign.
+
+Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider.
+
+### AnonAddy
+
+!!! recommendation
+
+ ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right }
+ ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right }
+
+ **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous.
+
+ [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app)
+ - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe)
+
+The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan.
You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.
+
+Notable free features:
+
+- [x] 20 Shared Aliases
+- [x] Unlimited Standard Aliases
+- [ ] No Outgoing Replies
+- [x] 2 Recipient Mailboxes
+- [x] Automatic PGP Encryption
+
+### SimpleLogin
+
+!!! recommendation
+
+ ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right }
+
+ **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains.
+
+ [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858)
+ - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff)
+ - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017)
+
+SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf).
+
+You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free.
+
+Notable free features:
+
+- [x] 10 Shared Aliases
+- [x] Unlimited Replies
+- [x] 1 Recipient Mailbox
+
+## Self-Hosting Email
+
+Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable.
+
+### Combined software solutions
+
+!!!
recommendation
+
+ ![Mailcow logo](assets/img/email/mailcow.svg){ align=right }
+
+ **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support.
+
+ [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute }
+
+!!! recommendation
+
+ ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right }
+
+ **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server.
+
+ [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" }
+
+For a more manual approach we've picked out these two articles:
+
+- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019)
+- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017)
+
+## Criteria
+
+**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more.
We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you.
+
+### Technology
+
+We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require.
+
+**Minimum to Qualify:**
+
+- Encrypts email account data at rest with zero-access encryption.
+- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard.
+- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy.
+- Operates on owned infrastructure, i.e. not built upon third-party email service providers.
+
+**Best Case:**
+
+- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption.
+- Integrated webmail E2EE/PGP encryption provided as a convenience.
+- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com`
+- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
+- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
+- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
+- Catch-all or alias functionality for those who own their own domains.
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible.
+
+**Minimum to Qualify:**
+
+- Protect sender's IP address. Filter it from showing in the `Received` header field.
+- Don't require personally identifiable information (PII) besides a username and a password.
+- Privacy policy that meets the requirements defined by the GDPR
+- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/).
+
+**Best Case:**
+
+- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
+
+### Security
+
+Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members.
+
+**Minimum to Qualify:**
+
+- Protection of webmail with 2FA, such as TOTP.
+- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
+- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
+- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption.
+- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
+- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
+- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
+- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
+- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/).
+- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
+- Website security standards such as:
+ - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+ - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
+- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt.
+
+**Best Case:**
+
+- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name).
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support.
+- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+- Website security standards such as:
+ - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
+ - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the email providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+
+- Reusing personal information e.g.
(email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc)
+- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+
+**Best Case:**
+
+- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
+
+### Additional Functionality
+
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/encryption.md b/i18n/ru/encryption.md
new file mode 100644
index 00000000..38139b8d
--- /dev/null
+++ b/i18n/ru/encryption.md
@@ -0,0 +1,324 @@
+---
+title: "Инструменты для шифрования"
+icon: material/file-lock
+---
+
+Шифрование данных - единственный способ контролировать доступ к ним. Если вы еще не используете какие-либо инструменты шифрования диска, электронной почты или файлов, то вы можете выбрать один из них тут.
+
+## Мультиплатформенные приложения
+
+Перечисленные здесь программы являются многоплатформенными и отлично подходят для создания зашифрованных резервных копий ваших данных.
+
+### VeraCrypt
+
+!!! recommendation
+
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
+
+ **VeraCrypt** - бесплатная и открытая программа, используемая для шифрования «на лету». Программа может создавать виртуальный зашифрованный диск в файле, зашифровать логический раздел или даже зашифровать все устройство с предзагрузочной аутентификацией.
+
+ [Посетить veracrypt.fr](https://veracrypt.fr){ .md-button .md-button--primary } downloads
+
+ - [:fontawesome-brands-windows: Windows](https://www.veracrypt.fr/en/Downloads.html)
+ - [:fontawesome-brands-apple: macOS](https://www.veracrypt.fr/en/Downloads.html)
+ - [:fontawesome-brands-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
+ - [:fontawesome-brands-git: Исходный код](https://www.veracrypt.fr/code)
+
+VeraCrypt - это форк прекратившего свое существование проекта TrueCrypt. По словам разработчиков, были реализованы улучшения безопасности и решены проблемы, найденные в ходе первоначального аудита кода TrueCrypt.
+
+При шифровании с помощью VeraCrypt пользователь может выбирать различные [хэш-функции](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme) из их списка. Мы настоятельно рекомендуем выбирать [SHA-512](https://en.wikipedia.org/wiki/SHA-512) и блочное шифрование по алгоритму [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard).
The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS.
+
+Аудит Truecrypt проводился [несколько раз](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits). Veracrypt [проходил](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit) аудит уже отдельно.
+
+### Cryptomator
+
+!!! recommendation
+
+ ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right }
+ **Cryptomator** позволяет легко загружать файлы в облако в виде зашифрованной файловой системы. [Посетить cryptomator.org](https://cryptomator.org){ .md-button .md-button--primary } [Privacy Policy](https://cryptomator.org/privacy){ .md-button } downloads
+
+ - [:fontawesome-brands-windows: Windows](https://cryptomator.org/downloads)
+ - [:fontawesome-brands-apple: macOS](https://cryptomator.org/downloads)
+ - [:fontawesome-brands-linux: Linux](https://cryptomator.org/downloads)
+ - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:fontawesome-brands-android: F-Droid repo](https://cryptomator.org/android)
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:fontawesome-brands-github: Исходный код](https://github.com/cryptomator)
+
+ [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases)
+
+### Picocrypt
+
+!!! recommendation
+
+ ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right }
+
+ **Picocrypt** - небольшая и простая программа для современного шифрования. Picocrypt использует безопасный шифр XChaCha20 и функцию формирования ключа Argon2id для обеспечения высокого уровня безопасности.
+
+ Для функций шифрования он использует стандартные модули Go x/crypto. [Посетить github.com](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
+
+VeraCrypt is a fork of the discontinued TrueCrypt project. recommendation
+
+When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher.
+
+Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
+
+## Функции ОС для полного шифрования диска
+
+Современные ОС включают в себя [шифрование диска](https://en.wikipedia.org/wiki/Disk_encryption) и используют [безопасный криптопроцессор](https://en.wikipedia.org/wiki/Secure_cryptoprocessor).
+
+### BitLocker
+
+!!! recommendation
+
+ ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right }
+
+ **BitLocker** - решение для полного шифрования логического тома в Microsoft Windows.
Основная причина, по которой мы рекомендуем его, заключается в [использовании доверенного платформенного модуля](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://ru.wikipedia.org/wiki/ElcomSoft), криминалистическая компания, написала об этом в [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).
+
+ [Посетить microsoft.com](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .md-button .md-button--primary }
+
+BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
+
+??? example "Enabling BitLocker on Windows Home"
+
+ To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module.
+
+ 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style":
+
+ ```
+ powershell Get-Disk
+ ```
+
+ 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`:
+
+ ```
+ powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm
+ ```
+
+ 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**.
+
+ 4.
Login with your admin account and type this in the command prompt to start encryption:
+
+ ```
+ manage-bde -on c: -used
+ ```
+
+ 5. Close the command prompt and continue booting to regular Windows.
+
+ 6. Open an admin command prompt and run the following commands:
+
+ ```
+ manage-bde c: -protectors -add -rp -tpm
+ manage-bde -protectors -enable c:
+ manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
+ ```
+
+ !!! tip
+
+ Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data.
+
+### FileVault
+
+!!! recommendation
+
+ ![Логотип FileVault](assets/img/encryption-software/filevault.png){ align=right }
+
+ **FileVault** - это решение для шифрования томов "на лету", встроенное в macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip.
+
+ [Перейти на support.apple.com](https://support.apple.com/en-us/HT204837){ .md-button .md-button--primary }
+
+We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery.
+
+### Linux Unified Key Setup (LUKS)
+
+!!! recommendation
+
+ ![LUKS logo](assets/img/encryption-software/luks.png){ align=right }
+
+ **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.
+
+ [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" }
+
+???
example "Creating and opening encrypted containers"
+
+ ```
+ dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
+ sudo cryptsetup luksFormat /path-to-file
+ ```
+
+
+ #### Opening encrypted containers
+ We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface.
+ ```
+ udisksctl loop-setup -f /path-to-file
+ udisksctl unlock -b /dev/loop0
+ ```
+
+!!! note "Remember to back up volume headers"
+
+ We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with:
+
+ ```
+ cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
+ ```
+
+## Шифрование через браузер
+
+Шифрование через браузер может быть полезным, если вам нужно зашифровать файл, но вы не можете установить программу для шифрования на свое устройство.
+
+### hat.sh
+
+!!! recommendation
+
+ ![Логотип hat.sh](assets/img/encryption-software/hat-sh.png#only-light){ align=right }
+ ![Логотип hat.sh](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
+
+ **Hat.sh** - это сайт, который безопасно зашифровывает данные через браузер. Сайт может быть полезен, если вам нужно зашифровать файл, но вы не можете установить какое-либо программное обеспечение на свое устройство из-за политики организации.
+
+ [Перейти на hat.sh](https://hat.sh){ .md-button .md-button--primary }
+
+## Шифрование через командную строку
+
+Инструменты с интерфейсом командной строки полезны для интеграции [сценариев оболочки](https://en.wikipedia.org/wiki/Shell_script).
+
+### Kryptor
+
+!!!
recommendation
+
+ ![Логотип Kryptor](assets/img/encryption-software/kryptor.png){ align=right }
+
+ **Kryptor** - это бесплатный инструмент для шифрования и подписи файлов с открытым исходным кодом, использующий современные и безопасные криптографические алгоритмы. Его цель - стать улучшенной версией [age](https://github.com/FiloSottile/age) и [Minisign](https://jedisct1.github.io/minisign/), чтобы обеспечить простую, удобную для пользователя альтернативу GPG.
+
+ [Перейти на kryptor.co.uk](https://www.kryptor.co.uk){ .md-button .md-button--primary } [Политика конфиденциальности](https://www.kryptor.co.uk/features#privacy){ .md-button } downloads
+
+ - [:fontawesome-brands-windows: Windows](https://www.kryptor.co.uk)
+ - [:fontawesome-brands-apple: macOS](https://www.kryptor.co.uk)
+ - [:fontawesome-brands-linux: Linux](https://www.kryptor.co.uk)
+ - [:fontawesome-brands-github: Исходный код](https://github.com/samuel-lucas6/Kryptor)
+
+### Tomb
+
+!!! recommendation
+
+ ![Логотип Tomb](assets/img/encryption-software/tomb.png){ align=right }
+
+ **Tomb** - это оболочка командной строки для LUKS. Он поддерживает стеганографию с помощью [сторонних инструментов] (https://github.com/dyne/Tomb#how-does-it-work).
+
+ [Перейти на dyne.org](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
+
+## OpenPGP
+
+OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP имеет множество функций и является [сложным](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) , поскольку существует уже долгое время. Для таких задач, как подписание или шифрование файлов, мы предлагаем использовать вышеуказанные варианты.
+
+When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. Мы рекомендуем придерживаться стандартных опций, указанных в FAQ пользователя GnuPG [](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
+
+!!!
совет "Использовать будущие значения по умолчанию при генерации ключа"
+
+ When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/):
+
+ ```bash
+ gpg --quick-gen-key alice@example.com future-default
+ ```
+
+### GNU Privacy Guard
+
+!!! recommendation
+
+ ![Логотип GNU Privacy Guard](assets/img/encryption-software/gnupg.svg){ align=right }
+
+ **GnuPG** - это GPL-альтернатива криптографическому пакету PGP. GnuPG совместим с [RFC 4880] (https://tools.ietf.org/html/rfc4880), который является текущей спецификацией IETF для OpenPGP. Проект GnuPG работает над [обновленным проектом](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) в попытке улучшить OpenPGP. GnuPG является частью фонда свободного программного обеспечения GNU и получил крупное [финансирование](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) от правительства Германии.
+
+ [Перейти на gnupg.org](https://gnupg.org){ .md-button .md-button--primary } [Политика конфиденциальности](https://gnupg.org/privacy-policy.html){ .md-button }
+ downloads
+
+ - [:fontawesome-brands-windows: Windows](download.html)
+ - [:fontawesome-brands-apple: macOS](https://gpgtools.org)
+ - [:fontawesome-brands-linux: Linux](https://gnupg.org/download/index.html#binary)
+ - [:fontawesome-brands-google-play: Flatpak](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:fontawesome-brands-git: Исходный код](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git)
+
+### GPG4win
+
+!!! recommendation
+
+ ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right }
+
+ **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html).
It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005.
+
+ [Перейти на gpg4win.org](https://gpg4win.org){ .md-button .md-button--primary } [Privacy Policy](https://gpg4win.org/privacy-policy.html){ .md-button } downloads
+
+ - [:fontawesome-brands-windows: Windows](https://gpg4win.org/download.html)
+ - [:fontawesome-brands-git: Исходный код](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary)
+
+### GPG Suite
+
+!!! note
+
+ We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices.
+
+!!! recommendation
+
+ ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right }
+
+ **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS.
+
+ We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support.
+
+ [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-apple: macOS](https://gpgtools.org)
+
+### OpenKeychain
+
+!!! recommendation
+
+ ![Логотип OpenKeychain](assets/img/encryption-software/openkeychain.svg){ align=right }
+
+ **OpenKeychain** - это Android-реализация GnuPG.
It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).
+
+ [Перейти на openkeychain.org](https://www.openkeychain.org){ .md-button .md-button--primary } [Политика конфиденциальности](https://www.openkeychain.org/help/privacy-policy){ .md-button } downloads
+
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/packages/org.sufficientlysecure.keychain/)
+ - [:fontawesome-brands-git: Исходный код](https://github.com/open-keychain/open-keychain)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга.
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено.
+
+### Минимальные требования
+
+- Cross-platform encryption apps must be open-source.
+- File encryption apps must support decryption on Linux, macOS, and Windows.
+- External disk encryption apps must support decryption on Linux, macOS, and Windows.
+- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively.
+
+### В лучшем случае
+
+Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных.
+
+- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave.
+- File encryption apps should have first- or third-party support for mobile platforms.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/file-sharing.md b/i18n/ru/file-sharing.md
new file mode 100644
index 00000000..ea50c68f
--- /dev/null
+++ b/i18n/ru/file-sharing.md
@@ -0,0 +1,148 @@ +--- +title: "Синхронизация и обмен файлами" +icon: material/share-variant +--- + +Узнайте, как конфиденциально обмениваться файлами между устройствами, с друзьями и родственниками или анонимно в Интернете. + +## Обмен файлами + +### Send + +!!! recommendation + + ![Логотип Send](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** - это форк прекратившего свое существование сервиса Firefox Send от Mozilla, который позволяет отправлять файлы другим людям с помощью ссылки. Файлы шифруются на вашем устройстве, чтобы их не мог прочитать сервер, и по желанию могут быть защищены паролем. Разработчик Send держит [публичный экземпляр сайта](https://send.vis.ee/). Вы можете использовать другие публичные экземпляры или развернуть Send самостоятельно. + + [:octicons-home-16: Домашняя страница](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Публичные экземпляры"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Поддержать } + +Send можно использовать через веб-интерфейс или через CLI [ffsend](https://github.com/timvisee/ffsend). Если вы знакомы с командной строкой и часто отправляете файлы, мы рекомендуем использовать CLI-клиент, чтобы избежать небезопасного шифрования на основе JavaScript. Вы можете указать флаг `--host`, чтобы использовать определенный сервер: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![Логотип OnionShare](/assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** - это инструмент с открытым исходным кодом, позволяющий безопасно и анонимно передавать файлы любого размера. 
Он работает путем запуска веб-сервера, доступного как onion сервис в сети Tor, с неугадываемым URL, который вы можете передать получателям для загрузки или отправки файлов. + + [:octicons-home-16: Домашняя страница](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion сервис" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Исходный код" } + + ??? downloads "Скачать" + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Критерии + +**Обратите внимание, что у нас нет связей ни с одним из проектов, которые мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md)мы разработали четкий набор требований, позволяющий нам давать объективные рекомендации. Мы рекомендуем вам ознакомиться с этим списком, прежде чем выбрать программу, и провести самостоятельное исследование, чтобы убедиться, что это правильный выбор для вас. + +!!! example "Это новый раздел" + + Мы пока работаем над установлением определенных критериев для каждого раздела нашего сайта, и они могут поменяться в будущем. Если у вас есть вопросы по поводу наших критериев, пожалуйста, [задавайте их на нашем форуме](https://discuss.privacyguides.net/latest) и не думайте, что мы не учли что-то при составлении наших рекомендаций, если это не указано здесь. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +- Расшифрованные данные не должны храниться на сервере. +- Исходный код сервиса должен быть открыт. +- Должны быть либо клиенты для Linux, macOS и Windows, либо веб-интерфейс. + +## FreedomBox + +!!! 
recommendation + + ![Логотип FreedomBox](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** - это операционная система, разработанная для запуска на [одноплатном компьютере](https://ru.wikipedia.org/wiki/%D0%9E%D0%B4%D0%BD%D0%BE%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D1%8B%D0%B9_%D0%BA%D0%BE%D0%BC%D0%BF%D1%8C%D1%8E%D1%82%D0%B5%D1%80). Цель FreedomBox заключается в том, чтобы максимально облегчить настройку серверных приложений для самостоятельного хостинга. + + [:octicons-home-16: Домашняя страница](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Документация} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Поддержать } + +## Синхронизация файлов + +### Nextcloud (клиент-сервер) + +!!! recommendation + + ![Логотип Nextcloud](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** - это набор бесплатного клиент-серверного программного обеспечения с открытым исходным кодом для создания собственного сервиса хранилища файлов на приватном сервере, который вы контролируете. + + [:octicons-home-16: Домашняя страница](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Поддержать } + + ??? 
downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! recommendation + + Мы не рекомендуем использовать [плагин E2EE](https://apps.nextcloud.com/apps/end_to_end_encryption) для Nextcloud, так как это может привести к потере данных; это очень экспериментальный продукт, который недостаточно качественен для полноценного использования. + +### Syncthing (P2P) + +!!! recommendation + + ![Логотип Syncthing](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** - это утилита для непрерывной пиринговой синхронизации файлов с открытым исходным кодом. Она используется для синхронизации файлов между двумя или более устройствами по локальной сети или через Интернет. Syncthing не использует централизованный сервер; он использует [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) для передачи данных между устройствами. Все данные шифруются с помощью протокола TLS. + + [:octicons-home-16: Домашняя страница](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Поддержать } + + ??? 
downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Критерии + +**Обратите внимание, что у нас нет связей ни с одним из проектов, которые мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md)мы разработали четкий набор требований, позволяющий нам давать объективные рекомендации. Мы рекомендуем вам ознакомиться с этим списком, прежде чем выбрать программу, и провести самостоятельное исследование, чтобы убедиться, что это правильный выбор для вас. + +!!! example "Это новый раздел" + + Мы пока работаем над установлением определенных критериев для каждого раздела нашего сайта, и они могут поменяться в будущем. Если у вас есть вопросы по поводу наших критериев, пожалуйста, [задавайте их на нашем форуме](https://discuss.privacyguides.net/latest) и не думайте, что мы не учли что-то при составлении наших рекомендаций, если это не указано здесь. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +#### Минимальные требования к сервисам + +- Не должны требовать использования стороннего удаленного/облачного сервера. +- Должны иметь открытый исходный код. +- Должны быть либо клиенты для Linux, macOS и Windows, либо веб-интерфейс. + +#### В лучшем случае + +Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных. 
+
+- Есть мобильные клиенты для iOS и Android, которые, как минимум, поддерживают предварительный просмотр документов.
+- Есть резервное копирование фотографий с iOS и Android, а также опциональная поддержка синхронизации файлов/папок на Android.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/frontends.md b/i18n/ru/frontends.md
new file mode 100644
index 00000000..80b695ed
--- /dev/null
+++ b/i18n/ru/frontends.md
@@ -0,0 +1,268 @@ +--- +title: "Менеджеры паролей" +icon: material/flip-to-front +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## Клиенты + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! note + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. 
+ +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Reddit + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. 
Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). 
When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! note + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. 
+ + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! note + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. 
+ + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! note + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. 
+ + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! note + + Invidious does not proxy video streams by default. 
Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! 
tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. + +--8<-- "includes/abbreviations.ru.txt" 
diff --git a/i18n/ru/index.md b/i18n/ru/index.md
new file mode 100644
index 00000000..895f5188
--- /dev/null
+++ b/i18n/ru/index.md
@@ -0,0 +1,44 @@
+---
+template: overrides/home.ru.html
+hide:
+ - navigation
+ - toc
+ - feedback
+---
+
+
+## Why should I care?
+
+##### “I have nothing to hide. Why should I care about my privacy?”
+
+Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination).
+
+You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human.
+
+[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary}
+
+## What should I do?
+
+##### First, you need to make a plan
+
+Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them.
+
+==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
+
+[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary}
+
+---
+
+## We need you!
Here's how to get involved:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" }
+[:material-information-outline:](about/index.md){ title="Learn more about us" }
+[:material-hand-coin-outline:](about/donate.md){ title="Support the project" }
+
+It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/kb-archive.md b/i18n/ru/kb-archive.md
new file mode 100644
index 00000000..fa8dd888
--- /dev/null
+++ b/i18n/ru/kb-archive.md
@@ -0,0 +1,18 @@
+---
+title: KB Archive
+icon: material/archive
+---
+
+# Pages Moved to Blog
+
+Some pages that used to be in our knowledge base can now be found on our blog:
+
+- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
+- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
+- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
+- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/meta/brand.md b/i18n/ru/meta/brand.md
new file mode 100644
index 00000000..fa2593ef
--- /dev/null
+++ b/i18n/ru/meta/brand.md
@@ -0,0 +1,24 @@
+---
+title: Branding Guidelines
+---
+
+The name of the website is **Privacy Guides** and should **not** be changed to:
+
+
+- PrivacyGuides
+- Privacy guides
+- PG
+- PG.org
+
+The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**.
+
+Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand)
+
+## Trademark
+
+"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project.
+
+Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/meta/git-recommendations.md b/i18n/ru/meta/git-recommendations.md
new file mode 100644
index 00000000..3d948add
--- /dev/null
+++ b/i18n/ru/meta/git-recommendations.md
@@ -0,0 +1,48 @@
+---
+title: Git Recommendations
+---
+
+If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations.
+
+## Enable SSH Key Commit Signing
+
+You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
+
+1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo):
+ ```
+ git config --global commit.gpgsign true
+ git config --global gpg.format ssh
+ git config --global tag.gpgSign true
+ ```
+2. Copy your SSH public key to your clipboard, for example:
+ ```
+ pbcopy < ~/.ssh/id_ed25519.pub
+ # Copies the contents of the id_ed25519.pub file to your clipboard
+ ```
+3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard:
+ ```
+ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'
+ ```
+
+Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key).
+
+## Rebase on Git pull
+
+Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo).
+
+You can set this to be the default behavior:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase from `main` before submitting a PR
+
+If you are working on your own branch, run these commands before submitting a PR:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/meta/uploading-images.md b/i18n/ru/meta/uploading-images.md
new file mode 100644
index 00000000..e6d86017
--- /dev/null
+++ b/i18n/ru/meta/uploading-images.md
@@ -0,0 +1,91 @@
+---
+title: Uploading Images
+---
+
+Here are a couple of general rules for contributing to Privacy Guides:
+
+## Images
+
+- We **prefer** SVG images, but if those do not exist we can use PNG images
+
+Company logos have canvas size of:
+
+- 128x128px
+- 384x128px
+
+## Optimization
+
+### PNG
+
+Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image:
+
+```bash
+optipng -o7 file.png
+```
+
+### SVG
+
+#### Inkscape
+
+[Scour](https://github.com/scour-project/scour) all SVG images.
+
+In Inkscape:
+
+1. File Save As..
+2. Set type to Optimized SVG (*.svg)
+
+In the **Options** tab:
+
+- **Number of significant digits for coordinates** > **5**
+- [x] Turn on **Shorten color values**
+- [x] Turn on **Convert CSS attributes to XML attributes**
+- [x] Turn on **Collapse groups**
+- [x] Turn on **Create groups for similar attributes**
+- [ ] Turn off **Keep editor data**
+- [ ] Turn off **Keep unreferenced definitions**
+- [x] Turn on **Work around renderer bugs**
+
+In the **SVG Output** tab under **Document options**:
+
+- [ ] Turn off **Remove the XML declaration**
+- [x] Turn on **Remove metadata**
+- [x] Turn on **Remove comments**
+- [x] Turn on **Embeded raster images**
+- [x] Turn on **Enable viewboxing**
+
+In the **SVG Output** under **Pretty-printing**:
+
+- [ ] Turn off **Format output with line-breaks and indentation**
+- **Indentation characters** > Select **Space**
+- **Depth of indentation** > **1**
+- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element**
+
+In the **IDs** tab:
+
+- [x] Turn on **Remove unused IDs**
+- [ ] Turn off **Shorten IDs**
+- **Prefix shortened IDs with** > `leave blank`
+- [x] Turn on **Preserve manually created IDs not ending with digits**
+- **Preserve the following IDs** > `leave blank`
+- **Preserve IDs starting with** > `leave blank`
+
+#### CLI
+
+The same can be achieved with the [Scour](https://github.com/scour-project/scour) command:
+
+```bash
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/meta/writing-style.md b/i18n/ru/meta/writing-style.md
new file mode 100644
index 00000000..b612615e
--- /dev/null
+++ b/i18n/ru/meta/writing-style.md
@@ -0,0 +1,89 @@
+---
+title: Writing Style
+---
+
+Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt.
+
+In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below.
+
+## Writing for our audience
+
+Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with.
+
+### Address only what people want to know
+
+People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details.
+
+> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.”
+
+### Address people directly
+
+We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly.
+
+> More than any other single technique, using “you” pulls users into the information and makes it relevant to them.
+>
+> When you use “you” to address users, they are more likely to understand what their responsibility is.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/)
+
+### Avoid "users"
+
+Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for.
+
+## Organizing content
+
+Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas.
+
+- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages.
+- Mark important ideas with **bold** or *italics*.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
+
+### Begin with a topic sentence
+
+> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details.
+>
+> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
+
+## Choose your words carefully
+
+> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand.
+
+We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly.
+
+> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences:
+>
+> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends.
+>
+> And the original, using stronger, simpler words:
+>
+> > More night jobs would keep youths off the streets.
+
+## Be concise
+
+> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
+
+## Keep text conversational
+
+> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting.
+>
+> Verbs tell your audience what to do. Make sure it’s clear who does what.
+
+### Use active voice
+
+> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.”
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
+
+### Use "must" for requirements
+
+> - “must” for an obligation
+> - “must not” for a prohibition
+> - “may” for a discretionary action
+> - “should” for a recommendation
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/mobile-browsers.md b/i18n/ru/mobile-browsers.md
new file mode 100644
index 00000000..ce09af5e
--- /dev/null
+++ b/i18n/ru/mobile-browsers.md
@@ -0,0 +1,186 @@
+---
+title: "Mobile Browsers"
+icon: material/cellphone-information
+---
+
+These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Android
+
+On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
+
+### Bromite
+
+!!! recommendation
+
+ ![Логотип Safari](assets/img/browsers/safari.svg){ align=right }
+
+ **Safari** - это браузер по умолчанию в iOS.
+
+ Он включает в себя [функции обеспечения конфиденциальности](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0): Intelligent Tracking Protection, отчет о конфиденциальности, изолированные вкладки частного доступа, частный узел iCloud и автоматическое обновление до HTTPS.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ??? downloads annotate
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+
+#### Firefox
+
+Tor Browser - это единственный способ действительно анонимно просматривать Интернет. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy**
+
+##### Режим «Только HTTPS»:
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+##### Brave shields global defaults
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+- [x] Select **Aggressive** under Block trackers & ads
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] Select **Upgrade connections to HTTPS**
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under **Block fingerprinting**
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Clear browsing data
+
+- [x] Select **Clear data on exit**
+
+##### Синхронизация с iCloud
+
+- [x] Выбрать **Всегда использовать безопасные соединения**
+
+##### Other privacy settings
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Allow sites to check if you have payment methods saved**
+- [ ] Uncheck **IPFS Gateway** (1)
+- [x] Select **Close tabs on exit**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+
+1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+
+#### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## iOS
+
+On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser.
+
+### uBlock Origin
+
+!!! recommendation
+
+ ![Логотип AdGuard](assets/img/browsers/adguard.svg){ align=right }
+
+ **AdGuard для Safari** - это бесплатное расширение с открытым исходным кодом для Safari, которое использует собственный [API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). Мы рекомендуем включить фильтры, помеченные *#recommended* в разделах "Блокировка рекламы" и "Антитрекинг" [блокировщики контента] (https://kb.adguard.com/en/safari/overview#content-blockers).
+
+ Фильтры *#recommended* могут быть включены в разделах «Виджеты социальных сетей» и «Раздражители», однако они могут нарушать некоторые функции на сайтах.
+
+#### Firefox
+
+These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.
+
+##### Cross-Site Tracking Prevention
+
+- [x] Enable **Prevent Cross-Site Tracking**
+
+This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
+
+##### Privacy Report
+
+Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
+
+Privacy Report is accessible via the Page Settings menu.
+
+##### Privacy Preserving Ad Measurement
+
+- [ ] Disable **Privacy Preserving Ad Measurement**
+
+Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
+
+The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
+
+##### Always-on Private Browsing
+
+Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
+
+- [x] Select **Private**
+
+Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
+
+Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
+
+##### iCloud Sync
+
+Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
+
+You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**.
+
+- [x] Turn On **Advanced Data Protection**
+
+If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
+
+### AdGuard
+
+!!! recommendation
+
+ ![Логотип Terms of Service; Didn't Read](assets/img/browsers/terms_of_service_didnt_read.svg){ align=right }
+
+ **Terms of Service; Didn't Read** оценивает веб-сайты на основе их политики конфиденциальности и соглашений об условиях обслуживания.
+
+ AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge.
+
+ Анализы и рейтинги публикуются сообществом рецензентов. downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга.
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено.
+
+### Минимальные требования к сервисам
+
+- Must support automatic updates.
+- Must receive engine updates in 0-1 days from upstream release.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Android browsers must use the Chromium engine.
+ - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android.
+ - iOS browsers are limited to WebKit.
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/multi-factor-authentication.md b/i18n/ru/multi-factor-authentication.md
new file mode 100644
index 00000000..f20cf937
--- /dev/null
+++ b/i18n/ru/multi-factor-authentication.md
@@ -0,0 +1,142 @@
+---
+title: "Многофакторная аутентификация"
+icon: 'material/two-factor-authentication'
+---
+
+## Аппаратные ключи безопасности
+
+### YubiKey
+
+!!! recommendation
+
+ ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
+
+ Ключи **YubiKeys** являются одними из самых популярных ключей безопасности. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+ One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.
+
+ [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation}
+
+The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+!!! warning
+ The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+### Nitrokey / Librem Key
+
+!!! recommendation
+
+ ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
+
+ **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+ [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation}
+
+The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager.
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! note + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! note + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html). + + The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +!!! tip + + The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга.
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено.
+
+#### Минимальные требования к сервисам
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+#### В лучшем случае
+
+Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.
+
+## Приложение-аутентификатор
+
+Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
+
+We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
+
+### Aegis Authenticator (Android)
+
+!!! recommendation
+
+ ![Логотип Aegis](assets/img/multi-factor-authentication/aegis.png){ align=right }
+
+ **Aegis Authenticator** - это бесплатное и безопасное приложение с открытым исходным кодом для управления токенами двухфакторной аутентификации для ваших онлайн-сервисов.
+
+ [Перейти на getaegis.app](https://getaegis.app){ .md-button .md-button--primary } [Политика конфиденциальности](https://getaegis.app/aegis/privacy.html){ .md-button } downloads
+
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/com.beemdevelopment.aegis)
+ - [:fontawesome-brands-github: GitHub](https://github.com/beemdevelopment/Aegis) downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
+ - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases)
+
+### Raivo OTP (iOS)
+
+!!! recommendation
+
+ ![Логотип Raivo OTP](assets/img/multi-factor-authentication/raivo-otp.png){ align=right }
+
+ **Raivo OTP** - это легкий и безопасный клиент TOTP & HOTP для iOS. Raivo OTP также может делать резервные копии в iCloud и синхронизировать эти данные. Raivo OTP также доступен для macOS в виде приложения в строке состояния, однако приложение для Mac не работает отдельно от приложения для iOS.
+
+ [Перейти на github.com](https://github.com/raivo-otp/ios-application){ .md-button .md-button--primary } [Политика конфиденциальности](https://github.com/raivo-otp/ios-application/blob/master/PRIVACY.md){ .md-button }
+ downloads
+
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
+ - [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/us/app/raivo-otp/id1498497896)
+ - [:fontawesome-brands-github: GitHub](https://github.com/raivo-otp/ios-application) downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга.
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено.
+
+- Must be open-source software.
+- Must not require internet connectivity.
+- Must not sync to a third-party cloud sync/backup service.
+ - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/news-aggregators.md b/i18n/ru/news-aggregators.md
new file mode 100644
index 00000000..c3881c18
--- /dev/null
+++ b/i18n/ru/news-aggregators.md
@@ -0,0 +1,178 @@ +--- +title: "Мессенджеры" +icon: octicons/rss-24 +--- + +[Новостные агрегаторы](https://en.wikipedia.org/wiki/News_aggregator) - это простой способ следить за любимыми блогами и новостями. + +## Клиенты-агрегаторы + +### Fluent Reader + +!!! recommendation + + ![Логотип Fluent Reader](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** - это защищенный кроссплатформенный агрегатор новостей, обладающий такими полезными функциями конфиденциальности, как удаление куки при закрытии, строгие [политики безопасности контента (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) и поддержка прокси, что означает, что вы можете использовать его через [Tor](self-contained-networks.md#tor). [Перейти на hyliu.me](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } [Политика конфиденциальности](https://adguard.com/en/privacy/safari.html){ .md-button } + + **Скачать** + - [:fontawesome-brands-windows: Safari](https://hyliu.me/fluent-reader) + - [:fontawesome-brands-app-store: App Store](https://apps.apple.com/app/id1520907427) + - [:fontawesome-brands-github: Source](https://github.com/yang991178/fluent-reader.git) + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### GNOME Feeds + +!!! 
recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! 
recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### YouTube + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Reddit + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### Twitter + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` + +--8<-- "includes/abbreviations.ru.txt" diff --git a/i18n/ru/notebooks.md b/i18n/ru/notebooks.md new file mode 100644 index 00000000..a2a05398 --- /dev/null +++ b/i18n/ru/notebooks.md 
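Review bot: The Fluent Reader card's «Политика конфиденциальности» button points at `https://adguard.com/en/privacy/safari.html`, which is AdGuard's policy rather than Fluent Reader's; the English copy of the same card further down this hunk links `https://github.com/yang991178/fluent-reader/wiki/Privacy`, and the Russian card should use that URL (its download list also labels a Windows icon "Safari" and is followed by Akregator's links rather than Fluent Reader's). The front matter is `title: "Мессенджеры"` ("Messengers") although the file is news-aggregators.md and its first paragraph speaks of «Новостные агрегаторы»; `title: "Новостные агрегаторы"` would match. In the social-media section the headings are rotated: `### YouTube` holds the Reddit instructions, `### Reddit` the Nitter/Twitter ones and `### Twitter` the YouTube ones. The criteria admonition `!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга.` has its admonition type replaced by a sentence, so it will not render as an admonition; the notebooks.md hunk below uses `!!! example "Это новый раздел"`, and the same broken line appears in the hunk that ends at the top of this chunk.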
@@ -0,0 +1,115 @@ +--- +title: "Заметки" +icon: material/notebook-edit-outline +--- + +Сохраняйте свои заметки и дневники, не передавая их третьим лицам. + +Если вы в настоящее время используете такие приложения, как Evernote, Google Keep или Microsoft OneNote, то мы предлагаем вам выбрать альтернативу с поддержкой E2EE. + +## Облачные сервисы + +### Joplin + +!!! recommendation + + ![Логотип Joplin](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** - это бесплатное, открытое приложение с богатой функциональностью для ведения заметок и списков задач, которое может обрабатывать большое количество заметок в формате Markdown, упорядоченных по тегам и записным книжкам. Приложение предлагает E2EE и может синхронизироваться через Nextcloud, Dropbox и др. Приложение также предлагает легкий перенос данных из Evernote и простых текстовых заметок. + + [:octicons-home-16: Домашняя страница](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Поддержать } + + ??? 
downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin [не поддерживает](https://github.com/laurent22/joplin/issues/289) защиту приложения и отдельных заметок паролем или PIN-кодом. Но ваши данные по-прежнему шифруются вашим секретным ключом при передаче и в месте синхронизации. + +### Standard Notes + +!!! recommendation + + ![Логотип Standard Notes](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** - это простое и приватное приложение для заметок, которое делает ваши заметки легкими и доступными везде, где бы вы ни находились. Приложение имеет E2EE на каждой платформе, а также продвинутую систему работы с темами и пользовательскими редакторами. Программа также прошла [независимый аудит (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Домашняя страница](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Поддержать } + + ??? 
downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Логотип Cryptee](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Логотип Cryptee](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** - это веб-редактор документов и приложение для хранения фотографий с поддержкой E2EE и открытым исходным кодом. Cryptee - это PWA, что означает, что он работает без проблем на всех современных устройствах, не требуя нативных приложений для каждой соответствующей платформы. + + [:octicons-home-16: Домашняя страница](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Исходный код" } + + ??? downloads "Скачать" + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee предлагает 100 МБ хранилища бесплатно, а если вам нужно больше, вы можете воспользоваться платными опциями. Регистрация не требует указания электронной почты или другой персональной информации. + +## Локальные сервисы + +### Org-mode + +!!! recommendation + + ![Логотип Org-mode](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** - это [основной режим](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) для GNU Emacs. 
Org-mode предназначен для ведения заметок, списков задач, планирования проектов и создания документов с помощью быстрой и эффективной системы работы с обычным текстом. Синхронизация возможна с помощью инструментов [синхронизации файлов](file-sharing.md#синхронизация-файлов). + + [:octicons-home-16: Домашняя страница](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Документация} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Поддержать } + +## Критерии + +**Обратите внимание, что у нас нет связей ни с одним из проектов, которые мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md)мы разработали четкий набор требований, позволяющий нам давать объективные рекомендации. Мы рекомендуем вам ознакомиться с этим списком, прежде чем выбрать программу, и провести самостоятельное исследование, чтобы убедиться, что это правильный выбор для вас. + +!!! example "Это новый раздел" + + Мы пока работаем над установлением определенных критериев для каждого раздела нашего сайта, и они могут поменяться в будущем. Если у вас есть вопросы по поводу наших критериев, пожалуйста, [задавайте их на нашем форуме](https://discuss.privacyguides.net/latest) и не думайте, что мы не учли что-то при составлении наших рекомендаций, если это не указано здесь. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +- Клиенты должны иметь открытый код. +- Облачная синхронизация должна использовать E2EE. +- Должна быть поддержка экспорта документов в стандартных форматах. + +### В лучшем случае + +- Функции локального резервного копирования/синхронизации должны поддерживать шифрование. +- Облачные платформы должны поддерживать обмен документами. 
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/os/android-overview.md b/i18n/ru/os/android-overview.md
new file mode 100644
index 00000000..5e279802
--- /dev/null
+++ b/i18n/ru/os/android-overview.md
@@ -0,0 +1,135 @@ +--- +title: Android Overview +icon: simple/android +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. 
At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. 
+ +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. 
+ +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. 
+ +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. 
It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Should you want to run an app that you're unsure about, consider using a user or work profile. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. 
+ +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. 
that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). 
This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. 
+ Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities.
+
+As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/os/linux-overview.md b/i18n/ru/os/linux-overview.md
new file mode 100644
index 00000000..b5216b30
--- /dev/null
+++ b/i18n/ru/os/linux-overview.md
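Review bot: `[Shelter](#recommended-apps)` in the Work Profile section is a dangling in-page anchor: no heading in this file yields that id (the visible headings run from "Choosing an Android Distribution" to "SafetyNet and Play Integrity API"), so the link should target the Shelter entry on the Android recommendations page, e.g. `[Shelter](../android.md#<shelter-anchor>)`, the page the distribution section already links as `../android.md`. The whole file is untranslated English under `i18n/ru/` while it includes `includes/abbreviations.ru.txt`; presumably a translation-platform fallback, but a Russian reader lands on an English page whose abbreviation tooltips are Russian. The paragraph ` If you use non-sandboxed Google Play Services ...` starts with a leading space directly after a bullet list, which Markdown may fold into the preceding list item; dropping that space keeps it a separate paragraph.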
@@ -0,0 +1,143 @@
+---
+title: Linux Overview
+icon: fontawesome/brands/linux
+---
+
+It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years.
+
+At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.:
+
+- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm).
These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack)
+- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go
+- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations)
+
+Despite these drawbacks, desktop Linux distributions are great if you want to:
+
+- Avoid telemetry that often comes with proprietary operating systems
+- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms)
+- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/)
+
+Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here.
+
+[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button}
+
+## Choosing your distribution
+
+Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use.
+
+### Release cycle
+
+We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions.
This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
+
+For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.
+
+We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this:
+
+
+
+
+
+### Traditional vs Atomic updates
+
+Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating.
+
+Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic.
+
+A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state."
+
+The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue:
+
+
+
+
+
+### “Security-focused” distributions
+
+There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use.
+
+### Arch-based distributions
+
+Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.
+
+For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit).
+
+Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/).
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.
+
+If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically:
+
+- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories.
+- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks.
+
+### Kicksecure
+
+While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.
+
+### Linux-libre kernel and “Libre” distributions
+
+We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons.
+
+## Общие рекомендации
+
+### Drive Encryption
+
+Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
+
+- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+
+### Swap
+
+Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM).
+
+### Wayland
+
+We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland.
+
+Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
+
+We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
+
+### Proprietary Firmware (Microcode Updates)
+
+Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html).
+
+We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default.
+
+### Updates
+
+Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found.
+
+Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates.
+
+Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd).
+
+## Privacy Tweaks
+
+### MAC Address Randomization
+
+Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings.
+
+It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous.
+
+We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/).
+
+If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=).
+
+There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware.
+
+### Other Identifiers
+
+There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md):
+
+- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings.
+- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
+- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id).
+
+### System Counting
+
+The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary.
+
+This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer.
+
+openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/os/qubes-overview.md b/i18n/ru/os/qubes-overview.md
new file mode 100644
index 00000000..c2c5edb2
--- /dev/null
+++ b/i18n/ru/os/qubes-overview.md
@@ -0,0 +1,56 @@
+---
+title: "Qubes Overview"
+icon: pg/qubes-os
+---
+
+[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/).
+
+## How does Qubes OS work?
+
+Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines.
+
+![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png)
+
Qubes Architecture, Credit: What is Qubes OS Intro
+
+Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser.
+
+![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png)
+
Qubes window borders, Credit: Qubes Screenshots
+
+## Why Should I use Qubes?
+
+Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources.
+
+Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control.
+
+### Copying and Pasting Text
+
+You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions:
+
+1. Press **Ctrl+C** to tell the VM you're in that you want to copy something.
+2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard.
+3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available.
+4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer.
+
+### File Exchange
+
+To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system.
+
+??? info "AppVMs or qubes do not have their own file systems"
+
+ You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident.
+
+### Inter-VM Interactions
+
+The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/).
+
+## Дополнительные советы
+
+For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc).
+
+- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/)
+- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf)
+- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html)
+- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles)
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/passwords.md b/i18n/ru/passwords.md
new file mode 100644
index 00000000..673abbdf
--- /dev/null
+++ b/i18n/ru/passwords.md
@@ -0,0 +1,230 @@
+---
+title: "Менеджеры паролей"
+icon: material/form-textbox-password
+---
+
+Менеджеры паролей позволяют безопасно хранить и управлять паролями и другими данными с помощью мастер-пароля.
+
+[Введение в безопасные пароли :material-arrow-right-drop-circle:](./basics/passwords-overview.md)
+
+!!! info "Информация"
+
+ Встроенные менеджеры паролей, например в браузерах и операционных системах, иногда не так хороши, как специализированные программы для управления паролями. Преимуществом встроенных менеджеров паролей является хорошая интеграция с программным обеспечением, но зачастую они могут быть очень простыми и не иметь функций конфиденциальности и безопасности, которыми обладают отдельные программы.
+
+ Например, менеджер паролей в Microsoft Edge вообще не поддерживает E2EE. Менеджер паролей Google имеет [опциональную](https://support.google.com/accounts/answer/11350823?hl=ru) поддержку E2EE, а менеджер паролей от Apple [предлагает](https://support.apple.com/ru-ru/HT202303) E2EE по умолчанию.
+
+## Облачные сервисы
+
+Эти менеджеры паролей синхронизируют ваши пароли с облаком для легкого доступа со всех ваших устройств и их безопасности в случае потери устройства.
+
+### Bitwarden
+
+!!! recommendation
+
+ ![Логотип Bitwarden](assets/img/password-management/bitwarden.svg){ align=right }
+
+ **Bitwarden** - это свободный менеджер паролей с открытым исходным кодом. Он направлен на решение проблем управления паролями для отдельных лиц, команд и организаций. Bitwarden - одно из лучших и самых безопасных решений для хранения всех ваших логинов и паролей с удобной синхронизацией данных между всеми вашими устройствами.
+
+ [:octicons-home-16: Домашняя страница](https://bitwarden.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Политика конфиденциальности" }
+ [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Документация}
+ [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Исходный код" }
+
+ ??? downloads "Скачать"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744)
+ - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases)
+ - [:simple-windows11: Windows](https://bitwarden.com/download)
+ - [:simple-linux: Linux](https://bitwarden.com/download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh)
+
+Bitwarden также имеет функцию [Bitwarden Send](https://bitwarden.com/products/send/), которая позволяет безопасно обмениваться текстом и файлами с использованием [сквозного шифрования](https://bitwarden.com/help/send-encryption). Отправленные через Bitwarden Send данных можно защищать [паролем](https://bitwarden.com/help/send-privacy/#send-passwords). Bitwarden Send также имеет функцию [автоматического удаления данных](https://bitwarden.com/help/send-lifespan).
+
+Чтобы иметь возможность обмениваться файлами, вам необходима [Премиум подписка](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans). Бесплатный план позволяет обмениваться только текстом.
+
+Сервер Bitwarden имеет [открытый код](https://github.com/bitwarden/server), поэтому если вы не хотите использовать официальное облако Bitwarden, вы можете легко развернуть свой собственный сервер для синхронизации.
+
+**Vaultwarden** - это альтернативная реализация сервера синхронизации Bitwarden, написанная на языке Rust и совместимая с официальными клиентами Bitwarden. Она идеально подходит для самостоятельного развертывания, когда запуск официального сервиса, требующего больших мощностей, не является идеальным решением. Если вы хотите самостоятельно развернуть Bitwarden на своем сервере, скорее всего вам стоит использовать Vaultwarden вместо кода официального сервера Bitwarden.
+
+[:octicons-repo-16: Репозиторий Vaultwarden](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Документация}
+[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Исходный код" }
+[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Поддержать }
+
+### 1Password
+
+!!! recommendation
+
+ ![Логотип 1Password](assets/img/password-management/1password.svg){ align=right }
+
+ **1Password** - это менеджер паролей с акцентом на безопасность и простоту использования, который позволяет хранить пароли, кредитные карты, лицензии на программное обеспечение и любую другую конфиденциальную информацию в надежном цифровом хранилище. Ваши данные хранятся на серверах 1Password за [ежемесячную плату](https://1password.com/ru/sign-up/). 1Password регулярно проходит [независимые проверки на безопасность](https://support.1password.com/security-assessments/) и обеспечивает прекрасную поддержку клиентов. 1Password имеет закрытый исходный код, но безопасность продукта подробно описана в их [вайт пейпере по безопасности](https://1passwordstatic.com/files/security/1password-white-paper.pdf).
+
+ [:octicons-home-16: Домашняя страница](https://1password.com/ru){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Политика конфиденциальности" }
+ [:octicons-info-16:](https://support.1password.com/){ .card-link title=Документация}
+
+ ??? downloads "Скачать"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8)
+ - [:simple-windows11: Windows](https://1password.com/downloads/windows/)
+ - [:simple-apple: macOS](https://1password.com/downloads/mac/)
+ - [:simple-linux: Linux](https://1password.com/downloads/linux/)
+
+Изначально, **1Password** предоставлял лучший пользовательский опыт для пользователей macOS и iOS; однако теперь он достиг равенства функций на всех платформах. В нем есть множество функций, как ориентированных на семьи и менее технически подкованных людей, так и более продвинутых возможностей.
+
+Ваше хранилище 1Password защищено одновременно вашим мастер-паролем и случайным 34-символьным ключом безопасности для шифрования ваших данных на их серверах. Этот ключ добавляет вашим данным дополнительную защиту, поскольку ваши данные защищены с высокой энтропией независимо от безопасности вашего мастер-пароля. Многие другие решения для управления паролями полностью полагаются на безопасность мастер-пароля для защиты ваших данных.
+
+Одно из преимуществ 1Password перед Bitwarden - первоклассная поддержка нативных клиентов. В то время как Bitwarden выносит многие функции, особенно управление учетными записями, в веб-интерфейс хранилища, 1Password предоставляет почти все функции в своих мобильных и настольных клиентах. Клиенты 1Password также имеют более понятный интерфейс, что облегчает их использование.
+
+### Psono
+
+!!! 
recommendation
+
+ ![Логотип Psono](assets/img/password-management/psono.svg){ align=right }
+
+ **Psono** - это свободный менеджер паролей с открытым исходным кодом из Германии, ориентированный на управление паролями для команд. Psono поддерживает безопасный обмен паролями, файлами, ссылками и электронной почтой. Вся секретная информация защищена мастер-паролем.
+
+ [:octicons-home-16: Домашняя страница](https://psono.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Политика конфиденциальности" }
+ [:octicons-info-16:](https://doc.psono.com){ .card-link title=Документация}
+ [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Исходный код" }
+
+ ??? downloads "Скачать"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo)
+ - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client)
+
+Psono предоставляет подробную документацию по своему продукту. Веб-клиент для Psono может быть развернут самостоятельно; в качестве альтернативы вы можете приобрести полную версию Community Edition или Enterprise Edition с дополнительными возможностями.
+
+### Критерии
+
+**Обратите внимание, что у нас нет связей ни с одним из проектов, которые мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md)мы разработали четкий набор требований, позволяющий нам давать объективные рекомендации. Мы рекомендуем вам ознакомиться с этим списком, прежде чем выбрать программу, и провести самостоятельное исследование, чтобы убедиться, что это правильный выбор для вас.
+
+!!! 
Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга.
+
+ Мы пока работаем над установлением определенных критериев для каждого раздела нашего сайта, и они могут поменяться в будущем. Если у вас есть вопросы по поводу наших критериев, пожалуйста, [задавайте их на нашем форуме](https://discuss.privacyguides.net/latest) и не думайте, что мы не учли что-то при составлении наших рекомендаций, если это не указано здесь. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено.
+
+#### Минимальные требования к сервисам
+
+- Должны использовать сильное, современное/стандартизированное E2EE.
+- Должны иметь тщательно документированные методы шифрования и обеспечения безопасности.
+- Должен иметь опубликованный аудит от авторитетной, независимой третьей стороны.
+- Вся телеметрия, не критичная для работы сервиса, должна быть необязательной.
+- Не должны собирать больше ПД, чем необходимо для проведения оплаты.
+
+#### В лучшем случае
+
+Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных.
+
+- Телеметрия должна собираться по желанию (отключена по умолчанию) или не собираться вообще.
+- Исходный код должен быть открытым и пригодным для самостоятельной развёртки.
+
+## Локальные сервисы
+
+Эти программы позволяют управлять зашифрованной базой паролей локально.
+
+### KeePassXC
+
+!!! recommendation
+
+ ![Логотип KeePassXC](assets/img/password-management/keepassxc.svg){ align=right }
+
+ **KeePassXC** - это форк KeePassX, нативного кроссплатформенного порта KeePass Password Safe, созданный с целью расширить и улучшить его новыми возможностями и исправлениями ошибок, чтобы предоставить многофункциональный, кроссплатформенный и современный менеджер паролей с открытым исходным кодом.
+
+ [:octicons-home-16: Домашняя страница](https://keepassxc.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Политика конфиденциальности" }
+ [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Документация}
+ [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Исходный код" }
+ [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Поддержать }
+
+ ??? downloads "Скачать"
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+KeePassXC хранит экспортированные данные в виде [CSV](https://ru.wikipedia.org/wiki/CSV) файлов. При импортировании этого файла в другой менеджер паролей, вы можете потерять часть данных. Мы советуем вам проверять каждую запись вручную.
+
+### KeePassDX (Android)
+
+!!! recommendation
+
+ ![Логотип KeePassDX](assets/img/password-management/keepassdx.svg){ align=right }
+
+ **KeePassDX** - это легкий менеджер паролей для Android, который позволяет редактировать зашифрованные данные в одном файле в формате KeePass и безопасно заполнять формы. Покупка [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) позволяет разблокировать косметический контент и нестандартные функции протокола, но, что еще важнее, поддерживает развитие проекта.
+
+ [:octicons-home-16: Домашняя страница](https://www.keepassdx.com){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Документация}
+ [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Исходный код" }
+ [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Поддержать }
+
+ ??? downloads "Скачать"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free)
+ - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases)
+
+### Strongbox (iOS и macOS)
+
+!!! recommendation
+
+ ![Логотип Strongbox](assets/img/password-management/strongbox.svg){ align=right }
+
+ **Strongbox** - это нативный менеджер паролей с открытым исходным кодом для iOS и macOS. Он поддерживает форматы KeePass и Password Safe, поэтому может быть использован совместно с другими менеджерами паролей, например KeePassXC, на устройствах не от Apple. Strongbox использует модель [freemium](https://strongboxsafe.com/pricing/), поэтому предлагает большинство функций бесплатно, но дополнительные [функции](https://strongboxsafe.com/comparison/) для удобства, например биометрическая аутентификация, доступны по подписке или единоразовой покупке.
+
+ [:octicons-home-16: Домашняя страница](https://strongboxsafe.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Политика конфиденциальности" }
+ [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Документация}
+ [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Исходный код" }
+ [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Поддержать }
+
+ ???
downloads "Скачать"
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731)
+
+Кроме того, предлагается и полностью оффлайн версия: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). Эта версия урезана, чтобы уменьшить площадь атаки.
+
+### Для командной строки
+
+Это простые менеджеры паролей, которые можно использовать внутри скриптов.
+
+#### gopass
+
+!!! recommendation
+
+ ![Логотип gopass](assets/img/password-management/gopass.svg){ align=right }
+
+ **gopass** - это менеджер паролей для командной строки, написанный на языке Go. Он работает на всех основных операционных системах для ПК и серверов (Linux, macOS, BSD, Windows).
+
+ [:octicons-home-16: Домашняя страница](https://www.gopass.pw){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Документация}
+ [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Исходный код" }
+ [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Поддержать }
+
+ ??? downloads "Скачать"
+
+ - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows)
+ - [:simple-apple: macOS](https://www.gopass.pw/#install-macos)
+ - [:simple-linux: Linux](https://www.gopass.pw/#install-linux)
+ - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd)
+
+### Критерии
+
+**Обратите внимание, что у нас нет связей ни с одним из проектов, которые мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md)мы разработали четкий набор требований, позволяющий нам давать объективные рекомендации. Мы рекомендуем вам ознакомиться с этим списком, прежде чем выбрать программу, и провести самостоятельное исследование, чтобы убедиться, что это правильный выбор для вас.
+
+!!!
example "Это новый раздел"
+
+ Мы пока работаем над установлением определенных критериев для каждого раздела нашего сайта, и они могут поменяться в будущем. Если у вас есть вопросы по поводу наших критериев, пожалуйста, [задавайте их на нашем форуме](https://discuss.privacyguides.net/latest) и не думайте, что мы не учли что-то при составлении наших рекомендаций, если это не указано здесь. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено.
+
+- Программа должна быть кроссплатформенной.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/productivity.md b/i18n/ru/productivity.md
new file mode 100644
index 00000000..978ff34e
--- /dev/null
+++ b/i18n/ru/productivity.md
@@ -0,0 +1,156 @@
+---
+title: "Productivity Tools"
+icon: material/file-sign
+---
+
+Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints.
+
+## Офисные пакеты
+
+### LibreOffice
+
+!!! recommendation
+
+ ![Логотип Nextcloud](assets/img/productivity/nextcloud.svg){ align=right }
+
+ **Nextcloud** - это набор бесплатного клиент-серверного программного обеспечения с открытым исходным кодом для создания собственного сервиса хранилища файлов на приватном сервере, который вы контролируете.
+
+ [:octicons-home-16: Домашняя страница](https://nextcloud.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Политика конфиденциальности" }
+ [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Документация}
+ [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Исходный код" }
+ [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Поддержать }
+
+ ??? downloads "Скачать"
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!! recommendation
+
+ Мы не рекомендуем использовать [плагин E2EE](https://apps.nextcloud.com/apps/end_to_end_encryption) для Nextcloud, так как это может привести к потере данных; это очень экспериментальный продукт, который недостаточно качественен для полноценного использования.
[Перейти на onlyoffice.com](https://www.onlyoffice.com){ .md-button .md-button--primary } [Политика конфиденциальности](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .md-button }
+
+### OnlyOffice
+
+!!! recommendation
+
+ ![Логотип Framadate](assets/img/productivity/framadate.svg){ align=right }
+
+ **Framadate** - это бесплатный онлайн-сервис с открытым исходным кодом для планирования встреч или легкого и быстрого принятия решений. Регистрация не требуется.
+
+ [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute }
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга.
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here.
Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено.
+
+In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive.
+
+- Open-source.
+- Makes files accessible via WebDAV unless it is impossible due to E2EE.
+- Has sync clients for Linux, macOS, and Windows.
+- Supports document and spreadsheet editing.
+- Supports real-time document collaboration.
+- Supports exporting documents to standard document formats (e.g. ODF).
+
+#### В лучшем случае
+
+Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных.
+
+- Should store files in a conventional filesystem.
+- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins.
+
+## Инструменты планирования
+
+### PrivateBin
+
+!!! recommendation
+
+ ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right }
+
+ **LibreOffice** is a free and open-source office suite with extensive functionality.
+
+ [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/)
+ - [:simple-apple: macOS](https://www.libreoffice.org/download/download/)
+ - [:simple-linux: Linux](https://www.libreoffice.org/download/download/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/)
+
+### OnlyOffice
+
+!!! recommendation
+
+ ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right }
+
+ **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud.
+
+ [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972)
+ - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга.
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено.
+
+In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs.
+
+- Программа должна быть кроссплатформенной.
+- Must be open-source software.
+- Must function offline.
+- Must support editing documents, spreadsheets, and slideshows.
+- Must export files to standard document formats.
+
+## Paste services
+
+### PrivateBin
+
+!!!
recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/).
+
+ [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" }
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/real-time-communication.md b/i18n/ru/real-time-communication.md
new file mode 100644
index 00000000..555abdff
--- /dev/null
+++ b/i18n/ru/real-time-communication.md
@@ -0,0 +1,192 @@
+---
+title: "Мессенджеры"
+icon: material/chat-processing
+---
+
+These are our recommendations for encrypted real-time communication.
+
+[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md)
+
+## Зашифрованные мессенджеры
+
+These messengers are great for securing your sensitive communications.
+
+### Signal
+
+!!! recommendation
+
+ ![Signal logo](assets/img/messengers/signal.svg){ align=right }
+
+ **Signal** - мобильное приложение, разработанное Signal Messenger LLC. Приложение обеспечивает мгновенный обмен сообщениями, а также голосовые и видеозвонки.
+
+ Все коммуникации осуществляются в режиме E2EE. Списки контактов шифруются с помощью вашего PIN-кода входа в систему, и сервер не имеет к ним доступа. Personal profiles are also encrypted and only shared with contacts you chat with.
+
+ [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669)
+ - [:simple-android: Android](https://signal.org/android/apk/)
+ - [:simple-windows11: Windows](https://signal.org/download/windows)
+ - [:simple-apple: macOS](https://signal.org/download/macos)
+ - [:simple-linux: Linux](https://signal.org/download/linux)
+
+Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes.
Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier.
+
+The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
+
+We have some additional tips on configuring and hardening your Signal installation:
+
+[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+
+### SimpleX Chat
+
+!!! recommendation
+
+ ![Логотип Element](assets/img/messengers/element.svg){ align=right }
+
+ **Element** является эталонным клиентом для протокола [Matrix](https://matrix.org/docs/guides/introduction), [открытого стандарта](https://matrix.org/docs/spec) для безопасного децентрализованного общения в реальном времени. Сообщения и файлы, которыми обмениваются в личных комнатах (те, которые требуют приглашения), по умолчанию являются E2EE, как и голосовые и видеозвонки 1 на 1.
+
+ [Сайт](https://element.io/){ .md-button .md-button--primary }
+ [Политика конфиденциальности](https://element.io/privacy){ .md-button }
+ downloads
+
+ - [:fontawesome-brands-windows: Windows](https://element.io/get-started)
+ - [:fontawesome-brands-apple: macOS](https://element.io/get-started)
+ - [:fontawesome-brands-linux: Linux](https://element.io/get-started)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=im.vector.app)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/packages/im.vector.app/)
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/vector/id1083446067)
+ - [:fontawesome-brands-github: Исходный код](https://github.com/vector-im/element-web)
+
+SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022.
+
+Currently SimpleX Chat only provides a client for Android and iOS. recommendation E2EE Audio and Video calls are also supported.
+
+Your data can be exported, and imported onto another device, as there are no central servers where this is backed up.
+
+### Briar
+
+!!! recommendation
+
+ ![Логотип Briar](assets/img/messengers/briar.svg){ align=right }
+
+ **Briar** - это зашифрованный мессенджер, который [соединяется с ](https://briarproject.org/how-it-works/) другими клиентам с помощью сети Tor. Briar также может передавать сообщения через Wi-Fi или Bluetooth, если получатель находится в непосредственной близости. Режим локальной сети Briar может быть полезен, когда Вы не имеете доступа к Интернету.
+
+ [Homepage](https://briarproject.org/){ .md-button .md-button--primary }
+ [Политика конфиденциальности](https://briarproject.org/privacy-policy){ .md-button }
+ downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android)
+ - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/)
+ - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar)
+
+To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby.
+
+The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited.
+
+Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec).
+
+Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol.
+
+## Типы коммуникационных сетей
+
+!!! note
+
+ These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications.
+
+### Element
+
+!!! recommendation
+
+ ![Element logo](assets/img/messengers/element.svg){ align=right }
+
+ **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication.
+
+ Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls.
+
+ [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067)
+ - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases)
+ - [:simple-windows11: Windows](https://element.io/get-started)
+ - [:simple-apple: macOS](https://element.io/get-started)
+ - [:simple-linux: Linux](https://element.io/get-started)
+ - [:octicons-globe-16: Web](https://app.element.io)
+
+Profile pictures, reactions, and nicknames are not encrypted.
+
+Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings.
+
+The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history.
+
+The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/).
+
+### Session
+
+!!! recommendation
+
+ ![Session logo](assets/img/messengers/session.svg){ align=right }
+
+ **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls.
+
+ Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network.
+
+ [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868)
+ - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases)
+ - [:simple-windows11: Windows](https://getsession.org/download)
+ - [:simple-apple: macOS](https://getsession.org/download)
+ - [:simple-linux: Linux](https://getsession.org/download)
+
+Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design.
+
+Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information.
+
+Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.”
+
+Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга.
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change.
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено.
+
+- Must have open-source clients.
+- Must use E2EE for private messages by default.
+- Must support E2EE for all messages.
+- Must have been independently audited.
+
+### В лучшем случае
+
+Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных.
+
+- Should have Perfect Forward Secrecy.
+- Should have open-source servers.
+- Should be decentralized, i.e. federated or P2P.
+- Should use E2EE for all messages by default.
+- Should support Linux, macOS, Windows, Android, and iOS.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/router.md b/i18n/ru/router.md
new file mode 100644
index 00000000..aec4bd01
--- /dev/null
+++ b/i18n/ru/router.md
@@ -0,0 +1,51 @@
+---
+title: "Прошивки для роутера"
+icon: material/router-wireless
+---
+
+Ниже приведены альтернативные операционные системы, которые могут использоваться на роутерах, точках доступа Wi-Fi и т. п.
+
+## OpenWrt
+
+!!! recommendation
+
+ ![Логотип OpenWrt](/assets/img/router/openwrt.svg#only-light){ align=right }
+ ![Логотип OpenWrt](/assets/img/router/openwrt-dark.svg#only-dark){ align=right }
+
+ **OpenWrt** - это операционная система, основанная на ядре Linux, используемая в основном на встраиваемых устройствах для маршрутизации сетевого трафика. Основными компонентами являются ядро Linux, util-linux, uClibc и BusyBox. Все компоненты были оптимизированы по размеру, чтобы быть достаточно маленькими для установки в ограниченной памяти, доступной в домашних роутерах.
+
+ [:octicons-home-16: Домашняя страница](https://openwrt.org/ru){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://openwrt.org/ru/docs/start){ .card-link title=Документация}
+ [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Исходный код" }
+ [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Поддержать }
+
+Вы можете обратиться к [таблице устройств](https://openwrt.org/toh/start) OpenWrt, чтобы проверить, поддерживается ли ваше устройство.
+
+## OPNsense
+
+!!! recommendation
+
+ ![Логотип OPNsense](assets/img/router/opnsense.svg){ align=right }
+
+ **OPNsense** - это система для маршрутизации и файервола с открытым исходным кодом на базе FreeBSD, которая включает в себя множество дополнительных функций, таких как формирование трафика, балансировка нагрузки и поддержку VPN, а также множество других функций, доступных в виде плагинов. OPNsense часто используется для файерволов, роутеров, беспроводных точек доступа, серверов DHCP, DNS серверов и конечных точек VPN.
+
+ [:octicons-home-16: Домашняя страница](https://opnsense.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Документация}
+ [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Исходный код" }
+ [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Поддержать }
+
+OPNsense был изначально разработан как форк [pfSense](https://en.wikipedia.org/wiki/PfSense), и оба проекта известны как бесплатные и надежные дистрибутивы файерволов, которые предлагают функции, часто встречающиеся только в дорогих коммерческих файерволах. Разработчики OPNsense [назвали](https://docs.opnsense.org/history/thefork.html) ряд проблем с безопасностью и качеством кода pfSense, из-за которых в 2015 году и был разработан форк, а также опасения по поводу приобретения pfSense компанией Netgate и направления, в котором движется разработка pfSense.
+
+## Критерии
+
+**Обратите внимание, что у нас нет связей ни с одним из проектов, которые мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md)мы разработали четкий набор требований, позволяющий нам давать объективные рекомендации. Мы рекомендуем вам ознакомиться с этим списком, прежде чем выбрать программу, и провести самостоятельное исследование, чтобы убедиться, что это правильный выбор для вас.
+
+!!! example "Это новый раздел"
+
+ Мы пока работаем над установлением определенных критериев для каждого раздела нашего сайта, и они могут поменяться в будущем. Если у вас есть вопросы по поводу наших критериев, пожалуйста, [задавайте их на нашем форуме](https://discuss.privacyguides.net/latest) и не думайте, что мы не учли что-то при составлении наших рекомендаций, если это не указано здесь. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено.
+
+- Исходный код проекта должен быть открыт.
+- Проект должен регулярно обновляться.
+- Проект должен поддерживать широкий спектр устройств.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/search-engines.md b/i18n/ru/search-engines.md
new file mode 100644
index 00000000..d91197a1
--- /dev/null
+++ b/i18n/ru/search-engines.md
@@ -0,0 +1,105 @@ +--- +title: "Поисковые системы" +icon: material/search-web +--- + +Используйте поисковую систему, которая не строит рекламный профиль на основе ваших запросов. + +Приведенные здесь рекомендации основаны на политиках конфиденциальности этих сервисов. Не существует **никакой гарантии** того, что эти политики конфиденциальности будут соблюдены. + +Советуем использовать [VPN](/vpn) или [Tor](https://www.torproject.org/), если ваша модель угроз требует скрытия вашего IP-адреса от поискового провайдера. + +## Brave Search + +!!! recommendation + + ![Логотип DuckDuckGo](/assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** - популярная поисковая система, которая также используется по умолчанию в браузере Tor. DuckDuckGo использует коммерческий API Bing и [другие источники](https://help.duckduckgo.com/results/sources) для предоставления своих поисковых данных. + + [Перейти на duckduckgo.com](https://duckduckgo.com){ .md-button .md-button--primary } [:pg-tor:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .md-button } [Политика конфиденциальности](https://duckduckgo.com/privacy){ .md-button } + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. note IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! recommendation + + DuckDuckGo базируется в 🇺🇸 США. 
В их [Политике конфиденциальности](https://duckduckgo.com/privacy) говорится, что они хранят ваш поисковый запрос, но не ваш IP или любую другую идентифицирующую вас информацию. The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. note Они не хранят ваш IP-адрес, поисковые запросы или другую идентифицирующую вас информацию. + +## SearXNG + +!!! recommendation + + ![Логотип Startpage](/assets/img/search-engines/startpage.svg){ align=right } + + **Startpage** - это поисковая система, которая предоставляет результаты поиска из Google. Это очень удобный способ получить поисковые результаты Google, не сталкиваясь с такими темными паттернами, как сложные капчи или отказ в доступе из-за того, что вы используете [VPN](/vpn) или [Tor](https://www.torproject.org/download/). 
+ + [Перейти на startpage.com](https://www.startpage.com){ .md-button .md-button--primary } [Политика конфиденциальности](https://www.startpage.com/en/privacy-policy){ .md-button } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. note + +When you are using a SearXNG instance, be sure to go read their privacy policy. recommendation Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! 
note + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +### Минимальные требования к сервисам + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### В лучшем случае + +Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. + +--8<-- "includes/abbreviations.ru.txt" diff --git a/i18n/ru/tools.md b/i18n/ru/tools.md new file mode 100644 index 00000000..67d18958 --- /dev/null +++ b/i18n/ru/tools.md 
@@ -0,0 +1,454 @@ +--- +title: "Инструменты обеспечения приватности" +icon: material/tools +hide: + - toc +--- + +Если вы ищете какое-либо решение, то в этом списке все аппаратные и программные средства, которые мы рекомендуем. Рекомендуемые инструменты для обеспечения приватности/конфиденциальности выбираются в первую очередь на основе функций безопасности с дополнительным акцентом на децентрализованные инструменты с открытым исходным кодом. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Логотип Tor Browser](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](browsers.md#tor-browser) +- ![Логотип Firefox](assets/img/browsers/firefox.svg){ .twemoji } [Firefox (ПК)](browsers.md#firefox) +- ![Логотип Brave](assets/img/browsers/brave.svg){ .twemoji } [Brave (ПК)](browsers.md#brave) +- ![Логотип Brave](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](browsers.md#brave-android) +- ![Логотип Safari](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](browsers.md#safari) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Подробнее :hero-arrow-circle-right-fill:](tor.md) + +## Операционные Системы + +
+ +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](desktop-browsers.md) + +### Дополнительные советы + +
+ +- ![Логотип GrapheneOS](assets/img/android/grapheneos.svg#only-light){ .twemoji }![Логотип GrapheneOS](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![Логотип DivestOS](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](desktop-browsers.md#additional-resources) + +## Сервисы + +
+ +- ![Логотип Neo Store](assets/img/android/neo-store.png){ .twemoji } [Neo Store (Клиент F-Droid)](android.md#neo-store) +- ![Логотип Orbot](assets/img/android/orbot.svg){ .twemoji } [Orbot (Tor прокси)](android.md#orbot) +- ![Логотип Shelter](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Рабочие профили)](android.md#shelter) +- ![Логотип Auditor](assets/img/android/auditor.svg#only-light){ .twemoji }![Логотип Auditor](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (На поддерживаемых устройствах)](android.md#auditor) +- ![Логотип Secure Camera](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Логотип Secure Camera](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Логотип Secure PDF Viewer](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![Логотип Secure PDF Viewer](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) +- ![Логотип PrivacyBlur](assets/img/android/privacyblur.svg){ .twemoji } [PrivacyBlur](android.md#privacyblur) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](mobile-browsers.md) + +### Дополнительные советы + +
+ +- ![Логотип Fedora](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](linux-desktop.md#fedora-workstation) +- ![Логотип openSUSE Tumbleweed](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](linux-desktop.md#opensuse-tumbleweed) +- ![Логотип Arch](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](linux-desktop.md#arch-linux) +- ![Логотип Fedora Silverblue](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue и Kinoite](linux-desktop.md#fedora-silverblue) +- ![Логотип nixOS](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](linux-desktop.md#nixos) +- ![Логотип Whonix](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](linux-desktop.md#whonix) +- ![Логотип Tails](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](linux-desktop.md#tails) +- ![Логотип Qubes OS](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Дистрибутив ВМ Xen)](qubes.md) (1) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](mobile-browsers.md#adguard) + +## Программное обеспечение + +### Прошивки для роутера + +
+ +- ![Логотип OpenWrt](assets/img/router/openwrt.svg#only-light){ .twemoji }![Логотип OpenWrt](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![Логотип pfSense](assets/img/router/pfsense.svg#only-light){ .twemoji }![Логотип pfSense](assets/img/router/pfsense-dark.svg#only-dark){ .twemoji } [pfSense](router.md#pfsense) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](android.md) + +#### Android Apps + +
+ +- ![Логотип Cryptee](assets/img/cloud/cryptee.svg#only-light){ .twemoji }![Логотип Cryptee](assets/img/cloud/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](cloud.md#cryptee) +- ![Логотип Nextcloud](assets/img/cloud/nextcloud.svg){ .twemoji } [Nextcloud (Самостоятельный хостинг)](cloud.md#nextcloud) +- ![Логотип Proton Drive](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](android.md#general-apps) + +### Облачные хранилища + +
+ +- ![Логотип RethinkDNS](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![Логотип RethinkDNS](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![Логотип DNSCloak](assets/img/ios/dnscloak.png){ .twemoji } [DNSCloak](dns.md#dnscloak) +- ![Логотип dnscrypt-proxy](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](desktop.md) + +### Прошивки для роутера + +
+ +- ![Логотип AdGuard Home](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Логотип Pi-hole](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](router.md) + +## Service Providers + +### Электронная почта + +
+ +- ![Логотип Proton Mail](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#protonmail) +- ![Логотип Mailbox.org](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![Логотип StartMail](assets/img/email/startmail.svg#only-light){ .twemoji }![Логотип StartMail](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Логотип Tutanota](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Подробнее :hero-arrow-circle-right-fill:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![Логотип AnonAddy](assets/img/email/anonaddy.svg#only-light){ .twemoji }![Логотип AnonAddy](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![Логотип SimpleLogin](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![Логотип mailcow](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#самостоятельный-хостинг-почты) +- ![Логотип Mail-in-a-Box](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#самостоятельный-хостинг-почты) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](dns.md#self-hosted-solutions) + +### VPN сервисы + +
+ +- ![Логотип Brave Search](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![Логотип DuckDuckGo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![Логотип SearXNG](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Логотип Startpage](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Логотип Startpage](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](email.md) + +#### Email Aliasing Services + +
+ +- ![Логотип Proton VPN](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#protonvpn) +- ![Логотип IVPN](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Логотип Mullvad](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![Логотип Tutanota](assets/img/calendar-contacts/tutanota.svg){ .twemoji } [Tutanota](calendar-contacts.md#tutanota) +- ![Логотип EteSync](assets/img/calendar-contacts/etesync.svg){ .twemoji } [EteSync](calendar-contacts.md#etesync) +- ![Логотип Proton Calendar](assets/img/calendar-contacts/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar-contacts.md#proton-calendar) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](email.md#self-hosting-email) + +### Поисковые системы + +
+ +- ![Логотип EteSync Notes](assets/img/notebooks/etesync-notes.png){ .twemoji } [EteSync Notes](notebooks.md#etesync-notes) +- ![Логотип Joplin](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Логотип Standard Notes](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Логотип Org-mode](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](search-engines.md) + +### VPN Providers + +??? danger "VPN не обеспечивает анонимность" + + Использование VPN **не обеспечивает** анонимность ваших привычек при просмотре веб-страниц, а также **не прибавляет** безопасности при использовании незащищенного (HTTP) трафика. + + Если вам нужна **анонимность**, вам следует использовать браузер Tor **вместо** VPN. + + Если вам нужна дополнительная **безопасность**, убедитесь, что вы подключаетесь к веб-сайтам, используя [HTTPS](https://en.wikipedia.org/wiki/HTTPS). VPN не является заменой полезных привычек для обеспечения безопасности. + + [Узнать больше :material-arrow-right:](vpn.md) + +
+ +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](vpn.md) + +## Software + +### Почтовые клиенты + +
+ +- ![Логотип Cryptomator](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator) +- ![Логотип Picocrypt](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt) +- ![Логотип VeraCrypt](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![Логотип VeraCrypt](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt) +- ![Логотип Hat.sh](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Логотип Hat.sh](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (В браузере)](encryption.md#hatsh) +- ![Логотип Kryptor](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Логотип Tomb](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](calendar.md) + +### Инструменты для шифрования + +
+ +- ![Логотип GnuPG](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![Логотип GPG4Win](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![Логотип GPG Suite](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![Логотип OpenKeychain](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](data-redaction.md) + +### Обмен Файлами + +
+ +- ![Логотип Magic Wormhole](assets/img/file-sharing-sync/magic_wormhole.png){ .twemoji } [Magic Wormhole](file-sharing.md#magic-wormhole) +- ![Логотип Bitwarden](assets/img/file-sharing-sync/bitwarden.svg){ .twemoji } [Bitwarden](file-sharing.md#bitwarden-send) +- ![Логотип OnionShare](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![Логотип FreedomBox](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Логотип Syncthing](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](email-clients.md) + +### Инструменты для шифрования + +??? info "Operating System Disk Encryption" + + Для шифрования диска операционной системы мы обычно рекомендуем использовать тот инструмент шифрования, который предоставляет ваша операционная система, будь то **BitLocker** в Windows, **FileVault** в macOS или **LUKS** в Linux. Эти инструменты доступны "из коробки" и обычно используют аппаратные элементы шифрования, такие как TPM, чего не делают другие программы для шифрования диска, такие как VeraCrypt. Однако VeraCrypt по-прежнему подходит для дисков, не относящихся к операционной системе (внешние диски), и к таким дискам, доступ к которым может осуществляться из нескольких операционных систем. + + [Узнать больше :material-arrow-right:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Логотип ExifCleaner](assets/img/metadata-removal/exifcleaner.svg){ .twemoji } [ExifCleaner](metadata-removal-tools.md#exifcleaner) +- ![Логотип MAT2](assets/img/metadata-removal/mat2.svg){ .twemoji } [MAT2](metadata-removal-tools.md#mat2) +- ![Логотип ExifEraser](assets/img/metadata-removal/exiferaser.svg){ .twemoji } [ExifEraser (Android)](metadata-removal-tools.md#exiferaser-android) +- ![Логотип Metapho](assets/img/metadata-removal/metapho.jpg){ .twemoji } [Metapho (iOS)](metadata-removal-tools.md#metapho) +- ![Логотип ExifTool](assets/img/metadata-removal/exiftool.png){ .twemoji } [ExifTool (CLI)](metadata-removal-tools.md#exiftool) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](encryption.md#openpgp) + +### Инструменты для многофакторной аутентификации + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](file-sharing.md) + +### Менеджеры паролей + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](frontends.md) + +### Офисные приложения + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](multi-factor-authentication.md) + +### Мессенджеры + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](news-aggregators.md) + +### Заметки + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](notebooks.md) + +### Анонимные сети + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](productivity.md) + +### Мессенджеры + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](video-streaming.md) + +--8<-- "includes/abbreviations.ru.txt" diff --git a/i18n/ru/tor.md b/i18n/ru/tor.md new file mode 100644 index 00000000..fdbb105d --- /dev/null +++ b/i18n/ru/tor.md @@ -0,0 +1,130 @@ +--- +title: "Tor Network" +icon: simple/torproject +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+ +- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md) + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Браузер Tor + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! 
recommendation + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. downloads + + - [:fontawesome-brands-windows: Windows](https://www.mozilla.org/firefox/windows) + - [:fontawesome-brands-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:fontawesome-brands-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.firefox) + - [:fontawesome-brands-git: Source](https://hg.mozilla.org/mozilla-central) + +Этот браузер дает вам доступ к мостам Tor и \[сети Tor\](https://en.wikipedia.org/wiki/Tor_(network)), а также может быть настроен с помощью трех уровней безопасности - *Обычного*, *Высокого* и *Высшего*. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to. + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Terms of Service; Didn't Read + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. 
+ + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html).
+
+Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours.
+
+Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/video-streaming.md b/i18n/ru/video-streaming.md
new file mode 100644
index 00000000..85a5d513
--- /dev/null
+++ b/i18n/ru/video-streaming.md
@@ -0,0 +1,50 @@
+---
+title: "Видеохостинги"
+icon: material/video-wireless
+---
+
+Основная угроза при использовании платформ потокового видео заключается в том, что ваши интересы и списки подписчиков могут быть использованы чтобы отслеживать вас. Вам следует сочетать эти инструменты с [VPN](/vpn) или [Tor](https://www.torproject.org/), чтобы усложнить отслеживание вашего использования.
+
+## Клиенты
+
+!!! recommendation
+
+ При использовании Freetube ваш IP-адрес по-прежнему известен YouTube, [Invidious](https://instances.invidious.io) и экземплярам SponsorBlock, которые вы используете. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance.
+
+ **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet.
+
+ [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://lbry.com/windows)
+ - [:simple-apple: macOS](https://lbry.com/osx)
+ - [:simple-linux: Linux](https://lbry.com/linux)
+
+!!! note
+
+ Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry.
+
+!!! note
+
+ While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel.
+
+You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга.
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено.
+
+- Must not require a centralized account to view videos.
+ - Decentralized authentication, such as via a mobile wallet's private key is acceptable.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/ru/vpn.md b/i18n/ru/vpn.md
new file mode 100644
index 00000000..65da3db3
--- /dev/null
+++ b/i18n/ru/vpn.md
@@ -0,0 +1,316 @@ +--- +title: "VPN сервисы" +icon: material/vpn +--- + +Найдите VPN-оператора, который не занимается продажей или чтением вашего веб-трафика. + +??? danger "VPN не обеспечивает анонимность" + + Использование VPN **не обеспечивает** анонимность ваших привычек при просмотре веб-страниц, а также **не прибавляет** безопасности при использовании незащищенного (HTTP) трафика. + + Если вам нужна **анонимность**, вам следует использовать браузер Tor **вместо** VPN. + + Если вам нужна дополнительная **безопасность**, убедитесь, что вы подключаетесь к веб-сайтам, используя [HTTPS](https://en.wikipedia.org/wiki/HTTPS). VPN не является заменой полезных привычек для обеспечения безопасности. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +??? info "Когда полезны VPN сервисы?" + + Если вам нужна дополнительная **приватность** от вашего провайдера, в публичных сетях Wi-Fi или во время скачивания торрентов, VPN может быть правильным решением для вас, если вы понимаете связанные с этим риски. + + [Подробнее](#vpn-overview){ .md-button } + +## Рекомендованные провайдеры + +!!! example "Критерии" + + Рекомендуемые нами провайдеры находятся за пределами США, используют шифрование, принимают Monero, поддерживают WireGuard и OpenVPN и не сохраняют логи вашего трафика. Для дополнительной информации ознакомьтесь с нашим [полным списком критериев](#our-criteria). + +### Mullvad + +!!! recommendation annotate + + ![Логотип Mullvad](/assets/img/vpn/mullvad.svg#only-light){ align=right } + ![Логотип Mullvad](/assets/img/vpn/mullvad-dark.svg#only-dark){ align=right } + + **Mullvad** - это быстрый и недорогой VPN с серьезным акцентом на прозрачность и безопасность. Они работают с **2009 года**. + + Mullvad базируется в Швеции и не имеет бесплатной пробной версии. 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +??? check "35 Стран" + + На момент написания этой страницы Mullvad имеет [серверы в 35 странах](https://mullvad.net/en/servers/). Выбор VPN-провайдера с ближайшим к вам сервером позволит снизить задержку передаваемого вами сетевого трафика. Это происходит из-за более короткого маршрута (меньше промежуточных серверов) до пункта назначения. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? check "Независимо проверены" + + VPN-клиенты Mullvad были проверены компаниями Cure53 и Assured AB в отчете по пентесту [опубликовано на сайте cure53.de] (https://cure53.de/pentest-report_mullvad_v2.pdf). Исследователи безопасности заключили: + + > Cure53 и Assured AB довольны результатами аудита, и программное обеспечение оставляет общее положительное впечатление. Учитывая преданность безопасности в команде Mullvad VPN, проверяющие не сомневаются, что проект находится на правильном пути с точки зрения безопасности. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). 
In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +??? check "Клиенты с открытым исходным кодом" + + Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +??? check "Принимает наличные" + + Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment. + +??? check "Поддержка WireGuard" + + Mullvad поддерживает протокол WireGuard®. [WireGuard](https://www.wireguard.com)[^1] - это более новый протокол, использующий самую современную [криптографию](https://www.wireguard.com/protocol/). Кроме того, WireGuard стремится быть более простым и производительным. + + Mullvad [рекомендует](https://mullvad.net/en/help/why-wireguard/) использовать WireGuard в их продукте. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +??? warning "Remote Port Forwarding" + + Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +??? 
success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +??? info "Additional Functionality" + + Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +!!! danger "Killswitch feature is broken on Intel-based Macs" + + System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. Выбор VPN-провайдера с ближайшим к вам сервером позволит снизить задержку передаваемого вами сетевого трафика. + + Это происходит из-за более короткого маршрута (меньше промежуточных серверов) до пункта назначения. 
downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +??? check "Независимо проверены" + + IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1). Выбор VPN-провайдера с ближайшим к вам сервером позволит снизить задержку передаваемого вами сетевого трафика. Это происходит из-за более короткого маршрута (меньше промежуточных серверов) до пункта назначения. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? check "Независимо проверены" + + IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +??? check "Клиенты с открытым исходным кодом" + + As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +??? 
check "Принимает наличные" + + In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +??? check "Поддержка WireGuard" + + IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com)[^1] - это более новый протокол, использующий самую современную [криптографию](https://www.wireguard.com/protocol/). Кроме того, WireGuard стремится быть более простым и производительным. + + IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +??? info "Additional Functionality" + + IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! 
recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. Выбор VPN-провайдера с ближайшим к вам сервером позволит снизить задержку передаваемого вами сетевого трафика. Это происходит из-за более короткого маршрута (меньше промежуточных серверов) до пункта назначения. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +??? check "Независимо проверены" + + Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). Выбор VPN-провайдера с ближайшим к вам сервером позволит снизить задержку передаваемого вами сетевого трафика. Это происходит из-за более короткого маршрута (меньше промежуточных серверов) до пункта назначения. 
+ + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2023-01-19 + +??? check "Независимо проверены" + + Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + + > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + + In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + + > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. 
+ + In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +??? check "Клиенты с открытым исходным кодом" + + Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +??? check "Принимает наличные" + + Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. [WireGuard](https://www.wireguard.com)[^1] - это более новый протокол, использующий самую современную [криптографию](https://www.wireguard.com/protocol/). + +??? check "Поддержка WireGuard" + + Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com)[^1] - это более новый протокол, использующий самую современную [криптографию](https://www.wireguard.com/protocol/). Кроме того, WireGuard стремится быть более простым и производительным. + + Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? 
check "Поддержка WireGuard" + + Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +??? success "Mobile Clients" + + Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +??? info "Additional Functionality" + + Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +## Criteria + +!!! 
recommendation
+
+ It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy.
+
+**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible.
+
+### Technology
+
+We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected.
+
+**Minimum to Qualify:**
+
+- Support for strong protocols such as WireGuard & OpenVPN.
+- Killswitch built in to clients.
+- Multihop support. Multihopping is important to keep data private in case of a single node compromise.
+- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing.
+
+**Best Case:**
+
+- WireGuard and OpenVPN support.
+- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.)
+- Easy-to-use VPN clients
+- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses.
+- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble).
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required.
+
+**Minimum to Qualify:**
+
+- Monero or cash payment option.
+- No personal information required to register: Only username, password, and email at most.
+
+**Best Case:**
+
+- Accepts Monero, cash, and other forms of anonymous payment options (gift cards, etc.)
+- No personal information accepted (autogenerated username, no email required, etc.)
+
+### Security
+
+A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis.
+
+**Minimum to Qualify:**
+
+- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
+- Perfect Forward Secrecy (PFS).
+- Published security audits from a reputable third-party firm.
+
+**Best Case:**
+
+- Strongest Encryption: RSA-4096.
+- Perfect Forward Secrecy (PFS).
+- Comprehensive published security audits from a reputable third-party firm.
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. 
We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the VPN providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+ - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.)
+ - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes.
+- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor.
+
+**Best Case:**
+
+Responsible marketing that is both educational and useful to the consumer could include:
+
+- An accurate comparison to when [Tor](tor.md) should be used instead.
+- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion)
+
+### Additional Functionality
+
+While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc.
+
+--8<-- "includes/abbreviations.ru.txt"
diff --git a/i18n/sv/404.md b/i18n/sv/404.md
new file mode 100644
index 00000000..9b7b3198
--- /dev/null
+++ b/i18n/sv/404.md
@@ -0,0 +1,17 @@
+---
+hide:
+ - feedback
+---
+
+# 404 - Not Found
+
+We couldn't find the page you were looking for! Maybe you were looking for one of these?
+
+- [Introduction to Threat Modeling](basics/threat-modeling.md)
+- [Recommended DNS Providers](dns.md)
+- [Best Desktop Web Browsers](desktop-browsers.md)
+- [Best VPN Providers](vpn.md)
+- [Privacy Guides Forum](https://discuss.privacyguides.net)
+- [Our Blog](https://blog.privacyguides.org)
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/CODE_OF_CONDUCT.md b/i18n/sv/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..88a0e910
--- /dev/null
+++ b/i18n/sv/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@
+# Community Code of Conduct
+
+**We pledge** to make our community a harassment-free experience for everyone.
+
+**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others.
+
+**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment.
+
+## Community Standards
+
+What we expect from members of our communities:
+
+1. **Don't spread misinformation**
+
+ We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence.
+
+1. **Don't abuse our willingness to help**
+
+ Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/).
+
+1. 
**Behave in a positive and constructive manner**
+
+ Examples of behavior that contributes to a positive environment for our community include:
+
+ - Demonstrating empathy and kindness toward other people
+ - Being respectful of differing opinions, viewpoints, and experiences
+ - Giving and gracefully accepting constructive feedback
+ - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+ - Focusing on what is best not just for us as individuals, but for the overall community
+
+### Unacceptable Behavior
+
+The following behaviors are considered harassment and are unacceptable within our community:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Scope
+
+Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities.
+
+We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion.
+
+### Contact
+
+If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system.
+
+If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
diff --git a/i18n/sv/about/criteria.md b/i18n/sv/about/criteria.md
new file mode 100644
index 00000000..ec789f80
--- /dev/null
+++ b/i18n/sv/about/criteria.md
@@ -0,0 +1,42 @@
+---
+title: General Criteria
+---
+
+!!! example "Work in Progress"
+
+ The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24)
+
+Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion.
+
+## Financial Disclosure
+
+We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors.
+
+## General Guidelines
+
+We apply these priorities when considering new recommendations:
+
+- **Secure**: Tools should follow security best-practices wherever applicable.
+- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives.
+- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in.
+- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases.
+- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required.
+- **Documented**: Tools should have clear and extensive documentation for use.
+
+## Developer Self-Submissions
+
+We have these requirements in regard to developers which wish to submit their project or software for consideration.
+
+- Must disclose affiliation, i.e. your position within the project being submitted.
+
+- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc.
+ - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit.
+
+- Must explain what the project brings to the table in regard to privacy.
+ - Does it solve any new problem?
+ - Why should anyone use it over the alternatives?
+
+- Must state what the exact threat model is with their project.
+ - It should be clear to potential users what the project can provide, and what it cannot.
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/about/donate.md b/i18n/sv/about/donate.md
new file mode 100644
index 00000000..155097ab
--- /dev/null
+++ b/i18n/sv/about/donate.md
@@ -0,0 +1,52 @@
+---
+title: Supporting Us
+---
+
+
+It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides).
+
+If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers.
+
+[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary}
+
+Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you.
+
+If you already make use of GitHub sponsorships, you can also sponsor our organization there.
+
+[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button}
+
+## Backers
+
+A special thanks to all those who support our mission! :heart:
+
+*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.*
+
+
+
+## How We Use Donations
+
+Privacy Guides is a **non-profit** organization. 
We use donations for a variety of purposes, including:
+
+**Domain Registrations**
+:
+
+We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration.
+
+**Web Hosting**
+:
+
+Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic.
+
+**Online Services**
+:
+
+We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.).
+
+**Product Purchases**
+:
+
+We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md).
+
+We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org).
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/about/index.md b/i18n/sv/about/index.md
new file mode 100644
index 00000000..b91ba857
--- /dev/null
+++ b/i18n/sv/about/index.md
@@ -0,0 +1,63 @@
+---
+title: "About Privacy Guides"
+---
+
+**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors.
+
+[:material-hand-coin-outline: Support the project](donate.md ""){.md-button.md-button--primary}
+
+## Our Team
+
+??? person "@jonah"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah)
+ - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon")
+ - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me}
+ - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com)
+
+??? person "@niek-de-wilde"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde)
+ - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447")
+ - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me}
+
+??? person "@dngray"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray)
+ - [:simple-github: GitHub](https://github.com/dngray "@dngray")
+ - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me}
+ - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org)
+
+??? person "@freddy"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy)
+ - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m")
+ - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me}
+ - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org)
+ - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol)
+
+??? 
person "@mfwmyfacewhen"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen)
+ - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen")
+ - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol)
+
+??? person "@olivia"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia)
+ - [:simple-github: GitHub](https://github.com/hook9 "@hook9")
+ - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me}
+
+Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub!
+
+Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax deductible in the United States.
+
+## Site License
+
+*The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):*
+
+:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. 
You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material.
+
+This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space!
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/about/notices.md b/i18n/sv/about/notices.md
new file mode 100644
index 00000000..035d43a1
--- /dev/null
+++ b/i18n/sv/about/notices.md
@@ -0,0 +1,45 @@
+---
+title: "Notices and Disclaimers"
+hide:
+ - toc
+---
+
+## Legal Disclaimer
+
+Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship.
+
+Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward.
+
+Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site.
+
+Privacy Guides additionally does not warrant that this website will be constantly available, or available at all.
+
+## Licenses
+
+Unless otherwise noted, all content on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE).
+
+This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive:
+
+* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt).
+
+Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE).
+
+This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo.
+
+We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. 
*When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.*
+
+When you contribute to this repository you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project.
+
+## Acceptable Use
+
+You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity.
+
+You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including:
+
+* Excessive Automated Scans
+* Denial of Service Attacks
+* Scraping
+* Data Mining
+* 'Framing' (IFrames)
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/about/privacy-policy.md b/i18n/sv/about/privacy-policy.md
new file mode 100644
index 00000000..629e87f6
--- /dev/null
+++ b/i18n/sv/about/privacy-policy.md
@@ -0,0 +1,63 @@
+---
+title: "Privacy Policy"
+---
+
+Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people).
+
+## Data We Collect From Visitors
+
+The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website:
+
+- No personal information is collected
+- No information such as cookies are stored in the browser
+- No information is shared with, sent to or sold to third-parties
+- No information is shared with advertising companies
+- No information is mined and harvested for personal and behavioral trends
+- No information is monetized
+
+You can view the data we collect on our [statistics](statistics.md) page.
+
+We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected.
+
+Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy).
+
+## Data We Collect From Account Holders
+
+On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform.
+
+To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site.
+
+We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services.
+
+We use your email to:
+
+- Notify you about posts and other activity on the websites or services.
+- Reset your password and help keep your account secure.
+- Contact you in special circumstances related to your account.
+- Contact you about legal requests, such as DMCA takedown requests.
+
+On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time.
+
+We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days.
+
+## Contacting Us
+
+The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to:
+
+```text
+Jonah Aragon
+Services Administrator
+jonah@privacyguides.org
+```
+
+For all other inquiries, you can contact any member of our team.
+
+For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use.
+
+## About This Policy
+
+We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. 
In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/about/privacytools.md b/i18n/sv/about/privacytools.md new file mode 100644 index 00000000..c308bf63 --- /dev/null +++ b/i18n/sv/about/privacytools.md 
@@ -0,0 +1,120 @@
+---
+title: "PrivacyTools FAQ"
+---
+
+# Why we moved on from PrivacyTools
+
+In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted.
+
+Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition.
+
+After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions.
+
+## What is PrivacyTools?
+
+PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations.
The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc.
+
+Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested.
+
+## Why We Moved On
+
+In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again.
+
+In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.==
+
+## Domain Name Reliance
+
+At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment.
+
+The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place.
+
+Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service.
This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome.
+
+In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition.
+
+## Community Call to Action
+
+At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped.
+
+## Control of r/privacytoolsIO
+
+Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit.
+
+Reddit requires that subreddits have active moderators.
If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms.
+
+> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer.
+>
+> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct).
+
+## Beginning the Transition
+
+On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain:
+
+> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc.
+
+This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/)
+
+- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org).
+- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site.
+- Posting announcements to our subreddit and various other communities informing people of the official change.
+- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible.
+
+Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped.
+
+## Following Events
+
+Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project.
+
+At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible).
+
+Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services.
+
+Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration.
BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so.
+
+BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim.
+
+## PrivacyTools.io Now
+
+As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs.
+
+==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder.
+
+## r/privacytoolsIO Now
+
+After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021:
+
+> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you.
+>
+> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...]
+
+Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides.
+
+In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules:
+
+> Retaliation from any moderator with regards to removal requests is disallowed.
+
+For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is.
+
+## OpenCollective Now
+
+Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community.
+
+Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer:
+
+> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net.
+
+## Further Reading
+
+This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion.
+
+- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/)
+- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/)
+- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/)
+- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides)
+- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280)
+- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/)
+- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/)
+- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496)
+- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20)
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/about/services.md b/i18n/sv/about/services.md
new file mode 100644
index 00000000..373bdf6a
--- /dev/null
+++ b/i18n/sv/about/services.md
@@ -0,0 +1,40 @@
+# Privacy Guides Services
+
+We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below.
+
+[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary}
+
+## Discourse
+
+- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net)
+- Availability: Public
+- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse)
+
+## Gitea
+
+- Domain: [code.privacyguides.dev](https://code.privacyguides.dev)
+- Availability: Invite-Only
+ Access may be granted upon request to any team working on *Privacy Guides*-related development or content.
+- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea)
+
+## Matrix
+
+- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org)
+- Availability: Invite-Only
+ Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence.
+- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy)
+
+## SearXNG
+
+- Domain: [search.privacyguides.net](https://search.privacyguides.net)
+- Availability: Public
+- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker)
+
+## Invidious
+
+- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net)
+- Availability: Semi-Public
+ We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time.
+- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious)
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/about/statistics.md b/i18n/sv/about/statistics.md
new file mode 100644
index 00000000..6ec66006
--- /dev/null
+++ b/i18n/sv/about/statistics.md
@@ -0,0 +1,63 @@
+---
+title: Traffic Statistics
+---
+
+## Website Statistics
+ + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + +
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/advanced/communication-network-types.md b/i18n/sv/advanced/communication-network-types.md
new file mode 100644
index 00000000..5dbefe14
--- /dev/null
+++ b/i18n/sv/advanced/communication-network-types.md
@@ -0,0 +1,104 @@
+---
+title: "Types of Communication Networks"
+icon: 'material/transit-connection-variant'
+---
+
+There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use.
+
+[Recommended Instant Messengers](../real-time-communication.md ""){.md-button}
+
+## Centralized Networks
+
+![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left }
+
+Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization.
+
+Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate.
+
+**Advantages:**
+
+- New features and changes can be implemented more quickly.
+- Easier to get started with and to find contacts.
+- Most mature and stable features ecosystems, as they are easier to program in a centralized software.
+- Privacy issues may be reduced when you trust a server that you're self-hosting.
+
+**Disadvantages:**
+
+- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like:
+- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage.
+- Poor or no documentation for third-party developers.
+- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on.
+- Self-hosting requires effort and knowledge of how to set up a service.
+
+## Federated Networks
+
+![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left }
+
+Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network.
+
+When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server).
+
+**Advantages:**
+
+- Allows for greater control over your own data when running your own server.
+- Allows you to choose whom to trust your data with by choosing between multiple "public" servers.
+- Often allows for third-party clients which can provide a more native, customized, or accessible experience.
+- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member).
+
+**Disadvantages:**
+
+- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network.
+- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion.
+- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used).
+- Federated servers generally require trusting your server's administrator.
They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used.
+- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers.
+
+## Peer-to-Peer Networks
+
+![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left }
+
+P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server.
+
+Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol).
+
+Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient.
+
+P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting.
+
+**Advantages:**
+
+- Minimal information is exposed to third-parties.
+- Modern P2P platforms implement E2EE by default.
There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models.
+
+**Disadvantages:**
+
+- Reduced feature set:
+- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online.
+- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online.
+- Some common messenger features may not be implemented or incompletely, such as message deletion.
+- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention.
+
+## Anonymous Routing
+
+![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left }
+
+A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three.
+
+There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can.
Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers."
+
+Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit.
+
+**Advantages:**
+
+- Minimal to no information is exposed to other parties.
+- Messages can be relayed in a decentralized manner even if one of the parties is offline.
+
+**Disadvantages:**
+
+- Slow message propagation.
+- Often limited to fewer media types, mostly text, since the network is slow.
+- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline.
+- More complex to get started, as the creation and secured backup of a cryptographic private key is required.
+- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion.
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/advanced/dns-overview.md b/i18n/sv/advanced/dns-overview.md
new file mode 100644
index 00000000..5c63c550
--- /dev/null
+++ b/i18n/sv/advanced/dns-overview.md
@@ -0,0 +1,307 @@ +--- +title: "DNS Overview" +icon: material/dns +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. 
This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. 
| Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. 
Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. 
When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. 
We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. 
Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. 
We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. 
It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? 
+
+A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server).
+
+Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
+
+## What is EDNS Client Subnet (ECS)?
+
+The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query.
+
+It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps.
+
+This feature does come at a privacy cost, as it tells the DNS server some information about the client's location.
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/advanced/tor-overview.md b/i18n/sv/advanced/tor-overview.md
new file mode 100644
index 00000000..d28cfc70
--- /dev/null
+++ b/i18n/sv/advanced/tor-overview.md
@@ -0,0 +1,81 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building + +Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +--8<-- "includes/abbreviations.sv.txt" + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. 
The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/sv/android.md b/i18n/sv/android.md
new file mode 100644
index 00000000..47be1987
--- /dev/null
+++ b/i18n/sv/android.md
@@ -0,0 +1,353 @@ +--- +title: "Android" +icon: 'simple/android' +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +- [General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md) +- [Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! 
recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! 
recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). 
All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. 
For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. 
Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). 
If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! 
recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! 
recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). 
If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. 
+ +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. 
+ + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. 
While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Operating Systems
+
+- Must be open-source software.
+- Must support bootloader locking with custom AVB key support.
+- Must receive major Android updates within 0-1 months of release.
+- Must receive Android feature updates (minor version) within 0-14 days of release.
+- Must receive regular security patches within 0-5 days of release.
+- Must **not** be "rooted" out of the box.
+- Must **not** enable Google Play Services by default.
+- Must **not** require system modification to support Google Play Services.
+
+### Devices
+
+- Must support at least one of our recommended custom operating systems.
+- Must be currently sold new in stores.
+- Must receive a minimum of 5 years of security updates.
+- Must have dedicated secure element hardware.
+
+### Applications
+
+- Applications on this page must not be applicable to any other software category on the site.
+- General applications should extend or replace core system functionality.
+- Applications should receive regular updates and maintenance.
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/assets/img/account-deletion/exposed_passwords.png b/i18n/sv/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/sv/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/sv/assets/img/android/rss-apk-dark.png b/i18n/sv/assets/img/android/rss-apk-dark.png
new file mode 100644
index 00000000..974869a4
Binary files /dev/null and b/i18n/sv/assets/img/android/rss-apk-dark.png differ
diff --git a/i18n/sv/assets/img/android/rss-apk-light.png b/i18n/sv/assets/img/android/rss-apk-light.png
new file mode 100644
index 00000000..21d6ef03
Binary files /dev/null and b/i18n/sv/assets/img/android/rss-apk-light.png differ
diff --git a/i18n/sv/assets/img/android/rss-changes-dark.png b/i18n/sv/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/sv/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/sv/assets/img/android/rss-changes-light.png b/i18n/sv/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/sv/assets/img/android/rss-changes-light.png differ diff --git a/i18n/sv/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/sv/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/sv/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/sv/assets/img/how-tor-works/tor-encryption.svg b/i18n/sv/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/sv/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/sv/assets/img/how-tor-works/tor-path-dark.svg b/i18n/sv/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/sv/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/sv/assets/img/how-tor-works/tor-path.svg b/i18n/sv/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/sv/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/sv/assets/img/multi-factor-authentication/fido.png b/i18n/sv/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/sv/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/sv/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/sv/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/sv/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/sv/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/sv/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/sv/assets/img/qubes/qubes-trust-level-architecture.png differ 
diff --git a/i18n/sv/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/sv/assets/img/qubes/r4.0-xfce-three-domains-at-work.png
new file mode 100644
index 00000000..d7138149
Binary files /dev/null and b/i18n/sv/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ
diff --git a/i18n/sv/basics/account-creation.md b/i18n/sv/basics/account-creation.md
new file mode 100644
index 00000000..90344981
--- /dev/null
+++ b/i18n/sv/basics/account-creation.md
@@ -0,0 +1,82 @@
+---
+title: "Account Creation"
+icon: 'material/account-plus'
+---
+
+Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line.
+
+There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer.
+
+It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.
+
+## Terms of Service & Privacy Policy
+
+The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for.
+
+The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect.
+
+We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start.
+
+Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy.
+
+## Authentication methods
+
+There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks.
+
+### Email and password
+
+The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords.
+
+!!! tip
+
+ You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key.
+
+You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts.
+
+[Recommended password managers](../passwords.md ""){.md-button}
+
+#### Email aliases
+
+If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to.
+
+Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked.
+
+[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button}
+
+### Single sign-on
+
+!!! note
+
+ We are discussing Single sign-on for personal use, not enterprise users.
+
+Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO.
+
+When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account.
+
+The main advantages are:
+
+- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials.
+- **Ease of use**: multiple accounts are managed by a single login.
+
+But there are disadvantages:
+
+- **Privacy**: a SSO provider will know the services you use.
+- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected.
+
+SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md).
+
+All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak.
+
+### Phone number
+
+We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted.
+
+You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts.
+
+In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number!
+
+### Username and password
+
+Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password.
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/basics/account-deletion.md b/i18n/sv/basics/account-deletion.md
new file mode 100644
index 00000000..04e64ab6
--- /dev/null
+++ b/i18n/sv/basics/account-deletion.md
@@ -0,0 +1,63 @@
+---
+title: "Account Deletion"
+icon: 'material/account-remove'
+---
+
+Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence.
+
+## Finding Old Accounts
+
+### Password Manager
+
+If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/).
+
+
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png)
+
+
+Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336).
+
+Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about:
+
+- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
+- macOS [Passwords](https://support.apple.com/en-us/HT211145)
+- iOS [Passwords](https://support.apple.com/en-us/HT211146)
+- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
+
+### Email
+
+If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts.
+
+## Deleting Old Accounts
+
+### Log In
+
+In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts.
+
+When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account.
+
+### GDPR (EEA residents only)
+
+Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
+
+### Overwriting Account information
+
+In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information.
+
+For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.
+
+### Delete
+
+You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
+
+For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this).
+
+If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
+
+Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services.
+
+## Avoid New Accounts
+
+As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/basics/common-misconceptions.md b/i18n/sv/basics/common-misconceptions.md
new file mode 100644
index 00000000..d9e4bd15
--- /dev/null
+++ b/i18n/sv/basics/common-misconceptions.md
@@ -0,0 +1,61 @@
+---
+title: "Common Misconceptions"
+icon: 'material/robot-confused'
+---
+
+## "Open-source software is always secure" or "Proprietary software is more secure"
+
+These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis.
+
+Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1]
+
+On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
+
+To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use.
+
+## "Shifting trust can increase privacy"
+
+We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that:
+
+1. You must exercise caution when choosing a provider to shift trust to.
+2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data.
+
+## "Privacy-focused solutions are inherently trustworthy"
+
+Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider.
+
+The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all.
+
+## "Complicated is better"
+
+We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?"
+
+Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips:
+
+1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions.
+2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember.
+3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight.
+
+So, how might this look?
+
+One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to.
+
+1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses.
+
+ We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means.
+
+ !!! tip
+
+ When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private.
+
+2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc.
+
+ You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.
+
+3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly.
+
+ Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.)
+
+--8<-- "includes/abbreviations.sv.txt"
+
+[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident).
diff --git a/i18n/sv/basics/common-threats.md b/i18n/sv/basics/common-threats.md
new file mode 100644
index 00000000..0e6a456b
--- /dev/null
+++ b/i18n/sv/basics/common-threats.md
@@ -0,0 +1,149 @@
+---
+title: "Common Threats"
+icon: 'material/eye-outline'
+---
+
+Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat.
+
+- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically.
+- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically.
+- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
+- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
+- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities.
+- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
+- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public.
+- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online.
+
+Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices.
+
+## Anonymity vs. Privacy
+
+:material-incognito: Anonymity
+
+Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity.
+
+Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far.
+
+## Security and Privacy
+
+:material-bug-outline: Passive Attacks
+
+Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.)
+
+When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited.
+
+To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control.
+
+!!! tip
+
+ Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources.
+
+ Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os).
+
+:material-target-account: Targeted Attacks
+
+Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies.
+
+!!! tip
+
+ By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this.
+
+If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user.
+
+## Privacy From Service Providers
+
+:material-server-network: Service Providers
+
+We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them.
+
+The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord.
+
+Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party.
+
+!!! note "Note on Web-based Encryption"
+
+ In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering).
+
+ On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt.
+
+ Therefore, you should use native applications over web clients whenever possible.
+
+Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all.
+
+## Mass Surveillance Programs
+
+:material-eye-outline: Mass Surveillance
+
+Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative.
+
+!!! abstract "Atlas of Surveillance"
+
+ If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/).
+
+ In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net.
+
+Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others.
+
+!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
+
+ In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline.
+
+Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2]
+
+Online, you can be tracked via a variety of methods:
+
+- Your IP address
+- Browser cookies
+- The data you submit to websites
+- Your browser or device fingerprint
+- Payment method correlation
+
+\[This list isn't exhaustive].
+
+If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information.
+
+:material-account-cash: Surveillance Capitalism
+
+> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3]
+
+For many people, tracking and surveillance by private corporations is a growing concern.
Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. 
This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. 
Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +--8<-- "includes/abbreviations.sv.txt" + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/sv/basics/email-security.md b/i18n/sv/basics/email-security.md new file mode 100644 index 00000000..74707842 --- /dev/null +++ b/i18n/sv/basics/email-security.md 
@@ -0,0 +1,42 @@ +--- +title: Email Security +icon: material/email +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? 
+ +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? 
+ +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/basics/multi-factor-authentication.md b/i18n/sv/basics/multi-factor-authentication.md new file mode 100644 index 00000000..ac6602c2 --- /dev/null +++ b/i18n/sv/basics/multi-factor-authentication.md 
@@ -0,0 +1,166 @@ +--- +title: "Multi-Factor Authentication" +icon: 'material/two-factor-authentication' +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. 
+ +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. 
If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. 
+ +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. 
+ +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. 
+ +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/basics/passwords-overview.md b/i18n/sv/basics/passwords-overview.md new file mode 100644 index 00000000..9f0d3b05 --- /dev/null +++ b/i18n/sv/basics/passwords-overview.md 
@@ -0,0 +1,112 @@
+---
+title: "Introduction to Passwords"
+icon: 'material/form-textbox-password'
+---
+
+Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced.
+
+## Best Practices
+
+### Use unique passwords for every service
+
+Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it.
+
+This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords.
+
+### Use randomly generated passwords
+
+==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices.
+
+All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use.
+
+### Rotating Passwords
+
+You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it.
+
+When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage.
+
+!!! tip "Checking for data breaches"
+
+ If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md).
+
+## Creating strong passwords
+
+### Passwords
+
+A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters.
+
+If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases).
+
+### Diceware Passphrases
+
+Diceware is a method for creating passphrases which are easy to remember, but hard to guess.
+
+Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password.
+
+An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`.
+
+To generate a diceware passphrase using real dice, follow these steps:
+
+!!! 
note
+
+ These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy.
+
+1. Roll a six-sided die five times, noting down the number after each roll.
+
+2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`.
+
+3. You will find the word `encrypt`. Write that word down.
+
+4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space.
+
+!!! warning "Important"
+
+ You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random.
+
+If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords.
+
+We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English.
+
+??? note "Explanation of entropy and strength of diceware passphrases"
+
+ To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example.
+
+ One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$.
+
+ Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$).
+
+ The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$.
+
+ Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases.
+
+ On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true:
+
+ - Your adversary knows that you used the diceware method.
+ - Your adversary knows the specific wordlist that you used.
+ - Your adversary knows how many words your passphrase contains.
+
+To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong.
+
+## Storing Passwords
+
+### Password Managers
+
+The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them.
+
+There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words.
+
+[List of recommended password managers](../passwords.md ""){.md-button}
+
+!!! warning "Don't place your passwords and TOTP tokens inside the same password manager"
+
+ When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+
+ Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
+
+ Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device.
+
+### Backups
+
+You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using.
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/basics/threat-modeling.md b/i18n/sv/basics/threat-modeling.md
new file mode 100644
index 00000000..c0786041
--- /dev/null
+++ b/i18n/sv/basics/threat-modeling.md
@@ -0,0 +1,111 @@
+---
+title: "Threat Modeling"
+icon: 'material/target-account'
+---
+
+Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using!
+
+If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important.
+
+**So, what are these threat models, anyway?**
+
+==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure.
+
+Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.
+
+## Creating Your Threat Model
+
+To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions:
+
+1. What do I want to protect?
+2. Who do I want to protect it from?
+3. How likely is it that I will need to protect it?
+4. How bad are the consequences if I fail?
+5. How much trouble am I willing to go through to try to prevent potential consequences?
+
+### What do I want to protect?
+
+An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. 
Your devices themselves may also be assets.
+
+*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.*
+
+### Who do I want to protect it from?
+
+To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.
+
+*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.*
+
+Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning.
+
+### How likely is it that I will need to protect it?
+
+==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.
+
+It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).
+
+Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.
+
+*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.*
+
+### How bad are the consequences if I fail?
+
+There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.
+
+==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.
+
+Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.
+
+*Write down what your adversary might want to do with your private data.*
+
+### How much trouble am I willing to go through to try to prevent potential consequences?
+
+==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy.
+
+For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.
+
+*Write down what options you have available to you to help mitigate your unique threats. 
Note if you have any financial constraints, technical constraints, or social constraints.*
+
+### Try it yourself: Protecting Your Belongings
+
+These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe.
+
+**What do you want to protect? (Or, *what do you have that is worth protecting?*)**
+:
+
+Your assets might include jewelry, electronics, important documents, or photos.
+
+**Who do you want to protect it from?**
+:
+
+Your adversaries might include burglars, roommates, or guests.
+
+**How likely is it that you will need to protect it?**
+:
+
+Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider?
+
+**How bad are the consequences if you fail?**
+:
+
+Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home?
+
+**How much trouble are you willing to go through to prevent these consequences?**
+:
+
+Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there?
+
+Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system.
+
+Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face.
+
+## Further Reading
+
+For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations.
+
+- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md)
+
+## Sources
+
+- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan)
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/basics/vpn-overview.md b/i18n/sv/basics/vpn-overview.md
new file mode 100644
index 00000000..abcc36da
--- /dev/null
+++ b/i18n/sv/basics/vpn-overview.md
@@ -0,0 +1,78 @@
+---
+title: VPN Overview
+icon: material/vpn
+---
+
+Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem).
+
+Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns).
+
+A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it.
+
+## Should I use a VPN?
+
+**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service.
+
+VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way.
+
+However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.
+
+## When shouldn't I use a VPN?
+
+Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful.
+
+Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website.
+
+## What about encryption?
+
+Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. 
However, encryption between your apps or browsers with the service providers are not handled by this encryption.
+
+In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf).
+
+## Should I use encrypted DNS with a VPN?
+
+Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider.
+
+A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different.
+
+Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you.
+
+## Should I use Tor *and* a VPN?
+
+By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. 
If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md).
+
+## What if I need anonymity?
+
+VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead.
+
+## What about VPN providers that provide Tor nodes?
+
+Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit).
+
+The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway.
+
+## When are VPNs useful?
+
+A VPN may still be useful to you in a variety of scenarios, such as:
+
+1. Hiding your traffic from **only** your Internet Service Provider.
+1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
+1. 
Hiding your IP from third-party websites and services, preventing IP based tracking.
+
+For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
+
+## Sources and Further Reading
+
+1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
+1. [Tor Network Overview](../advanced/tor-overview.md)
+1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides)
+1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them.
+
+## Related VPN Information
+
+- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/)
+- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
+- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
+- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/calendar.md b/i18n/sv/calendar.md
new file mode 100644
index 00000000..2b6b77f1
--- /dev/null
+++ b/i18n/sv/calendar.md
@@ -0,0 +1,71 @@
+---
+title: "Calendar Sync"
+icon: material/calendar
+---
+
+Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them.
+
+## Tutanota
+
+!!! recommendation
+
+ ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right }
+ ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right }
+
+ **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/).
+
+ Multiple calendars and extended sharing functionality is limited to paid subscribers.
+
+ [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609)
+ - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota)
+ - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+
+## Proton Calendar
+
+!!! 
recommendation
+
+ ![Proton](assets/img/calendar/proton-calendar.svg){ align=right }
+
+ **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers.
+
+ [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar)
+ - [:octicons-browser-16: Web](https://calendar.proton.me)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Must sync and store information with E2EE to ensure data is not visible to the service provider.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should integrate with native OS calendar and contact management apps if applicable.
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/cloud.md b/i18n/sv/cloud.md
new file mode 100644
index 00000000..8fc5e00f
--- /dev/null
+++ b/i18n/sv/cloud.md
@@ -0,0 +1,62 @@
+---
+title: "Cloud Storage"
+icon: material/file-cloud
+---
+
+Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by either putting you in control of your data or by implementing E2EE.
+
+If these alternatives do not fit your needs, we suggest you look into [Encryption Software](encryption.md).
+
+??? question "Looking for Nextcloud?"
+
+ Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users.
+
+## Proton Drive
+
+!!! recommendation
+
+ ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right }
+
+ **Proton Drive** is an E2EE general file storage service by the popular encrypted email provider [Proton Mail](https://proton.me/mail).
+
+ [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851)
+
+Proton Drive's mobile clients were released in December 2022 and are not yet open-source. Proton has historically delayed their source code releases until after initial product releases, and [plans to](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) release the source code by the end of 2023. Proton Drive desktop clients are still in development. 
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must enforce end-to-end encryption.
+- Must offer a free plan or trial period for testing.
+- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins.
+- Must offer a web interface which supports basic file management functionality.
+- Must allow for easy exports of all files/documents.
+- Must use standard, audited encryption.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Clients should be open-source.
+- Clients should be audited in their entirety by an independent third-party.
+- Should offer native clients for Linux, Android, Windows, macOS, and iOS.
+ - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android.
+- Should support easy file-sharing with other users.
+- Should offer at least basic file preview and editing functionality on the web interface.
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/data-redaction.md b/i18n/sv/data-redaction.md
new file mode 100644
index 00000000..54972d37
--- /dev/null
+++ b/i18n/sv/data-redaction.md
@@ -0,0 +1,146 @@
+---
+title: "Data and Metadata Redaction"
+icon: material/tag-remove
+---
+
+When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata.
+
+## Desktop
+
+### MAT2
+
+!!! recommendation
+
+ ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right }
+
+ **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org).
+
+ On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner).
+
+ [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation}
+ [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://pypi.org/project/mat2)
+ - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew)
+ - [:simple-linux: Linux](https://pypi.org/project/mat2)
+ - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface)
+
+## Mobile
+
+### ExifEraser (Android)
+
+!!! recommendation
+
+ ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right }
+
+ **ExifEraser** is a modern, permissionless image metadata erasing application for Android.
+
+ It currently supports JPEG, PNG and WebP files.
+
+ [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser)
+ - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser)
+ - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases)
+
+The metadata that is erased depends on the image's file type:
+
+* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists.
+* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+
+After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image.
+
+The app offers multiple ways to erase metadata from images. Namely:
+
+* You can share an image from another application with ExifEraser.
+* Through the app itself, you can select a single image, multiple images at once, or even an entire directory.
+* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it.
+* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode.
+* Lastly, it allows you to paste an image from your clipboard.
+
+### Metapho (iOS)
+
+!!! recommendation
+
+ ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right }
+
+ **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location.
+
+ [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352)
+
+### PrivacyBlur
+
+!!! recommendation
+
+ ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right }
+
+ **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online.
+
+ [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106)
+
+!!! warning
+
+ You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid).
+
+## Command-line
+
+### ExifTool
+
+!!! recommendation
+
+ ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right }
+
+ **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more).
+
+ It's often a component of other Exif removal applications and is in most Linux distribution repositories.
+
+ [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://exiftool.org)
+ - [:simple-apple: macOS](https://exiftool.org)
+ - [:simple-linux: Linux](https://exiftool.org)
+
+!!! example "Deleting data from a directory of files"
+
+ ```bash
+ exiftool -all= *.file_extension
+ ```
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Apps developed for open-source operating systems must be open-source.
+- Apps must be free and should not include ads or other limitations.
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/desktop-browsers.md b/i18n/sv/desktop-browsers.md
new file mode 100644
index 00000000..56f3b0cc
--- /dev/null
+++ b/i18n/sv/desktop-browsers.md
@@ -0,0 +1,263 @@
+---
+title: "Desktop Browsers"
+icon: material/laptop
+---
+
+These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping your browser extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Firefox
+
+!!! recommendation
+
+ ![Firefox logo](assets/img/browsers/firefox.svg){ align=right }
+
+ **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks).
+
+ [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows)
+ - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac)
+ - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox)
+
+!!! warning
+ Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/).
+
+### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Privacy & Security**.
+
+##### Enhanced Tracking Protection
+
+- [x] Select **Strict** Enhanced Tracking Protection
+
+This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability.
+
+##### Sanitize on Close
+
+If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...**
+
+- [x] Check **Delete cookies and site data when Firefox is closed**
+
+This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often.
+
+##### Search Suggestions
+
+- [ ] Uncheck **Provide search suggestions**
+
+Search suggestion features may not be available in your region.
+
+Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider.
+
+##### Telemetry
+
+- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla**
+- [ ] Uncheck **Allow Firefox to install and run studies**
+- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf**
+
+> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.
+
+Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out:
+
+1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection)
+2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts**
+
+##### HTTPS-Only Mode
+
+- [x] Select **Enable HTTPS-Only Mode in all windows**
+
+This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing.
+
+### Firefox Sync
+
+[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE.
+
+### Arkenfox (advanced)
+
+The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support.
+
+## Brave
+
+!!! recommendation
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ??? downloads annotate
+
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+ - [:simple-windows11: Windows](https://brave.com/download/)
+ - [:simple-apple: macOS](https://brave.com/download/)
+ - [:simple-linux: Linux](https://brave.com/linux/) (1)
+
+ 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc.
+
+### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings**.
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+- [x] Select **Prevent sites from fingerprinting me based on my language preferences**
+- [x] Select **Aggressive** under Trackers & ads blocking
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under Block fingerprinting
+
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Social media blocking
+
+- [ ] Uncheck all social media components
+
+##### Privacy and security
+
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Use Google services for push messaging**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [x] Select **Always use secure connections** in the **Security** menu
+- [ ] Uncheck **Private window with Tor** (1)
+
+ !!! tip "Sanitizing on Close"
+ - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu
+
+ If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section.
+
+
+
+1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser).
+
+##### Extensions
+
+Disable built-in extensions you do not use in **Extensions**
+
+- [ ] Uncheck **Hangouts**
+- [ ] Uncheck **WebTorrent**
+
+##### IPFS
+
+InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+- [x] Select **Disabled** on Method to resolve IPFS resources
+
+##### Additional settings
+
+Under the *System* menu
+
+
+
+- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1)
+
+
+
+1. This option is not present on all platforms.
+
+### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## Additional Resources
+
+We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality.
+
+### uBlock Origin
+
+!!! recommendation
+
+ ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right }
+
+ **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts.
+
+ [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak)
+
+We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css).
+
+##### Other lists
+
+These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding:
+
+- [x] Check **Privacy** > **AdGuard URL Tracking Protection**
+- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt)
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must be open-source software.
+- Supports automatic updates.
+- Receives engine updates in 0-1 days from upstream release.
+- Available on Linux, macOS, and Windows.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Blocks third-party cookies by default.
+- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1]
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Includes built-in content blocking functionality.
+- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)).
+- Supports Progressive Web Apps.
+ PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates.
+- Does not include add-on functionality (bloatware) that does not impact user privacy.
+- Does not collect telemetry by default.
+- Provides open-source sync server implementation.
+- Defaults to a [private search engine](search-engines.md).
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.sv.txt"
+
+[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/).
diff --git a/i18n/sv/desktop.md b/i18n/sv/desktop.md
new file mode 100644
index 00000000..7361cc69
--- /dev/null
+++ b/i18n/sv/desktop.md
@@ -0,0 +1,184 @@
+---
+title: "Desktop/PC"
+icon: simple/linux
+---
+
+Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions.
+
+- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md)
+
+## Traditional Distributions
+
+### Fedora Workstation
+
+!!! recommendation
+
+ ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right }
+
+ **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general.
+
+ [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
+
+### openSUSE Tumbleweed
+
+!!! recommendation
+
+ ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
+
+ **openSUSE Tumbleweed** is a stable rolling release distribution.
+
+ openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.
+
+ [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute }
+
+Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality.
+
+### Arch Linux
+
+!!! recommendation
+
+ ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right }
+
+ **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).
+
+ [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute }
+
+Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.
+
+Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
+
+A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org).
+
+## Immutable Distributions
+
+### Fedora Silverblue
+
+!!! recommendation
+
+ ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right }
+
+ **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.
+
+ [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.
+
+After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed.
+
+[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image.
+
+As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer.
+
+### NixOS
+
+!!! recommendation
+
+ ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right }
+
+ NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.
+
+ [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute }
+
+NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.
+
+NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.
+
+Nix the package manager uses a purely functional language - which is also called Nix - to define packages.
+
+[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config.
+
+Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible.
+
+## Anonymity-Focused Distributions
+
+### Whonix
+
+!!! recommendation
+
+ ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right }
+
+ **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os).
+
+ [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute }
+
+Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.
+
+Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator.
+
+Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
+
+Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors.
+
+### Tails
+
+!!! recommendation
+
+ ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right }
+
+ **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off.
+
+ [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute }
+
+Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized.
+
+Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device.
+
+By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots.
+
+## Security-focused Distributions
+
+### Qubes OS
+
+!!! recommendation
+
+ ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right }
+
+ **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers.
+
+ [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary }
+ [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute }
+
+Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*.
+
+The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/).
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/dns.md b/i18n/sv/dns.md new file mode 100644 index 00000000..ae3b912c --- /dev/null +++ b/i18n/sv/dns.md 
@@ -0,0 +1,142 @@ +--- +title: "DNS Resolvers" +icon: material/dns +--- + +!!! question "Should I use encrypted DNS?" + + Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + + [Learn more about DNS](advanced/dns-overview.md){ .md-button } + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### Android + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). 
+ +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! 
recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." 
+ + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! 
recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +--8<-- "includes/abbreviations.sv.txt" + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. 
[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/sv/email-clients.md b/i18n/sv/email-clients.md new file mode 100644 index 00000000..c6469a70 --- /dev/null +++ b/i18n/sv/email-clients.md 
@@ -0,0 +1,239 @@ +--- +title: "Email Clients" +icon: material/email-open +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! 
recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. 
+ + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! 
recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/email.md b/i18n/sv/email.md new file mode 100644 index 00000000..1977815d --- /dev/null +++ b/i18n/sv/email.md 
@@ -0,0 +1,485 @@
+---
+title: "Email Services"
+icon: material/email
+---
+
+Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy.
+
+[Recommended Instant Messengers](real-time-communication.md ""){.md-button}
+
+For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features.
+
+## OpenPGP Compatible Services
+
+These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
+
+!!! warning
+
+ When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview).
+
+ OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
+
+### Proton Mail
+
+!!! recommendation
+
+ ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right }
+
+ **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan.
+
+ [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905)
+ - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases)
+ - [:simple-windows11: Windows](https://proton.me/mail/bridge#download)
+ - [:simple-apple: macOS](https://proton.me/mail/bridge#download)
+ - [:simple-linux: Linux](https://proton.me/mail/bridge#download)
+ - [:octicons-browser-16: Web](https://mail.proton.me)
+
+Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
+
+If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free.
+
+Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**.
+
+??? success "Custom Domains and Aliases"
+
+ Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain.
+
+??? success "Private Payment Methods"
+
+ Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments.
+
+??? success "Account Security"
+
+ Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code.
+
+??? success "Data Security"
+
+ Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you.
+
+ Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon.
+
+??? success "Email Encryption"
+
+ Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP.
+
+ Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE.
+
+??? warning "Digital Legacy"
+
+ Proton Mail doesn't offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period.
+
+??? info "Additional Functionality"
+
+ Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage.
+
+### Mailbox.org
+
+!!! recommendation
+
+ ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right }
+
+ **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed.
+
+ [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:octicons-browser-16: Web](https://login.mailbox.org)
+
+??? success "Custom Domains and Aliases"
+
+ Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain.
+
+??? info "Private Payment Methods"
+
+ Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung.
+
+??? success "Account Security"
+
+ Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported.
+
+??? info "Data Security"
+
+ Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key.
+
+ However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information.
+
+??? success "Email Encryption"
+
+ Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox.
+
+ Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE.
+
+??? success "Digital Legacy"
+
+ Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address.
+
+??? info "Account Termination"
+
+ Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract).
+
+??? info "Additional Functionality"
+
+ You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors.
+
+ All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3.
+
+### StartMail
+
+!!! recommendation
+
+ ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right }
+ ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right }
+
+ **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial.
+
+ [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:octicons-browser-16: Web](https://mail.startmail.com/login)
+
+??? success "Custom Domains and Aliases"
+
+ Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available.
+
+??? warning "Private Payment Methods"
+
+ StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year.
+
+??? success "Account Security"
+
+ StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication.
+
+??? info "Data Security"
+
+ StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key.
+
+ StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption.
+
+??? success "Email Encryption"
+
+ StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys.
+
+??? warning "Digital Legacy"
+
+ StartMail does not offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration).
+
+??? info "Additional Functionality"
+
+ StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is.
+
+## More Providers
+
+These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers.
+
+### Tutanota
+
+!!! recommendation
+
+ ![Tutanota logo](assets/img/email/tutanota.svg){ align=right }
+
+ **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan.
+
+ [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609)
+ - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases)
+ - [:simple-windows11: Windows](https://tutanota.com/#download)
+ - [:simple-apple: macOS](https://tutanota.com/#download)
+ - [:simple-linux: Linux](https://tutanota.com/#download)
+ - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+
+Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders.
+
+??? success "Custom Domains and Aliases"
+
+ Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain.
+
+??? warning "Private Payment Methods"
+
+ Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore.
+
+??? success "Account Security"
+
+ Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F.
+
+??? success "Data Security"
+
+ Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you.
+
+??? warning "Email Encryption"
+
+ Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external).
+
+??? warning "Digital Legacy"
+
+ Tutanota doesn't offer a digital legacy feature.
+
+??? info "Account Termination"
+
+ Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay.
+
+??? info "Additional Functionality"
+
+ Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount.
+
+ Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y.
+
+## Email Aliasing Services
+
+An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address.
+
+Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning.
+
+Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain:
+
+- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly.
+- Replies are sent from the alias address, shielding your real email address.
+
+They also have a number of benefits over "temporary email" services:
+
+- Aliases are permanent and can be turned on again if you need to receive something like a password reset.
+- Emails are sent to your trusted mailbox rather than stored by the alias provider.
+- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you.
+
+Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign.
+
+Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider.
+
+### AnonAddy
+
+!!! recommendation
+
+ ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right }
+ ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right }
+
+ **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous.
+
+ [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app)
+ - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe)
+
+The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.
+
+Notable free features:
+
+- [x] 20 Shared Aliases
+- [x] Unlimited Standard Aliases
+- [ ] No Outgoing Replies
+- [x] 2 Recipient Mailboxes
+- [x] Automatic PGP Encryption
+
+### SimpleLogin
+
+!!! recommendation
+
+ ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right }
+
+ **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains.
+
+ [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858)
+ - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff)
+ - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017)
+
+SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf).
+
+You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free.
+
+Notable free features:
+
+- [x] 10 Shared Aliases
+- [x] Unlimited Replies
+- [x] 1 Recipient Mailbox
+
+## Self-Hosting Email
+
+Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable.
+
+### Combined software solutions
+
+!!! recommendation
+
+ ![Mailcow logo](assets/img/email/mailcow.svg){ align=right }
+
+ **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support.
+
+ [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute }
+
+!!! recommendation
+
+ ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right }
+
+ **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server.
+
+ [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" }
+
+For a more manual approach we've picked out these two articles:
+
+- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019)
+- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017)
+
+## Criteria
+
+**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you.
+
+### Technology
+
+We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require.
+
+**Minimum to Qualify:**
+
+- Encrypts email account data at rest with zero-access encryption.
+- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard.
+- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy.
+- Operates on owned infrastructure, i.e. not built upon third-party email service providers.
+
+**Best Case:**
+
+- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption.
+- Integrated webmail E2EE/PGP encryption provided as a convenience.
+- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com`
+- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
+- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
+- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
+- Catch-all or alias functionality for those who own their own domains.
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible.
+
+**Minimum to Qualify:**
+
+- Protect sender's IP address. Filter it from showing in the `Received` header field.
+- Don't require personally identifiable information (PII) besides a username and a password.
+- Privacy policy that meets the requirements defined by the GDPR
+- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/).
+
+**Best Case:**
+
+- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
+
+### Security
+
+Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members.
+
+**Minimum to Qualify:**
+
+- Protection of webmail with 2FA, such as TOTP.
+- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
+- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
+- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption.
+- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
+- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
+- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
+- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
+- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/).
+- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
+- Website security standards such as:
+ - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+ - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
+- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt.
+
+**Best Case:**
+
+- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name).
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. 
(email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/encryption.md b/i18n/sv/encryption.md new file mode 100644 index 00000000..5019a63c --- /dev/null +++ b/i18n/sv/encryption.md 
@@ -0,0 +1,357 @@ +--- +title: "Programvara för kryptering" +icon: material/file-lock +--- + +Kryptering av data är det enda sättet att kontrollera vem som har tillgång till dem. Om du för närvarande inte använder krypteringsprogram för din hårddisk, e-post eller filer bör du välja ett alternativ här. + +## Multiplattform + +De alternativ som anges här är flera plattformar och bra för att skapa krypterade säkerhetskopior av dina data. + +### Cryptomator (moln) + +!!! recommendation + + ![Cryptomators logotyp](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** är en krypteringslösning som är utformad för privat lagring av filer till alla molnleverantörer. Det låter dig skapa valv som lagras på en virtuell enhet, vars innehåll krypteras och synkroniseras med din molnlagringsleverantör. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Källkod" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? nedladdningar + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator använder AES-256-kryptering för att kryptera både filer och filnamn. 
Cryptomator kan inte kryptera metadata som åtkomst, ändring och skapande tidsstämplar, eller antalet och storleken på filer och mappar. + +Vissa kryptografiska bibliotek från Cryptomator har granskats [av Cure53](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44). De granskade biblioteken omfattar följande: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) och [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). Granskningen omfattade inte [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), som är ett bibliotek som används av Cryptomator för iOS. + +I Cryptomators dokumentation beskrivs närmare det avsedda [säkerhetsmålet](https://docs.cryptomator.org/en/latest/security/security-target/), [säkerhetsarkitektur](https://docs.cryptomator.org/en/latest/security/architecture/)och [bästa praxis](https://docs.cryptomator.org/en/latest/security/best-practices/) för användning. + +### Picocrypt (Fil) + +!!! recommendation + + ![Picocrypt-logotyp](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** är ett litet och enkelt krypteringsverktyg som tillhandahåller modern kryptering. Picocrypt använder den säkra XChaCha20-chiffern och Argon2id-nyckelderivatfunktionen för att ge en hög säkerhetsnivå. Det använder Go standard x/crypto moduler för sina krypteringsfunktioner. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? 
nedladdningar + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** är ett källkod-tillgängligt freeware-verktyg som används för on-the-fly kryptering. Det kan skapa en virtuell krypterad disk i en fil, kryptera en partition eller kryptera hela lagringsenheten med autentisering före start. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. 
+ +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. 
Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! 
recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! 
recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! 
recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. 
+ + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. 
Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. 
+- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/file-sharing.md b/i18n/sv/file-sharing.md new file mode 100644 index 00000000..a61427d1 --- /dev/null +++ b/i18n/sv/file-sharing.md 
@@ -0,0 +1,148 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. 
+ + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). 
The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! 
danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. 
+ +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/frontends.md b/i18n/sv/frontends.md new file mode 100644 index 00000000..3cab5e22 --- /dev/null +++ b/i18n/sv/frontends.md 
@@ -0,0 +1,268 @@ +--- +title: "Frontends" +icon: material/flip-to-front +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. 
+ +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. 
Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). 
When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. 
+ + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. 
+ + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. 
+ + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. 
Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! 
tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. + +--8<-- "includes/abbreviations.sv.txt" 
diff --git a/i18n/sv/index.md b/i18n/sv/index.md new file mode 100644 index 00000000..7683d68e --- /dev/null +++ b/i18n/sv/index.md 
@@ -0,0 +1,44 @@ +--- +template: overrides/home.sv.html +hide: + - navigation + - toc + - feedback +--- + + +## Why should I care? + +##### “I have nothing to hide. Why should I care about my privacy?” + +Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination). + +You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human. + +[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary} + +## What should I do? + +##### First, you need to make a plan + +Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them. + +==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan. + +[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## We need you! 
Here's how to get involved: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" } +[:material-information-outline:](about/index.md){ title="Learn more about us" } +[:material-hand-coin-outline:](about/donate.md){ title="Support the project" } + +It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know. + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/kb-archive.md b/i18n/sv/kb-archive.md new file mode 100644 index 00000000..7faf93b6 --- /dev/null +++ b/i18n/sv/kb-archive.md 
@@ -0,0 +1,18 @@ +--- +title: KB Archive +icon: material/archive +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/meta/brand.md b/i18n/sv/meta/brand.md new file mode 100644 index 00000000..84007ff8 --- /dev/null +++ b/i18n/sv/meta/brand.md @@ -0,0 +1,24 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/meta/git-recommendations.md b/i18n/sv/meta/git-recommendations.md new file mode 100644 index 00000000..95693241 --- /dev/null +++ b/i18n/sv/meta/git-recommendations.md 
@@ -0,0 +1,48 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). 
+ +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/meta/uploading-images.md b/i18n/sv/meta/uploading-images.md new file mode 100644 index 00000000..5c266c67 --- /dev/null +++ b/i18n/sv/meta/uploading-images.md 
@@ -0,0 +1,91 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash 
+scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/meta/writing-style.md b/i18n/sv/meta/writing-style.md new file mode 100644 index 00000000..44968302 --- /dev/null +++ b/i18n/sv/meta/writing-style.md 
@@ -0,0 +1,89 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. 
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. 
+ +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/mobile-browsers.md b/i18n/sv/mobile-browsers.md new file mode 100644 index 00000000..99cf8823 --- /dev/null +++ b/i18n/sv/mobile-browsers.md 
@@ -0,0 +1,193 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? 
downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +
+ +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. 
+ +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). 
Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. 
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/multi-factor-authentication.md b/i18n/sv/multi-factor-authentication.md new file mode 100644 index 00000000..7fda25b9 --- /dev/null +++ b/i18n/sv/multi-factor-authentication.md 
@@ -0,0 +1,144 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. 
+ +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey / Librem Key + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. 
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + + The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +!!! tip + + The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. 
+ +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/news-aggregators.md b/i18n/sv/news-aggregators.md new file mode 100644 index 00000000..24ced6fe --- /dev/null +++ b/i18n/sv/news-aggregators.md 
@@ -0,0 +1,173 @@ +--- +title: "News Aggregators" +icon: material/rss +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favourite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! 
recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. 
+ + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/notebooks.md b/i18n/sv/notebooks.md new file mode 100644 index 00000000..a212228e --- /dev/null +++ b/i18n/sv/notebooks.md 
@@ -0,0 +1,115 @@
+---
+title: "Notebooks"
+icon: material/notebook-edit-outline
+---
+
+Keep track of your notes and journalings without giving them to a third-party.
+
+If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE.
+
+## Cloud-based
+
+### Joplin
+
+!!! recommendation
+
+ ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right }
+
+ **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes.
+
+ [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797)
+ - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases)
+ - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications)
+ - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications)
+ - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek)
+
+Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key.
+
+### Standard Notes
+
+!!! recommendation
+
+ ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right }
+
+ **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf).
+
+ [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450)
+ - [:simple-github: GitHub](https://github.com/standardnotes/app/releases)
+ - [:simple-windows11: Windows](https://standardnotes.com)
+ - [:simple-apple: macOS](https://standardnotes.com)
+ - [:simple-linux: Linux](https://standardnotes.com)
+ - [:octicons-globe-16: Web](https://app.standardnotes.com/)
+
+### Cryptee
+
+!!! recommendation
+
+ ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right }
+ ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right }
+
+ **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform.
+
+ [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:octicons-globe-16: PWA](https://crypt.ee/download)
+
+Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information.
+
+## Local notebooks
+
+### Org-mode
+
+!!! recommendation
+
+ ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right }
+
+ **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools.
+
+ [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute }
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Clients must be open-source.
+- Any cloud sync functionality must be E2EE.
+- Must support exporting documents into a standard format.
+
+### Best Case
+
+- Local backup/sync functionality should support encryption.
+- Cloud-based platforms should support document sharing.
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/os/android-overview.md b/i18n/sv/os/android-overview.md
new file mode 100644
index 00000000..8bc4aea7
--- /dev/null
+++ b/i18n/sv/os/android-overview.md
@@ -0,0 +1,135 @@
+---
+title: Android Overview
+icon: simple/android
+---
+
+Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system.
+
+## Choosing an Android Distribution
+
+When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android.
+
+This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model.
+
+Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model.
At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria.
+
+[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button}
+
+## Avoid Rooting
+
+[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses.
+
+Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.
+
+AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations.
+
+We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps.
+
+## Verified Boot
+
+[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
+
+Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted.
+
+Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device.
+
+Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended.
+
+Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage.
+
+## Firmware Updates
+
+Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin).
+
+As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support.
+
+EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed.
+
+Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates.
+
+## Android Versions
+
+It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
+
+## Android Permissions
+
+[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for.
It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel.
+
+Should you want to run an app that you're unsure about, consider using a user or work profile.
+
+## Media Access
+
+Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter.
+
+## User Profiles
+
+Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android.
+
+With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation.
+
+## Work Profile
+
+[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles.
+
+A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one.
+
+The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile.
+
+This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously.
+
+## VPN Killswitch
+
+Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+## Global Toggles
+
+Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled.
+
+## Google
+
+If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play.
+
+### Advanced Protection Program
+
+If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support.
+
+The Advanced Protection Program provides enhanced threat monitoring and enables:
+
+- Stricter two factor authentication; e.g.
that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth)
+- Only Google and verified third-party apps can access account data
+- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
+- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
+- Stricter recovery process for accounts with lost credentials
+
+ If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as:
+
+- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)
+- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
+- Warning you about unverified applications
+
+### Google Play System Updates
+
+In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services.
+
+If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS).
This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible.
+
+### Advertising ID
+
+All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you.
+
+On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*.
+
+On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check
+
+- :gear: **Settings** → **Google** → **Ads**
+- :gear: **Settings** → **Privacy** → **Ads**
+
+You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID.
+
+### SafetyNet and Play Integrity API
+
+[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`.
Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities.
+
+As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services.
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/os/linux-overview.md b/i18n/sv/os/linux-overview.md
new file mode 100644
index 00000000..b14b84a2
--- /dev/null
+++ b/i18n/sv/os/linux-overview.md
@@ -0,0 +1,143 @@
+---
+title: Linux Overview
+icon: simple/linux
+---
+
+It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years.
+
+At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.:
+
+- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm).
These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack)
+- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go
+- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations)
+
+Despite these drawbacks, desktop Linux distributions are great if you want to:
+
+- Avoid telemetry that often comes with proprietary operating systems
+- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms)
+- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/)
+
+Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here.
+
+[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button}
+
+## Choosing your distribution
+
+Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use.
+
+### Release cycle
+
+We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions.
This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
+
+For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.
+
+We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this:
+
+
+
+
+
+### Traditional vs Atomic updates
+
+Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating.
+
+Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic.
+
+A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state."
+
+The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue:
+
+
+
+
+
+### “Security-focused” distributions
+
+There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use.
+
+### Arch-based distributions
+
+Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.
+
+For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit).
+
+Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/).
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.
+
+If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically:
+
+- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories.
+- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks.
+
+### Kicksecure
+
+While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.
+
+### Linux-libre kernel and “Libre” distributions
+
+We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons.
+
+## General Recommendations
+
+### Drive Encryption
+
+Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
+
+- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+
+### Swap
+
+Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM).
+
+### Wayland
+
+We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland.
+
+Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
+
+We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
+
+### Proprietary Firmware (Microcode Updates)
+
+Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html).
+
+We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default.
+
+### Updates
+
+Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found.
+
+Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates.
+
+Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd).
+
+## Privacy Tweaks
+
+### MAC Address Randomization
+
+Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings.
+
+It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous.
+
+We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/).
+
+If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=).
+
+There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware.
+
+### Other Identifiers
+
+There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md):
+
+- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings.
+- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
+- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id).
+
+### System Counting
+
+The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary.
+
+This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer.
+ +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/os/qubes-overview.md b/i18n/sv/os/qubes-overview.md new file mode 100644 index 00000000..61ac3eb0 --- /dev/null +++ b/i18n/sv/os/qubes-overview.md @@ -0,0 +1,56 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. 
+
+### Inter-VM Interactions
+
+The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/).
+
+## Additional Resources
+
+For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc).
+
+- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/)
+- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf)
+- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html)
+- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles)
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/passwords.md b/i18n/sv/passwords.md
new file mode 100644
index 00000000..b9265b2a
--- /dev/null
+++ b/i18n/sv/passwords.md
@@ -0,0 +1,230 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. 
If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. 
+ + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! 
recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). 
+ + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/productivity.md b/i18n/sv/productivity.md new file mode 100644 index 00000000..bd250f49 --- /dev/null +++ b/i18n/sv/productivity.md 
@@ -0,0 +1,156 @@
+---
+title: "Productivity Tools"
+icon: material/file-sign
+---
+
+Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints.
+
+## Collaboration Platforms
+
+### Nextcloud
+
+!!! recommendation
+
+ ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right }
+
+ **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control.
+
+ [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!! danger
+
+ We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers.
+
+### CryptPad
+
+!!! recommendation
+
+ ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right }
+
+ **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily.
+
+ [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute }
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive.
+
+- Open-source.
+- Makes files accessible via WebDAV unless it is impossible due to E2EE.
+- Has sync clients for Linux, macOS, and Windows.
+- Supports document and spreadsheet editing.
+- Supports real-time document collaboration.
+- Supports exporting documents to standard document formats (e.g. ODF).
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should store files in a conventional filesystem.
+- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins.
+
+## Office Suites
+
+### LibreOffice
+
+!!! recommendation
+
+ ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right }
+
+ **LibreOffice** is a free and open-source office suite with extensive functionality.
+
+ [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/)
+ - [:simple-apple: macOS](https://www.libreoffice.org/download/download/)
+ - [:simple-linux: Linux](https://www.libreoffice.org/download/download/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/)
+
+### OnlyOffice
+
+!!! recommendation
+
+ ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right }
+
+ **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud.
+
+ [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972)
+ - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs.
+
+- Must be cross-platform.
+- Must be open-source software.
+- Must function offline.
+- Must support editing documents, spreadsheets, and slideshows.
+- Must export files to standard document formats.
+
+## Paste services
+
+### PrivateBin
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/).
+
+ [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" }
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/real-time-communication.md b/i18n/sv/real-time-communication.md
new file mode 100644
index 00000000..c48832a0
--- /dev/null
+++ b/i18n/sv/real-time-communication.md
@@ -0,0 +1,195 @@
+---
+title: "Real-Time Communication"
+icon: material/chat-processing
+---
+
+These are our recommendations for encrypted real-time communication.
+
+[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md)
+
+## Encrypted Messengers
+
+These messengers are great for securing your sensitive communications.
+
+### Signal
+
+!!! recommendation
+
+ ![Signal logo](assets/img/messengers/signal.svg){ align=right }
+
+ **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling.
+
+ All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with.
+
+ [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669)
+ - [:simple-android: Android](https://signal.org/android/apk/)
+ - [:simple-windows11: Windows](https://signal.org/download/windows)
+ - [:simple-apple: macOS](https://signal.org/download/macos)
+ - [:simple-linux: Linux](https://signal.org/download/linux)
+
+Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier.
+
+The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
+
+We have some additional tips on configuring and hardening your Signal installation:
+
+[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+
+### SimpleX Chat
+
+!!! recommendation
+
+ ![Simplex logo](assets/img/messengers/simplex.svg){ align=right }
+
+ **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations.
+
+ [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084)
+ - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases)
+
+SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022.
+
+Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported.
+
+Your data can be exported, and imported onto another device, as there are no central servers where this is backed up.
+
+### Briar
+
+!!! recommendation
+
+ ![Briar logo](assets/img/messengers/briar.svg){ align=right }
+
+ **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem.
+
+ [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation}
+ [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android)
+ - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/)
+ - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar)
+
+To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby.
+
+The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited.
+
+Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec).
+
+Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol.
+
+## Additional Options
+
+!!! warning
+
+ These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications.
+
+### Element
+
+!!! recommendation
+
+ ![Element logo](assets/img/messengers/element.svg){ align=right }
+
+ **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication.
+
+ Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls.
+
+ [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067)
+ - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases)
+ - [:simple-windows11: Windows](https://element.io/get-started)
+ - [:simple-apple: macOS](https://element.io/get-started)
+ - [:simple-linux: Linux](https://element.io/get-started)
+ - [:octicons-globe-16: Web](https://app.element.io)
+
+Profile pictures, reactions, and nicknames are not encrypted.
+
+Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings.
+
+The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history.
+
+The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/).
+
+### Session
+
+!!! recommendation
+
+ ![Session logo](assets/img/messengers/session.svg){ align=right }
+
+ **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls.
+
+ Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network.
+
+ [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868)
+ - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases)
+ - [:simple-windows11: Windows](https://getsession.org/download)
+ - [:simple-apple: macOS](https://getsession.org/download)
+ - [:simple-linux: Linux](https://getsession.org/download)
+
+Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design.
+
+Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information.
+
+Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.”
+
+Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must have open-source clients.
+- Must use E2EE for private messages by default.
+- Must support E2EE for all messages.
+- Must have been independently audited.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should have Perfect Forward Secrecy.
+- Should have open-source servers.
+- Should be decentralized, i.e. federated or P2P.
+- Should use E2EE for all messages by default.
+- Should support Linux, macOS, Windows, Android, and iOS.
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/router.md b/i18n/sv/router.md
new file mode 100644
index 00000000..51b99466
--- /dev/null
+++ b/i18n/sv/router.md
@@ -0,0 +1,51 @@
+---
+title: "Router Firmware"
+icon: material/router-wireless
+---
+
+Nedan följer några alternativa operativsystem som kan användas på routrar, Wi-Fi-accesspunkter osv.
+
+## OpenWrt
+
+!!! recommendation
+
+ ![OpenWrt-logotyp](assets/img/router/openwrt.svg#only-light){ align=right }
+ ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right }
+
+ **OpenWrt** är ett Linuxbaserat operativsystem som främst används på inbyggda enheter för att dirigera nätverkstrafik. Den innehåller util-linux, uClibc och BusyBox. Alla komponenter har optimerats för hem routrar.
+
+ [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute }
+
+Du kan se OpenWrts [tabell över maskinvara](https://openwrt.org/toh/start) för att kontrollera om din enhet stöds.
+
+## OPNsense
+
+!!! recommendation
+
+ ![OPNsense logo](assets/img/router/opnsense.svg){ align=right }
+
+ **OPNsense** är en FreeBSD-baserad brandvägg och routningsplattform med öppen källkod som innehåller många avancerade funktioner, t.ex. trafikformning, belastningsbalansering och VPN-funktioner, med många fler funktioner som finns tillgängliga i form av tilläggsmoduler. OPNsense används vanligen som brandvägg, router, trådlös åtkomstpunkt, DHCP-server, DNS-server och VPN-slutpunkt.
+
+ [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opnsense.org/donate){ .card-link title=Contribute }
+
+OPNsense utvecklades ursprungligen som en gaffel av [pfSense](https://en.wikipedia.org/wiki/PfSense), och båda projekten är kända för att vara fria och pålitliga brandväggsdistributioner som erbjuder funktioner som ofta endast finns i dyra kommersiella brandväggar. Utvecklarna av OPNsense [, som lanserades 2015, citerade](https://docs.opnsense.org/history/thefork.html) ett antal säkerhets- och kodkvalitetsproblem med pfSense som de ansåg nödvändiggjorde en delning av projektet, samt oro över Netgates majoritetsförvärv av pfSense och pfSense-projektets framtida inriktning.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Måste vara öppen källkod.
+- Måste få regelbundna uppdateringar.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/search-engines.md b/i18n/sv/search-engines.md
new file mode 100644
index 00000000..51cab885
--- /dev/null
+++ b/i18n/sv/search-engines.md
@@ -0,0 +1,109 @@ +--- +title: "Search Engines" +icon: material/search-web +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! 
recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! 
recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. 
The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead.
+
+ [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation}
+
+!!! warning
+
+ Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider.
+
+Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information.
+
+Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must not collect personally identifiable information per their privacy policy.
+- Must not allow users to create an account with them.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be based on open-source software.
+- Should not block Tor exit node IP addresses.
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/tools.md b/i18n/sv/tools.md
new file mode 100644
index 00000000..88d941ee
--- /dev/null
+++ b/i18n/sv/tools.md
@@ -0,0 +1,443 @@
+---
+title: "Privacy Tools"
+icon: material/tools
+hide:
+ - toc
+---
+
+If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs.
+
+If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community!
+
+For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page.
+
+## Tor Network
+
+
+
+- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser)
+- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot)
+- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1)
+
+
+
+1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy.
+
+[Learn more :material-arrow-right-drop-circle:](tor.md)
+
+## Desktop Web Browsers
+
+
+
+- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox)
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md)
+
+### Additional Resources
+
+
+
+- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources)
+
+## Mobile Web Browsers
+
+
+
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave)
+- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md)
+
+### Additional Resources
+
+
+
+- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard)
+
+## Operating Systems
+
+### Mobile
+
+
+
+- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos)
+- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md)
+
+#### Android Apps
+
+
+
+- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store)
+- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter)
+- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor)
+- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera)
+- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md#general-apps)
+
+### Desktop/PC
+
+
+
+- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os)
+- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation)
+- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed)
+- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux)
+- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue)
+- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos)
+- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix)
+- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop.md)
+
+### Router Firmware
+
+
+
+- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt)
+- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](router.md)
+
+## Service Providers
+
+### Cloud Storage
+
+
+
+- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](cloud.md)
+
+### DNS
+
+#### DNS Providers
+
+We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended.
+
+[Learn more :material-arrow-right-drop-circle:](dns.md)
+
+#### Encrypted DNS Proxies
+
+
+
+- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns)
+- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies)
+
+#### Self-hosted Solutions
+
+
+
+- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home)
+- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions)
+
+### Email
+
+
+
+- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail)
+- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg)
+- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail)
+- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md)
+
+#### Email Aliasing Services
+
+
+
+- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy)
+- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services)
+
+#### Self-Hosting Email
+
+
+
+- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email)
+- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email)
+
+### Search Engines
+
+
+
+- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search)
+- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo)
+- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng)
+- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](search-engines.md)
+
+### VPN Providers
+
+??? danger "VPNs do not provide anonymity"
+
+ Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.
+
+ If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
+
+ If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
+
+ [Learn more :material-arrow-right-drop-circle:](vpn.md)
+
+
+
+- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn)
+- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn)
+- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](vpn.md)
+
+## Software
+
+### Calendar Sync
+
+
+
+- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota)
+- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](calendar.md)
+
+### Data and Metadata Redaction
+
+
+
+- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2)
+- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android)
+- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios)
+- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur)
+- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](data-redaction.md)
+
+### Email Clients
+
+
+
+- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird)
+- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos)
+- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios)
+- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android)
+- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome)
+- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android)
+- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde)
+- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser)
+- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email-clients.md)
+
+### Programvara för kryptering
+
+??? info "Operating System Disk Encryption"
+
+ For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems.
+
+ [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde)
+
+
+
+- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud)
+- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file)
+- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk)
+- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh)
+- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor)
+- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](encryption.md)
+
+#### OpenPGP Clients
+
+
+
+- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard)
+- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win)
+- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite)
+- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp)
+
+### File Sharing and Sync
+
+
+
+- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send)
+- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare)
+- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox)
+- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud)
+- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](file-sharing.md)
+
+### Frontends
+
+
+
+- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian)
+- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter)
+- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube)
+- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee)
+- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android)
+- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android)
+- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious)
+- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](frontends.md)
+
+### Multi-Factor Authentication Tools
+
+
+
+- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey)
+- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key)
+- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator)
+- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md)
+
+### News Aggregators
+
+
+
+- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator)
+- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder)
+- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader)
+- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds)
+- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux)
+- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire)
+- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](news-aggregators.md)
+
+### Notebooks
+
+
+
+- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin)
+- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes)
+- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee)
+- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](notebooks.md)
+
+### Password Managers
+
+
+
+- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden)
+- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password)
+- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono)
+- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc)
+- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android)
+- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos)
+- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](passwords.md)
+
+### Productivity Tools
+
+
+
+- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud)
+- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice)
+- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice)
+- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad)
+- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](productivity.md)
+
+### Real-Time Communication
+
+
+
+- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal)
+- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar)
+- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat)
+- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element)
+- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
+
+### Video Streaming Clients
+
+
+
+- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](video-streaming.md)
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/tor.md b/i18n/sv/tor.md
new file mode 100644
index 00000000..99f83cf3
--- /dev/null
+++ b/i18n/sv/tor.md
@@ -0,0 +1,124 @@
+---
+title: "Tor Network"
+icon: simple/torproject
+---
+
+![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right }
+
+The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool.
+
+[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage }
+[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation}
+[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity.
+
+
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+
+- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md)
+
+## Connecting to Tor
+
+There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser.
+
+### Tor Browser
+
+!!! recommendation
+
+ ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right }
+
+ **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*.
+
+ [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
+ - [:simple-android: Android](https://www.torproject.org/download/#android)
+ - [:simple-windows11: Windows](https://www.torproject.org/download/)
+ - [:simple-apple: macOS](https://www.torproject.org/download/)
+ - [:simple-linux: Linux](https://www.torproject.org/download/)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor)
+
+!!!
danger
+
+ You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
+
+The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/).
+
+### Orbot
+
+!!! recommendation
+
+ ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right }
+
+ **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network.
+
+ [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599)
+ - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases)
+
+For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to.
+
+!!! tip "Tips for Android"
+
+ Orbot can proxy individual apps if they support SOCKS or HTTP proxying.
It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+ Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead.
+
+ All versions are signed using the same signature so they should be compatible with each other.
+
+## Relays and Bridges
+
+### Snowflake
+
+!!! recommendation
+
+ ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right }
+ ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right }
+
+ **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser.
+
+ People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge.
+
+ [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie)
+ - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy")
+
+??? tip "Embedded Snowflake"
+
+ You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface.
+
+
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html).
+
+Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours.
+
+Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy.
+
+--8<-- "includes/abbreviations.sv.txt"
diff --git a/i18n/sv/video-streaming.md b/i18n/sv/video-streaming.md
new file mode 100644
index 00000000..8ac8a92d
--- /dev/null
+++ b/i18n/sv/video-streaming.md
@@ -0,0 +1,52 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. 
+ +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/sv/vpn.md b/i18n/sv/vpn.md new file mode 100644 index 00000000..a9573cf7 --- /dev/null +++ b/i18n/sv/vpn.md 
@@ -0,0 +1,323 @@ +--- +title: "VPN Services" +icon: material/vpn +--- + +Find a no-logging VPN operator who isn’t out to sell or read your web traffic. + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +??? question "When are VPNs useful?" + + If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. + + [More Info](basics/vpn-overview.md){ .md-button } + +## Recommended Providers + +!!! abstract "Criteria" + + Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#our-criteria) for more information. + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +??? success annotate "67 Countries" + + Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). 
A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +??? success "Open-Source Clients" + + Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +??? success "Accepts Cash" + + Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment. + +??? success "WireGuard Support" + + Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +??? warning "Remote Port Forwarding" + + Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +??? 
info "Additional Functionality" + + Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +!!! danger "Killswitch feature is broken on Intel-based Macs" + + System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +??? success annotate "35 Countries" + + IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1). 
Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +??? success "Open-Source Clients" + + As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +??? success "Accepts Cash and Monero" + + In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +??? success "WireGuard Support" + + IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. 
+ + IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +??? info "Additional Functionality" + + IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. 
+ + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +??? success annotate "41 Countries" + + Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2023-01-19 + +??? success "Independently Audited" + + Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). 
The security researchers concluded: + + > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + + In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + + > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + + In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +??? success "Open-Source Clients" + + Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +??? 
success "Accepts Cash and Monero" + + Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +??? success "WireGuard Support" + + Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "IPv6 Support" + + Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +??? 
success "Mobile Clients" + + Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +??? info "Additional Functionality" + + Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. 
+ +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- Monero or cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts Monero, cash, and other forms of anonymous payment options (gift cards, etc.) +- No personal information accepted (autogenerated username, no email required, etc.) 
+ +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. 
We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. + +--8<-- "includes/abbreviations.sv.txt" diff --git a/i18n/tr/404.md b/i18n/tr/404.md new file mode 100644 index 00000000..d1961f6c --- /dev/null +++ b/i18n/tr/404.md 
@@ -0,0 +1,17 @@ +--- +hide: + - feedback +--- + +# 404 - Sayfa Bulunamadı + +Aradığınız sayfayı bulamadık! Belki de bunlardan birini arıyordunuz? + +- [Tehdit Modellemesine Giriş](basics/threat-modeling.md) +- [Önerilen DNS Sağlayıcıları](dns.md) +- [En İyi Masaüstü Web Tarayıcıları](desktop-browsers.md) +- [En İyi VPN Sağlayıcıları](vpn.md) +- [Privacy Guides Forumu](https://discuss.privacyguides.net) +- [Blog](https://blog.privacyguides.org) + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/CODE_OF_CONDUCT.md b/i18n/tr/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/tr/CODE_OF_CONDUCT.md 
@@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. 
**Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. 
diff --git a/i18n/tr/about/criteria.md b/i18n/tr/about/criteria.md new file mode 100644 index 00000000..35794d71 --- /dev/null +++ b/i18n/tr/about/criteria.md 
@@ -0,0 +1,42 @@ +--- +title: Genel Kriterler +--- + +!!! örnek "Devam Eden Çalışma" + + Aşağıdaki sayfa üzerinde çalışılmaktadır ve şu anda tavsiyelerimize ilişkin kriterlerin tamamını yansıtmamaktadır. Bu konuyla ilgili geçmiş tartışma: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Aşağıda Privacy Guides'a yapılan tüm başvurular için geçerli olması gereken bazı hususlar yer almaktadır. Her kategorinin dahil edilmesi için ek gereklilikler olacaktır. + +## Finansal Açıklama + +Belirli ürünleri tavsiye ederek para kazanmıyoruz, bağlı kuruluş bağlantıları kullanmıyoruz ve proje bağışçılarına özel bir değerlendirme sağlamıyoruz. + +## Genel Talimatlar + +Yeni önerileri değerlendirirken bu öncelikleri uygularız: + +- **Güvenli**: Araçlar, uygun olan her yerde en iyi güvenlik uygulamalarını takip etmelidir. +- **Kaynak Kullanılabilirliği**: Açık kaynak projeleri genellikle eşdeğer tescilli alternatiflere göre tercih edilir. +- **Çapraz Platform**: Satıcı kilitlenmesini önlemek için genellikle önerilerin çapraz platform olmasını tercih ederiz. +- **Aktif Gelişim**: Tavsiye ettiğimiz araçlar aktif olarak geliştirilmeli, çoğu durumda sürdürülmeyen projeler kaldırılacaktır. +- **Kullanılabilirlik**: Araçlar çoğu bilgisayar kullanıcısı için erişilebilir olmalı, aşırı teknik bir altyapı gerekmemelidir. +- **Belgelenmiş**: Araçlar, kullanım için açık ve kapsamlı belgelere sahip olmalıdır. + +## Geliştiricinin Kendi Gönderimleri + +Projelerini veya yazılımlarını değerlendirmeye göndermek isteyen geliştiriciler için bu gerekliliklere sahibiz. + +- Bağlılığınızı, yani sunulan projedeki pozisyonunuzu açıklamalısınız. + +- Mesajlaşma uygulaması, şifre yöneticisi, şifreli bulut depolama vb. gibi hassas bilgilerin işlenmesini içeren bir projeyse, bir güvenlik teknik incelemesine sahip olmalıdır. + - Üçüncü taraf denetim durumu. Bir tane varsa veya planladıysanız bilmek istiyoruz. Mümkünse lütfen denetimi kimin yapacağını belirtin. 
+ +- Projenin mahremiyet konusunda masaya ne getirdiğini açıklamalıdır. + - Yeni bir sorunu çözüyor mu? + - Neden alternatifleri yerine bunu kullansınlar ki? + +- Projelerinde tam tehdit modelinin ne olduğunu belirtmelidir. + - Potansiyel kullanıcılar için projenin neleri sağlayabileceği ve neleri sağlayamayacağı açık olmalıdır. + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/about/donate.md b/i18n/tr/about/donate.md new file mode 100644 index 00000000..80298330 --- /dev/null +++ b/i18n/tr/about/donate.md 
@@ -0,0 +1,52 @@ +--- +title: Bizi Destekleyin +--- + + +It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers. + +[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +A special thanks to all those who support our mission! :heart: + +*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Privacy Guides is a **non-profit** organization. 
We use donations for a variety of purposes, including: + +**Domain Registrations** +: + +We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration. + +**Web Hosting** +: + +Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic. + +**Online Services** +: + +We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.). + +**Product Purchases** +: + +We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/about/index.md b/i18n/tr/about/index.md new file mode 100644 index 00000000..79c9d46a --- /dev/null +++ b/i18n/tr/about/index.md 
@@ -0,0 +1,63 @@ +--- +title: "Privacy Guides Hakkında" +--- + +**Privacy Guides** veri güvenliğinizi ve gizliliğinizi korumaya yönelik bilgiler sağlayan sosyal amaçlı bir web sitesidir. Tamamen gönüllü [ekip üyeleri](https://discuss.privacyguides.net/g/team) ve katkıda bulunanlar tarafından işletilen, kâr amacı gütmeyen bir kolektifiz. + +[:material-hand-coin-outline: Projeyi destekleyin](donate.md ""){.md-button.md-button--primary} + +## Ekibimiz + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Ana Sayfa](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: E-posta](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: E-posta](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Ana Sayfa](https://freddy.omg.lol) + +??? 
person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Ana Sayfa](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Ekibimizin haricinde [birçok kişi](https://github.com/privacyguides/privacyguides.org/graphs/contributors) projeye katkıda bulunmuştur. Projeye siz de katkı sağlayabilirsiniz, çünkü bu açık kaynaklı bir proje! + +Ekip üyelerimiz web sitesinde yapılan tüm değişiklikleri gözden geçirir; web sitesini yayınlama ve finans gibi idari görevleri yerine getirir, ancak bu siteye yapılan herhangi bir katkıdan kişisel olarak kar elde etmezler. Finansal bilgilerimiz Open Collective Foundation 501(c)(3) tarafından [opencollective.com/privacyguides](https://opencollective.com/privacyguides)adresinde şeffaf bir şekilde barındırılmaktadır. Privacy Guides'a yapılan bağışlar genellikle Amerika Birleşik Devletleri'nde vergiden düşülebilir. + +## Site Lisansı + +*Aşağıda, [lisansın ](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE)okunabilir bir özeti(asıl lisansın yerine geçmez) yer almaktadır:* + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Aksi belirtilmedikçe, bu web sitesindeki orijinal içerik [Creative Commons Attribution-NoDerivatives 4.0 Uluslararası Kamu Lisansı](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE) altında kullanıma sunulmuştur. 
Bu, `Privacy Guides (www.privacyguides.org)` adresine uygun şekilde atıfta bulunduğunuz ve lisansa bir bağlantı verdiğiniz sürece, materyali ticari olarak bile herhangi bir amaçla herhangi bir ortamda veya formatta kopyalamakta ve yeniden dağıtmakta özgür olduğunuz anlamına gelir. Bunu herhangi bir makul bir şekilde yapabilirsiniz, ancak Gizlilik Kılavuzları (Privacy Guides) sizi veya kullanımınızı onayladığı hiçbir şekilde değil. Bu web sitesinin içeriğini yeniden düzenler, dönüştürür veya oluşturursanız, değiştirilen materyali dağıtamazsınız. + +Bu lisans; insanların, çalışmalarımızı uygun şekilde kredi vermeden paylaşmalarını ve çalışmalarımızı insanları yanlış yönlendirmek için kullanılabilecek şekilde değiştirmelerini önlemek için mevcuttur. Bu lisansın koşullarını üzerinde çalıştığınız proje için çok kısıtlayıcı buluyorsanız, lütfen `jonah@privacyguides.org`adresinden bize ulaşın. Gizlilik alanındaki iyi niyetli projeler için alternatif lisanslama seçenekleri sunmaktan mutluluk duyuyoruz! + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/about/notices.md b/i18n/tr/about/notices.md new file mode 100644 index 00000000..e98aedcf --- /dev/null +++ b/i18n/tr/about/notices.md 
@@ -0,0 +1,45 @@ +--- +title: "Duyurular ve Sorumluluk Redleri" +hide: + - toc +--- + +## Yasal Sorumluluk Reddi + +Privacy Guides bir hukuk firması değildir. Bu bakımdan, Privacy Guides sitesi ve katkıda bulunanları yasal tavsiye vermemektedir. Web sitemizdeki ve rehberlerdeki içerik ve tavsiyeler yasal tavsiye teşkil etmemekte olduğu gibi siteye katkıda bulunmak veya Privacy Guides ile ya da diğer katkıda bulunanlarla sitemiz hakkında iletişime geçmek avukat-müvekkil ilişkisi sağlamamaktadır. + +Bu siteyi yönetmek, diğer herhangi bir insan gayreti gibi, belirsizlikler ve ödünler içermektedir. Bu web sitenin yardım etmesini umarız, ancak hatalar içerebilir ve her duruma çözüm olmayabilir. Durumunuz hakkında bir sorunuz varsa, kendi araştırmanızı yapmanızı, başka uzmanlara ulaşmanızı ve Privacy Guides topluluğu ile tartışmanızı teşvik ediyoruz. Eğer herhangi bir yasal sorunuz varsa, ilerlemeden önce kendi yasal danışmanınıza başvurmalısınız. + +Gizlilik Kılavuzları (Privacy Guides), web sitesinin ve katkıda bulunanların korunması için Gizlilik Kılavuzları Projesi (Privacy Guides Project) ve web sitesinin garanti olmadan sunulduğunu açıkça ortaya koyan şartları içeren lisanslara katkıda bulunan açık kaynaklı bir projedir. Web sitesini kullanmaktan veya dahil edilen herhangi bir öneriyi kullanmaktan kaynaklanan zararlar için sorumluluk kabul etmez. Gizlilik Kılavuzları (Privacy Guides), web sitesinde veya bu sitede bağlantılı herhangi bir üçüncü taraf sitede bu tür materyallerle ilgili olarak materyallerin kullanımının doğruluğunu, olası sonuçları veya güvenilirliği ile ilgili herhangi bir beyanda bulunmaz. + +Gizlilik kılavuzları (Privacy Guides) ek olarak, bu web sitesinin sürekli olarak kullanılabilir veya hiç kullanılabilir olacağını garanti etmez. + +## Lisanslar + +Aksi belirtilmedikçe, bu web sitesindeki tüm içerik, Creative Commons Attribution-Noderivatives 4.0 International Public License şartları altında sunulmaktadır. 
+ +Bu, yerini alan bir lisansın aksi belirtildiği bu depoya veya koda yerleştirilmiş üçüncü taraf kodu içermez. Aşağıdakiler dikkate değer örneklerdir, ancak bu liste her şey dahil olmayabilir: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js)Mathjax, [Apache Lisans 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt) altında lisanslanmıştır. + +Bu bildirimin kendisi [opensource.guide'den](https://github.com/github/opensource.guide/blob/master/notices.md) Github'da kabul edildi. Bu kaynak ve bu sayfanın kendisi [CC-BY-4.0 altında yayınlanır](https://github.com/github/opensource.guide/blob/master/LICENSE). + +Bu, Creative Commons Attribution-Noderivatives 4.0 International Public License metninde belirtilen şartlara göre, bu depodaki insan tarafından okunabilir içeriği kendi projeniz için kullanabileceğiniz anlamına gelir. Bunu herhangi bir makul bir şekilde yapabilirsiniz, ancak Gizlilik Kılavuzları (Privacy Guides) sizi veya kullanımınızı onayladığı hiçbir şekilde değil. Gizlilik Kılavuzları (Privacy Guides) markasını bu projeden açık bir onay almadan kendi projenizde **kullanamazsınız**. Gizlilik Kılavuzları'nın (Privacy Guides) marka ticari markaları arasında "Gizlilik Kılavuzları (Privacy Guides)" kelime işaretleri ve zırh (shield) logosu yer alıyor. + +Üçüncü taraf sağlayıcılardan elde edilen `varlıklardaki` logoların ve diğer görüntülerin ya kamu malı ya da **adil kullanımda** olduğuna inanıyoruz. Özetle, yasal [adil kullanım doktrini](https://www.copyright.gov/fair-use/more-info.html), konuyu kamuoyu yorumu amacıyla tanımlamak için telif hakkıyla korunan görüntülerin kullanılmasına izin verir. Bununla birlikte, bu logolar ve diğer görüntüler yine de bir veya daha fazla yargı alanında ticari marka yasalarına tabi olabilir. 
Bu içeriği kullanmadan önce, lütfen ticari markanın sahibi olan varlığı veya kuruluşu tanımlamak için kullanıldığından ve bunu amaçladığınız kullanım koşullarında geçerli olan yasalar uyarınca kullanma hakkına sahip olduğunuzdan emin olun. *Bu web sitesinden içerik kopyalarken, başka birinin ticari markasını veya telif hakkını ihlal etmediğinizden yalnızca siz sorumlusunuz.* + +Bu depoya katkıda bulunduğunuzda, yukarıdaki lisanslar altında bunu yapıyorsunuz ve Gizlilik Kılavuzları'na (Privacy Guides) birden fazla yüce katman aracılığıyla bu tür hakları altüst etme hakkı ile sürekli, dünya çapında, münhasır olmayan, aktarılabilir, telifsiz, geri dönülemez bir lisans vermekle beraber projemizin bir parçası olarak katkınızı çoğaltmak, değiştirmek, görüntülemek, gerçekleştirmek ve dağıtıyorsunuz. + +## Kabul Edilebilir Kullanım + +Bu web sitesini, web sitesine zarar verecek veya bunlara zarar verebilecek veya Gizlilik Kılavuzları'nın (Privacy Guides) mevcudiyetinin veya erişilebilirliğine veya yasadışı, yasadışı, hileli, zararlı veya herhangi bir yasadışı, yasadışı, bağlantılı olarak, hileli, zararlı amaç, zararlı faaliyet veya herhangi bir şekilde kullanılabilirliğine neden olabilecek hiçbir şekilde kullanamazsınız. + +Aşağıdakiler de dahil olmak üzere, bu web sitesinde veya bu web sitesine göre herhangi bir sistematik veya otomatik veri toplama faaliyeti gerçekleştirmemelisiniz: + +* Agresif Otomatik Taramalar +* Hizmet Reddi Saldırıları (DOS, DDOS) +* Kazıma (Scraping) +* Veri Madenciliği (Data Mining) +* Çerçeveleme (Framing, IFrames) + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/about/privacy-policy.md b/i18n/tr/about/privacy-policy.md new file mode 100644 index 00000000..c7dcd243 --- /dev/null +++ b/i18n/tr/about/privacy-policy.md 
@@ -0,0 +1,63 @@ +--- +title: "Privacy Policy" +--- + +Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). + +## Data We Collect From Visitors + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- No personal information is collected +- No information such as cookies are stored in the browser +- No information is shared with, sent to or sold to third-parties +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- No information is monetized + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Data We Collect From Account Holders + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. 
+ +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. 
In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/about/privacytools.md b/i18n/tr/about/privacytools.md new file mode 100644 index 00000000..5220dd4d --- /dev/null +++ b/i18n/tr/about/privacytools.md 
@@ -0,0 +1,120 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. 
The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. 
+ +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. 
This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. 
If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. 
+ +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. 
BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. 
+
+## r/privacytoolsIO Now
+
+After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021:
+
+> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you.
+>
+> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...]
+
+Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides.
+
+In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules:
+
+> Retaliation from any moderator with regards to removal requests is disallowed.
+
+For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is.
+
+## OpenCollective Now
+
+Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community.
+
+Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer:
+
+> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net.
+
+## Further Reading
+
+This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion.
+
+- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/)
+- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/)
+- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/)
+- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides)
+- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280)
+- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/)
+- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/)
+- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496)
+- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20)
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/about/services.md b/i18n/tr/about/services.md
new file mode 100644
index 00000000..a47e82c5
--- /dev/null
+++ b/i18n/tr/about/services.md
@@ -0,0 +1,40 @@
+# Privacy Guides Hizmetleri
+
+Özellikleri test etmek ve tek bir merkeze bağlı olmayan, federe ve/veya açık kaynaklı projeleri tanıtmak için bir dizi web hizmeti yürütüyoruz. Bu hizmetlerin birçoğu kamuya açıktır ve aşağıda ayrıntılı olarak açıklanmıştır.
+
+[:material-comment-alert: Bir sorunu bildirin](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary}
+
+## Discourse
+
+- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net)
+- Kullanılabilirlik: Halka açık
+- Kaynak: [github.com/discourse/discourse](https://github.com/discourse/discourse)
+
+## Gitea
+
+- Domain: [code.privacyguides.dev](https://code.privacyguides.dev)
+- Kullanılabilirlik: Yalnızca Davetliler
+ *Privacy Guides* ile ilgili geliştirme veya içerik üzerinde çalışan herhangi bir ekibe talep üzerine erişim verilebilir.
+- Kaynak: [snapcraft.io/gitea](https://snapcraft.io/gitea)
+
+## Matrix
+
+- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org)
+- Kullanılabilirlik: Yalnızca Davetliler
+ Erişim, talep üzerine Gizlilik Kılavuzları ekip üyelerine, Matrix moderatörlerine, üçüncü taraf Matrix topluluk yöneticilerine, Matrix bot operatörlerine ve güvenilir bir Matrix varlığına ihtiyaç duyan diğer kişilere verilebilir.
+- Kaynak: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy)
+
+## SearXNG
+
+- Domain: [search.privacyguides.net](https://search.privacyguides.net)
+- Kullanılabilirlik: Halka açık
+- Kaynak: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker)
+
+## Invidious
+
+- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net)
+- Availability: Semi-Public
+ We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time.
+- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/about/statistics.md b/i18n/tr/about/statistics.md new file mode 100644 index 00000000..e527df39 --- /dev/null +++ b/i18n/tr/about/statistics.md @@ -0,0 +1,63 @@ +--- +title: Trafik İstatistikleri +--- + +## Web Sitesi İstatistikleri + + +
İstatistikler Plausible Analytics tarafından desteklenmektedir
+ + + + +## Blog İstatistikleri + + +
İstatistikler Plausible Analytics tarafından desteklenmektedir
+ + + + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/advanced/communication-network-types.md b/i18n/tr/advanced/communication-network-types.md new file mode 100644 index 00000000..6e0b8cc1 --- /dev/null +++ b/i18n/tr/advanced/communication-network-types.md 
@@ -0,0 +1,104 @@
+---
+title: "Types of Communication Networks"
+icon: 'material/transit-connection-variant'
+---
+
+There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use.
+
+[Recommended Instant Messengers](../real-time-communication.md ""){.md-button}
+
+## Centralized Networks
+
+![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left }
+
+Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization.
+
+Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate.
+
+**Advantages:**
+
+- New features and changes can be implemented more quickly.
+- Easier to get started with and to find contacts.
+- Most mature and stable features ecosystems, as they are easier to program in a centralized software.
+- Privacy issues may be reduced when you trust a server that you're self-hosting.
+
+**Disadvantages:**
+
+- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like:
+- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage.
+- Poor or no documentation for third-party developers.
+- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on.
+- Self-hosting requires effort and knowledge of how to set up a service.
+
+## Federated Networks
+
+![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left }
+
+Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network.
+
+When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server).
+
+**Advantages:**
+
+- Allows for greater control over your own data when running your own server.
+- Allows you to choose whom to trust your data with by choosing between multiple "public" servers.
+- Often allows for third-party clients which can provide a more native, customized, or accessible experience.
+- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member).
+
+**Disadvantages:**
+
+- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network.
+- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion.
+- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used).
+- Federated servers generally require trusting your server's administrator.
They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used.
+- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers.
+
+## Peer-to-Peer Networks
+
+![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left }
+
+P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server.
+
+Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol).
+
+Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient.
+
+P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting.
+
+**Advantages:**
+
+- Minimal information is exposed to third-parties.
+- Modern P2P platforms implement E2EE by default.
There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models.
+
+**Disadvantages:**
+
+- Reduced feature set:
+- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online.
+- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online.
+- Some common messenger features may not be implemented or incompletely, such as message deletion.
+- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention.
+
+## Anonymous Routing
+
+![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left }
+
+A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three.
+
+There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can.
Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers."
+
+Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit.
+
+**Advantages:**
+
+- Minimal to no information is exposed to other parties.
+- Messages can be relayed in a decentralized manner even if one of the parties is offline.
+
+**Disadvantages:**
+
+- Slow message propagation.
+- Often limited to fewer media types, mostly text, since the network is slow.
+- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline.
+- More complex to get started, as the creation and secured backup of a cryptographic private key is required.
+- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/advanced/dns-overview.md b/i18n/tr/advanced/dns-overview.md
new file mode 100644
index 00000000..fc9577fc
--- /dev/null
+++ b/i18n/tr/advanced/dns-overview.md
@@ -0,0 +1,307 @@ +--- +title: "DNS Overview" +icon: material/dns +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. 
This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. 
| Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. 
Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. 
When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned.
+
+## Why **shouldn't** I use encrypted DNS?
+
+In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity.
+
+When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS:
+
+### IP Address
+
+The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides.
+
+This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet.
+
+### Server Name Indication (SNI)
+
+Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection.
+
+1. Start capturing again with `tshark`.
We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. 
Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted.
+
+### Online Certificate Status Protocol (OCSP)
+
+Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted.
+
+The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status.
+
+We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command.
+
+1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file:
+
+ ```bash
+ openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 |
+ sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert
+ ```
+
+2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate.
+
+ ```bash
+ openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 |
+ sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert
+ ```
+
+3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1.
We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. 
It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? 
+
+A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server).
+
+Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
+
+## What is EDNS Client Subnet (ECS)?
+
+The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query.
+
+It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps.
+
+This feature does come at a privacy cost, as it tells the DNS server some information about the client's location.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/advanced/tor-overview.md b/i18n/tr/advanced/tor-overview.md
new file mode 100644
index 00000000..10ca4765
--- /dev/null
+++ b/i18n/tr/advanced/tor-overview.md
@@ -0,0 +1,81 @@
+---
+title: "Tor Overview"
+icon: 'simple/torproject'
+---
+
+Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications.
+
+## Path Building
+
+Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays).
+
+Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function:
+
+### The Entry Node
+
+The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to.
+
+Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1]
+
+### The Middle Node
+
+The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to.
+
+For each new circuit, the middle node is randomly selected out of all available Tor nodes.
+
+### The Exit Node
+
+The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to.
+
+The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2]
+
+
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+
+## Encryption
+
+Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order.
+
+Once Tor has built a circuit, data transmission is done as follows:
+
+1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node.
+
+2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node.
+
+3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address.
+
+Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back.
+
+
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+
+Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address.
+
+## Caveats
+
+Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect:
+
+- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity.
+- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible.
+
+If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting.
+
+- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser)
+
+## Additional Resources
+
+- [Tor Browser User Manual](https://tb-manual.torproject.org)
+- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube)
+- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube)
+
+--8<-- "includes/abbreviations.tr.txt"
+
+[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. 
The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/tr/android.md b/i18n/tr/android.md
new file mode 100644
index 00000000..326f7db7
--- /dev/null
+++ b/i18n/tr/android.md
@@ -0,0 +1,353 @@ +--- +title: "Android" +icon: 'simple/android' +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +- [General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md) +- [Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! 
öneri + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! 
öneri + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). 
All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. 
For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. 
Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! öneri + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). 
If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! öneri + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! öneri + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! öneri + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. 
CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! öneri + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. 
The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! 
öneri + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. 
+ +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. 
+
+ ```bash
+ Signer #1 certificate DN: CN=GrapheneOS
+ Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59
+ Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c
+ Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3
+ ```
+
+### F-Droid
+
+![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px }
+
+==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages.
+
+Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust.
+
+Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository.
While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.
+
+That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method.
+
+!!! note
+
+ In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here.
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Operating Systems
+
+- Must be open-source software.
+- Must support bootloader locking with custom AVB key support.
+- Must receive major Android updates within 0-1 months of release.
+- Must receive Android feature updates (minor version) within 0-14 days of release.
+- Must receive regular security patches within 0-5 days of release.
+- Must **not** be "rooted" out of the box.
+- Must **not** enable Google Play Services by default.
+- Must **not** require system modification to support Google Play Services.
+
+### Devices
+
+- Must support at least one of our recommended custom operating systems.
+- Must be currently sold new in stores.
+- Must receive a minimum of 5 years of security updates.
+- Must have dedicated secure element hardware.
+
+### Applications
+
+- Applications on this page must not be applicable to any other software category on the site.
+- General applications should extend or replace core system functionality.
+- Applications should receive regular updates and maintenance.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/assets/img/account-deletion/exposed_passwords.png b/i18n/tr/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/tr/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/tr/assets/img/android/rss-apk-dark.png b/i18n/tr/assets/img/android/rss-apk-dark.png
new file mode 100644
index 00000000..974869a4
Binary files /dev/null and b/i18n/tr/assets/img/android/rss-apk-dark.png differ
diff --git a/i18n/tr/assets/img/android/rss-apk-light.png b/i18n/tr/assets/img/android/rss-apk-light.png
new file mode 100644
index 00000000..21d6ef03
Binary files /dev/null and b/i18n/tr/assets/img/android/rss-apk-light.png differ
diff --git a/i18n/tr/assets/img/android/rss-changes-dark.png b/i18n/tr/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/tr/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/tr/assets/img/android/rss-changes-light.png b/i18n/tr/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/tr/assets/img/android/rss-changes-light.png differ diff --git a/i18n/tr/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/tr/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/tr/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/tr/assets/img/how-tor-works/tor-encryption.svg b/i18n/tr/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/tr/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/tr/assets/img/how-tor-works/tor-path-dark.svg b/i18n/tr/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/tr/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/tr/assets/img/how-tor-works/tor-path.svg b/i18n/tr/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/tr/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/tr/assets/img/multi-factor-authentication/fido.png b/i18n/tr/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/tr/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/tr/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/tr/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/tr/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/tr/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/tr/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/tr/assets/img/qubes/qubes-trust-level-architecture.png differ 
diff --git a/i18n/tr/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/tr/assets/img/qubes/r4.0-xfce-three-domains-at-work.png
new file mode 100644
index 00000000..d7138149
Binary files /dev/null and b/i18n/tr/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ
diff --git a/i18n/tr/basics/account-creation.md b/i18n/tr/basics/account-creation.md
new file mode 100644
index 00000000..e4b38b3c
--- /dev/null
+++ b/i18n/tr/basics/account-creation.md
@@ -0,0 +1,82 @@
+---
+title: "Account Creation"
+icon: 'material/account-plus'
+---
+
+Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line.
+
+There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer.
+
+It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.
+
+## Terms of Service & Privacy Policy
+
+The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for.
+
+The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect.
+
+We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start.
+
+Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy.
+
+## Authentication methods
+
+There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks.
+
+### Email and password
+
+The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords.
+
+!!! tip
+
+ You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key.
+
+You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts.
+
+[Recommended password managers](../passwords.md ""){.md-button}
+
+#### Email aliases
+
+If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address.
This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to.
+
+Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked.
+
+[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button}
+
+### Single sign-on
+
+!!! note
+
+ We are discussing Single sign-on for personal use, not enterprise users.
+
+Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO.
+
+When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account.
+
+The main advantages are:
+
+- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials.
+- **Ease of use**: multiple accounts are managed by a single login.
+
+But there are disadvantages:
+
+- **Privacy**: a SSO provider will know the services you use.
+- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected.
+
+SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others.
Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md).
+
+All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak.
+
+### Phone number
+
+We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted.
+
+You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts.
+
+In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number!
+
+### Username and password
+
+Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/basics/account-deletion.md b/i18n/tr/basics/account-deletion.md
new file mode 100644
index 00000000..8e997e6c
--- /dev/null
+++ b/i18n/tr/basics/account-deletion.md
@@ -0,0 +1,63 @@
+---
+title: "Account Deletion"
+icon: 'material/account-remove'
+---
+
+Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence.
+
+## Finding Old Accounts
+
+### Password Manager
+
+If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/).
+
+
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png)
+
+
+Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336).
+
+Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about:
+
+- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
+- macOS [Passwords](https://support.apple.com/en-us/HT211145)
+- iOS [Passwords](https://support.apple.com/en-us/HT211146)
+- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
+
+### Email
+
+If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts.
+
+## Deleting Old Accounts
+
+### Log In
+
+In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page.
It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts.
+
+When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account.
+
+### GDPR (EEA residents only)
+
+Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
+
+### Overwriting Account information
+
+In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information.
+
+For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.
+
+### Delete
+
+You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
+
+For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this).
+
+If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
+
+Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services.
+
+## Avoid New Accounts
+
+As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/basics/common-misconceptions.md b/i18n/tr/basics/common-misconceptions.md
new file mode 100644
index 00000000..7329f5f3
--- /dev/null
+++ b/i18n/tr/basics/common-misconceptions.md
@@ -0,0 +1,61 @@
+---
+title: "Common Misconceptions"
+icon: 'material/robot-confused'
+---
+
+## "Open-source software is always secure" or "Proprietary software is more secure"
+
+These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis.
+
+Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1]
+
+On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
+
+To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use.
+
+## "Shifting trust can increase privacy"
+
+We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that:
+
+1.
You must exercise caution when choosing a provider to shift trust to.
+2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data.
+
+## "Privacy-focused solutions are inherently trustworthy"
+
+Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider.
+
+The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all.
+
+## "Complicated is better"
+
+We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?"
+
+Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips:
+
+1.
==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions.
+2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember.
+3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight.
+
+So, how might this look?
+
+One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to.
+
+1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses.
+
+ We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means.
+
+ !!! tip
+
+ When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private.
+
+2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know.
This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc.
+
+ You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.
+
+3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly.
+
+ Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.)
+
+--8<-- "includes/abbreviations.tr.txt"
+
+[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident).
diff --git a/i18n/tr/basics/common-threats.md b/i18n/tr/basics/common-threats.md
new file mode 100644
index 00000000..37bd133a
--- /dev/null
+++ b/i18n/tr/basics/common-threats.md
@@ -0,0 +1,149 @@
+---
+title: "Common Threats"
+icon: 'material/eye-outline'
+---
+
+Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat.
+
+- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically.
+- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically.
+- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
+- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
+- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities.
+- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
+- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public.
+- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. 
+
+Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices.
+
+## Anonymity vs. Privacy
+
+:material-incognito: Anonymity
+
+Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity.
+
+Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far.
+
+## Security and Privacy
+
+:material-bug-outline: Passive Attacks
+
+Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. 
The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.)
+
+When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited.
+
+To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control.
+
+!!! tip
+
+ Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources.
+
+ Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). 
+
+:material-target-account: Targeted Attacks
+
+Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies.
+
+!!! tip
+
+ By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this.
+
+If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user.
+
+## Privacy From Service Providers
+
+:material-server-network: Service Providers
+
+We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. 
Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them.
+
+The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord.
+
+Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party.
+
+!!! note "Note on Web-based Encryption"
+
+ In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering).
+
+ On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt.
+
+ Therefore, you should use native applications over web clients whenever possible. 
+
+Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all.
+
+## Mass Surveillance Programs
+
+:material-eye-outline: Mass Surveillance
+
+Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative.
+
+!!! abstract "Atlas of Surveillance"
+
+ If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/).
+
+ In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net.
+
+Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others.
+
+!!! 
quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
+
+ In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline.
+
+Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2]
+
+Online, you can be tracked via a variety of methods:
+
+- Your IP address
+- Browser cookies
+- The data you submit to websites
+- Your browser or device fingerprint
+- Payment method correlation
+
+\[This list isn't exhaustive].
+
+If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information.
+
+:material-account-cash: Surveillance Capitalism
+
+> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3]
+
+For many people, tracking and surveillance by private corporations is a growing concern. 
Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4]
+
+Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you.
+
+## Limiting Public Information
+
+:material-account-search: Public Exposure
+
+The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy.
+
+- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md)
+
+On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission.
+
+If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. 
This makes your real information indistinguishable from the false information.
+
+## Avoiding Censorship
+
+:material-close-outline: Censorship
+
+Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5]
+
+Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.
+
+People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.
+
+!!! tip
+
+ While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic.
+
+ You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. 
Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
+
+You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.
+
+--8<-- "includes/abbreviations.tr.txt"
+
+[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance).
+[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques.
+[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights).
diff --git a/i18n/tr/basics/email-security.md b/i18n/tr/basics/email-security.md
new file mode 100644
index 00000000..e55d27a1
--- /dev/null
+++ b/i18n/tr/basics/email-security.md
@@ -0,0 +1,42 @@
+---
+title: Email Security
+icon: material/email
+---
+
+Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed.
+
+As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others.
+
+## Email Encryption Overview
+
+The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
+
+There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible.
+
+### What Email Clients Support E2EE? 
+
+Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication.
+
+### How Do I Protect My Private Keys?
+
+A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
+
+It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.
+
+## Email Metadata Overview
+
+Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
+
+Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent.
+
+### Who Can View Email Metadata? 
+
+Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages.
+
+### Why Can't Metadata be E2EE?
+
+Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/basics/multi-factor-authentication.md b/i18n/tr/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..ac147f75
--- /dev/null
+++ b/i18n/tr/basics/multi-factor-authentication.md
@@ -0,0 +1,166 @@
+---
+title: "Multi-Factor Authentication"
+icon: 'material/two-factor-authentication'
+---
+
+**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app.
+
+Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone.
+
+MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO.
+
+## MFA Method Comparison
+
+### SMS or Email MFA
+
+Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account.
+
+### Push Notifications
+
+Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. 
+
+We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices.
+
+The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app.
+
+### Time-based One-time Password (TOTP)
+
+TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password.
+
+The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes.
+
+If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app.
+
+Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. 
If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds).
+
+An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
+
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+
+### Hardware security keys
+
+The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory.
+
+These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones.
+
+#### Yubico OTP
+
+Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server.
+
+When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field.
+
+The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
+
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+
+There are some benefits and disadvantages to using Yubico OTP when compared to TOTP.
+
+The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance.
+
+If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key.
+
+#### FIDO (Fast IDentity Online)
+
+[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn).
+
+U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on.
+
+WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication.
+
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+
+When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal.
+
+This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards.
+
+
+
+
+FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods.
+
+Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy.
+
+Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys.
+
+If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA.
+
+## Genel Öneriler
+
+We have these general recommendations:
+
+### Which Method Should I Use?
+
+When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account.
+
+### Backups
+
+You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one.
+
+When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)).
+
+### Initial Set Up
+
+When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well.
+
+### Email and SMS
+
+If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method.
+
+If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam).
+
+[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button}
+
+## More Places to Set Up MFA
+
+Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well.
+
+### Windows
+
+Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer.
+
+### macOS
+
+macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer.
+
+Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS.
+
+After your smartcard/security key is set up, we recommend running this command in the Terminal:
+
+```text
+sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
+```
+
+The command will prevent an adversary from bypassing MFA when the computer boots.
+
+### Linux
+
+!!! warning
+
+ If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide.
+
+The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS.
+
+### Qubes OS
+
+Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS.
+
+### SSH
+
+#### Hardware Security Keys
+
+SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up.
+
+#### Time-based One-time Password (TOTP)
+
+SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ.
+
+### KeePass (and KeePassXC)
+
+KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/basics/passwords-overview.md b/i18n/tr/basics/passwords-overview.md
new file mode 100644
index 00000000..8c4e276e
--- /dev/null
+++ b/i18n/tr/basics/passwords-overview.md
@@ -0,0 +1,112 @@
+---
+title: "Introduction to Passwords"
+icon: 'material/form-textbox-password'
+---
+
+Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced.
+
+## Best Practices
+
+### Use unique passwords for every service
+
+Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it.
+
+This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords.
+
+### Use randomly generated passwords
+
+==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices.
+
+All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use.
+
+### Rotating Passwords
+
+You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it.
+
+When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage.
+
+!!! tip "Checking for data breaches"
+
+ If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md).
+
+## Creating strong passwords
+
+### Passwords
+
+A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters.
+
+If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases).
+
+### Diceware Passphrases
+
+Diceware is a method for creating passphrases which are easy to remember, but hard to guess.
+
+Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password.
+
+An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`.
+
+To generate a diceware passphrase using real dice, follow these steps:
+
+!!! note
+
+ These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy.
+
+1. Roll a six-sided die five times, noting down the number after each roll.
+
+2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`.
+
+3. You will find the word `encrypt`. Write that word down.
+
+4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space.
+
+!!! warning "Important"
+
+ You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random.
+
+If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords.
+
+We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English.
+
+??? note "Explanation of entropy and strength of diceware passphrases"
+
+ To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example.
+
+ One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$.
+
+ Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$).
+
+ The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$.
+
+ Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases.
+
+ On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true:
+
+ - Your adversary knows that you used the diceware method.
+ - Your adversary knows the specific wordlist that you used.
+ - Your adversary knows how many words your passphrase contains.
+
+To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong.
+
+## Storing Passwords
+
+### Password Managers
+
+The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them.
+
+There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words.
+
+[List of recommended password managers](../passwords.md ""){.md-button}
+
+!!! warning "Don't place your passwords and TOTP tokens inside the same password manager"
+
+ When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+
+ Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
+
+ Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device.
+
+### Backups
+
+You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/basics/threat-modeling.md b/i18n/tr/basics/threat-modeling.md
new file mode 100644
index 00000000..f570ca53
--- /dev/null
+++ b/i18n/tr/basics/threat-modeling.md
@@ -0,0 +1,111 @@
+---
+title: "Tehdit Modellemesi"
+icon: 'material/target-account'
+---
+
+Gizlilik yolculuğunuzda yüzleşeceğiniz ilk ve en zorlu görev; güvenliği, gizliliği ve kullanılabilirliği dengeleyebilmektir. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using!
+
+If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. Bu yüzden tehdit modelleri önemlidir.
+
+**So, what are these threat models, anyway?**
+
+==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure.
+
+Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.
+
+## Creating Your Threat Model
+
+To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions:
+
+1. What do I want to protect?
+2. Who do I want to protect it from?
+3. How likely is it that I will need to protect it?
+4. How bad are the consequences if I fail?
+5. How much trouble am I willing to go through to try to prevent potential consequences?
+
+### What do I want to protect?
+
+Bir “varlık” değer verdiğiniz ve korumak istediğiniz bir şeydir. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets.
+
+*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.*
+
+### Who do I want to protect it from?
+
+To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.
+
+*Make a list of your adversaries or those who might want to get ahold of your assets. Listeniz bireyleri, bir devlet kurumunu veya şirketleri içerebilir.*
+
+Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning.
+
+### How likely is it that I will need to protect it?
+
+==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.
+
+Ne olabileceği ile olma olasılığı arasında ayrım yapmak önemlidir. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).
+
+Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.
+
+*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.*
+
+### How bad are the consequences if I fail?
+
+There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.
+
+==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.
+
+Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. Açık bir Wi - Fi ağındaki bir bilgisayar korsanı şifrelenmemiş iletişimlerinize erişebilir. Hükümetinizin daha güçlü yetenekleri olabilir.
+
+*Write down what your adversary might want to do with your private data.*
+
+### How much trouble am I willing to go through to try to prevent potential consequences?
+
+==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy.
+
+For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.
+
+*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.*
+
+### Try it yourself: Protecting Your Belongings
+
+These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe.
+
+**What do you want to protect? (Or, *what do you have that is worth protecting?*)**
+:
+
+Your assets might include jewelry, electronics, important documents, or photos.
+
+**Who do you want to protect it from?**
+:
+
+Your adversaries might include burglars, roommates, or guests.
+
+**How likely is it that you will need to protect it?**
+:
+
+Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider?
+
+**How bad are the consequences if you fail?**
+:
+
+Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home?
+
+**How much trouble are you willing to go through to prevent these consequences?**
+:
+
+Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there?
+
+Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system.
+
+Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face.
+
+## Further Reading
+
+For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations.
+
+- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md)
+
+## Kaynaklar
+
+- [EFF Surveillance Self Defense: Güvenlik Planınız](https://ssd.eff.org/en/module/your-security-plan)
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/basics/vpn-overview.md b/i18n/tr/basics/vpn-overview.md
new file mode 100644
index 00000000..32756e08
--- /dev/null
+++ b/i18n/tr/basics/vpn-overview.md
@@ -0,0 +1,78 @@
+---
+title: VPN Overview
+icon: material/vpn
+---
+
+Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem).
+
+Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns).
+
+A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it.
+
+## Should I use a VPN?
+
+**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service.
+
+VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way.
+
+However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.
+
+## When shouldn't I use a VPN?
+
+Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful.
+
+Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website.
+
+## What about encryption?
+
+Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption.
+
+In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf).
+
+## Should I use encrypted DNS with a VPN?
+
+Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider.
+
+A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different.
+
+Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you.
+
+## Should I use Tor *and* a VPN?
+
+By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md).
+
+## What if I need anonymity?
+
+VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead.
+
+## What about VPN providers that provide Tor nodes?
+
+Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit).
+
+The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway.
+
+## When are VPNs useful?
+
+A VPN may still be useful to you in a variety of scenarios, such as:
+
+1. Hiding your traffic from **only** your Internet Service Provider.
+1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
+1. Hiding your IP from third-party websites and services, preventing IP based tracking.
+
+For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
+
+## Sources and Further Reading
+
+1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
+1. [Tor Network Overview](../advanced/tor-overview.md)
+1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides)
+1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them.
+
+## Related VPN Information
+
+- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/)
+- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
+- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
+- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/calendar.md b/i18n/tr/calendar.md
new file mode 100644
index 00000000..e33d25f4
--- /dev/null
+++ b/i18n/tr/calendar.md
@@ -0,0 +1,71 @@ +--- +title: "Calendar Sync" +icon: material/calendar +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! öneri + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! 
öneri + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/cloud.md b/i18n/tr/cloud.md new file mode 100644 index 00000000..fbe90316 --- /dev/null +++ b/i18n/tr/cloud.md 
@@ -0,0 +1,62 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by either putting you in control of your data or by implementing E2EE. + +If these alternatives do not fit your needs, we suggest you look into [Encryption Software](encryption.md). + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! öneri + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is an E2EE general file storage service by the popular encrypted email provider [Proton Mail](https://proton.me/mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +Proton Drive's mobile clients were released in December 2022 and are not yet open-source. Proton has historically delayed their source code releases until after initial product releases, and [plans to](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) release the source code by the end of 2023. Proton Drive desktop clients are still in development. 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. 
+- Should offer at least basic file preview and editing functionality on the web interface. + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/data-redaction.md b/i18n/tr/data-redaction.md new file mode 100644 index 00000000..0a608129 --- /dev/null +++ b/i18n/tr/data-redaction.md 
@@ -0,0 +1,146 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! öneri + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! öneri + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. 
+ + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! öneri + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. 
+ + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! öneri + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! öneri + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. 
+ + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/desktop-browsers.md b/i18n/tr/desktop-browsers.md new file mode 100644 index 00000000..3fcf827a --- /dev/null +++ b/i18n/tr/desktop-browsers.md 
@@ -0,0 +1,263 @@ +--- +title: "Masaüstü Tarayıcıları" +icon: material/laptop +--- + +Bunlar, standart/anonim olmayan gezinti için şu anda önerilen masaüstü web tarayıcılarımız ve yapılandırmalarımızdır. İnternette anonim olarak gezinmeniz gerekiyorsa, bunun yerine [Tor](tor.md) kullanmalısınız. Genel olarak, tarayıcı uzantılarınızı en az miktarda tutmanızı öneririz; tarayıcınızda ayrıcalıklı erişime sahiptirler, geliştiriciye güvenmenizi gerektirirler, sizi [](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)öne çıkarabilir ve [](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site izolasyonunu zayıflatabilirler. + +## Firefox + +!!! öneri + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! 
warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. 
+ +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. 
If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +## Brave + +!!! öneri + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. 
+ +### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### IPFS + +InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +- [x] Select **Disabled** on Method to resolve IPFS resources + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! öneri + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). 
+ +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +--8<-- "includes/abbreviations.tr.txt" + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/tr/desktop.md b/i18n/tr/desktop.md new file mode 100644 index 00000000..d4e0cdba --- /dev/null +++ b/i18n/tr/desktop.md 
@@ -0,0 +1,184 @@
+---
+title: "Desktop/PC"
+icon: simple/linux
+---
+
+Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions.
+
+- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md)
+
+## Traditional Distributions
+
+### Fedora Workstation
+
+!!! öneri
+
+ ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right }
+
+ **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general.
+
+ [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
+
+### openSUSE Tumbleweed
+
+!!! öneri
+
+ ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
+
+ **openSUSE Tumbleweed** is a stable rolling release distribution.
+
+ openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.
+
+ [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute }
+
+Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality.
+
+### Arch Linux
+
+!!! öneri
+
+ ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right }
+
+ **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).
+
+ [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute }
+
+Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.
+
+Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
+
+A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org).
+
+## Immutable Distributions
+
+### Fedora Silverblue
+
+!!! öneri
+
+ ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right }
+
+ **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.
+
+ [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.
+
+After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed.
+
+[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image.
+
+As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer.
+
+### NixOS
+
+!!! öneri
+
+ ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right }
+
+ NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.
+
+ [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute }
+
+NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.
+
+NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.
+
+Nix the package manager uses a purely functional language - which is also called Nix - to define packages.
+
+[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository.
You can also define your own packages in the same language and then easily include them in your config.
+
+Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible.
+
+## Anonymity-Focused Distributions
+
+### Whonix
+
+!!! öneri
+
+ ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right }
+
+ **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os).
+
+ [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute }
+
+Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.
+
+Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator.
+
+Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
+
+Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors.
+
+### Tails
+
+!!! öneri
+
+ ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right }
+
+ **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off.
+
+ [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute }
+
+Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized.
+
+Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device.
+
+By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots.
+
+## Security-focused Distributions
+
+### Qubes OS
+
+!!! öneri
+
+ ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right }
+
+ **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers.
+
+ [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary }
+ [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute }
+
+Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*.
+
+The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/).
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! 
example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Our recommended operating systems:
+
+- Must be open-source.
+- Must receive regular software and Linux kernel updates.
+- Linux distributions must support [Wayland](os/linux-overview.md#Wayland).
+- Must support full-disk encryption during installation.
+- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/dns.md b/i18n/tr/dns.md
new file mode 100644
index 00000000..8785ff6e
--- /dev/null
+++ b/i18n/tr/dns.md
@@ -0,0 +1,142 @@
+---
+title: "DNS Resolvers"
+icon: material/dns
+---
+
+!!! question "Should I use encrypted DNS?"
+
+ Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity.
+
+ [Learn more about DNS](advanced/dns-overview.md){ .md-button }
+
+## Önerilen Sağlayıcılar
+
+| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering |
+| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
+| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. |
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec).
+- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization).
+- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled.
+- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support.
+
+## Native Operating System Support
+
+### Android
+
+Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**.
+
+### Apple Devices
+
+The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings).
+
+After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings.
+
+#### Signed Profiles
+
+Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/).
+
+!!! info
+
+ `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS.
+
+## Encrypted DNS Proxies
+
+Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns).
+
+### RethinkDNS
+
+!!! 
öneri
+
+ ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right }
+ ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right }
+
+ **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
+
+ [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns)
+ - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases)
+
+### dnscrypt-proxy
+
+!!! öneri
+
+ ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right }
+
+ **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
+
+ !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
+
+ [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows)
+ - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS)
+ - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux)
+
+## Self-hosted Solutions
+
+A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed.
+
+### AdGuard Home
+
+!!! öneri
+
+ ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right }
+
+ **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ AdGuard Home features a polished web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" }
+
+### Pi-hole
+
+!!! 
öneri
+
+ ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right }
+
+ **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute }
+
+--8<-- "includes/abbreviations.tr.txt"
+
+[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html)
+[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours.
[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/)
+[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy)
+[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/)
+[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy)
+[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/)
diff --git a/i18n/tr/email-clients.md b/i18n/tr/email-clients.md
new file mode 100644
index 00000000..5a9cfb97
--- /dev/null
+++ b/i18n/tr/email-clients.md
@@ -0,0 +1,239 @@ +--- +title: "Email Clients" +icon: material/email-open +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! öneri + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! öneri + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! 
öneri + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! öneri + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! öneri + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! öneri + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. 
+ + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! öneri + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! öneri + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. 
+ + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! öneri + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. 
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/email.md b/i18n/tr/email.md new file mode 100644 index 00000000..8134df1c --- /dev/null +++ b/i18n/tr/email.md 
@@ -0,0 +1,485 @@ +--- +title: "Email Services" +icon: material/email +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! öneri + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +??? 
success "Custom Domains and Aliases" + + Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +??? success "Private Payment Methods" + + Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments. + +??? success "Account Security" + + Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code. + +??? success "Data Security" + + Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + + Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +??? success "Email Encryption" + + Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. 
+ + Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + +??? warning "Digital Legacy" + + Proton Mail doesn't offer a digital legacy feature. + +??? info "Account Termination" + + If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +??? info "Additional Functionality" + + Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +### Mailbox.org + +!!! öneri + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +??? success "Custom Domains and Aliases" + + Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. 
Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +??? info "Private Payment Methods" + + Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +??? success "Account Security" + + Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +??? info "Data Security" + + Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + + However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +??? success "Email Encryption" + + Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. 
This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + + Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +??? success "Digital Legacy" + + Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +??? info "Account Termination" + + Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +??? info "Additional Functionality" + + You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + + All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +### StartMail + +!!! 
öneri + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +??? success "Custom Domains and Aliases" + + Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +??? warning "Private Payment Methods" + + StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +??? success "Account Security" + + StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +??? info "Data Security" + + StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. 
When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + + StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +??? success "Email Encryption" + + StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. + +??? warning "Digital Legacy" + + StartMail does not offer a digital legacy feature. + +??? info "Account Termination" + + On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +??? info "Additional Functionality" + + StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +### Tutanota + +!!! öneri + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +??? success "Custom Domains and Aliases" + + Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). 
Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +??? warning "Private Payment Methods" + + Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +??? success "Account Security" + + Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +??? success "Data Security" + + Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +??? warning "Email Encryption" + + Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +??? warning "Digital Legacy" + + Tutanota doesn't offer a digital legacy feature. + +??? info "Account Termination" + + Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +??? info "Additional Functionality" + + Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + + Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. 
+ +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! öneri + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. 
You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! öneri + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! 
öneri + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! öneri + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. 
We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. 
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible.
+
+**Minimum to Qualify:**
+
+- Protect sender's IP address. Filter it from showing in the `Received` header field.
+- Don't require personally identifiable information (PII) besides a username and a password.
+- Privacy policy that meets the requirements defined by the GDPR
+- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/).
+
+**Best Case:**
+
+- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
+
+### Security
+
+Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members.
+
+**Minimum to Qualify:**
+
+- Protection of webmail with 2FA, such as TOTP.
+- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
+- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
+- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption.
+- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
+- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
+- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
+- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
+- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/).
+- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
+- Website security standards such as:
+ - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+ - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
+- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt.
+
+**Best Case:**
+
+- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name).
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support.
+- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+- Website security standards such as:
+ - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
+ - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the email providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+
+- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc)
+- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+
+**Best Case:**
+
+- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
+
+### Additional Functionality
+
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/encryption.md b/i18n/tr/encryption.md
new file mode 100644
index 00000000..d803b8c7
--- /dev/null
+++ b/i18n/tr/encryption.md
@@ -0,0 +1,357 @@
+---
+title: "Encryption Software"
+icon: material/file-lock
+---
+
+Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here.
+
+## Multi-platform
+
+The options listed here are multi-platform and great for creating encrypted backups of your data.
+
+### Cryptomator (Cloud)
+
+!!! öneri
+
+ ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right }
+
+ **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider.
+
+ [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:simple-android: Android](https://cryptomator.org/android)
+ - [:simple-windows11: Windows](https://cryptomator.org/downloads)
+ - [:simple-apple: macOS](https://cryptomator.org/downloads)
+ - [:simple-linux: Linux](https://cryptomator.org/downloads)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+
+Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders.
+ +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! öneri + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! 
öneri + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). 
+ +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! öneri + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. 
Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! öneri + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! öneri + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. 
+ + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! öneri + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. 
+ + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! öneri + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! öneri + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). 
+ + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! öneri + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. 
GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! öneri + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! öneri + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! öneri + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). 
+ + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave.
+- File encryption apps should have first- or third-party support for mobile platforms.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/file-sharing.md b/i18n/tr/file-sharing.md
new file mode 100644
index 00000000..be9a510f
--- /dev/null
+++ b/i18n/tr/file-sharing.md
@@ -0,0 +1,148 @@
+---
+title: "File Sharing and Sync"
+icon: material/share-variant
+---
+
+Discover how to privately share your files between your devices, with your friends and family, or anonymously online.
+
+## File Sharing
+
+### Send
+
+!!! öneri
+
+ ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right }
+
+ **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself.
+
+ [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute }
+
+Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server:
+
+```bash
+ffsend upload --host https://send.vis.ee/ FILE
+```
+
+### OnionShare
+
+!!! öneri
+
+ ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right }
+
+ **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. 
+ + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! öneri + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). 
The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! öneri + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! 
danger
+
+ We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality.
+
+### Syncthing (P2P)
+
+!!! öneri
+
+ ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right }
+
+ **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS.
+
+ [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid)
+ - [:simple-windows11: Windows](https://syncthing.net/downloads/)
+ - [:simple-apple: macOS](https://syncthing.net/downloads/)
+ - [:simple-linux: Linux](https://syncthing.net/downloads/)
+ - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/)
+ - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/)
+ - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! 
example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must not require a third-party remote/cloud server.
+- Must be open-source software.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Has mobile clients for iOS and Android, which at least support document previews.
+- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/frontends.md b/i18n/tr/frontends.md
new file mode 100644
index 00000000..4f903c97
--- /dev/null
+++ b/i18n/tr/frontends.md
@@ -0,0 +1,268 @@
+---
+title: "Frontends"
+icon: material/flip-to-front
+---
+
+Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions.
+
+## LBRY
+
+### Librarian
+
+!!! öneri
+
+ ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right }
+ ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right }
+
+ **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable.
+
+ There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
+
+ [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" }
+
+!!! warning
+
+ Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy.
+
+!!! tip
+
+ Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. 
+ +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! öneri + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. 
Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! öneri + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! öneri + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). 
When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! öneri + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. 
+ + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! öneri + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. 
+ + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! öneri açıklaması + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. 
+ + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! öneri + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. 
Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! öneri + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! 
tip
+
+ Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting.
+
+When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Recommended frontends...
+
+- Must be open-source software.
+- Must be self-hostable.
+- Must provide all basic website functionality available to anonymous users.
+
+We only consider frontends for websites which are...
+
+- Not normally accessible without JavaScript.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/index.md b/i18n/tr/index.md
new file mode 100644
index 00000000..47de6971
--- /dev/null
+++ b/i18n/tr/index.md
@@ -0,0 +1,44 @@ +--- +template: overrides/home.tr.html +hide: + - navigation + - toc + - feedback +--- + + +## Why should I care? + +##### “I have nothing to hide. Why should I care about my privacy?” + +Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination). + +You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human. + +[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary} + +## What should I do? + +##### First, you need to make a plan + +Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them. + +==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan. + +[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## We need you! 
Here's how to get involved: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" } +[:material-information-outline:](about/index.md){ title="Learn more about us" } +[:material-hand-coin-outline:](about/donate.md){ title="Support the project" } + +It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know. + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/kb-archive.md b/i18n/tr/kb-archive.md new file mode 100644 index 00000000..a18dad70 --- /dev/null +++ b/i18n/tr/kb-archive.md 
@@ -0,0 +1,18 @@ +--- +title: KB Archive +icon: material/archive +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/meta/brand.md b/i18n/tr/meta/brand.md new file mode 100644 index 00000000..d09cd6ae --- /dev/null +++ b/i18n/tr/meta/brand.md @@ -0,0 +1,24 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/meta/git-recommendations.md b/i18n/tr/meta/git-recommendations.md new file mode 100644 index 00000000..20c090ca --- /dev/null +++ b/i18n/tr/meta/git-recommendations.md 
@@ -0,0 +1,48 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). 
+ +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/meta/uploading-images.md b/i18n/tr/meta/uploading-images.md new file mode 100644 index 00000000..1acd5d71 --- /dev/null +++ b/i18n/tr/meta/uploading-images.md 
@@ -0,0 +1,91 @@
+---
+title: Uploading Images
+---
+
+Here are a couple of general rules for contributing to Privacy Guides:
+
+## Images
+
+- We **prefer** SVG images, but if those do not exist we can use PNG images
+
+Company logos have canvas size of:
+
+- 128x128px
+- 384x128px
+
+## Optimization
+
+### PNG
+
+Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image:
+
+```bash
+optipng -o7 file.png
+```
+
+### SVG
+
+#### Inkscape
+
+[Scour](https://github.com/scour-project/scour) all SVG images.
+
+In Inkscape:
+
+1. File Save As..
+2. Set type to Optimized SVG (*.svg)
+
+In the **Options** tab:
+
+- **Number of significant digits for coordinates** > **5**
+- [x] Turn on **Shorten color values**
+- [x] Turn on **Convert CSS attributes to XML attributes**
+- [x] Turn on **Collapse groups**
+- [x] Turn on **Create groups for similar attributes**
+- [ ] Turn off **Keep editor data**
+- [ ] Turn off **Keep unreferenced definitions**
+- [x] Turn on **Work around renderer bugs**
+
+In the **SVG Output** tab under **Document options**:
+
+- [ ] Turn off **Remove the XML declaration**
+- [x] Turn on **Remove metadata**
+- [x] Turn on **Remove comments**
+- [x] Turn on **Embeded raster images**
+- [x] Turn on **Enable viewboxing**
+
+In the **SVG Output** under **Pretty-printing**:
+
+- [ ] Turn off **Format output with line-breaks and indentation**
+- **Indentation characters** > Select **Space**
+- **Depth of indentation** > **1**
+- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element**
+
+In the **IDs** tab:
+
+- [x] Turn on **Remove unused IDs**
+- [ ] Turn off **Shorten IDs**
+- **Prefix shortened IDs with** > `leave blank`
+- [x] Turn on **Preserve manually created IDs not ending with digits**
+- **Preserve the following IDs** > `leave blank`
+- **Preserve IDs starting with** > `leave blank`
+
+#### CLI
+
+The same can be achieved with the [Scour](https://github.com/scour-project/scour) command:
+
+```bash
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/meta/writing-style.md b/i18n/tr/meta/writing-style.md
new file mode 100644
index 00000000..e2665d6e
--- /dev/null
+++ b/i18n/tr/meta/writing-style.md
@@ -0,0 +1,89 @@
+---
+title: Writing Style
+---
+
+Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt.
+
+In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below.
+
+## Writing for our audience
+
+Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with.
+
+### Address only what people want to know
+
+People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details.
+
+> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.”
+
+### Address people directly
+
+We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly.
+
+> More than any other single technique, using “you” pulls users into the information and makes it relevant to them.
+>
+> When you use “you” to address users, they are more likely to understand what their responsibility is.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/)
+
+### Avoid "users"
+
+Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for.
+
+## Organizing content
+
+Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas.
+
+- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages.
+- Mark important ideas with **bold** or *italics*.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
+
+### Begin with a topic sentence
+
+> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details.
+>
+> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
+
+## Choose your words carefully
+
+> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand.
+
+We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly.
+
+> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences:
+>
+> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends.
+>
+> And the original, using stronger, simpler words:
+>
+> > More night jobs would keep youths off the streets.
+
+## Be concise
+
+> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
+
+## Keep text conversational
+
+> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting.
+>
+> Verbs tell your audience what to do. Make sure it’s clear who does what.
+
+### Use active voice
+
+> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.”
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
+
+### Use "must" for requirements
+
+> - “must” for an obligation
+> - “must not” for a prohibition
+> - “may” for a discretionary action
+> - “should” for a recommendation
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/mobile-browsers.md b/i18n/tr/mobile-browsers.md
new file mode 100644
index 00000000..cec5e4ca
--- /dev/null
+++ b/i18n/tr/mobile-browsers.md
@@ -0,0 +1,193 @@
+---
+title: "Mobile Browsers"
+icon: material/cellphone-information
+---
+
+These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. İnternette anonim olarak gezinmeniz gerekiyorsa, bunun yerine [Tor](tor.md) kullanmalısınız. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Android
+
+On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
+
+### Brave
+
+!!! öneri
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ??? downloads annotate
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+
+#### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy**
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+##### Brave shields global defaults
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+
+- [x] Select **Aggressive** under Block trackers & ads
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] Select **Upgrade connections to HTTPS**
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under **Block fingerprinting**
+
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Clear browsing data
+
+- [x] Select **Clear data on exit**
+
+##### Social Media Blocking
+
+- [ ] Uncheck all social media components
+
+##### Other privacy settings
+
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Allow sites to check if you have payment methods saved**
+- [ ] Uncheck **IPFS Gateway** (1)
+- [x] Select **Close tabs on exit**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+
+1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+
+
+#### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## iOS
+
+On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser.
+
+### Safari
+
+!!! öneri
+
+ ![Safari logo](assets/img/browsers/safari.svg){ align=right }
+
+ **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
+
+ [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation}
+
+#### Recommended Configuration
+
+These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.
+
+##### Cross-Site Tracking Prevention
+
+- [x] Enable **Prevent Cross-Site Tracking**
+
+This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
+
+##### Privacy Report
+
+Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
+
+Privacy Report is accessible via the Page Settings menu.
+
+##### Privacy Preserving Ad Measurement
+
+- [ ] Disable **Privacy Preserving Ad Measurement**
+
+Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
+
+The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
+
+##### Always-on Private Browsing
+
+Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
+
+- [x] Select **Private**
+
+Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
+
+Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
+
+##### iCloud Sync
+
+Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
+
+You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**.
+
+- [x] Turn On **Advanced Data Protection**
+
+If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
+
+### AdGuard
+
+!!! öneri
+
+ ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right }
+
+ **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
+
+ AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge.
+
+ [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must support automatic updates.
+- Must receive engine updates in 0-1 days from upstream release.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Android browsers must use the Chromium engine.
+ - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android.
+ - iOS browsers are limited to WebKit.
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/multi-factor-authentication.md b/i18n/tr/multi-factor-authentication.md
new file mode 100644
index 00000000..f5799410
--- /dev/null
+++ b/i18n/tr/multi-factor-authentication.md
@@ -0,0 +1,144 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +--- + +## Hardware Security Keys + +### YubiKey + +!!! öneri + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. 
+ +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey / Librem Key + +!!! öneri + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. 
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + + The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +!!! tip + + The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. 
+ +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! öneri + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! öneri + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? 
downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open-source software.
+- Must not require internet connectivity.
+- Must not sync to a third-party cloud sync/backup service.
+ - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/news-aggregators.md b/i18n/tr/news-aggregators.md
new file mode 100644
index 00000000..783e2784
--- /dev/null
+++ b/i18n/tr/news-aggregators.md
@@ -0,0 +1,173 @@ +--- +title: "News Aggregators" +icon: material/rss +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favourite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! öneri + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! öneri + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! öneri + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! öneri + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! öneri + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! öneri + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! 
öneri + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. 
+
+ ```text
+ https://www.reddit.com/r/{{ subreddit_name }}/new/.rss
+ ```
+
+### Twitter
+
+Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS.
+
+!!! example
+ 1. Pick an instance and set `nitter_instance`.
+ 2. Replace `twitter_account` with the account name.
+
+ ```text
+ https://{{ nitter_instance }}/{{ twitter_account }}/rss
+ ```
+
+### YouTube
+
+You can subscribe YouTube channels without logging in and associating usage information with your Google Account.
+
+!!! example
+
+ To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below:
+ ```text
+ https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID]
+ ```
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/notebooks.md b/i18n/tr/notebooks.md
new file mode 100644
index 00000000..7ddf4242
--- /dev/null
+++ b/i18n/tr/notebooks.md
@@ -0,0 +1,115 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! öneri + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. + +### Standard Notes + +!!! öneri + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! öneri + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! öneri + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. 
+
+ [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute }
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Clients must be open-source.
+- Any cloud sync functionality must be E2EE.
+- Must support exporting documents into a standard format.
+
+### Best Case
+
+- Local backup/sync functionality should support encryption.
+- Cloud-based platforms should support document sharing.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/os/android-overview.md b/i18n/tr/os/android-overview.md
new file mode 100644
index 00000000..3a211f36
--- /dev/null
+++ b/i18n/tr/os/android-overview.md
@@ -0,0 +1,135 @@ +--- +title: Android Overview +icon: simple/android +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. 
At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. 
+ +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. 
+ +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. 
+ +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. 
It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Should you want to run an app that you're unsure about, consider using a user or work profile. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. 
+ +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. 
that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). 
This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. 
Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/os/linux-overview.md b/i18n/tr/os/linux-overview.md new file mode 100644 index 00000000..fc875136 --- /dev/null +++ b/i18n/tr/os/linux-overview.md 
@@ -0,0 +1,143 @@ +--- +title: Linux Overview +icon: simple/linux +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). 
These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. 
This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). 
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. 
+ +## Genel Öneriler + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. 
+ +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. 
+ +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). 
+ +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. 
+ +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/os/qubes-overview.md b/i18n/tr/os/qubes-overview.md new file mode 100644 index 00000000..b22034da --- /dev/null +++ b/i18n/tr/os/qubes-overview.md @@ -0,0 +1,56 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. 
+ +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/passwords.md b/i18n/tr/passwords.md new file mode 100644 index 00000000..cb59ed71 --- /dev/null +++ b/i18n/tr/passwords.md 
@@ -0,0 +1,230 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! öneri + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. 
If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! öneri + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! öneri + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. 
+ + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! öneri + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! öneri + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! 
öneri + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! öneri + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). 
+ + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/productivity.md b/i18n/tr/productivity.md new file mode 100644 index 00000000..093457d8 --- /dev/null +++ b/i18n/tr/productivity.md 
@@ -0,0 +1,156 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! öneri + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! 
öneri + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. 
+- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! öneri + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! 
öneri + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. 
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! öneri + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } + +--8<-- "includes/abbreviations.tr.txt" diff --git a/i18n/tr/real-time-communication.md b/i18n/tr/real-time-communication.md new file mode 100644 index 00000000..76cfe448 --- /dev/null +++ b/i18n/tr/real-time-communication.md 
@@ -0,0 +1,195 @@
+---
+title: "Real-Time Communication"
+icon: material/chat-processing
+---
+
+These are our recommendations for encrypted real-time communication.
+
+[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md)
+
+## Encrypted Messengers
+
+These messengers are great for securing your sensitive communications.
+
+### Signal
+
+!!! öneri
+
+ ![Signal logo](assets/img/messengers/signal.svg){ align=right }
+
+ **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling.
+
+ All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with.
+
+ [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669)
+ - [:simple-android: Android](https://signal.org/android/apk/)
+ - [:simple-windows11: Windows](https://signal.org/download/windows)
+ - [:simple-apple: macOS](https://signal.org/download/macos)
+ - [:simple-linux: Linux](https://signal.org/download/linux)
+
+Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes.
Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier.
+
+The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
+
+We have some additional tips on configuring and hardening your Signal installation:
+
+[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+
+### SimpleX Chat
+
+!!! öneri
+
+ ![Simplex logo](assets/img/messengers/simplex.svg){ align=right }
+
+ **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations.
+
+ [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084)
+ - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases)
+
+SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022.
+
+Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported.
+
+Your data can be exported, and imported onto another device, as there are no central servers where this is backed up.
+
+### Briar
+
+!!! öneri
+
+ ![Briar logo](assets/img/messengers/briar.svg){ align=right }
+
+ **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem.
+
+ [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation}
+ [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android)
+ - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/)
+ - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar)
+
+To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby.
+
+The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited.
+
+Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec).
+
+Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol.
+
+## Additional Options
+
+!!! warning
+
+ These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications.
+
+### Element
+
+!!! öneri
+
+ ![Element logo](assets/img/messengers/element.svg){ align=right }
+
+ **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication.
+
+ Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls.
+
+ [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067)
+ - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases)
+ - [:simple-windows11: Windows](https://element.io/get-started)
+ - [:simple-apple: macOS](https://element.io/get-started)
+ - [:simple-linux: Linux](https://element.io/get-started)
+ - [:octicons-globe-16: Web](https://app.element.io)
+
+Profile pictures, reactions, and nicknames are not encrypted.
+
+Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings.
+
+The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history.
+
+The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016.
The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/).
+
+### Session
+
+!!! öneri
+
+ ![Session logo](assets/img/messengers/session.svg){ align=right }
+
+ **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls.
+
+ Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network.
+
+ [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868)
+ - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases)
+ - [:simple-windows11: Windows](https://getsession.org/download)
+ - [:simple-apple: macOS](https://getsession.org/download)
+ - [:simple-linux: Linux](https://getsession.org/download)
+
+Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design.
+
+Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information.
+
+Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.”
+
+Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must have open-source clients.
+- Must use E2EE for private messages by default.
+- Must support E2EE for all messages.
+- Must have been independently audited.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category.
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should have Perfect Forward Secrecy.
+- Should have open-source servers.
+- Should be decentralized, i.e. federated or P2P.
+- Should use E2EE for all messages by default.
+- Should support Linux, macOS, Windows, Android, and iOS.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/router.md b/i18n/tr/router.md
new file mode 100644
index 00000000..33d3a8c4
--- /dev/null
+++ b/i18n/tr/router.md
@@ -0,0 +1,49 @@
+---
+title: "Yönlendirici Yazılımı"
+icon: material/router-wireless
+---
+
+Aşağıda; yönlendiricilerde, Wi-Fi erişim noktalarında vb. kullanılabilecek birkaç alternatif işletim sistemi bulunmaktadır.
+
+## OpenWrt
+
+!!! öneri
+
+ ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right }
+ ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right }
+
+ **OpenWrt** Linux kernelini temel alan, gömülü cihazlarda ağ trafiğini yönlendirmek için kullanılan bir işletim sistemidir. (Gömülü bir işletim sistemi de denebilir.). Ana bileşenler Linux kerneli, util - linux, uClibc ve BusyBox'tur. Tüm bileşenler, ev yönlendiricilerinde bulunan sınırlı depolama ve belleğe sığacak kadar küçük olacak şekilde optimize edilmiştir.
+
+ [:octicons-home-16: Anasayfa](https://openwrt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute }
+
+Cihazınızın desteklenip desteklenmediğini kontrol etmek için OpenWrt'nin [donanım tablosuna](https://openwrt.org/toh/start) başvurabilirsiniz.
+
+## pfSense
+
+!!! öneri
+
+ ![pfSense logo](assets/img/router/pfsense.svg#only-light){ align=right }
+ ![pfSense logo](assets/img/router/pfsense-dark.svg#only-dark){ align=right }
+
+ pfSense; FreeBSD tabanlı, açık kaynak kodlu bir güvenlik duvarı/yönlendirici programıdır. Bir ağ için özel bir güvenlik duvarı/yönlendirici yapmak üzere bir bilgisayara kurulmuştur ve güvenilirliği, genellikle, sadece pahalı ticari güvenlik duvarlarında bulunan özellikler sunmasıyla bilinir.
+
+ pfSense genellikle çevre güvenlik duvarı, yönlendirici, kablosuz erişim noktası, DHCP sunucusu, DNS sunucusu ve VPN noktası olarak dağıtılır.
+
+OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open source.
+- Must receive regular updates.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/search-engines.md b/i18n/tr/search-engines.md
new file mode 100644
index 00000000..130781f4
--- /dev/null
+++ b/i18n/tr/search-engines.md
@@ -0,0 +1,109 @@
+---
+title: "Search Engines"
+icon: material/search-web
+---
+
+Use a search engine that doesn't build an advertising profile based on your searches.
+
+The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored.
+
+Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider.
+
+## Brave Search
+
+!!! öneri
+
+ ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right }
+
+ **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives.
+
+ Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts.
+
+ We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings.
+
+ [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation}
+
+Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained.
+
+## DuckDuckGo
+
+!!!
öneri
+
+ ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right }
+
+ **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results.
+
+ DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser.
+
+ [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation}
+
+DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information.
+
+DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version.
+
+## SearXNG
+
+!!!
öneri
+
+ ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right }
+
+ **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx).
+
+ [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"}
+ [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" }
+
+SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from.
+
+When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities.
+
+When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII.
+
+## Startpage
+
+!!! öneri
+
+ ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right }
+ ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right }
+
+ **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified.
The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead.
+
+ [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation}
+
+!!! warning
+
+ Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider.
+
+Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information.
+
+Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must not collect personally identifiable information per their privacy policy.
+- Must not allow users to create an account with them.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be based on open-source software.
+- Should not block Tor exit node IP addresses.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/tools.md b/i18n/tr/tools.md
new file mode 100644
index 00000000..559b67e0
--- /dev/null
+++ b/i18n/tr/tools.md
@@ -0,0 +1,443 @@
+---
+title: "Privacy Tools"
+icon: material/tools
+hide:
+ - toc
+---
+
+If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs.
+
+If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community!
+
+For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page.
+
+## Tor Network
+
+
+
+- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser)
+- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot)
+- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1)
+
+
+
+1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy.
+
+[Learn more :material-arrow-right-drop-circle:](tor.md)
+
+## Desktop Web Browsers
+
+
+
+- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox)
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md)
+
+### Additional Resources
+
+
+
+- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources)
+
+## Mobile Web Browsers
+
+
+
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave)
+- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md)
+
+### Additional Resources
+
+
+
+- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard)
+
+## Operating Systems
+
+### Mobile
+
+
+
+- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos)
+- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md)
+
+#### Android Apps
+
+
+
+- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store)
+- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter)
+- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor)
+- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera)
+- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md#general-apps)
+
+### Desktop/PC
+
+
+
+- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os)
+- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation)
+- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed)
+- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux)
+- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue)
+- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos)
+- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix)
+- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop.md)
+
+### Yönlendirici Yazılımı
+
+
+
+- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt)
+- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](router.md)
+
+## Service Providers
+
+### Cloud Storage
+
+
+
+- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](cloud.md)
+
+### DNS
+
+#### DNS Providers
+
+We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended.
+
+[Learn more :material-arrow-right-drop-circle:](dns.md)
+
+#### Encrypted DNS Proxies
+
+
+
+- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns)
+- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies)
+
+#### Self-hosted Solutions
+
+
+
+- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home)
+- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions)
+
+### Email
+
+
+
+- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail)
+- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg)
+- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail)
+- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md)
+
+#### Email Aliasing Services
+
+
+
+- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy)
+- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services)
+
+#### Self-Hosting Email
+
+
+
+- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email)
+- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email)
+
+### Search Engines
+
+
+
+- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search)
+- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo)
+- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng)
+- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](search-engines.md)
+
+### VPN Providers
+
+??? "VPN'ler anonimlik sağlamaz"
+
+ Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.
+
+ If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
+
+ If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
+
+ [Learn more :material-arrow-right-drop-circle:](vpn.md)
+
+
+
+- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn)
+- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn)
+- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](vpn.md)
+
+## Software
+
+### Calendar Sync
+
+
+
+- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota)
+- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](calendar.md)
+
+### Data and Metadata Redaction
+
+
+
+- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2)
+- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android)
+- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios)
+- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur)
+- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](data-redaction.md)
+
+### Email Clients
+
+
+
+- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird)
+- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos)
+- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios)
+- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android)
+- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome)
+- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android)
+- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde)
+- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser)
+- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email-clients.md)
+
+### Encryption Software
+
+??? info "Operating System Disk Encryption"
+
+ For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems.
+
+ [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde)
+
+
+
+- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud)
+- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file)
+- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk)
+- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh)
+- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor)
+- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](encryption.md)
+
+#### OpenPGP Clients
+
+
+
+- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard)
+- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win)
+- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite)
+- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp)
+
+### File Sharing and Sync
+
+
+
+- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send)
+- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare)
+- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox)
+- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud)
+- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](file-sharing.md)
+
+### Frontends
+
+
+
+- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian)
+- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter)
+- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube)
+- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee)
+- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android)
+- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android)
+- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious)
+- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](frontends.md)
+
+### Multi-Factor Authentication Tools
+
+
+
+- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey)
+- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key)
+- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator)
+- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md)
+
+### News Aggregators
+
+
+
+- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator)
+- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder)
+- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader)
+- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds)
+- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux)
+- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire)
+- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](news-aggregators.md)
+
+### Notebooks
+
+
+
+- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin)
+- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes)
+- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee)
+- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](notebooks.md)
+
+### Password Managers
+
+
+
+- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden)
+- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password)
+- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono)
+- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc)
+- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android)
+- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos)
+- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](passwords.md)
+
+### Productivity Tools
+
+
+
+- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud)
+- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice)
+- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice)
+- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad)
+- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](productivity.md)
+
+### Real-Time Communication
+
+
+
+- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal)
+- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar)
+- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat)
+- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element)
+- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
+
+### Video Streaming Clients
+
+
+
+- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](video-streaming.md)
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/tor.md b/i18n/tr/tor.md
new file mode 100644
index 00000000..978a354e
--- /dev/null
+++ b/i18n/tr/tor.md
@@ -0,0 +1,124 @@
+---
+title: "Tor Network"
+icon: simple/torproject
+---
+
+![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right }
+
+The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool.
+
+[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage }
+[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation}
+[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity.
+
+
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+
+- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md)
+
+## Connecting to Tor
+
+There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser.
+
+### Tor Tarayıcı
+
+!!! öneri
+
+ ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right }
+
+ **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*.
+
+ [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
+ - [:simple-android: Android](https://www.torproject.org/download/#android)
+ - [:simple-windows11: Windows](https://www.torproject.org/download/)
+ - [:simple-apple: macOS](https://www.torproject.org/download/)
+ - [:simple-linux: Linux](https://www.torproject.org/download/)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor)
+
+!!! danger
+
+ You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
+
+The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/).
+
+### Orbot
+
+!!! öneri
+
+ ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right }
+
+ **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network.
+
+ [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599)
+ - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases)
+
+For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to.
+
+!!! tip "Tips for Android"
+
+ Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+ Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead.
+
+ All versions are signed using the same signature so they should be compatible with each other.
+
+## Relays and Bridges
+
+### Snowflake
+
+!!! öneri
+
+ ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right }
+ ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right }
+
+ **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser.
+
+ People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge.
+
+ [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie)
+ - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy")
+
+??? tip "Embedded Snowflake"
+
+ You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface.
+
+
+
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html).
+
+Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours.
+
+Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/video-streaming.md b/i18n/tr/video-streaming.md
new file mode 100644
index 00000000..cf70217b
--- /dev/null
+++ b/i18n/tr/video-streaming.md
@@ -0,0 +1,52 @@
+---
+title: "Video Streaming"
+icon: material/video-wireless
+---
+
+The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage.
+
+## LBRY
+
+!!! öneri
+
+ ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right }
+
+ **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance.
+
+ **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet.
+
+ [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://lbry.com/windows)
+ - [:simple-apple: macOS](https://lbry.com/osx)
+ - [:simple-linux: Linux](https://lbry.com/linux)
+
+!!! note
+
+ Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry.
+
+!!! warning
+
+ While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel.
+
+You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must not require a centralized account to view videos.
+ - Decentralized authentication, such as via a mobile wallet's private key is acceptable.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/tr/vpn.md b/i18n/tr/vpn.md
new file mode 100644
index 00000000..f03f5236
--- /dev/null
+++ b/i18n/tr/vpn.md
@@ -0,0 +1,305 @@
+---
+title: "VPN Hizmetleri"
+icon: material/vpn
+---
+
+Web trafiğinizi satmaya veya okumaya çalışmayan, kayıt tutmayan bir VPN operatörü bulun.
+
+??? "VPN'ler anonimlik sağlamaz"
+
+ Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.
+
+ If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
+
+ If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
+
+ [Tor'u İndir](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](basics/tor-overview.md){ .md-button }
+
+??? "VPN'ler ne zaman kullanışlı?" sorusu
+
+ İSS'nizden, halka açık bir Wi-Fi ağından veya torrent dosyaları indirirken ek **gizlilik** arıyorsanız, ilgili riskleri anladığınız sürece VPN sizin için bir çözüm olabilir.
+
+ [Daha Fazla Bilgi](basics/vpn-overview.md){ .md-button }
+
+## Önerilen Sağlayıcılar
+
+!!! özetle "Kriterler"
+
+ Önerdiğimiz sağlayıcılar şifreleme kullanır, Monero kabul eder, WireGuard & OpenVPN'i destekler ve kayıt tutmama politikasına sahiptir. Daha fazla bilgi için [tam kriter listemizi](#kriterlerimiz) okuyun.
+
+### Proton VPN
+
+!!! öneri açıklaması
+
+ ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right }
+ **Proton VPN**, VPN alanında güçlü bir rakiptir ve 2016'dan beri faaliyet göstermektedir. İsviçre merkezli Proton AG, sınırlı bir ücretsiz versiyonun yanı sıra daha özellikli bir premium seçenek de sunuyor.
+
+ **Ücretsiz** - **Plus Plan USD $71,88/yıl** (1)
+
+ [:octicons-home-16: Ana sayfa](https://protonvpn.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Gizlilik Politikası" }
+ [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Dokümantasyon}
+ [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Kaynak Kodu" } downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085)
+ - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases)
+ - [:simple-windows11: Windows](https://protonvpn.com/download-windows)
+ - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/)
+
+??? "63 Ülke" açıklamasını kontrol edin
+
+ Proton VPN'in [63 ülkede sunucuları] vardır (https://protonvpn.com/vpn-servers) (1). Size en yakın sunucuya sahip bir VPN sağlayıcısı seçmek, gönderdiğiniz ağ trafiğinin gecikme süresini azaltacaktır. Bunun nedeni hedefe giden rotanın daha kısa olmasıdır (daha az atlama).
+
+ Ayrıca VPN sağlayıcısının özel anahtarlarının güvenliği için [sanal özel sunucular](https://en.wikipedia.org/wiki/Virtual_private_server) gibi daha ucuz paylaşımlı çözümler (diğer müşterilerle) yerine [özel sunucular](https://en.wikipedia.org/wiki/Dedicated_hosting_service) kullanmasının daha iyi olduğunu düşünüyoruz.
+
+1. 2 yıllık abonelikle (119,76 $) %10 daha indirimli.
+
+??? "Bağımsız Denetimden Geçmiş" seçeneğini işaretleyin
+
+ Ocak 2020 itibarıyla Proton VPN, SEC Consult tarafından bağımsız bir denetimden geçmiştir. SEC Consult, Proton VPN'in Windows, Android ve iOS uygulamalarında bazı orta ve düşük riskli güvenlik açıklarını buldu ve bunların tümü raporlar yayınlanmadan önce Proton VPN tarafından "uygun şekilde düzeltildi". 
Tespit edilen sorunların hiçbiri bir saldırganın cihazınıza veya trafiğinize uzaktan erişim sağlamasına neden olmaz. Her platform için ayrı raporları [protonvpn.com](https://protonvpn.com/blog/open-source/) adresinden görüntüleyebilirsiniz. Nisan 2022'de Proton VPN [başka bir denetim](https://protonvpn.com/blog/no-logs-audit/) geçirdi ve rapor [Securitum tarafından hazırlandı](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
+
+??? "Açık Kaynak İstemcileri" kontrol edin
+
+ Proton VPN, masaüstü ve mobil istemcileri için kaynak kodunu [GitHub organizasyonu] (https://github.com/ProtonVPN) adresinde sağlar.
+
+??? success "Accepts Cash"
+
+ Proton VPN, kredi/banka kartları ve PayPal'ı kabul etmenin yanı sıra, Bitcoin ve **nakit/yerel para birimini** anonim ödeme biçimleri olarak kabul eder.
+
+??? success "WireGuard Support"
+
+ Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+ Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app.
+
+??? warning "Remote Port Forwarding"
+
+ Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients.
+
+??? 
success "Mobile Clients"
+
+ In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers.
+
+??? info "Additional Functionality"
+
+ Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose.
+
+!!! danger "Killswitch feature is broken on Intel-based Macs"
+
+ System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service.
+
+### IVPN
+
+!!! öneri
+
+ ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right }
+
+ **IVPN** is another premium VPN provider, and they have been in operation since 2009. Size en yakın sunucuya sahip bir VPN sağlayıcısı seçmek, gönderdiğiniz ağ trafiğinin gecikme süresini azaltacaktır.
+
+ Bunun nedeni hedefe giden rotanın daha kısa olmasıdır (daha az atlama). Ayrıca VPN sağlayıcısının özel anahtarlarının güvenliği için [sanal özel sunucular](https://en.wikipedia.org/wiki/Virtual_private_server) gibi daha ucuz paylaşımlı çözümler (diğer müşterilerle) yerine [özel sunucular](https://en.wikipedia.org/wiki/Dedicated_hosting_service) kullanmasının daha iyi olduğunu düşünüyoruz.
+
+??? 
"Bağımsız Denetimden Geçmiş" seçeneğini işaretleyin + + IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1). Size en yakın sunucuya sahip bir VPN sağlayıcısı seçmek, gönderdiğiniz ağ trafiğinin gecikme süresini azaltacaktır. Bunun nedeni hedefe giden rotanın daha kısa olmasıdır (daha az atlama). + + Ayrıca VPN sağlayıcısının özel anahtarlarının güvenliği için [sanal özel sunucular](https://en.wikipedia.org/wiki/Virtual_private_server) gibi daha ucuz paylaşımlı çözümler (diğer müşterilerle) yerine [özel sunucular](https://en.wikipedia.org/wiki/Dedicated_hosting_service) kullanmasının daha iyi olduğunu düşünüyoruz. + +1. 2 yıllık abonelikle (119,76 $) %10 daha indirimli. + +??? "Bağımsız Denetimden Geçmiş" seçeneğini işaretleyin + + IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +??? "Açık Kaynak İstemcileri" kontrol edin + + As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +??? success "Accepts Cash and Monero" + + In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +??? success "WireGuard Support" + + IVPN supports the WireGuard® protocol. 
[WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+ IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
+
+??? success "Remote Port Forwarding"
+
+ Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html).
+
+??? success "Mobile Clients"
+
+ In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers.
+
+??? info "Additional Functionality"
+
+ IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level.
+
+### Mullvad
+
+!!! öneri
+
+ ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right }
+
+ **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. Size en yakın sunucuya sahip bir VPN sağlayıcısı seçmek, gönderdiğiniz ağ trafiğinin gecikme süresini azaltacaktır. 
Bunun nedeni hedefe giden rotanın daha kısa olmasıdır (daha az atlama).
+
+ Ayrıca VPN sağlayıcısının özel anahtarlarının güvenliği için [sanal özel sunucular](https://en.wikipedia.org/wiki/Virtual_private_server) gibi daha ucuz paylaşımlı çözümler (diğer müşterilerle) yerine [özel sunucular](https://en.wikipedia.org/wiki/Dedicated_hosting_service) kullanmasının daha iyi olduğunu düşünüyoruz. downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513)
+ - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases)
+ - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/)
+ - [:simple-apple: macOS](https://mullvad.net/en/download/macos/)
+ - [:simple-linux: Linux](https://mullvad.net/en/download/linux/)
+
+??? "Bağımsız Denetimden Geçmiş" seçeneğini işaretleyin
+
+ Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). Size en yakın sunucuya sahip bir VPN sağlayıcısı seçmek, gönderdiğiniz ağ trafiğinin gecikme süresini azaltacaktır. Bunun nedeni hedefe giden rotanın daha kısa olmasıdır (daha az atlama).
+
+ Ayrıca VPN sağlayıcısının özel anahtarlarının güvenliği için [sanal özel sunucular](https://en.wikipedia.org/wiki/Virtual_private_server) gibi daha ucuz paylaşımlı çözümler (diğer müşterilerle) yerine [özel sunucular](https://en.wikipedia.org/wiki/Dedicated_hosting_service) kullanmasının daha iyi olduğunu düşünüyoruz.
+
+1. 2 yıllık abonelikle (119,76 $) %10 daha indirimli.
+
+??? "Bağımsız Denetimden Geçmiş" seçeneğini işaretleyin
+
+ Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded:
+
+ > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. 
With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint.
+
+ In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website:
+
+ > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks.
+
+ In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf).
+
+??? "Açık Kaynak İstemcileri" kontrol edin
+
+ Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app).
+
+??? success "Accepts Cash and Monero"
+
+ Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. 
They also accept Swish and bank wire transfers.
+
+??? success "WireGuard Support"
+
+ Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+ Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
+
+??? success "IPv6 Support"
+
+ Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections.
+
+??? success "Remote Port Forwarding"
+
+ Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information.
+
+??? success "Mobile Clients"
+
+ Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). 
+
+??? info "Additional Functionality"
+
+ Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion).
+
+## Criteria
+
+!!! danger
+
+ It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy.
+
+**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible.
+
+### Technology
+
+We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected.
+
+**Minimum to Qualify:**
+
+- Support for strong protocols such as WireGuard & OpenVPN.
+- Killswitch built in to clients.
+- Multihop support. Multihopping is important to keep data private in case of a single node compromise.
+- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing.
+
+**Best Case:**
+
+- WireGuard and OpenVPN support.
+- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.)
+- Easy-to-use VPN clients
+- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses.
+- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble).
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required.
+
+**Minimum to Qualify:**
+
+- Monero or cash payment option.
+- No personal information required to register: Only username, password, and email at most.
+
+**Best Case:**
+
+- Accepts Monero, cash, and other forms of anonymous payment options (gift cards, etc.)
+- No personal information accepted (autogenerated username, no email required, etc.)
+
+### Security
+
+A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis.
+
+**Minimum to Qualify:**
+
+- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
+- Perfect Forward Secrecy (PFS).
+- Published security audits from a reputable third-party firm.
+
+**Best Case:**
+
+- Strongest Encryption: RSA-4096.
+- Perfect Forward Secrecy (PFS).
+- Comprehensive published security audits from a reputable third-party firm.
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the VPN providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+ - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.)
+ - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes.
+- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor.
+
+**Best Case:**
+
+Responsible marketing that is both educational and useful to the consumer could include:
+
+- An accurate comparison to when [Tor](tor.md) should be used instead.
+- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion)
+
+### Additional Functionality
+
+While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc.
+
+--8<-- "includes/abbreviations.tr.txt"
diff --git a/i18n/uk/404.md b/i18n/uk/404.md
new file mode 100644
index 00000000..11114a71
--- /dev/null
+++ b/i18n/uk/404.md
@@ -0,0 +1,17 @@
+---
+hide:
+ - feedback
+---
+
+# 404 - Not Found
+
+We couldn't find the page you were looking for! Maybe you were looking for one of these?
+
+- [Introduction to Threat Modeling](basics/threat-modeling.md)
+- [Recommended DNS Providers](dns.md)
+- [Best Desktop Web Browsers](desktop-browsers.md)
+- [Best VPN Providers](vpn.md)
+- [Privacy Guides Forum](https://discuss.privacyguides.net)
+- [Our Blog](https://blog.privacyguides.org)
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/CODE_OF_CONDUCT.md b/i18n/uk/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..88a0e910
--- /dev/null
+++ b/i18n/uk/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@
+# Community Code of Conduct
+
+**We pledge** to make our community a harassment-free experience for everyone.
+
+**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others.
+
+**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment.
+
+## Community Standards
+
+What we expect from members of our communities:
+
+1. **Don't spread misinformation**
+
+ We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence.
+
+1. **Don't abuse our willingness to help**
+
+ Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/).
+
+1. 
**Behave in a positive and constructive manner**
+
+ Examples of behavior that contributes to a positive environment for our community include:
+
+ - Demonstrating empathy and kindness toward other people
+ - Being respectful of differing opinions, viewpoints, and experiences
+ - Giving and gracefully accepting constructive feedback
+ - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+ - Focusing on what is best not just for us as individuals, but for the overall community
+
+### Unacceptable Behavior
+
+The following behaviors are considered harassment and are unacceptable within our community:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Scope
+
+Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities.
+
+We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion.
+
+### Contact
+
+If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system.
+
+If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
diff --git a/i18n/uk/about/criteria.md b/i18n/uk/about/criteria.md
new file mode 100644
index 00000000..e9f4fd4b
--- /dev/null
+++ b/i18n/uk/about/criteria.md
@@ -0,0 +1,42 @@
+---
+title: General Criteria
+---
+
+!!! example "Work in Progress"
+
+ The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24)
+
+Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion.
+
+## Financial Disclosure
+
+We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors.
+
+## General Guidelines
+
+We apply these priorities when considering new recommendations:
+
+- **Secure**: Tools should follow security best-practices wherever applicable.
+- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives.
+- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in.
+- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases.
+- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required.
+- **Documented**: Tools should have clear and extensive documentation for use.
+
+## Developer Self-Submissions
+
+We have these requirements in regard to developers which wish to submit their project or software for consideration.
+
+- Must disclose affiliation, i.e. your position within the project being submitted.
+
+- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc.
+ - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit.
+
+- Must explain what the project brings to the table in regard to privacy.
+ - Does it solve any new problem?
+ - Why should anyone use it over the alternatives?
+
+- Must state what the exact threat model is with their project.
+ - It should be clear to potential users what the project can provide, and what it cannot.
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/about/donate.md b/i18n/uk/about/donate.md
new file mode 100644
index 00000000..d75bb00f
--- /dev/null
+++ b/i18n/uk/about/donate.md
@@ -0,0 +1,52 @@
+---
+title: Підтримайте нас
+---
+
+
+Щоб підтримувати актуальність Privacy Guides та поширювати світу про конфіденційність і глобальне стеження, потрібно багато [людей](https://github.com/privacyguides/privacyguides.org/graphs/contributors) та [праці](https://github.com/privacyguides/privacyguides.org/pulse/monthly). If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides).
+
+Якщо ви хочете надати нам фінансову підтримку, найзручніший для нас спосіб - це зробити внесок через Open Collective, вебсайт, під керівництвом нашого фіскального хостингу. Open Collective приймає платежі за допомогою кредитної/дебетової картки, PayPal, та банківських переказів.
+
+[Пожертвувати на OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary}
+
+Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. Після пожертвування ви отримаєте квитанцію від Open Collective Foundation. Privacy Guides не надають фінансових консультацій, і ви повинні звернутися до свого податкового консультанта, щоб з'ясувати чи це є сприйнятливим для вас.
+
+Якщо ви вже користуєтеся спонсорством GitHub, ви також можете підтримати нашу організацію там.
+
+[Підтримайте нас на GitHub](https://github.com/sponsors/privacyguides ""){.md-button}
+
+## Спонсори
+
+Особлива подяка всім, хто підтримує нашу місію! :heart:
+
+*Зверніть увагу: Цей розділ завантажує віджет з Open Collective. У ньому не показуються пожертвування, зроблені за межами Open Collective, і ми не контролюємо конкретних спонсорів, зазначених у цьому розділі.*
+
+
+## Як ми використовуємо пожертви
+
+Privacy Guides - це **некомерційна** організація. 
Ми використовуємо пожертви для різних цілей, зокрема:
+
+**Реєстрація домену**
+:
+
+У нас є кілька доменних імен, таких як `privacyguides.org`, які коштують нам приблизно 10 доларів на рік, щоб підтримувати їх реєстрацію.
+
+**Вебхостинг**
+:
+
+Трафік на цей вебсайт використовує сотні гігабайтів даних на місяць, ми використовуємо різних постачальників послуг, щоб не відставати від цього трафіку.
+
+**Онлайн-сервіси**
+:
+
+Ми розміщуємо [Інтернет-сервіси](https://privacyguides.net) для тестування та демонстрації різних продуктів конфіденційності, які нам подобаються, та які ми [рекомендуємо](../tools.md). Деякі з них є загальнодоступними для використання нашою спільнотою (SearXNG, Tor тощо), а деякі надаються членам нашої команди (електронна пошта та інше).
+
+**Придбання продукції**
+:
+
+Час від часу ми купуємо продукти та послуги з метою тестування наших [рекомендованих інструментів](../tools.md).
+
+Ми все ще працюємо з нашим фіскальним хостом (Open Collective Foundation), щоб отримувати пожертви криптовалюти, на цей час облік неможливий для багатьох дрібніших транзакцій, але це має змінитися в майбутньому. Однак, якщо ви хочете зробити значну пожертву в криптовалюті (> $100), будь ласка, зв'яжіться з [jonah@privacyguides.org](mailto:jonah@privacyguides.org).
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/about/index.md b/i18n/uk/about/index.md
new file mode 100644
index 00000000..dbebd91c
--- /dev/null
+++ b/i18n/uk/about/index.md
@@ -0,0 +1,63 @@
+---
+title: "About Privacy Guides"
+---
+
+**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors.
+
+[:material-hand-coin-outline: Support the project](donate.md ""){.md-button.md-button--primary}
+
+## Our Team
+
+??? person "@jonah"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah)
+ - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon")
+ - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me}
+ - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com)
+
+??? person "@niek-de-wilde"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde)
+ - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447")
+ - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me}
+
+??? person "@dngray"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray)
+ - [:simple-github: GitHub](https://github.com/dngray "@dngray")
+ - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me}
+ - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org)
+
+??? person "@freddy"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy)
+ - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m")
+ - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me}
+ - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org)
+ - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol)
+
+??? 
person "@mfwmyfacewhen"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen)
+ - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen")
+ - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol)
+
+??? person "@olivia"
+
+ - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia)
+ - [:simple-github: GitHub](https://github.com/hook9 "@hook9")
+ - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me}
+
+Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub!
+
+Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax deductible in the United States.
+
+## Site License
+
+*The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):*
+
+:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. 
Ви **не маєте права** використовувати брендинг Privacy Guides у своєму власному проєкті без прямого схвалення цього проєкту. If you remix, transform, or build upon the content of this website, you may not distribute the modified material.
+
+This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space!
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/about/notices.md b/i18n/uk/about/notices.md
new file mode 100644
index 00000000..680be1f6
--- /dev/null
+++ b/i18n/uk/about/notices.md
@@ -0,0 +1,45 @@
+---
+title: "Повідомлення та застереження"
+hide:
+ - toc
+---
+
+## Відмова від відповідальності
+
+Privacy Guides не є юридичною фірмою. Таким чином, вебсайт Privacy Guides та його учасники не надають юридичних консультацій. Матеріали та рекомендації на нашому вебсайті та посібниках не є юридичною консультацією, а також внесок у вебсайт чи спілкування з Privacy Guides або іншими учасниками нашого вебсайту не створюють відносин адвокат-клієнт.
+
+Керування цим вебсайтом, як і будь-якими людськими зусиллями, передбачає невизначеність та компроміси. Ми сподіваємося, що цей вебсайт допоможе, але він може містити помилки та не може вирішити кожну ситуацію. Якщо в вас виникли запитання щодо вашої ситуації, радимо провести власне дослідження, знайти інших експертів та взяти участь в обговореннях зі спільнотою Privacy Guides. Якщо у вас є які-небудь юридичні питання, вам слід проконсультуватися зі своїм власним юристом, перш ніж рухатись далі.
+
+Privacy Guides-це проект з відкритим вихідним кодом, створений за ліцензіями, які включають умови, які для захисту вебсайту та його учасників чітко вказують, що проект Privacy Guides і вебсайт пропонуються "як є", без гарантій і з відмовою від відповідальності за шкоду, що виникла в результаті використання вебсайту або будь-яких рекомендацій, що містяться в ньому. Privacy Guides не гарантують і не роблять ніяких заяв щодо точності, ймовірних результатів або надійності використання матеріалів на вебсайті або іншим чином пов'язаних з такими матеріалами на вебсайті або на будь-яких сторонніх сайтах, пов'язаних з цим сайтом.
+
+Крім того, Privacy Guides не гарантують, що цей вебсайт буде постійно або взагалі доступний.
+
+## Ліцензії
+
+Якщо не зазначено інше, весь вміст цього вебсайту надається у вільний доступ згідно з умовами [Creative Commons CC0 1.0 Universal](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). 
+
+Це не включає сторонній код, вбудований в цей репозиторій, або код, де ліцензія, що замінює ліцензію, відмічена іншим чином. Нижче наведені відомі приклади, але цей список може бути неповним:
+
+* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/mathjax.js) має ліцензію [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/LICENSE.mathjax.txt).
+
+Частини самого цього повідомлення були взяті з [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) на GitHub. Цей ресурс і сама ця сторінка випущені під [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE).
+
+Це означає, що ви можете використовувати читабельний вміст в цьому репозиторії для вашого власного проєкту відповідно до умов, викладених в універсальному тексті CC0 1.0. Ви **не маєте права** використовувати брендинг Privacy Guides у своєму власному проєкті без прямого схвалення цього проєкту. Торгові марки бернду Privacy Guides включають в себе логотип та "Privacy Guides". Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo.
+
+Ми вважаємо, що логотипи та інші зображення в `assets`, отримані від сторонніх постачальників, є або суспільним надбанням, або **добросовісним використанням**. У двох словах, правова [доктрина добросовісного використання](https://www.copyright.gov/fair-use/more-info.html) дозволяє використання зображень, захищених авторським правом, для ідентифікації предмета з метою публічного обговорення. Однак ці логотипи та інші зображення все ще можуть підпадати під дію законів про товарні знаки в одній або декількох юрисдикціях. Перед використанням цього контенту, будь ласка, переконайтеся, що він використовується для ідентифікації юридичної особи або організації, якій належить товарний знак, і що у вас є право використовувати його відповідно до законів, які застосовуються в обставинах вашого передбачуваного використання. 
*Копіюючи вміст з цього вебсайту, ви несете повну відповідальність за те, щоб не порушувати чужу торгову марку або авторські права.*
+
+Коли ви вносите свій внесок у цей репозиторій, ви робите це відповідно до вищевказаних ліцензій.
+
+## Допустиме використання
+
+Ви не можете використовувати цей вебсайт будь-яким чином, який викликає або може викликати пошкодження вебсайту або погіршення доступності Privacy Guides, або будь-яким способом, який є незаконним, шахрайським, шкідливим або пов'язаним з будь-якою незаконною, шахрайською або шкідливою метою або діяльністю.
+
+Ви не повинні проводити будь-які систематичні або автоматизовані заходи зі збору даних на цьому вебсайті або у зв'язку з ним без письмової згоди Aragon Ventures LLC, включаючи:
+
+* Надмірне автоматизоване сканування
+* Атаки типу "відмова в обслуговуванні"
+* Скрейпінг
+* Інтелектуальний аналіз даних
+* "Фреймінг" (IFrames)
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/about/privacy-policy.md b/i18n/uk/about/privacy-policy.md
new file mode 100644
index 00000000..47210337
--- /dev/null
+++ b/i18n/uk/about/privacy-policy.md
@@ -0,0 +1,63 @@
+---
+title: "Privacy Policy"
+---
+
+Privacy Guides - це проєкт спільноти, який керується низкою активних волонтерів. Загальнодоступний список членів команди [можна знайти на GitHub](https://github.com/orgs/privacyguides/people).
+
+## Дані, які ми збираємо від відвідувачів
+
+Конфіденційність відвідувачів нашого веб-сайту важлива для нас, тому ми не відстежуємо жодних окремих людей. Як відвідувач нашого вебсайту:
+
+- Ніяка особиста інформація не збирається
+- No information such as cookies are stored in the browser
+- Жодна інформація не передається, не відправляється та не продається третім особам
+- Жодна інформація не передається рекламним компаніям
+- Жодна інформація не видобувається та не збирається для особистих та поведінкових тенденцій
+- Жодна інформація не монетизується
+
+You can view the data we collect on our [statistics](statistics.md) page.
+
+Ми здійснюємо самостійне встановлення [Plausible Analytics](https://plausible.io), щоб зібрати деякі анонімні дані про використання для статистичних цілей. Мета полягає в тому, щоб відстежувати загальні тенденції у відвідуванні нашого веб-сайту, а не відстежувати окремих відвідувачів. Всі дані представлені тільки в сукупному вигляді. Ніякі персональні дані не збираються.
+
+Зібрані дані включають джерела посилань, верхні сторінки, тривалість відвідування, інформацію з пристроїв (тип пристрою, операційна система, країна і браузер), які використовуються під час відвідування тощо. Ви можете дізнатися більше про те, як Plausible працює та збирає інформацію з повагою до конфіденційності [тут](https://plausible.io/data-policy).
+
+## Дані, які ми збираємо від власників облікових записів
+
+На деяких вебсайтах і послугах, які ми надаємо, для багатьох функцій може знадобитися обліковий запис. Наприклад, обліковий запис може бути необхідним для публікації та відповіді на теми на платформі форуму. 
+
+Щоб зареєструвати більшість облікових записів, ми збиратимемо ім'я користувача, електронну адресу та пароль. У випадку, якщо вебсайт вимагає більше інформації, ніж тільки ці дані, це буде чітко позначено та зазначено в окремій заяві про конфіденційність на сайті.
+
+Ми використовуємо дані вашого облікового запису для ідентифікації вас на вебсайті та для створення специфічних для вас сторінок, таких як сторінка вашого профілю. Ми також будемо використовувати дані вашого облікового запису для публікації вашого загальнодоступного профілю в наших сервісах.
+
+Ми використовуємо вашу електронну пошту для:
+
+- Сповіщати про публікації та інші дії на вебсайтах або сервісах.
+- Скинути пароль та допомогти захистити ваш обліковий запис.
+- Зв'язатися з вами в особливих обставинах, пов'язаних з вашим обліковим записом.
+- Зв'язатися з вами з приводу юридичних запитів, таких як запити на видалення DMCA.
+
+На деяких вебсайтах і сервісах ви можете надати додаткову інформацію для свого облікового запису, таку як коротка біографія, аватар, ваше місце розташування або ваш день народження. Ми надаємо цю інформацію всім, хто може отримати доступ до відповідного веб-сайту або служби. Ця інформація не є обов'язковою для використання будь-яких наших сервісів і може бути стерта в будь-який час.
+
+Ми будемо зберігати дані вашого облікового запису до тих пір, поки ваш обліковий запис залишається відкритим. Після закриття облікового запису ми можемо зберегти деякі або всі дані вашого облікового запису у вигляді резервних копій або архівів на строк до 90 днів.
+
+## Зворотний зв'язок
+
+Команда Privacy Guides, як правило, не має доступу до персональних даних, окрім обмеженого доступу, наданого через деякі панелі модерації. Запити щодо вашої особистої інформації слід надсилати безпосередньо за адресою:
+
+```text
+Jonah Aragon
+Services Administrator
+jonah@privacyguides.org
+```
+
+З усіх інших питань ви можете зв'язатися з будь-яким членом нашої команди. 
+
+For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use.
+
+## Про цю політику
+
+We will post any new versions of this statement [here](privacy-policy.md). Ми можемо змінити спосіб оголошення змін у наступних версіях цього документа. В той же час ми можемо оновити нашу контактну інформацію в будь-який час, не оголошуючи про зміни. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time.
+
+A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub.
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/about/privacytools.md b/i18n/uk/about/privacytools.md
new file mode 100644
index 00000000..5eaf16ce
--- /dev/null
+++ b/i18n/uk/about/privacytools.md
@@ -0,0 +1,120 @@
+---
+title: "PrivacyTools FAQ"
+---
+
+# Why we moved on from PrivacyTools
+
+In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted.
+
+Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition.
+
+After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions.
+
+## What is PrivacyTools?
+
+PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. 
The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc.
+
+Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested.
+
+## Why We Moved On
+
+In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. 
+
+In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.==
+
+## Domain Name Reliance
+
+At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment.
+
+The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place.
+
+Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. 
This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome.
+
+In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition.
+
+## Community Call to Action
+
+At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped.
+
+## Control of r/privacytoolsIO
+
+Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit.
+
+Reddit requires that subreddits have active moderators. 
If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms.
+
+> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer.
+>
+> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct).
+
+## Beginning the Transition
+
+On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain:
+
+> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc.
+
+This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/)
+
+- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org).
+- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site.
+- Posting announcements to our subreddit and various other communities informing people of the official change.
+- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. 
+
+Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped.
+
+## Following Events
+
+Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project.
+
+At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible).
+
+Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services.
+
+Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. 
BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so.
+
+BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim.
+
+## PrivacyTools.io Now
+
+As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs.
+
+==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. 
+
+## r/privacytoolsIO Now
+
+After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021:
+
+> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you.
+>
+> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...]
+
+Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides.
+
+In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules:
+
+> Retaliation from any moderator with regards to removal requests is disallowed.
+
+For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. 
+
+## OpenCollective Now
+
+Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community.
+
+Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer:
+
+> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net.
+
+## Further Reading
+
+This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. 
+
+- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/)
+- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/)
+- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/)
+- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides)
+- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280)
+- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/)
+- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/)
+- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496)
+- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20)
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/about/services.md b/i18n/uk/about/services.md
new file mode 100644
index 00000000..a55e218c
--- /dev/null
+++ b/i18n/uk/about/services.md
@@ -0,0 +1,40 @@
+# Privacy Guides Services
+
+We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below.
+
+[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary}
+
+## Discourse
+
+- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net)
+- Availability: Public
+- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse)
+
+## Gitea
+
+- Domain: [code.privacyguides.dev](https://code.privacyguides.dev)
+- Availability: Invite-Only
+ Access may be granted upon request to any team working on *Privacy Guides*-related development or content.
+- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea)
+
+## Matrix
+
+- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org)
+- Availability: Invite-Only
+ Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence.
+- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy)
+
+## SearXNG
+
+- Domain: [search.privacyguides.net](https://search.privacyguides.net)
+- Availability: Public
+- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker)
+
+## Invidious
+
+- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net)
+- Availability: Semi-Public
+ We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time.
+- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious)
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/about/statistics.md b/i18n/uk/about/statistics.md new file mode 100644 index 00000000..9a52062b --- /dev/null +++ b/i18n/uk/about/statistics.md @@ -0,0 +1,63 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/advanced/communication-network-types.md b/i18n/uk/advanced/communication-network-types.md new file mode 100644 index 00000000..74eaabf0 --- /dev/null +++ b/i18n/uk/advanced/communication-network-types.md 
@@ -0,0 +1,104 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. 
+- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. 
They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. 
There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. 
Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/advanced/dns-overview.md b/i18n/uk/advanced/dns-overview.md new file mode 100644 index 00000000..100dba51 --- /dev/null +++ b/i18n/uk/advanced/dns-overview.md 
@@ -0,0 +1,307 @@ +--- +title: "DNS Overview" +icon: material/dns +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. 
This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. 
| Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. 
Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. 
When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. 
We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. 
Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. 
We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. 
It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? 
+ +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/advanced/tor-overview.md b/i18n/uk/advanced/tor-overview.md new file mode 100644 index 00000000..d22a8fd1 --- /dev/null +++ b/i18n/uk/advanced/tor-overview.md 
@@ -0,0 +1,81 @@
+---
+title: "Tor Overview"
+icon: 'simple/torproject'
+---
+
+Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications.
+
+## Path Building
+
+Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays).
+
+Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function:
+
+### The Entry Node
+
+The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to.
+
+Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1]
+
+### The Middle Node
+
+The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to.
+
+For each new circuit, the middle node is randomly selected out of all available Tor nodes.
+
+### The Exit Node
+
+The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to.
+
+The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2]
+
+
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+
Tor circuit pathway
+
+
+## Encryption
+
+Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order.
+
+Once Tor has built a circuit, data transmission is done as follows:
+
+1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node.
+
+2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node.
+
+3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address.
+
+Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back.
+
+
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light)
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark)
+
Sending and receiving data through the Tor Network
+
+
+Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address.
+
+## Caveats
+
+Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect:
+
+- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity.
+- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible.
+
+If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting.
+
+- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser)
+
+## Additional Resources
+
+- [Tor Browser User Manual](https://tb-manual.torproject.org)
+- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube)
+- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube)
+
+--8<-- "includes/abbreviations.uk.txt"
+
+[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack.
The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/uk/android.md b/i18n/uk/android.md
new file mode 100644
index 00000000..586f8004
--- /dev/null
+++ b/i18n/uk/android.md
@@ -0,0 +1,353 @@
+---
+title: "Android"
+icon: 'simple/android'
+---
+
+![Android logo](assets/img/android/android.svg){ align=right }
+
+The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features.
+
+[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage }
+[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation}
+[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" }
+
+These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android:
+
+- [General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md)
+- [Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+
+## AOSP Derivatives
+
+We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems.
+
+!!! note
+
+ End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software.
+
+### GrapheneOS
+
+!!! 
рекомендації
+
+ ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right }
+ ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right }
+
+ **GrapheneOS** is the best choice when it comes to privacy and security.
+
+ GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported.
+
+ [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice.
+
+Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support).
+
+### DivestOS
+
+!!! 
рекомендації
+
+ ![DivestOS logo](assets/img/android/divestos.svg){ align=right }
+
+ **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/).
+ DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices.
+
+ [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute }
+
+DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758).
All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled.
+
+DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features).
+
+DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date.
For other apps, our recommended methods of obtaining them still apply.
+
+!!! warning
+
+ DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative.
+
+ Not all of the supported devices have verified boot, and some perform it better than others.
+
+## Android Devices
+
+When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible.
+
+Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution.
+
+Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner.
+
+A few more tips regarding Android devices and operating system compatibility:
+
+- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer.
+- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with.
+- In short, if a device or Android distribution is not listed here, there is probably a good reason.
Check out our [forum](https://discuss.privacyguides.net/) to find details!
+
+### Google Pixel
+
+Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element.
+
+!!! рекомендації
+
+ ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right }
+
+ **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems.
+
+ Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer.
+
+ [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary }
+
+Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface.
+
+Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones.
+
+The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web).
If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company.
+
+A few more tips for purchasing a Google Pixel:
+
+- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock.
+- Consider price beating options and specials offered at physical stores.
+- Look at online community bargain sites in your country. These can alert you to good sales.
+- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day.
+
+## General Apps
+
+We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality.
+
+### Shelter
+
+!!! рекомендації
+
+ ![Shelter logo](assets/img/android/shelter.svg){ align=right }
+
+ **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device.
+
+ Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)).
+
+ [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute }
+
+ ??? 
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter)
+
+!!! warning
+
+ Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html).
+
+ When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile.
+
+### Auditor
+
+!!! рекомендації
+
+ ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right }
+ ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right }
+
+ **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system.
+
+ [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation}
+ [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute }
+
+ ??? 
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+Auditor performs attestation and intrusion detection by:
+
+- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*.
+- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app).
+- The *auditor* records the current state and configuration of the *auditee*.
+- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations.
+- You will be alerted to the change.
+
+No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring.
+
+If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection.
+
+### Secure Camera
+
+!!! 
рекомендації
+
+ ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right }
+ ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right }
+
+ **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices.
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+Main privacy features include:
+
+- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default)
+- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required
+- Microphone permission not required unless you want to record sound
+
+!!! note
+
+ Metadata is not currently deleted from video files but that is planned.
+
+ The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser).
+
+### Secure PDF Viewer
+
+!!! 
рекомендації
+
+ ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right }
+ ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right }
+
+ **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files.
+
+ [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content.
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+## Obtaining Applications
+
+### GrapheneOS App Store
+
+GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer).
If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to.
+
+### Aurora Store
+
+The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store.
+
+!!! рекомендації
+
+ ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right }
+
+ **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps.
+
+ [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases)
+
+Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device.
+
+### Manually with RSS Notifications
+
+For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases.
+
+![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark)
+
+#### GitHub
+
+On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL:
+
+`https://github.com/GrapheneOS/Camera/releases.atom`
+
+#### GitLab
+
+On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL:
+
+`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom`
+
+#### Verifying APK Fingerprints
+
+If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools).
+
+1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/).
+
+2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools).
+
+3. Extract the downloaded archive:
+
+ ```bash
+ unzip commandlinetools-*.zip
+ cd cmdline-tools
+ ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3"
+ ```
+
+4. Run the signature verification command:
+
+ ```bash
+ ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk
+ ```
+
+5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website.
+
+ ```bash
+ Signer #1 certificate DN: CN=GrapheneOS
+ Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59
+ Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c
+ Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3
+ ```
+
+### F-Droid
+
+![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px }
+
+==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages.
+
+Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust.
+
+Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository.
While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.
+
+That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method.
+
+!!! note
+
+ In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here.
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Operating Systems + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/assets/img/account-deletion/exposed_passwords.png b/i18n/uk/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/uk/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/uk/assets/img/android/rss-apk-dark.png b/i18n/uk/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/uk/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/uk/assets/img/android/rss-apk-light.png b/i18n/uk/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/uk/assets/img/android/rss-apk-light.png differ 
diff --git a/i18n/uk/assets/img/android/rss-changes-dark.png b/i18n/uk/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/uk/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/uk/assets/img/android/rss-changes-light.png b/i18n/uk/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/uk/assets/img/android/rss-changes-light.png differ diff --git a/i18n/uk/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/uk/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/uk/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/uk/assets/img/how-tor-works/tor-encryption.svg b/i18n/uk/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/uk/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/uk/assets/img/how-tor-works/tor-path-dark.svg b/i18n/uk/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/uk/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/uk/assets/img/how-tor-works/tor-path.svg b/i18n/uk/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/uk/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/uk/assets/img/multi-factor-authentication/fido.png b/i18n/uk/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/uk/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/uk/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/uk/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/uk/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/uk/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/uk/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/uk/assets/img/qubes/qubes-trust-level-architecture.png differ 
diff --git a/i18n/uk/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/uk/assets/img/qubes/r4.0-xfce-three-domains-at-work.png
new file mode 100644
index 00000000..d7138149
Binary files /dev/null and b/i18n/uk/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ
diff --git a/i18n/uk/basics/account-creation.md b/i18n/uk/basics/account-creation.md
new file mode 100644
index 00000000..e6bab984
--- /dev/null
+++ b/i18n/uk/basics/account-creation.md
@@ -0,0 +1,82 @@
+---
+title: "Account Creation"
+icon: 'material/account-plus'
+---
+
+Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line.
+
+There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer.
+
+It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.
+
+## Terms of Service & Privacy Policy
+
+The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for.
+
+The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect.
+
+We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start.
+
+Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy.
+
+## Authentication methods
+
+There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks.
+
+### Email and password
+
+The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords.
+
+!!! tip
+
+ You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key.
+
+You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts.
+
+[Recommended password managers](../passwords.md ""){.md-button}
+
+#### Email aliases
+
+If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to.
+
+Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked.
+
+[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button}
+
+### Single sign-on
+
+!!! note
+
+ We are discussing Single sign-on for personal use, not enterprise users.
+
+Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO.
+
+When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account.
+
+The main advantages are:
+
+- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials.
+- **Ease of use**: multiple accounts are managed by a single login.
+
+But there are disadvantages:
+
+- **Privacy**: a SSO provider will know the services you use.
+- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected.
+
+SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md).
+
+All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak.
+
+### Phone number
+
+We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted.
+
+You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts.
+
+In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number!
+
+### Username and password
+
+Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password.
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/basics/account-deletion.md b/i18n/uk/basics/account-deletion.md
new file mode 100644
index 00000000..3146f527
--- /dev/null
+++ b/i18n/uk/basics/account-deletion.md
@@ -0,0 +1,63 @@
+---
+title: "Account Deletion"
+icon: 'material/account-remove'
+---
+
+Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence.
+
+## Finding Old Accounts
+
+### Password Manager
+
+If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/).
+
+
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png)
+
+
+Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336).
+
+Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about:
+
+- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
+- macOS [Passwords](https://support.apple.com/en-us/HT211145)
+- iOS [Passwords](https://support.apple.com/en-us/HT211146)
+- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
+
+### Email
+
+If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts.
+
+## Deleting Old Accounts
+
+### Log In
+
+In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts.
+
+When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account.
+
+### GDPR (EEA residents only)
+
+Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
+
+### Overwriting Account information
+
+In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information.
+
+For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.
+
+### Delete
+
+You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
+
+For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this).
+
+If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
+
+Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services.
+
+## Avoid New Accounts
+
+As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/basics/common-misconceptions.md b/i18n/uk/basics/common-misconceptions.md
new file mode 100644
index 00000000..1c3ed8b1
--- /dev/null
+++ b/i18n/uk/basics/common-misconceptions.md
@@ -0,0 +1,61 @@
+---
+title: "Common Misconceptions"
+icon: 'material/robot-confused'
+---
+
+## "Open-source software is always secure" or "Proprietary software is more secure"
+
+These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis.
+
+Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1]
+
+On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
+
+To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use.
+
+## "Shifting trust can increase privacy"
+
+We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that:
+
+1. You must exercise caution when choosing a provider to shift trust to.
+2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data.
+
+## "Privacy-focused solutions are inherently trustworthy"
+
+Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider.
+
+The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all.
+
+## "Complicated is better"
+
+We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?"
+
+Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips:
+
+1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions.
+2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember.
+3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight.
+
+So, how might this look?
+
+One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to.
+
+1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses.
+
+ We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means.
+
+ !!! tip
+
+ When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private.
+
+2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc.
+
+ You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.
+
+3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly.
+
+ Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.)
+
+--8<-- "includes/abbreviations.uk.txt"
+
+[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident).
diff --git a/i18n/uk/basics/common-threats.md b/i18n/uk/basics/common-threats.md
new file mode 100644
index 00000000..d19afea1
--- /dev/null
+++ b/i18n/uk/basics/common-threats.md
@@ -0,0 +1,149 @@
+---
+title: "Common Threats"
+icon: 'material/eye-outline'
+---
+
+Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat.
+
+- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically.
+- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically.
+- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
+- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
+- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities.
+- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
+- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public.
+- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online.
+
+Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices.
+
+## Anonymity vs. Privacy
+
+:material-incognito: Anonymity
+
+Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity.
+
+Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far.
+
+## Security and Privacy
+
+:material-bug-outline: Passive Attacks
+
+Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.)
+
+When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited.
+
+To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control.
+
+!!! tip
+
+ Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources.
+
+ Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os).
+
+:material-target-account: Targeted Attacks
+
+Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies.
+
+!!! tip
+
+ By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this.
+
+If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user.
+
+## Privacy From Service Providers
+
+:material-server-network: Service Providers
+
+We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them.
+
+The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord.
+
+Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party.
+
+!!! note "Note on Web-based Encryption"
+
+ In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering).
+
+ On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt.
+
+ Therefore, you should use native applications over web clients whenever possible.
+
+Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all.
+
+## Mass Surveillance Programs
+
+:material-eye-outline: Mass Surveillance
+
+Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative.
+
+!!! abstract "Atlas of Surveillance"
+
+ If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/).
+
+ In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net.
+
+Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others.
+
+!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
+
+ In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline.
+
+Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2]
+
+Online, you can be tracked via a variety of methods:
+
+- Your IP address
+- Browser cookies
+- The data you submit to websites
+- Your browser or device fingerprint
+- Payment method correlation
+
+\[This list isn't exhaustive].
+
+If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information.
+
+:material-account-cash: Surveillance Capitalism
+
+> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3]
+
+For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4]
+
+Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you.
+
+## Limiting Public Information
+
+:material-account-search: Public Exposure
+
+The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy.
+
+- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md)
+
+On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission.
+
+If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information.
+
+## Avoiding Censorship
+
+:material-close-outline: Censorship
+
+Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5]
+
+Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.
+
+People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.
+
+!!! tip
+
+ While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic.
+
+ You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
+
+You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.
+
+--8<-- "includes/abbreviations.uk.txt"
+
+[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance).
+[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques.
+[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights).
diff --git a/i18n/uk/basics/email-security.md b/i18n/uk/basics/email-security.md
new file mode 100644
index 00000000..4a310710
--- /dev/null
+++ b/i18n/uk/basics/email-security.md
@@ -0,0 +1,42 @@
+---
+title: Email Security
+icon: material/email
+---
+
+Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed.
+
+As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others.
+
+## Email Encryption Overview
+
+The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
+
+There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible.
+
+### What Email Clients Support E2EE?
+
+Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication.
+
+### How Do I Protect My Private Keys?
+
+A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
+
+It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.
+
+## Email Metadata Overview
+
+Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
+
+Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent.
+
+### Who Can View Email Metadata?
+
+Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages.
+
+### Why Can't Metadata be E2EE?
+
+Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc.
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/basics/multi-factor-authentication.md b/i18n/uk/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..7b26f905
--- /dev/null
+++ b/i18n/uk/basics/multi-factor-authentication.md
@@ -0,0 +1,166 @@
+---
+title: "Multi-Factor Authentication"
+icon: 'material/two-factor-authentication'
+---
+
+**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app.
+
+Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone.
+
+MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO.
+
+## MFA Method Comparison
+
+### SMS or Email MFA
+
+Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account.
+
+### Push Notifications
+
+Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first.
+
+We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices.
+
+The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app.
+
+### Time-based One-time Password (TOTP)
+
+TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password.
+
+The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes.
+
+If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app.
+
+Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds).
+
+An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
+
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+
+### Hardware security keys
+
+The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory.
+
+These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones.
+
+#### Yubico OTP
+
+Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server.
+
+When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field.
+
+The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
+
+
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png)
+
+
+There are some benefits and disadvantages to using Yubico OTP when compared to TOTP.
+
+The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance.
+
+If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key.
+
+#### FIDO (Fast IDentity Online)
+
+[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn).
+
+U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on.
+
+WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication.
+
+
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png)
+
+
+When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal.
+
+This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards.
+
+
+
+
+
+FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods.
+
+Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy.
+
+Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys.
+
+If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA.
+
+## General Recommendations
+
+We have these general recommendations:
+
+### Which Method Should I Use?
+
+When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account.
+
+### Backups
+
+You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one.
+
+When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)).
+
+### Initial Set Up
+
+When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well.
+
+### Email and SMS
+
+If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method.
+
+If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam).
+
+[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button}
+
+## More Places to Set Up MFA
+
+Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well.
+
+### Windows
+
+Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer.
+ +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. 
+ +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/basics/passwords-overview.md b/i18n/uk/basics/passwords-overview.md new file mode 100644 index 00000000..f5aab0a8 --- /dev/null +++ b/i18n/uk/basics/passwords-overview.md 
@@ -0,0 +1,112 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. 
+ +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! 
note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. 
+ + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. 
+ +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/basics/threat-modeling.md b/i18n/uk/basics/threat-modeling.md new file mode 100644 index 00000000..fe6b111c --- /dev/null +++ b/i18n/uk/basics/threat-modeling.md 
@@ -0,0 +1,111 @@ +--- +title: "Threat Modeling" +icon: 'material/target-account' +--- + +Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. What do I want to protect? +2. Who do I want to protect it from? +3. How likely is it that I will need to protect it? +4. How bad are the consequences if I fail? +5. How much trouble am I willing to go through to try to prevent potential consequences? + +### What do I want to protect? + +An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. 
Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. 
+ +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. 
Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. 
+ +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Sources + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/basics/vpn-overview.md b/i18n/uk/basics/vpn-overview.md new file mode 100644 index 00000000..e5eaaa4f --- /dev/null +++ b/i18n/uk/basics/vpn-overview.md 
@@ -0,0 +1,78 @@ +--- +title: VPN Overview +icon: material/vpn +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. 
However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. 
If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. 
Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/calendar.md b/i18n/uk/calendar.md new file mode 100644 index 00000000..bd8d21db --- /dev/null +++ b/i18n/uk/calendar.md 
@@ -0,0 +1,71 @@ +--- +title: "Calendar Sync" +icon: material/calendar +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! рекомендації + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! 
рекомендації + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Qualifications
+
+- Must sync and store information with E2EE to ensure data is not visible to the service provider.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should integrate with native OS calendar and contact management apps if applicable.
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/cloud.md b/i18n/uk/cloud.md
new file mode 100644
index 00000000..e3ce4f6e
--- /dev/null
+++ b/i18n/uk/cloud.md
@@ -0,0 +1,62 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by either putting you in control of your data or by implementing E2EE. + +If these alternatives do not fit your needs, we suggest you look into [Encryption Software](encryption.md). + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! рекомендації + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is an E2EE general file storage service by the popular encrypted email provider [Proton Mail](https://proton.me/mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +Proton Drive's mobile clients were released in December 2022 and are not yet open-source. Proton has historically delayed their source code releases until after initial product releases, and [plans to](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) release the source code by the end of 2023. Proton Drive desktop clients are still in development. 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. 
+- Should offer at least basic file preview and editing functionality on the web interface.
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/data-redaction.md b/i18n/uk/data-redaction.md
new file mode 100644
index 00000000..a3389e8a
--- /dev/null
+++ b/i18n/uk/data-redaction.md
@@ -0,0 +1,146 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! рекомендації + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! рекомендації + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. 
+ + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! рекомендації + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. 
+ + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! рекомендації + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! рекомендації + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. 
+ + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/desktop-browsers.md b/i18n/uk/desktop-browsers.md new file mode 100644 index 00000000..4f82f4fe --- /dev/null +++ b/i18n/uk/desktop-browsers.md 
@@ -0,0 +1,263 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping your browser extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Firefox + +!!! рекомендації + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! 
warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. 
+
+Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider.
+
+##### Telemetry
+
+- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla**
+- [ ] Uncheck **Allow Firefox to install and run studies**
+- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf**
+
+> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.
+
+Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out:
+
+1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection)
+2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts**
+
+##### HTTPS-Only Mode
+
+- [x] Select **Enable HTTPS-Only Mode in all windows**
+
+This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing.
+
+### Firefox Sync
+
+[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE.
+
+### Arkenfox (advanced)
+
+The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox.
If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +## Brave + +!!! рекомендації + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. 
+ +### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Social media blocking
+
+- [ ] Uncheck all social media components
+
+##### Privacy and security
+
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+
+1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser).
+
+##### Extensions
+
+Disable built-in extensions you do not use in **Extensions**
+
+- [ ] Uncheck **Hangouts**
+- [ ] Uncheck **WebTorrent**
+
+##### IPFS
+
+InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+- [x] Select **Disabled** on Method to resolve IPFS resources
+
+##### Additional settings
+
+Under the *System* menu
+
+
+- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1)
+
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! рекомендації + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). 
+ +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +--8<-- "includes/abbreviations.uk.txt" + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/uk/desktop.md b/i18n/uk/desktop.md new file mode 100644 index 00000000..81920f8d --- /dev/null +++ b/i18n/uk/desktop.md 
@@ -0,0 +1,184 @@
+---
+title: "Desktop/PC"
+icon: simple/linux
+---
+
+Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions.
+
+- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md)
+
+## Traditional Distributions
+
+### Fedora Workstation
+
+!!! рекомендації
+
+ ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right }
+
+ **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general.
+
+ [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
+
+### openSUSE Tumbleweed
+
+!!! рекомендації
+
+ ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
+
+ **openSUSE Tumbleweed** is a stable rolling release distribution. 
+
+ openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.
+
+ [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute }
+
+Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality.
+
+### Arch Linux
+
+!!! рекомендації
+
+ ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right }
+
+ **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).
+
+ [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute }
+
+Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.
+
+Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
+
+A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). 
+
+## Immutable Distributions
+
+### Fedora Silverblue
+
+!!! рекомендації
+
+ ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right }
+
+ **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.
+
+ [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
+
+Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.
+
+After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed.
+
+[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. 
+
+As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer.
+
+### NixOS
+
+!!! рекомендації
+
+ ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right }
+
+ NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.
+
+ [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute }
+
+NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.
+
+NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.
+
+Nix the package manager uses a purely functional language - which is also called Nix - to define packages.
+
+[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. 
You can also define your own packages in the same language and then easily include them in your config.
+
+Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible.
+
+## Anonymity-Focused Distributions
+
+### Whonix
+
+!!! рекомендації
+
+ ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right }
+
+ **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os).
+
+ [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute }
+
+Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.
+
+Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. 
+
+Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
+
+Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors.
+
+### Tails
+
+!!! рекомендації
+
+ ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right }
+
+ **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off.
+
+ [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute }
+
+Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized.
+
+Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. 
[Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device.
+
+By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots.
+
+## Security-focused Distributions
+
+### Qubes OS
+
+!!! рекомендації
+
+ ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right }
+
+ **Qubes** це операційна система з відкритим кодом, розроблена для забезпечення надійної безпеки настільних комп'ютерів. Qubes базується на Xen, X Window System та Linux і може запускати більшість програм Linux та використовувати більшість драйверів Linux.
+
+ [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary }
+ [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute }
+
+Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*.
+
+The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). 
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+Our recommended operating systems:
+
+- Must be open-source.
+- Must receive regular software and Linux kernel updates.
+- Linux distributions must support [Wayland](os/linux-overview.md#Wayland).
+- Must support full-disk encryption during installation.
+- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/dns.md b/i18n/uk/dns.md
new file mode 100644
index 00000000..94c28ff9
--- /dev/null
+++ b/i18n/uk/dns.md
@@ -0,0 +1,142 @@ +--- +title: "DNS Resolvers" +icon: material/dns +--- + +!!! question "Should I use encrypted DNS?" + + Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + + [Learn more about DNS](advanced/dns-overview.md){ .md-button } + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. |
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec).
+- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization).
+- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled.
+- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support.
+
+## Native Operating System Support
+
+### Android
+
+Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**.
+
+### Apple Devices
+
+The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). 
+
+After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings.
+
+#### Signed Profiles
+
+Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/).
+
+!!! info
+
+ `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS.
+
+## Encrypted DNS Proxies
+
+Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns).
+
+### RethinkDNS
+
+!!! 
рекомендації
+
+ ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right }
+ ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right }
+
+ **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
+
+ [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns)
+ - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases)
+
+### dnscrypt-proxy
+
+!!! рекомендації
+
+ ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right }
+
+ **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
+
+ !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." 
+
+ [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows)
+ - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS)
+ - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux)
+
+## Self-hosted Solutions
+
+A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed.
+
+### AdGuard Home
+
+!!! рекомендації
+
+ ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right }
+
+ **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ AdGuard Home features a polished web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" }
+
+### Pi-hole
+
+!!! 
рекомендації
+
+ ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right }
+
+ **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute }
+
+--8<-- "includes/abbreviations.uk.txt"
+
+[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html)
+[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. 
[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/)
+[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy)
+[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/)
+[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy)
+[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/)
diff --git a/i18n/uk/email-clients.md b/i18n/uk/email-clients.md
new file mode 100644
index 00000000..12738a7f
--- /dev/null
+++ b/i18n/uk/email-clients.md
@@ -0,0 +1,239 @@ +--- +title: "Email Clients" +icon: material/email-open +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! рекомендації + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! рекомендації + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! 
рекомендації + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! рекомендації + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! рекомендації + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! рекомендації + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. 
+ + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! рекомендації + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! 
рекомендації + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! рекомендації + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/email.md b/i18n/uk/email.md new file mode 100644 index 00000000..7856aeaa --- /dev/null +++ b/i18n/uk/email.md 
@@ -0,0 +1,485 @@ +--- +title: "Email Services" +icon: material/email +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! рекомендації + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +??? 
success "Custom Domains and Aliases" + + Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +??? success "Private Payment Methods" + + Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments. + +??? success "Account Security" + + Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code. + +??? success "Data Security" + + Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + + Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +??? success "Email Encryption" + + Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. 
+ + Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + +??? warning "Digital Legacy" + + Proton Mail doesn't offer a digital legacy feature. + +??? info "Account Termination" + + If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +??? info "Additional Functionality" + + Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +### Mailbox.org + +!!! рекомендації + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +??? success "Custom Domains and Aliases" + + Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. 
Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +??? info "Private Payment Methods" + + Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +??? success "Account Security" + + Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +??? info "Data Security" + + Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + + However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +??? success "Email Encryption" + + Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. 
This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + + Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +??? success "Digital Legacy" + + Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +??? info "Account Termination" + + Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +??? info "Additional Functionality" + + You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + + All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +### StartMail + +!!! 
рекомендації + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +??? success "Custom Domains and Aliases" + + Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +??? warning "Private Payment Methods" + + StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +??? success "Account Security" + + StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +??? info "Data Security" + + StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. 
When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + + StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +??? success "Email Encryption" + + StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. + +??? warning "Digital Legacy" + + StartMail does not offer a digital legacy feature. + +??? info "Account Termination" + + On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +??? info "Additional Functionality" + + StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +### Tutanota + +!!! рекомендації + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +??? success "Custom Domains and Aliases" + + Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). 
Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +??? warning "Private Payment Methods" + + Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +??? success "Account Security" + + Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +??? success "Data Security" + + Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +??? warning "Email Encryption" + + Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +??? warning "Digital Legacy" + + Tutanota doesn't offer a digital legacy feature. + +??? info "Account Termination" + + Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +??? info "Additional Functionality" + + Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + + Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. 
+ +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! рекомендації + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. 
You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! рекомендації + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! 
рекомендації + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! рекомендації + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. 
We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. 
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible.
+
+**Minimum to Qualify:**
+
+- Protect sender's IP address. Filter it from showing in the `Received` header field.
+- Don't require personally identifiable information (PII) besides a username and a password.
+- Privacy policy that meets the requirements defined by the GDPR
+- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/).
+
+**Best Case:**
+
+- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
+
+### Security
+
+Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members.
+
+**Minimum to Qualify:**
+
+- Protection of webmail with 2FA, such as TOTP.
+- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
+- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
+- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). 
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. 
(email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/encryption.md b/i18n/uk/encryption.md new file mode 100644 index 00000000..67c207d7 --- /dev/null +++ b/i18n/uk/encryption.md 
@@ -0,0 +1,357 @@ +--- +title: "Encryption Software" +icon: material/file-lock +--- + +Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here. + +## Multi-platform + +The options listed here are multi-platform and great for creating encrypted backups of your data. + +### Cryptomator (Cloud) + +!!! рекомендації + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. 
Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! рекомендації + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! рекомендації + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. 
+ +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! рекомендації + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. 
Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! рекомендації + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! 
рекомендації + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! 
рекомендації + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! рекомендації + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! рекомендації + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! 
рекомендації + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! рекомендації + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. 
+ + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! рекомендації + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! рекомендації + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. 
Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. 
+- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave.
+- File encryption apps should have first- or third-party support for mobile platforms.
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/file-sharing.md b/i18n/uk/file-sharing.md
new file mode 100644
index 00000000..d4198195
--- /dev/null
+++ b/i18n/uk/file-sharing.md
@@ -0,0 +1,148 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! рекомендації + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! рекомендації + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. 
+ + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! рекомендації + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). 
The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! рекомендації + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! 
danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! рекомендації + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. 
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must not require a third-party remote/cloud server.
+- Must be open-source software.
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Has mobile clients for iOS and Android, which at least support document previews.
+- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android.
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/frontends.md b/i18n/uk/frontends.md
new file mode 100644
index 00000000..bb77cdeb
--- /dev/null
+++ b/i18n/uk/frontends.md
@@ -0,0 +1,268 @@ +--- +title: "Frontends" +icon: material/flip-to-front +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! рекомендації + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. 
+ +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! рекомендації + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. 
Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! рекомендації + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! рекомендації + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). 
When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! рекомендації + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. 
+ + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! рекомендації + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. 
+ + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. 
+ + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! рекомендації + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. 
Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! рекомендації + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! 
tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. + +--8<-- "includes/abbreviations.uk.txt" 
diff --git a/i18n/uk/index.md b/i18n/uk/index.md
new file mode 100644
index 00000000..9bf141a8
--- /dev/null
+++ b/i18n/uk/index.md
@@ -0,0 +1,44 @@ +--- +template: overrides/home.uk.html +hide: + - navigation + - toc + - feedback +--- + + +## Why should I care? + +##### “I have nothing to hide. Why should I care about my privacy?” + +Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination). + +You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human. + +[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary} + +## What should I do? + +##### First, you need to make a plan + +Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them. + +==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan. + +[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## We need you! 
Here's how to get involved:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" }
+[:material-information-outline:](about/index.md){ title="Learn more about us" }
+[:material-hand-coin-outline:](about/donate.md){ title="Support the project" }
+
+It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know.
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/kb-archive.md b/i18n/uk/kb-archive.md
new file mode 100644
index 00000000..3be0dd60
--- /dev/null
+++ b/i18n/uk/kb-archive.md
@@ -0,0 +1,18 @@ +--- +title: KB Archive +icon: material/archive +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/meta/brand.md b/i18n/uk/meta/brand.md new file mode 100644 index 00000000..0003425a --- /dev/null +++ b/i18n/uk/meta/brand.md @@ -0,0 +1,24 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/meta/git-recommendations.md b/i18n/uk/meta/git-recommendations.md new file mode 100644 index 00000000..087f5703 --- /dev/null +++ b/i18n/uk/meta/git-recommendations.md 
@@ -0,0 +1,48 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). 
+
+You can set this to be the default behavior:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase from `main` before submitting a PR
+
+If you are working on your own branch, run these commands before submitting a PR:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/meta/uploading-images.md b/i18n/uk/meta/uploading-images.md
new file mode 100644
index 00000000..c631c37a
--- /dev/null
+++ b/i18n/uk/meta/uploading-images.md
@@ -0,0 +1,91 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash 
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/meta/writing-style.md b/i18n/uk/meta/writing-style.md
new file mode 100644
index 00000000..6db275a0
--- /dev/null
+++ b/i18n/uk/meta/writing-style.md
@@ -0,0 +1,89 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. 
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. 
+ +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/mobile-browsers.md b/i18n/uk/mobile-browsers.md new file mode 100644 index 00000000..219a07f7 --- /dev/null +++ b/i18n/uk/mobile-browsers.md 
@@ -0,0 +1,193 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! рекомендації + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? 
downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +
+ +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! рекомендації + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. 
+ +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). 
Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! рекомендації + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. 
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/multi-factor-authentication.md b/i18n/uk/multi-factor-authentication.md new file mode 100644 index 00000000..a47c3f78 --- /dev/null +++ b/i18n/uk/multi-factor-authentication.md 
@@ -0,0 +1,144 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +--- + +## Hardware Security Keys + +### YubiKey + +!!! рекомендації + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. 
+ +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey / Librem Key + +!!! рекомендації + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. 
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + + The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +!!! tip + + The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. 
+ +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! рекомендації + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! рекомендації + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/news-aggregators.md b/i18n/uk/news-aggregators.md new file mode 100644 index 00000000..61e1d8a9 --- /dev/null +++ b/i18n/uk/news-aggregators.md 
@@ -0,0 +1,173 @@ +--- +title: "News Aggregators" +icon: material/rss +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favourite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! рекомендації + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! рекомендації + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! рекомендації + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! рекомендації + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! рекомендації + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! рекомендації + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! 
рекомендації + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. 
+ + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/notebooks.md b/i18n/uk/notebooks.md new file mode 100644 index 00000000..e68c391b --- /dev/null +++ b/i18n/uk/notebooks.md 
@@ -0,0 +1,115 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! рекомендації + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. + +### Standard Notes + +!!! рекомендації + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! рекомендації + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! рекомендації + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. 
+ + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/os/android-overview.md b/i18n/uk/os/android-overview.md new file mode 100644 index 00000000..3c0e307a --- /dev/null +++ b/i18n/uk/os/android-overview.md 
@@ -0,0 +1,135 @@
+---
+title: Огляд Android
+icon: simple/android
+---
+
+Android - це безпечна операційна система, яка має надійну [пісочницю для додатків](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), та систему управління [дозволами](https://developer.android.com/guide/topics/permissions/overview).
+
+## Вибір прошивки Android
+
+Коли ви купуєте телефон Android, операційна система пристрою за замовчуванням часто постачається з інвазивною інтеграцією з додатками та службами, які не є частиною [Android Open Source Project](https://source.android.com/). Прикладом цього є служби Google Play, які мають безповоротні привілеї для доступу до ваших файлів, зберігання контактів, журналів дзвінків, SMS-повідомлень, місцезнаходження, камери, мікрофона, ідентифікаторів обладнання тощо. Ці програми та сервіси збільшують вразливість вашого пристрою до атак і є джерелом різних проблем з конфіденційністю в Android.
+
+Ця проблема може бути вирішена за допомогою користувацької прошивки Android, яка не постачається з такою інвазивною інтеграцією. На жаль, багато користувацьких прошивок Android часто порушують модель безпеки Android, не підтримуючи критичні функції безпеки, такі як AVB, захист від відкату, оновлення мікропрограми тощо. Деякі дистрибутиви також постачають збірки [`налагодження`](https://source.android.com/setup/build/building#choose-a-target), які надають доступ root через [ADB](https://developer.android.com/studio/command-line/adb) та потребують [більш дозвільних](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) політик SELinux для функцій налагодження, в результаті чого це призводить до збільшення поверхні атаки та ослаблення моделі безпеки.
+
+В ідеалі, вибираючи користувальницький дистрибутив Android, ви повинні переконатися, що він підтримує модель безпеки Android. 
Принаймні, дистрибутив повинен мати виробничі збірки, підтримку AVB, захист від відкату, своєчасне оновлення прошивки та операційної системи, а також SELinux в [примусовому режимі (enforcing mode)](https://source.android.com/security/selinux/concepts#enforcement_levels). Всі наші рекомендовані прошивки Android відповідають цим критеріям.
+
+[Наші рекомендації для системи Android :material-arrow-right:](../android.md ""){.md-button}
+
+## Уникайте рутування
+
+[Рутування](https://en.wikipedia.org/wiki/Rooting_(Android)) Android пристроїв може значно знизити безпеку, оскільки це послаблює повну [модель безпеки Android](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). Це може знизити конфіденційність у разі використання експлойта, якому сприяє зниження безпеки. Поширені методи отримання root-прав передбачають втручання в розділ boot, що унеможливлює успішне виконання Verified Boot. Додатки, які потребують root-права, також змінюють системний розділ, що означає, що Verified Boot повинен залишатись вимкненим. Наявність root-доступу безпосередньо в інтерфейсі користувача також збільшує [поверхню атаки](https://en.wikipedia.org/wiki/Attack_surface) вашого пристрою і може сприяти [підвищенню привілеїв](https://en.wikipedia.org/wiki/Privilege_escalation), вразливостей та обходу політики SELinux.
+
+Блокувальники реклами, які змінюють [файл hosts](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) та фаєрволи (AFWall+), які потребують постійного доступу root є небезпечними та не повинні використовуватися. Вони також не є правильним способом вирішення своїх цілей. Для блокування реклами замість цих рішень ми пропонуємо зашифровані [DNS](../dns.md) або [VPN](../vpn.md) з функцією блокування. RethinkDNS, TrackerControl та AdAway в режимі без root-прав займуть слот VPN (використовуючи локальний цикл VPN), що не дозволить вам використовувати сервіси які підвищують конфіденційність, такі як Orbot або справжній VPN-сервер. 
+
+AFWall+ використовує підхід на основі [пакетної фільтрації](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter), та його можна обійти в деяких ситуаціях.
+
+Ми не вважаємо, що жертви безпеки, які приносить рутування телефону, варті сумнівних переваг конфіденційності цих програм.
+
+## Verified Boot
+
+[Verified Boot](https://source.android.com/security/verifiedboot)> є важливою частиною моделі безпеки Android. Він забезпечує захист від атак [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack), стійкість до шкідливого програмного забезпечення, та гарантує що оновлення безпеки не можуть бути знижені за допомогою [захисту від відкату](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
+
+Android 10 і вище перейшли від повного шифрування диска до більш гнучкішого [шифрування на основі файлів](https://source.android.com/security/encryption/file-based). Ваші дані шифруються за допомогою унікальних ключів шифрування, а файли операційної системи залишаються незашифрованими.
+
+Verified Boot забезпечує цілісність файлів операційної системи, тим самим запобігаючи зловмиснику з фізичним доступом втручатися або встановлювати шкідливе програмне забезпечення на пристрій. У малоймовірному випадку, коли шкідливе програмне забезпечення може експлуатувати інші частини системи та отримувати вищий привілейований доступ, Verified Boot запобігатиме та повертатиме зміни до системного розділу після перезавантаження пристрою.
+
+На жаль, OEM-виробники зобов'язані підтримувати Verified Boot лише на своїй заводській прошивці Android. Лише кілька OEM-виробників, таких як Google, підтримують користувацьку реєстрацію ключів AVB на своїх пристроях. Крім цього, деякі похідні AOSP, такі як LineageOS або /e/ OS, не підтримують Verified Boot навіть на обладнанні з підтримкою Verified Boot для сторонніх операційних систем. Ми рекомендуємо вам перевірити наявність підтримки **перед** придбанням нового пристрою. 
Похідні AOSP, які не підтримують Verified Boot **не рекомендуються**.
+
+Оновлення мікропрограми є критично важливими для підтримки безпеки, і без них ваш пристрій не може бути захищеним. OEM-виробники мають угоди про підтримку зі своїми партнерами щодо надання компонентів із закритим вихідним кодом протягом обмеженого періоду. Вони детально описані в щомісячному [бюлетені безпеки Android](https://source.android.com/security/bulletin).
+
+## Оновлення мікропрограми
+
+Оскільки такі компоненти телефону, як процесор та радіотехнології, покладаються на компоненти із закритим вихідним кодом, оновлення повинні надаватися відповідними виробниками. Тому важливо, щоб ви придбали пристрій в рамках активного циклу підтримки. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) та [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) підтримують свої пристрої протягом 4 років, тоді як дешевші продукти часто мають коротші цикли підтримки.
+
+Пристрої EOL, які більше не підтримуються виробником SoC, не можуть отримувати оновлення мікропрограми від OEM-виробників або сторонніх дистриб'юторів Android. Це означає, що проблеми безпеки на цих пристроях залишаться не усуненими. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support.
+
+Важливо не використовувати версії Android з [вичерпаним терміном служби](https://endoflife.date/android). 
Новіші версії Android не тільки отримують оновлення безпеки для операційної системи, але й важливі оновлення, що покращують конфіденційність.
+
+[Дозволи на Android](https://developer.android.com/guide/topics/permissions/overview) надають вам контроль над доступом програм. Google регулярно вносить [покращення](https://developer.android.com/about/versions/11/privacy/permissions) у систему дозволів в кожній наступній версії. Всі встановлені вами програми суворо [ізольовані](https://source.android.com/security/app-sandbox), тому немає потреби встановлювати будь-які антивірусні додатки.
+
+## Версії Android
+
+It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
+
+## Дозволи Android
+
+[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. 
A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel.
+
+Should you want to run an app that you're unsure about, consider using a user or work profile.
+
+## Профілі користувачів
+
+Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter.
+
+## Профілі користувачів
+
+Для цього потрібен **контролер пристрою** такий як [Shelter](#recommended-apps), якщо ви не використовуєте CalyxOS, яка вже містить в собі контролер.
+
+Робочий профіль залежить від функціонування контролера пристрою. Кожен профіль зашифрований за допомогою власного ключа шифрування і не може отримати доступ до даних будь-яких інших профілів. Навіть власник пристрою не може переглядати дані профілів, не знаючи їхніх паролів. Multiple user profiles are a more secure method of isolation.
+
+## Робочий профіль
+
+[Робочі профілі](https://support.google.com/work/android/answer/6191949) - це ще один спосіб ізоляції програм, який може бути зручнішим, ніж окремі профілі користувачів.
+
+A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one.
+
+Робочий профіль залежить від функціонування контролера пристрою. Такі функції як *Файловий шатл* та *блокування пошуку контактів* або будь-які інші функції ізоляції повинні бути реалізовані контролером. Коли вони не використовуються, ми рекомендуємо вимкнути їх. 
+
+Цей метод, як правило, є менш безпечним, ніж додатковий профіль користувача; однак, він дозволяє вам зручно запускати додатки як в робочому, так і в особистому профілях одночасно.
+
+## VPN Killswitch
+
+Якщо у вас є обліковий запис Google, радимо зареєструватися в [Програмі Додаткового Захисту](https://landing.google.com/advancedprotection/). Ця функція може запобігти витоку, якщо VPN відключений. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+## Глобальні перемикачі
+
+Сучасні пристрої Android мають глобальні перемикачі для вимкнення служб Bluetooth і визначення місцезнаходження. В Android 12 з'явилися перемикачі для камери та мікрофона. Коли вони не використовуються, ми рекомендуємо вимкнути їх. Програми не можуть використовувати вимкнені функції (навіть якщо їм надано індивідуальний дозвіл), поки їх не буде ввімкнено знову.
+
+## Google
+
+Якщо ви користуєтесь пристроєм зі службами Google, заводською операційною системою або операційною системою, яка безпечно використовує служби Google Play, такі як GrapheneOS, ви можете внести ряд додаткових змін, щоб покращити конфіденційність. Ми як і раніше рекомендуємо повністю уникати сервісів Google або обмежити сервіси Google Play профілем користувача/робочим профілем, об'єднавши контролер пристрою, такий як *Shelter* з ізольованим Google Play від GrapheneOS.
+
+### Програма додаткового захисту
+
+Якщо у вас є обліковий запис Google, радимо зареєструватися в [Програмі Додаткового Захисту](https://landing.google.com/advancedprotection/). Це дозволить вам отримати **деякі** виправлення безпеки від Google, не порушуючи при цьому моделі безпеки Android використовуючи небезпечну похідну Android і збільшуючи поверхню атаки.
+
+Програма додаткового захисту забезпечує посилений моніторинг загроз та вмикає:
+
+- Суворішу двофакторну автентифікацію; напр. 
**повинен** використовуватись [FIDO](/security/multi-factor-authentication/#fido-fast-identity-online), та забороняється використання [SMS](/security/multi-factor-authentication/#sms-or-email-mfa), [TOTP](/security/multi-factor-authentication.md#time-based-one-time-password-totp), та [OAuth](https://en.wikipedia.org/wiki/OAuth)
+- Доступ до даних облікового запису можуть отримувати лише Google і перевірені сторонні програми
+- Сканування вхідних електронних листів в акаунтах Gmail на предмет [спроб фішингу](https://en.wikipedia.org/wiki/Phishing#Email_phishing)
+- Суворіше [сканування веб-переглядача](https://www.google.com/chrome/privacy/whitepaper.html#malware) з Google Chrome
+- Більш суворий процес відновлення облікових записів з втраченими обліковими даними
+
+ Якщо ви використовуєте не ізольовані сервіси Google Play (поширені в заводських операційних системах), Програма Додаткового Захисту також надає декілька [додаткових переваг](https://support.google.com/accounts/answer/9764949?hl=en), таких як:
+
+- Не дозволяється встановлення додатків за межами магазину Google Play, магазину додатків постачальника ОС або через [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)
+- Обов'язкове автоматичне сканування пристрою за допомогою [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
+- Попередження про неперевірені додатки
+
+### Оновлення системи Google Play
+
+In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services.
+
+На прошивках Android з привілейованими сервісами Google Play (як на заводських ОС), налаштування може здійснюватися в одному з кількох місць. Перевірте We would still recommend upgrading to a supported device as soon as possible. 
+
+### Рекламний ідентифікатор
+
+Всі пристрої з встановленими сервісами Google Play автоматично генерують [рекламний ідентифікатор](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en), який використовується для таргетованої реклами. Вимкніть цю функцію, щоб обмежити збір даних про вас.
+
+On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*.
+
+На прошивках Android з привілейованими сервісами Google Play (як на заводських ОС), налаштування може здійснюватися в одному з кількох місць. Перевірте
+
+- :gear: **Налаштування** → **Google** → **Реклама**
+- :gear: **Налаштування** → **Конфіденційність** → **Реклама**
+
+You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID.
+
+### SafetyNet та Play API цілісність
+
+[SafetyNet](https://developer.android.com/training/safetynet/attestation) та [Play API цілісність](https://developer.android.com/google/play/integrity) зазвичай використовуються для [банківських додатків](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS проходить перевірку `basicIntegrity`, але не перевірку сертифікації `ctsProfileMatch`. Пристрої з Android 8 або пізнішою версією мають підтримку апаратної атестації, яку неможливо обійти без витоку ключів або серйозних вразливостей. 
+
+Що стосується Google Wallet, ми не рекомендуємо це використовувати через їхню [політику конфіденційності](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en) яка стверджує, що ви повинні відмовитися, якщо ви не хочете, щоб ваш кредитний рейтинг та особиста інформація надавалися партнерським маркетинговим службам.
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/os/linux-overview.md b/i18n/uk/os/linux-overview.md
new file mode 100644
index 00000000..2123801f
--- /dev/null
+++ b/i18n/uk/os/linux-overview.md 
@@ -0,0 +1,143 @@
+---
+title: Linux Overview
+icon: simple/linux
+---
+
+It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years.
+
+At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.:
+
+- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). 
These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack)
+- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go
+- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations)
+
+Despite these drawbacks, desktop Linux distributions are great if you want to:
+
+- Avoid telemetry that often comes with proprietary operating systems
+- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms)
+- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/)
+
+Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here.
+
+[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button}
+
+## Choosing your distribution
+
+Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use.
+
+### Release cycle
+
+We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. 
This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+
+### “Security-focused” distributions
+
+There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use.
+
+### Arch-based distributions
+
+Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.
+
+For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit).
+
+Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). 
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.
+
+If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically:
+
+- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories.
+- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks.
+
+### Kicksecure
+
+While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.
+
+### Linux-libre kernel and “Libre” distributions
+
+We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. 
+
+## General Recommendations
+
+### Drive Encryption
+
+Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
+
+- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+
+### Swap
+
+Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM).
+
+### Wayland
+
+We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. 
+
+Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
+
+We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
+
+### Proprietary Firmware (Microcode Updates)
+
+Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html).
+
+We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. 
+
+### Updates
+
+Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found.
+
+Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates.
+
+Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd).
+
+## Privacy Tweaks
+
+### MAC Address Randomization
+
+Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings.
+
+It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous.
+
+We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/).
+
+If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). 
+ +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. 
+ +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/os/qubes-overview.md b/i18n/uk/os/qubes-overview.md new file mode 100644 index 00000000..12a9a198 --- /dev/null +++ b/i18n/uk/os/qubes-overview.md @@ -0,0 +1,56 @@ +--- +title: "Qubes Overview" +icon: pg/qubes-os +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+
+Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser.
+
+![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png)
+
Qubes window borders, Credit: Qubes Screenshots
+
+## Why Should I use Qubes?
+
+Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources.
+
+Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control.
+
+### Copying and Pasting Text
+
+You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions:
+
+1. Press **Ctrl+C** to tell the VM you're in that you want to copy something.
+2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard.
+3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available.
+4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer.
+
+### File Exchange
+
+To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system.
+
+??? info "AppVMs or qubes do not have their own file systems"
+
+ You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident.
+
+### Inter-VM Interactions
+
+The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/).
+
+## Additional Resources
+
+For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc).
+
+- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/)
+- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf)
+- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html)
+- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles)
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/passwords.md b/i18n/uk/passwords.md
new file mode 100644
index 00000000..289a29f3
--- /dev/null
+++ b/i18n/uk/passwords.md
@@ -0,0 +1,230 @@
+---
+title: "Password Managers"
+icon: material/form-textbox-password
+---
+
+Password managers allow you to securely store and manage passwords and other credentials with the use of a master password.
+
+[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md)
+
+!!! info
+
+ Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have.
+
+ For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default.
+
+## Cloud-based
+
+These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss.
+
+### Bitwarden
+
+!!! рекомендації
+
+ ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right }
+
+ **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices.
+
+ [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744)
+ - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases)
+ - [:simple-windows11: Windows](https://bitwarden.com/download)
+ - [:simple-linux: Linux](https://bitwarden.com/download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh)
+
+Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan).
+
+You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing.
+
+Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server.
+
+**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code.
+
+[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation}
+[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute }
+
+### 1Password
+
+!!! рекомендації
+
+ ![1Password logo](assets/img/password-management/1password.svg){ align=right }
+
+ **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf).
+
+ [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation}
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8)
+ - [:simple-windows11: Windows](https://1password.com/downloads/windows/)
+ - [:simple-apple: macOS](https://1password.com/downloads/mac/)
+ - [:simple-linux: Linux](https://1password.com/downloads/linux/)
+
+Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality.
+
+Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data.
+
+One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate.
+
+### Psono
+
+!!! рекомендації
+
+ ![Psono logo](assets/img/password-management/psono.svg){ align=right }
+
+ **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password.
+
+ [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo)
+ - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client)
+
+Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features.
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must utilize strong, standards-based/modern E2EE.
+- Must have thoroughly documented encryption and security practices.
+- Must have a published audit from a reputable, independent third-party.
+- All non-essential telemetry must be optional.
+- Must not collect more PII than is necessary for billing purposes.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Telemetry should be opt-in (disabled by default) or not collected at all.
+- Should be open-source and reasonably self-hostable.
+
+## Local Storage
+
+These options allow you to manage an encrypted password database locally.
+
+### KeePassXC
+
+!!! рекомендації
+
+ ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right }
+
+ **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager.
+
+ [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually.
+
+### KeePassDX (Android)
+
+!!! рекомендації
+
+ ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right }
+
+ **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development.
+
+ [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free)
+ - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases)
+
+### Strongbox (iOS & macOS)
+
+!!! рекомендації
+
+ ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right }
+
+ **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license.
+
+ [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731)
+
+Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface.
+
+### Command-line
+
+These products are minimal password managers that can be used within scripting applications.
+
+#### gopass
+
+!!! рекомендації
+
+ ![gopass logo](assets/img/password-management/gopass.svg){ align=right }
+
+ **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows).
+
+ [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows)
+ - [:simple-apple: macOS](https://www.gopass.pw/#install-macos)
+ - [:simple-linux: Linux](https://www.gopass.pw/#install-linux)
+ - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be cross-platform.
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/productivity.md b/i18n/uk/productivity.md
new file mode 100644
index 00000000..e7b39f27
--- /dev/null
+++ b/i18n/uk/productivity.md
@@ -0,0 +1,156 @@
+---
+title: "Productivity Tools"
+icon: material/file-sign
+---
+
+Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints.
+
+## Collaboration Platforms
+
+### Nextcloud
+
+!!! рекомендації
+
+ ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right }
+
+ **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control.
+
+ [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!! danger
+
+ We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers.
+
+### CryptPad
+
+!!! рекомендації
+
+ ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right }
+
+ **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily.
+
+ [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute }
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive.
+
+- Open-source.
+- Makes files accessible via WebDAV unless it is impossible due to E2EE.
+- Has sync clients for Linux, macOS, and Windows.
+- Supports document and spreadsheet editing.
+- Supports real-time document collaboration.
+- Supports exporting documents to standard document formats (e.g. ODF).
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should store files in a conventional filesystem.
+- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins.
+
+## Office Suites
+
+### LibreOffice
+
+!!! рекомендації
+
+ ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right }
+
+ **LibreOffice** is a free and open-source office suite with extensive functionality.
+
+ [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/)
+ - [:simple-apple: macOS](https://www.libreoffice.org/download/download/)
+ - [:simple-linux: Linux](https://www.libreoffice.org/download/download/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/)
+
+### OnlyOffice
+
+!!! рекомендації
+
+ ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right }
+
+ **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud.
+
+ [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972)
+ - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs.
+
+- Must be cross-platform.
+- Must be open-source software.
+- Must function offline.
+- Must support editing documents, spreadsheets, and slideshows.
+- Must export files to standard document formats.
+
+## Paste services
+
+### PrivateBin
+
+!!! рекомендації
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/).
+
+ [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" }
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/real-time-communication.md b/i18n/uk/real-time-communication.md
new file mode 100644
index 00000000..f780d05f
--- /dev/null
+++ b/i18n/uk/real-time-communication.md
@@ -0,0 +1,195 @@
+---
+title: "Real-Time Communication"
+icon: material/chat-processing
+---
+
+These are our recommendations for encrypted real-time communication.
+
+[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md)
+
+## Encrypted Messengers
+
+These messengers are great for securing your sensitive communications.
+
+### Signal
+
+!!! рекомендації
+
+ ![Signal logo](assets/img/messengers/signal.svg){ align=right }
+
+ **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling.
+
+ All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with.
+
+ [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669)
+ - [:simple-android: Android](https://signal.org/android/apk/)
+ - [:simple-windows11: Windows](https://signal.org/download/windows)
+ - [:simple-apple: macOS](https://signal.org/download/macos)
+ - [:simple-linux: Linux](https://signal.org/download/linux)
+
+Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier.
+
+The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
+
+We have some additional tips on configuring and hardening your Signal installation:
+
+[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+
+### SimpleX Chat
+
+!!! рекомендації
+
+ ![Simplex logo](assets/img/messengers/simplex.svg){ align=right }
+
+ **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations.
+
+ [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" }
+
+ ???
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! рекомендації + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! рекомендації + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. 
+ + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. 
The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! рекомендації + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. 
+ +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should have Perfect Forward Secrecy.
+- Should have open-source servers.
+- Should be decentralized, i.e. federated or P2P.
+- Should use E2EE for all messages by default.
+- Should support Linux, macOS, Windows, Android, and iOS.
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/router.md b/i18n/uk/router.md
new file mode 100644
index 00000000..5864b52f
--- /dev/null
+++ b/i18n/uk/router.md
@@ -0,0 +1,48 @@ +--- +title: "Прошивка роутера" +icon: material/router-wireless +--- + +Нижче наведено кілька альтернативних операційних систем, які можна використовувати на маршрутизаторах, точках доступу Wi-Fi тощо. + +## OpenWrt + +!!! рекомендації + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** - це операційна система (зокрема, вбудована операційна система), заснована на ядрі Linux, яка в основному використовується на вбудованих пристроях для маршрутизації мережевого трафіку. Основними компонентами є ядро Linux, util-linux, uClibc, та BusyBox. Всі компоненти були оптимізовані за розміром, щоб бути досить маленькими для розміщення в обмеженому сховищі і пам'яті, доступних в домашніх маршрутизаторах. + + [Homepage](https://openwrt.org){ .md-button .md-button--primary } + + ??? + +Щоб перевірити, чи підтримується ваш пристрій, перегляньте [таблицю апаратного забезпечення](https://openwrt.org/toh/start) OpenWrt. + +## OPNsense + +!!! рекомендації + + ![pfSense logo](assets/img/router/pfsense.svg#only-light){ align=right } + ![pfSense logo](assets/img/router/pfsense-dark.svg#only-dark){ align=right } + + pfSense - це дистрибутив програмного забезпечення для брандмауера / маршрутизатора з відкритим вихідним кодом, заснований на FreeBSD. Він встановлюється на комп'ютер для створення виділеного брандмауера/маршрутизатора для мережі та відомий своєю надійністю і пропонує функції, які часто зустрічаються тільки в дорогих комерційних брандмауерах. + + pfSense зазвичай розгортається як брандмауер по периметру, маршрутизатор, бездротова точка доступу, DHCP-сервер, DNS-сервер і кінцева точка VPN. + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. 
Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open source.
+- Must receive regular updates.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/search-engines.md b/i18n/uk/search-engines.md
new file mode 100644
index 00000000..94a2c615
--- /dev/null
+++ b/i18n/uk/search-engines.md
@@ -0,0 +1,109 @@ +--- +title: "Search Engines" +icon: material/search-web +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! рекомендації + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! 
рекомендації + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! 
рекомендації + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! рекомендації + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. 
The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. 
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must not collect personally identifiable information per their privacy policy.
+- Must not allow users to create an account with them.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be based on open-source software.
+- Should not block Tor exit node IP addresses.
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/tools.md b/i18n/uk/tools.md
new file mode 100644
index 00000000..d0bc0746
--- /dev/null
+++ b/i18n/uk/tools.md
@@ -0,0 +1,443 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+
+- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser)
+- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot)
+- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1)
+
+
+
+1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy.
+
+[Learn more :material-arrow-right-drop-circle:](tor.md)
+
+## Desktop Web Browsers
+
+
+
+- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox)
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md)
+
+### Additional Resources
+
+
+
+- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources)
+
+## Mobile Web Browsers
+
+
+
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave)
+- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md)
+
+### Additional Resources
+
+
+
+- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard)
+
+## Operating Systems
+
+### Mobile
+
+
+
+- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos)
+- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md)
+
+#### Android Apps
+
+
+
+- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store)
+- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter)
+- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor)
+- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera)
+- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md#general-apps)
+
+### Desktop/PC
+
+
+
+- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os)
+- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation)
+- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed)
+- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux)
+- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue)
+- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos)
+- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix)
+- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop.md)
+
+### Прошивка роутера
+
+
+
+- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt)
+- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](router.md)
+
+## Service Providers
+
+### Cloud Storage
+
+
+
+- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](cloud.md)
+
+### DNS
+
+#### DNS Providers
+
+We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended.
+
+[Learn more :material-arrow-right-drop-circle:](dns.md)
+
+#### Encrypted DNS Proxies
+
+
+
+- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns)
+- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies)
+
+#### Self-hosted Solutions
+
+
+
+- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home)
+- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions)
+
+### Email
+
+
+
+- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail)
+- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg)
+- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail)
+- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md)
+
+#### Email Aliasing Services
+
+
+
+- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy)
+- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin)
+
+
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/uk/tor.md b/i18n/uk/tor.md new file mode 100644 index 00000000..cd0d7c36 --- /dev/null +++ b/i18n/uk/tor.md @@ -0,0 +1,124 @@ +--- +title: "Tor Network" +icon: simple/torproject +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+
+- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md)
+
+## Connecting to Tor
+
+There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser.
+
+### Tor Browser
+
+!!! рекомендації
+
+ ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right }
+
+ **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*.
+
+ [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
+ - [:simple-android: Android](https://www.torproject.org/download/#android)
+ - [:simple-windows11: Windows](https://www.torproject.org/download/)
+ - [:simple-apple: macOS](https://www.torproject.org/download/)
+ - [:simple-linux: Linux](https://www.torproject.org/download/)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor)
+
+!!! 
danger
+
+ You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
+
+The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/).
+
+### Orbot
+
+!!! рекомендації
+
+ ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right }
+
+ **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network.
+
+ [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599)
+ - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases)
+
+For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to.
+
+!!! tip "Tips for Android"
+
+ Orbot can proxy individual apps if they support SOCKS or HTTP proxying. 
It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+ Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead.
+
+ All versions are signed using the same signature so they should be compatible with each other.
+
+## Relays and Bridges
+
+### Snowflake
+
+!!! рекомендації
+
+ ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right }
+ ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right }
+
+ **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser.
+
+ People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge.
+
+ [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ??? 
downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie)
+ - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy")
+
+??? tip "Embedded Snowflake"
+
+ You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface.
+
+
+
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html).
+
+Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours.
+
+Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy.
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/video-streaming.md b/i18n/uk/video-streaming.md
new file mode 100644
index 00000000..542f9af3
--- /dev/null
+++ b/i18n/uk/video-streaming.md
@@ -0,0 +1,52 @@
+---
+title: "Video Streaming"
+icon: material/video-wireless
+---
+
+The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage.
+
+## LBRY
+
+!!! рекомендації
+
+ ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right }
+
+ **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance.
+
+ **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet.
+
+ [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://lbry.com/windows)
+ - [:simple-apple: macOS](https://lbry.com/osx)
+ - [:simple-linux: Linux](https://lbry.com/linux)
+
+!!! note
+
+ Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry.
+
+!!! warning
+
+ While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel.
+
+You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must not require a centralized account to view videos.
+ - Decentralized authentication, such as via a mobile wallet's private key is acceptable.
+
+--8<-- "includes/abbreviations.uk.txt"
diff --git a/i18n/uk/vpn.md b/i18n/uk/vpn.md
new file mode 100644
index 00000000..3e35887f
--- /dev/null
+++ b/i18n/uk/vpn.md
@@ -0,0 +1,323 @@
+---
+title: "VPN Services"
+icon: material/vpn
+---
+
+Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
+
+??? danger "VPNs do not provide anonymity"
+
+ Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.
+
+ If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
+
+ If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
+
+ [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button }
+
+??? question "When are VPNs useful?"
+
+ If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved.
+
+ [More Info](basics/vpn-overview.md){ .md-button }
+
+## Recommended Providers
+
+!!! abstract "Criteria"
+
+ Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#our-criteria) for more information.
+
+### Proton VPN
+
+!!! recommendation annotate
+
+ ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right }
+
+ **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option.
+
+ [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" }
+
+ ??? 
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085)
+ - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases)
+ - [:simple-windows11: Windows](https://protonvpn.com/download-windows)
+ - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/)
+
+??? success annotate "67 Countries"
+
+ Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
+
+ We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. Last checked: 2022-09-16
+
+??? success "Independently Audited"
+
+ As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf).
A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +??? success "Open-Source Clients" + + Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +??? success "Accepts Cash" + + Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment. + +??? success "WireGuard Support" + + Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +??? warning "Remote Port Forwarding" + + Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +??? 
info "Additional Functionality" + + Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +!!! danger "Killswitch feature is broken on Intel-based Macs" + + System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +### IVPN + +!!! рекомендації + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +??? success annotate "35 Countries" + + IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1). 
Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +??? success "Open-Source Clients" + + As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +??? success "Accepts Cash and Monero" + + In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +??? success "WireGuard Support" + + IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. 
+ + IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +??? info "Additional Functionality" + + IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! рекомендації + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. 
+ + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +??? success annotate "41 Countries" + + Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2023-01-19 + +??? success "Independently Audited" + + Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). 
The security researchers concluded: + + > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + + In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + + > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + + In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +??? success "Open-Source Clients" + + Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +??? 
success "Accepts Cash and Monero" + + Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +??? success "WireGuard Support" + + Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "IPv6 Support" + + Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +??? 
success "Mobile Clients" + + Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +??? info "Additional Functionality" + + Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. 
+ +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- Monero or cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts Monero, cash, and other forms of anonymous payment options (gift cards, etc.) +- No personal information accepted (autogenerated username, no email required, etc.) 
+ +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. 
We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. + +--8<-- "includes/abbreviations.uk.txt" diff --git a/i18n/vi/404.md b/i18n/vi/404.md new file mode 100644 index 00000000..50ddd38e --- /dev/null +++ b/i18n/vi/404.md 
@@ -0,0 +1,17 @@ +--- +hide: + - feedback +--- + +# 404 - Not Found + +We couldn't find the page you were looking for! Maybe you were looking for one of these? + +- [Introduction to Threat Modeling](basics/threat-modeling.md) +- [Recommended DNS Providers](dns.md) +- [Best Desktop Web Browsers](desktop-browsers.md) +- [Best VPN Providers](vpn.md) +- [Privacy Guides Forum](https://discuss.privacyguides.net) +- [Our Blog](https://blog.privacyguides.org) + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/CODE_OF_CONDUCT.md b/i18n/vi/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/vi/CODE_OF_CONDUCT.md 
@@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. 
**Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. 
diff --git a/i18n/vi/about/criteria.md b/i18n/vi/about/criteria.md new file mode 100644 index 00000000..a15c41a1 --- /dev/null +++ b/i18n/vi/about/criteria.md 
@@ -0,0 +1,42 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. 
+ +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/about/donate.md b/i18n/vi/about/donate.md new file mode 100644 index 00000000..108a1b8f --- /dev/null +++ b/i18n/vi/about/donate.md 
@@ -0,0 +1,52 @@ +--- +title: Phương Thức Quyên Góp +--- + + +It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +Phải cần rất nhiều [người](https://github.com/privacyguides/privacyguides.org/graphs/contributors) và [làm việc](https://github.com/privacyguides/privacyguides.org/pulse/monthly) để cập nhật Privacy Guides và quảng bá rộng rãi về quyền riêng tư và giám sát hàng loạt. Nếu bạn thích những gì chúng tôi làm, cách tốt nhất để giúp đỡ là tham gia bằng cách [chỉnh sửa trang web](https://github.com/privacyguides/privacyguides.org) hoặc [đóng góp bản dịch](https://crowdin.com/project/privacyguides). + +[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +A special thanks to all those who support our mission! :heart: + +*Please note: This section loads a widget directly from Open Collective. 
This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Chúng tôi vẫn đang làm việc với tổ chức tài chính của mình (Open Collective Foundation) để nhận các khoản đóng góp từ tiền điện tử, hiện tại, kế toán không khả thi đối với nhiều giao dịch nhỏ hơn, nhưng điều này sẽ thay đổi trong tương lai. Trong thời gian chờ đợi, nếu bạn muốn quyên góp tiền điện tử (> $100) cỡ lớn, vui lòng liên hệ với [jonah@privacyguides.org](mailto:jonah@privacyguides.org). + +**Đăng Ký Tên Miền** +: + +Chúng tôi có một vài tên miền như `privacyguides.org` mà chúng tôi tốn khoảng $10 mỗi năm để duy trì đăng ký của họ. + +**Web Hosting** +: + +Lưu lượng truy cập vào trang web này sử dụng hàng trăm gigabyte dữ liệu mỗi tháng, chúng tôi sử dụng nhiều nhà cung cấp dịch vụ khác nhau để theo kịp lượng truy cập này. + +**Dịch Vụ Trực Tuyến** +: + +Chúng tôi tổ chức [dịch vụ internet](https://privacyguides.net) để thử nghiệm và giới thiệu các sản phẩm bảo mật khác nhau mà chúng tôi thích và [đề xuất](../tools.md). Một số trong số đó được cung cấp công khai để cộng đồng của chúng tôi sử dụng (SearXNG, Tor, v.v.) và một số được cung cấp cho các thành viên trong nhóm của chúng tôi (email, v.v.). + +**Mua Sản Phẩm** +: + +Thỉnh thoảng chúng tôi mua sản phẩm và dịch vụ cho mục đích thử nghiệm [công cụ được đề xuất của chúng tôi](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/about/index.md b/i18n/vi/about/index.md new file mode 100644 index 00000000..2544954c 
--- /dev/null
+++ b/i18n/vi/about/index.md
@@ -0,0 +1,63 @@ +--- +title: "About Privacy Guides" +--- + +**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. + +[:material-hand-coin-outline: Support the project](donate.md ""){.md-button.md-button--primary} + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? 
person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub! + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax deductible in the United States. + +## Site License + +*The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):* + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. 
Bạn **không được** sử dụng thương hiệu Privacy Guides trong dự án của riêng bạn mà không có sự chấp thuận rõ ràng từ dự án này. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/about/notices.md b/i18n/vi/about/notices.md new file mode 100644 index 00000000..08cc8ebb --- /dev/null +++ b/i18n/vi/about/notices.md 
@@ -0,0 +1,45 @@ +--- +title: "Thông báo và Tuyên bố từ chối" +hide: + - toc +--- + +## Từ Chối Trách Nhiệm Pháp Lý + +Privacy Guides không phải là một công ty luật. Do đó, trang web Privacy Guides và những người đóng góp không cung cấp tư vấn pháp lý. Tài liệu và khuyến nghị trong trang web và hướng dẫn của chúng tôi không cấu thành tư vấn pháp lý cũng như không đóng góp vào trang web hoặc giao tiếp với Privacy Guides hoặc những người đóng góp khác về trang web của chúng tôi tạo ra mối quan hệ luật sư-khách hàng. + +Điều hành trang web này, giống như bất kỳ nỗ lực nào của con người, liên quan đến sự không chắc chắn và sự đánh đổi. Chúng tôi hy vọng trang web này hữu ích, nhưng nó có thể bao gồm các sai lầm và không thể giải quyết mọi tình huống. Nếu bạn có bất kỳ câu hỏi nào về tình huống của mình, chúng tôi khuyến khích bạn tự nghiên cứu, tìm kiếm các chuyên gia khác và tham gia thảo luận với cộng đồng Privacy Guides. Nếu quý vị có bất kỳ câu hỏi pháp lý nào, quý vị nên tham khảo ý kiến của luật sư riêng của mình trước khi tiếp tục. + +Privacy Guides là một dự án nguồn mở được đóng góp theo giấy phép bao gồm các điều khoản, để bảo vệ trang web và những người đóng góp của trang web, nêu rõ rằng dự án và trang web của Privacy Guides được cung cấp "nguyên trạng", không có bảo hành và từ chối trách nhiệm pháp lý đối với các thiệt hại do sử dụng trang web hoặc bất kỳ khuyến nghị nào có trong đó. Privacy Guides không bảo đảm hoặc đưa ra bất kỳ tuyên bố nào liên quan đến tính chính xác, kết quả có thể hoặc độ tin cậy của việc sử dụng các tài liệu trên trang web hoặc liên quan đến các tài liệu đó trên trang web hoặc trên bất kỳ trang web của bên thứ ba nào được liên kết trên trang web này. + +Ngoài ra, Privacy Guides không đảm bảo rằng trang web này sẽ liên tục khả dụng hoặc có sẵn. 
+ +## Giấy phép + +Trừ khi có ghi chú khác, tất cả nội dung trên trang web này được cung cấp miễn phí theo các điều khoản của [Creative Commons CC0 1.0 Universal](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). + +Điều này không bao gồm mã của bên thứ ba được nhúng trong kho lưu trữ này hoặc mã mà giấy phép thay thế được ghi chú khác. Sau đây là những ví dụ đáng chú ý, nhưng danh sách này có thể không bao gồm tất cả: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/mathjax.js) được cấp phép theo [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/LICENSE.mathjax.txt). + +Phần của thông báo này chính nó đã được thông qua từ [mã nguồn mở](https://github.com/github/opensource.guide/blob/master/notices.md) trên GitHub. Tài nguyên đó và chính trang này được phát hành dưới [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE). + +Điều này có nghĩa là bạn có thể sử dụng nội dung có thể đọc được của con người trong kho lưu trữ này cho dự án của riêng bạn, theo các điều khoản được nêu trong văn bản CC0 1.0 Universal. Bạn **không được** sử dụng thương hiệu Privacy Guides trong dự án của riêng bạn mà không có sự chấp thuận rõ ràng từ dự án này. Nhãn hiệu thương hiệu của Privacy Guides bao gồm nhãn hiệu chữ "Privacy Guides" và logo shield. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +Chúng tôi tin rằng các logo và hình ảnh khác trong `tài sản` thu được từ các nhà cung cấp bên thứ ba thuộc phạm vi công cộng hoặc **sử dụng hợp pháp**. Tóm lại, học thuyết sử dụng hợp pháp [](https://en.wikipedia.org/wiki/Fair_use) cho phép sử dụng hình ảnh có bản quyền để xác định chủ đề cho mục đích bình luận công khai. Tuy nhiên, các logo và hình ảnh khác này vẫn có thể tuân theo luật thương hiệu ở một hoặc nhiều khu vực pháp lý. 
Trước khi sử dụng nội dung này, vui lòng đảm bảo rằng nội dung được sử dụng để xác định thực thể hoặc tổ chức sở hữu thương hiệu và bạn có quyền sử dụng nội dung đó theo luật áp dụng trong trường hợp bạn dự định sử dụng. *Khi sao chép nội dung từ trang web này, bạn hoàn toàn chịu trách nhiệm đảm bảo rằng bạn không vi phạm thương hiệu hoặc bản quyền của người khác.* + +Khi bạn đóng góp vào kho lưu trữ này, bạn đang làm như vậy theo các giấy phép trên. + +## Chấp Thuận Sử Dụng + +Bạn không được sử dụng trang web này theo bất kỳ cách nào gây ra hoặc có thể gây thiệt hại cho trang web hoặc làm giảm tính sẵn có hoặc khả năng truy cập của Privacy Guides, hoặc theo bất kỳ cách nào bất hợp pháp, bất hợp pháp, gian lận, có hại hoặc liên quan đến bất kỳ mục đích hoặc hoạt động bất hợp pháp, bất hợp pháp, gian lận hoặc có hại nào. + +Bạn không được tiến hành bất kỳ hoạt động thu thập dữ liệu có hệ thống hoặc tự động nào trên hoặc liên quan đến trang web này mà không có sự đồng ý rõ ràng bằng văn bản từ Aragon Ventures LLC, bao gồm: + +* Quét tự động quá mức +* Tấn công từ chối dịch vụ +* Quét dữ liệu +* Khai thác dữ liệu +* 'Khung' (IFrames) + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/about/privacy-policy.md b/i18n/vi/about/privacy-policy.md new file mode 100644 index 00000000..cb6652d4 --- /dev/null +++ b/i18n/vi/about/privacy-policy.md 
@@ -0,0 +1,63 @@ +--- +title: "Chính Sách Bảo Mật" +--- + +Privacy Guides là một dự án cộng đồng do một số cộng tác viên tình nguyện tích cực điều hành. Danh sách công khai của các thành viên trong nhóm [có thể tìm thấy trên GitHub](https://github.com/orgs/privacyguides/people). + +## Dữ Liệu Chúng Tôi Thu Thập Từ Khách + +Quyền riêng tư của khách truy cập trang web là rất quan trọng đối với chúng tôi, vì vậy chúng tôi không theo dõi bất kỳ cá nhân nào. Là một khách truy cập vào trang web: + +- Không có thông tin cá nhân được thu thập +- No information such as cookies are stored in the browser +- Không có thông tin nào được chia sẻ, gửi cho hoặc bán cho các bên thứ ba +- Không có thông tin nào được chia sẻ với các công ty quảng cáo +- Không có thông tin nào được khai thác và thu thập cho các cá nhân và hành vi xu hướng +- Không có thông tin nào được kiếm tiền + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Trên một số trang web và dịch vụ chúng tôi cung cấp, nhiều tính năng có thể yêu cầu tài khoản. Ví dụ, một tài khoản có thể được yêu cầu để đăng và trả lời các chủ đề trên nền tảng diễn đàn. + +## Dữ Liệu Chúng Tôi Thu Thập Từ Chủ Tài Khoản + +Để đăng ký hầu hết các tài khoản, chúng tôi sẽ thu thập tên, tên người dùng, email và mật khẩu. Trong trường hợp một trang web yêu cầu nhiều thông tin hơn chỉ là dữ liệu đó, thông tin đó sẽ được đánh dấu và ghi chú rõ ràng trong một tuyên bố về quyền riêng tư riêng cho mỗi trang web. + +Chúng tôi sử dụng dữ liệu tài khoản của bạn để nhận dạng bạn trên trang web và để tạo các trang dành riêng cho bạn, chẳng hạn như trang hồ sơ của bạn. 
Chúng tôi cũng sẽ sử dụng dữ liệu tài khoản của bạn để xuất bản hồ sơ công khai cho bạn trên các dịch vụ của chúng tôi. + +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Thông báo cho bạn về các bài đăng và hoạt động khác trên các trang web hoặc dịch vụ. +- Đặt lại mật khẩu của bạn và giúp bảo mật tài khoản của bạn. +- Liên hệ với bạn trong những trường hợp đặc biệt liên quan đến tài khoản của bạn. +- Liên hệ với bạn về các yêu cầu pháp lý, chẳng hạn như yêu cầu gỡ xuống theo DMCA. + +Chúng tôi sẽ lưu trữ dữ liệu tài khoản của bạn miễn là tài khoản của bạn vẫn mở. Sau khi đóng tài khoản, chúng tôi có thể giữ lại một số hoặc tất cả dữ liệu tài khoản của bạn dưới dạng sao lưu hoặc lưu trữ trong tối đa 90 ngày. This information is not required to use any of our services and can be erased at any time. + +Nhóm Privacy Guides thường không có quyền truy cập vào dữ liệu cá nhân ngoài quyền truy cập hạn chế được cấp qua một số bảng kiểm duyệt. Các thắc mắc liên quan đến thông tin cá nhân của bạn nên được gửi trực tiếp đến: + +## Liên hệ với chúng tôi + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Quản trị viên dịch vụ +jonah@privacyguides.org +``` + +Đối với các khiếu nại theo GDPR nói chung, bạn có thể khiếu nại với các cơ quan giám sát bảo vệ dữ liệu địa phương của bạn. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. 
+
+## Về Chính sách này
+
+We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time.
+
+A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub.
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/about/privacytools.md b/i18n/vi/about/privacytools.md
new file mode 100644
index 00000000..83d18bae
--- /dev/null
+++ b/i18n/vi/about/privacytools.md
@@ -0,0 +1,120 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. 
The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. 
+ +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. 
This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome.
+
+In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition.
+
+## Community Call to Action
+
+At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped.
+
+## Control of r/privacytoolsIO
+
+Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit.
+
+Reddit requires that subreddits have active moderators.
If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. 
+ +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. 
BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. 
+ +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. 
+ +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. 
+
+- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/)
+- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/)
+- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/)
+- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides)
+- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280)
+- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/)
+- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/)
+- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496)
+- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20)
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/about/services.md b/i18n/vi/about/services.md
new file mode 100644
index 00000000..962c5de7
--- /dev/null
+++ b/i18n/vi/about/services.md
@@ -0,0 +1,40 @@
+# Privacy Guides Services
+
+We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below.
+
+[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary}
+
+## Discourse
+
+- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net)
+- Availability: Public
+- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse)
+
+## Gitea
+
+- Domain: [code.privacyguides.dev](https://code.privacyguides.dev)
+- Availability: Invite-Only
+ Access may be granted upon request to any team working on *Privacy Guides*-related development or content.
+- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea)
+
+## Matrix
+
+- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org)
+- Availability: Invite-Only
+ Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence.
+- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy)
+
+## SearXNG
+
+- Domain: [search.privacyguides.net](https://search.privacyguides.net)
+- Availability: Public
+- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker)
+
+## Invidious
+
+- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net)
+- Availability: Semi-Public
+ We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time.
+- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious)
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/about/statistics.md b/i18n/vi/about/statistics.md
new file mode 100644
index 00000000..ae1945a9
--- /dev/null
+++ b/i18n/vi/about/statistics.md
@@ -0,0 +1,63 @@
+---
+title: Traffic Statistics
+---
+
+## Website Statistics
+
+
+
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+
+
+
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/advanced/communication-network-types.md b/i18n/vi/advanced/communication-network-types.md
new file mode 100644
index 00000000..50e200cf
--- /dev/null
+++ b/i18n/vi/advanced/communication-network-types.md
@@ -0,0 +1,104 @@
+---
+title: "Types of Communication Networks"
+icon: 'material/transit-connection-variant'
+---
+
+There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use.
+
+[Recommended Instant Messengers](../real-time-communication.md ""){.md-button}
+
+## Centralized Networks
+
+![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left }
+
+Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization.
+
+Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate.
+
+**Advantages:**
+
+- New features and changes can be implemented more quickly.
+- Easier to get started with and to find contacts.
+- Most mature and stable features ecosystems, as they are easier to program in a centralized software.
+- Privacy issues may be reduced when you trust a server that you're self-hosting.
+
+**Disadvantages:**
+
+- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like:
+- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage.
+- Poor or no documentation for third-party developers.
+- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on.
+- Self-hosting requires effort and knowledge of how to set up a service.
+
+## Federated Networks
+
+![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left }
+
+Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network.
+
+When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server).
+
+**Advantages:**
+
+- Allows for greater control over your own data when running your own server.
+- Allows you to choose whom to trust your data with by choosing between multiple "public" servers.
+- Often allows for third-party clients which can provide a more native, customized, or accessible experience.
+- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member).
+
+**Disadvantages:**
+
+- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network.
+- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion.
+- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used).
+- Federated servers generally require trusting your server's administrator. 
They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used.
+- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers.
+
+## Peer-to-Peer Networks
+
+![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left }
+
+P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server.
+
+Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol).
+
+Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient.
+
+P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting.
+
+**Advantages:**
+
+- Minimal information is exposed to third-parties.
+- Modern P2P platforms implement E2EE by default. 
There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models.
+
+**Disadvantages:**
+
+- Reduced feature set:
+- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online.
+- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online.
+- Some common messenger features may not be implemented or incompletely, such as message deletion.
+- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention.
+
+## Anonymous Routing
+
+![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left }
+
+A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three.
+
+There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. 
Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers."
+
+Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit.
+
+**Advantages:**
+
+- Minimal to no information is exposed to other parties.
+- Messages can be relayed in a decentralized manner even if one of the parties is offline.
+
+**Disadvantages:**
+
+- Slow message propagation.
+- Often limited to fewer media types, mostly text, since the network is slow.
+- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline.
+- More complex to get started, as the creation and secured backup of a cryptographic private key is required.
+- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion.
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/advanced/dns-overview.md b/i18n/vi/advanced/dns-overview.md
new file mode 100644
index 00000000..b96cd32d
--- /dev/null
+++ b/i18n/vi/advanced/dns-overview.md
@@ -0,0 +1,307 @@ +--- +title: "DNS Overview" +icon: material/dns +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. 
This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. 
| Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. 
Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. 
When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. 
We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. 
Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. 
We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. 
It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? 
+
+A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server).
+
+Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
+
+## What is EDNS Client Subnet (ECS)?
+
+The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query.
+
+It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps.
+
+This feature does come at a privacy cost, as it tells the DNS server some information about the client's location.
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/advanced/tor-overview.md b/i18n/vi/advanced/tor-overview.md
new file mode 100644
index 00000000..1390df35
--- /dev/null
+++ b/i18n/vi/advanced/tor-overview.md
@@ -0,0 +1,81 @@
+---
+title: "Tor Overview"
+icon: 'simple/torproject'
+---
+
+Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications.
+
+## Path Building
+
+Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays).
+
+Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function:
+
+### The Entry Node
+
+The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to.
+
+Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1]
+
+### The Middle Node
+
+The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to.
+
+For each new circuit, the middle node is randomly selected out of all available Tor nodes.
+
+### The Exit Node
+
+The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to.
+
+The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2]
+
+
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+
Tor circuit pathway
+
+
+## Encryption
+
+Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order.
+
+Once Tor has built a circuit, data transmission is done as follows:
+
+1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node.
+
+2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node.
+
+3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address.
+
+Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back.
+
+
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light)
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark)
+
Sending and receiving data through the Tor Network
+
+
+Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address.
+
+## Caveats
+
+Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect:
+
+- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity.
+- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible.
+
+If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting.
+
+- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser)
+
+## Additional Resources
+
+- [Tor Browser User Manual](https://tb-manual.torproject.org)
+- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube)
+- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube)
+
+--8<-- "includes/abbreviations.vi.txt"
+
+[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack.
The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/vi/android.md b/i18n/vi/android.md
new file mode 100644
index 00000000..e9e20767
--- /dev/null
+++ b/i18n/vi/android.md
@@ -0,0 +1,353 @@
+---
+title: "Android"
+icon: 'fontawesome/brands/android'
+---
+
+![Android logo](assets/img/android/android.svg){ align=right }
+
+The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features.
+
+[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage }
+[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation}
+[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" }
+
+These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. khuyến nghị
+
+- [Tổng quan chung về Android và Đề xuất :material-arrow-right:](os/android-overview.md)
+- [Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+
+## AOSP Derivatives
+
+We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems.
+
+!!! note
+
+ Các thiết bị cuối đời (chẳng hạn như thiết bị "hỗ trợ mở rộng" của GrapheneOS hoặc CalyxOS) không có các bản vá bảo mật đầy đủ (cập nhật chương trình cơ sở) do OEM ngừng hỗ trợ. Những thiết bị này không thể được coi là hoàn toàn an toàn bất kể phần mềm được cài đặt.
+
+### GrapheneOS
+
+!!!
khuyến nghị
+
+ ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right }
+ ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right }
+
+ **GrapheneOS** là sự lựa chọn tốt nhất khi nói đến quyền riêng tư và bảo mật.
+
+ GrapheneOS cung cấp thêm [tăng cường bảo mật](https://en.wikipedia.org/wiki/Hardening_(computing)) và các cải tiến về quyền riêng tư. Nó có [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), quyền mạng và cảm biến cũng như nhiều [tính năng bảo mật](https://grapheneos.org/features). GrapheneOS cũng đi kèm với các bản cập nhật chương trình cơ sở đầy đủ và các bản dựng đã ký, vì vậy khởi động đã xác minh được hỗ trợ đầy đủ.
+
+ [Homepage](https://grapheneos.org/){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://grapheneos.org/faq#privacy-policy){ .md-button }
+
+Đối với những người cần Google Play Services, CalyxOS tùy chọn bao gồm [microG](https://microg.org/). CalyxOS cũng bao gồm các dịch vụ định vị thay thế, [Mozilla](https://location.services.mozilla.com/) và [DejaVu](https://github.com/n76/DejaVu).
+
+Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support).
+
+### CalyxOS
+
+!!! khuyến nghị
+
+ ![CalyxOS logo](assets/img/android/calyxos.svg){ align=right }
+
+ **CalyxOS** là một hệ thống có một số tính năng bảo mật trên AOSP, bao gồm [Datura](https://calyxos.org/docs/tech/datura-details) tường lửa, [Signal](https://signal.org) tích hợp trong ứng dụng quay số và nút dừng khẩn cấp được tích hợp sẵn.
+ CalyxOS cũng đi kèm với các bản cập nhật chương trình cơ sở và các bản dựng đã ký, vì vậy khởi động đã xác minh được hỗ trợ đầy đủ.
[Homepage](https://calyxos.org/){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://calyxinstitute.org/legal/privacy-policy){ .md-button }
+
+ [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute }
+
+DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Nó bao gồm [UnifiedNlp](https://github.com/microg/UnifiedNlp) cho vị trí mạng. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled.
+
+DivestOS implements some system hardening patches originally developed for GrapheneOS.
DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features).
+
+DivestOS thực hiện một số bản vá tăng cường hệ thống được phát triển ban đầu cho GrapheneOS. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply.
+
+!!! warning
+
+ ![DivestOS logo](assets/img/android/divestos.svg){ align=right }
+
+ **DivestOS** là phần mềm fork của [LineageOS](https://lineageos.org/).
DivestOS kế thừa nhiều [thiết bị được hỗ trợ](https://divestos.org/index.php?page=devices&base=LineageOS) từ LineageOS. Nó có các bản dựng đã ký, nên có thể có [khởi động đã xác minh](https://source.android.com/security/verifiedboot) trên một số thiết bị không phải Pixel.
+
+ [Homepage](https://divestos.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://divestos.org/index.php?page=privacy_policy){ .md-button }
+
+## Thiết bị Android
+
+When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible.
+
+Avoid buying phones from mobile network operators. Luôn kiểm tra uy tín của người bán. These phone variants will prevent you from installing any kind of alternative Android distribution.
+
+Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner.
+
+A few more tips regarding Android devices and operating system compatibility:
+
+- Không mua các thiết bị đã đạt hoặc gần hết tuổi thọ, các bản cập nhật firmware bổ sung phải do nhà sản xuất cung cấp.
+- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. Các thiết bị này cũng không có cách nào để bạn kiểm tra xem chúng có bị giả mạo hay không.
+- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details!
+
+### DivestOS
+
+Google Pixel phones are the **only** devices we recommend for purchase.
Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element.
+
+!!! khuyến nghị
+
+ ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right }
+
+ **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems.
+
+ Chúng tôi vẫn đề xuất GrapheneOS hoặc CalyxOS tùy thuộc vào khả năng tương thích của thiết bị của bạn.
+
+ Đối với các thiết bị khác, DivestOS là một lựa chọn thay thế tốt.
+
+Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface.
+
+Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones.
+
+The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company.
+
+A few more tips for purchasing a Google Pixel:
+
+- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Giảm giá thường có sẵn vì Google sẽ cố gắng dọn hàng của họ.
+- Consider price beating options and specials offered at physical stores.
+- Look at online community bargain sites in your country. Những điều này có thể cảnh báo bạn về doanh số bán hàng tốt.
+- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day.
+
+## Ứng dụng chung
+
+We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality.
+
+### Google Pixel
+
+!!! khuyến nghị
+
+ ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right }
+
+ **Google Pixel** được biết là có bảo mật tốt và hỗ trợ đúng cách [Khởi động đã xác minh](https://source.android.com/security/verifiedboot), ngay cả khi cài đặt hệ điều hành tùy chỉnh.
+
+ Bắt đầu với **Pixel 6** và **6 Pro**, các thiết bị Pixel nhận được bản cập nhật bảo mật được đảm bảo tối thiểu 5 năm, đảm bảo tuổi thọ dài hơn nhiều so với 2-4 năm mà các OEM cạnh tranh thường cung cấp.
+
+ [Store](https://store.google.com/category/phones){ .md-button .md-button--primary } downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter)
+
+!!! warning
+
+ Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html).
+
+ When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile.
+
+### Các thiết bị khác
+
+!!!
khuyến nghị
+
+ ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right }
+ ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right }
+
+ **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system.
+
+ [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation}
+ [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+Auditor performs attestation and intrusion detection by:
+
+- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*.
+- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app).
+- The *auditor* records the current state and configuration of the *auditee*.
+- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations.
+- Bạn sẽ được thông báo về sự thay đổi.
+
+No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring.
+
+If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection.
+
+### Orbot
+
+!!! khuyến nghị
+
+ ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right }
+ ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right }
+
+ **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. [Homepage](https://orbot.app/){ .md-button .md-button--primary }
+
+ ???
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+Main privacy features include:
+
+- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default)
+- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required
+- Không cần có quyền đối với micrô trừ khi bạn muốn ghi lại âm thanh
+
+!!! note
+
+ Metadata is not currently deleted from video files but that is planned.
+
+ The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser).
+
+### Secure PDF Viewer
+
+!!! khuyến nghị
+
+ ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right }
+ ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right }
+
+ **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files.
+
+ [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content.
+
+ [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play)
+ - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases)
+ - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases)
+
+## App Stores
+
+### GrapheneOS App Store
+
+GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to.
+
+### Aurora Store
+
+The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store.
+
+!!! khuyến nghị
+
+ Vì CalyxOS bao gồm một bộ điều khiển thiết bị, chúng tôi khuyên bạn nên sử dụng hồ sơ công việc được tích hợp sẵn của chúng để thay thế.
+
+ [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases)
+
+Aurora Store does not allow you to download paid apps with their anonymous account feature. khuyến nghị
+
+### Trình xem PDF an toàn
+
+For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases.
+
+![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark)
+
+#### OnePlus
+
+On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL:
+
+`https://github.com/GrapheneOS/Camera/releases.atom`
+
+#### Fairphone
+
+On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL:
+
+`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom`
+
+#### Verifying APK Fingerprints
+
+If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools).
+
+1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/).
+
+2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools).
+
+3. Extract the downloaded archive:
+
+ ```bash
+ unzip commandlinetools-*.zip
+ cd cmdline-tools
+ ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3"
+ ```
+
+4.
Run the signature verification command:
+
+ ```bash
+ ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk
+ ```
+
+5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website.
+
+ ```bash
+ Signer #1 certificate DN: CN=GrapheneOS
+ Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59
+ Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c
+ Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3
+ ```
+
+### F-Droid
+
+![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px }
+
+==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages.
+
+Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust.
+
+Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories.
However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.
+
+That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method.
+
+!!! note
+
+ In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it.
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! cảnh báo
+ PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn.
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống
+
+ - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden)
+
+### Operating Systems
+
+- Must be open-source software.
+- Must support bootloader locking with custom AVB key support.
+- Must receive major Android updates within 0-1 months of release.
+- Must receive Android feature updates (minor version) within 0-14 days of release.
+- Must receive regular security patches within 0-5 days of release.
+- Must **not** be "rooted" out of the box.
+- Must **not** enable Google Play Services by default.
+- Must **not** require system modification to support Google Play Services.
+
+### Devices
+
+- Must support at least one of our recommended custom operating systems.
+- Must be currently sold new in stores.
+- Must receive a minimum of 5 years of security updates.
+- Must have dedicated secure element hardware.
+
+### Applications
+
+- Applications on this page must not be applicable to any other software category on the site.
+- General applications should extend or replace core system functionality.
+- Applications should receive regular updates and maintenance.
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/assets/img/account-deletion/exposed_passwords.png b/i18n/vi/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/vi/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/vi/assets/img/android/rss-apk-dark.png b/i18n/vi/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/vi/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/vi/assets/img/android/rss-apk-light.png b/i18n/vi/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/vi/assets/img/android/rss-apk-light.png differ diff --git a/i18n/vi/assets/img/android/rss-changes-dark.png b/i18n/vi/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/vi/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/vi/assets/img/android/rss-changes-light.png b/i18n/vi/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/vi/assets/img/android/rss-changes-light.png differ diff --git a/i18n/vi/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/vi/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/vi/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/vi/assets/img/how-tor-works/tor-encryption.svg b/i18n/vi/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/vi/assets/img/how-tor-works/tor-encryption.svg 
@@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/vi/assets/img/how-tor-works/tor-path-dark.svg b/i18n/vi/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/vi/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/vi/assets/img/how-tor-works/tor-path.svg b/i18n/vi/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/vi/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/vi/assets/img/multi-factor-authentication/fido.png b/i18n/vi/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/vi/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/vi/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/vi/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/vi/assets/img/multi-factor-authentication/yubico-otp.png differ 
diff --git a/i18n/vi/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/vi/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/vi/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/vi/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/vi/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/vi/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/vi/basics/account-creation.md b/i18n/vi/basics/account-creation.md new file mode 100644 index 00000000..a3f3af8f --- /dev/null +++ b/i18n/vi/basics/account-creation.md 
@@ -0,0 +1,82 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. 
+ +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. 
This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. 
Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. + +--8<-- "includes/abbreviations.vi.txt" 
diff --git a/i18n/vi/basics/account-deletion.md b/i18n/vi/basics/account-deletion.md new file mode 100644 index 00000000..7ea7a71f --- /dev/null +++ b/i18n/vi/basics/account-deletion.md @@ -0,0 +1,63 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. 
It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. 
+ +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. 
+ +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/basics/common-misconceptions.md b/i18n/vi/basics/common-misconceptions.md new file mode 100644 index 00000000..59223e57 --- /dev/null +++ b/i18n/vi/basics/common-misconceptions.md 
@@ -0,0 +1,61 @@ +--- +title: "Common Misconceptions" +icon: 'material/robot-confused' +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. 
You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. 
==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. 
This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +--8<-- "includes/abbreviations.vi.txt" + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/vi/basics/common-threats.md b/i18n/vi/basics/common-threats.md new file mode 100644 index 00000000..f437fef5 --- /dev/null +++ b/i18n/vi/basics/common-threats.md 
@@ -0,0 +1,149 @@
+---
+title: "Common Threats"
+icon: 'material/eye-outline'
+---
+
+Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat.
+
+- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically.
+- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically.
+- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
+- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
+- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities.
+- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
+- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public.
+- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online.
+
+Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices.
+
+## Anonymity vs. Privacy
+
+:material-incognito: Anonymity
+
+Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity.
+
+Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far.
+
+## Security and Privacy
+
+:material-bug-outline: Passive Attacks
+
+Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private.
The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.)
+
+When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited.
+
+To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control.
+
+!!! tip
+
+ Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources.
+
+ Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os).
+
+:material-target-account: Targeted Attacks
+
+Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies.
+
+!!! tip
+
+ By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this.
+
+If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user.
+
+## Privacy From Service Providers
+
+:material-server-network: Service Providers
+
+We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere.
Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them.
+
+The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord.
+
+Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party.
+
+!!! note "Note on Web-based Encryption"
+
+ In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering).
+
+ On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt.
+
+ Therefore, you should use native applications over web clients whenever possible.
+
+Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all.
+
+## Mass Surveillance Programs
+
+:material-eye-outline: Mass Surveillance
+
+Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative.
+
+!!! abstract "Atlas of Surveillance"
+
+ If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/).
+
+ In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net.
+
+Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others.
+
+!!! 
quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
+
+ In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline.
+
+Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2]
+
+Online, you can be tracked via a variety of methods:
+
+- Your IP address
+- Browser cookies
+- The data you submit to websites
+- Your browser or device fingerprint
+- Payment method correlation
+
+\[This list isn't exhaustive].
+
+If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information.
+
+:material-account-cash: Surveillance Capitalism
+
+> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3]
+
+For many people, tracking and surveillance by private corporations is a growing concern.
Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4]
+
+Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you.
+
+## Limiting Public Information
+
+:material-account-search: Public Exposure
+
+The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy.
+
+- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md)
+
+On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission.
+
+If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity.
This makes your real information indistinguishable from the false information.
+
+## Avoiding Censorship
+
+:material-close-outline: Censorship
+
+Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5]
+
+Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.
+
+People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.
+
+!!! tip
+
+ While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic.
+
+ You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place.
Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
+
+You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.
+
+--8<-- "includes/abbreviations.vi.txt"
+
+[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance).
+[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques.
+[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights).
diff --git a/i18n/vi/basics/email-security.md b/i18n/vi/basics/email-security.md
new file mode 100644
index 00000000..16f22f1a
--- /dev/null
+++ b/i18n/vi/basics/email-security.md
@@ -0,0 +1,42 @@
+---
+title: Email Security
+icon: material/email
+---
+
+Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed.
+
+As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others.
+
+## Email Encryption Overview
+
+The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
+
+There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible.
+
+### What Email Clients Support E2EE?
+
+Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication.
+
+### How Do I Protect My Private Keys?
+
+A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
+
+It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.
+
+## Email Metadata Overview
+
+Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
+
+Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent.
+
+### Who Can View Email Metadata?
+
+Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages.
+
+### Why Can't Metadata be E2EE?
+
+Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc.
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/basics/multi-factor-authentication.md b/i18n/vi/basics/multi-factor-authentication.md
new file mode 100644
index 00000000..edceeb29
--- /dev/null
+++ b/i18n/vi/basics/multi-factor-authentication.md
@@ -0,0 +1,166 @@
+---
+title: "Multi-Factor Authentication"
+icon: 'material/two-factor-authentication'
+---
+
+**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app.
+
+Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone.
+
+MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO.
+
+## MFA Method Comparison
+
+### SMS or Email MFA
+
+Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account.
+
+### Push Notifications
+
+Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first.
+
+We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices.
+
+The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app.
+
+### Time-based One-time Password (TOTP)
+
+TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password.
+
+The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes.
+
+If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app.
+
+Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks.
If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds).
+
+An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
+
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+
+### Hardware security keys
+
+The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory.
+
+These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones.
+
+#### Yubico OTP
+
+Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server.
+
+When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field.
+
+The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
+
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+
+There are some benefits and disadvantages to using Yubico OTP when compared to TOTP.
+
+The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance.
+
+If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key.
+
+#### FIDO (Fast IDentity Online)
+
+[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn).
+
+U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on.
+
+WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication.
+
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+
+When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal.
+
+This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards.
+
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. 
+ +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. 
+ +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. 
+
+### SSH
+
+#### Hardware Security Keys
+
+SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up.
+
+#### Time-based One-time Password (TOTP)
+
+SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ.
+
+### KeePass (and KeePassXC)
+
+KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/basics/passwords-overview.md b/i18n/vi/basics/passwords-overview.md
new file mode 100644
index 00000000..730b4dbd
--- /dev/null
+++ b/i18n/vi/basics/passwords-overview.md
@@ -0,0 +1,112 @@
+---
+title: "Introduction to Passwords"
+icon: 'material/form-textbox-password'
+---
+
+Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced.
+
+## Best Practices
+
+### Use unique passwords for every service
+
+Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it.
+
+This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords.
+
+### Use randomly generated passwords
+
+==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices.
+
+All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use.
+
+### Rotating Passwords
+
+You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. 
+ +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! 
note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. 
+ + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. 
+
+There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words.
+
+[List of recommended password managers](../passwords.md ""){.md-button}
+
+!!! warning "Don't place your passwords and TOTP tokens inside the same password manager"
+
+ When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+
+ Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
+
+ Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device.
+
+### Backups
+
+You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using.
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/basics/threat-modeling.md b/i18n/vi/basics/threat-modeling.md
new file mode 100644
index 00000000..51af42d4
--- /dev/null
+++ b/i18n/vi/basics/threat-modeling.md
@@ -0,0 +1,111 @@
+---
+title: "Threat Modeling"
+icon: 'material/target-account'
+---
+
+Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using!
+
+If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important.
+
+**So, what are these threat models, anyway?**
+
+==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure.
+
+Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.
+
+## Creating Your Threat Model
+
+To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions:
+
+1. What do I want to protect?
+2. Who do I want to protect it from?
+3. How likely is it that I will need to protect it?
+4. How bad are the consequences if I fail?
+5. How much trouble am I willing to go through to try to prevent potential consequences?
+
+### What do I want to protect?
+
+An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. 
Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. 
+ +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. 
Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. 
+
+## Further Reading
+
+For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations.
+
+- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md)
+
+## Sources
+
+- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan)
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/basics/vpn-overview.md b/i18n/vi/basics/vpn-overview.md
new file mode 100644
index 00000000..9ae1522e
--- /dev/null
+++ b/i18n/vi/basics/vpn-overview.md
@@ -0,0 +1,78 @@
+---
+title: VPN Overview
+icon: material/vpn
+---
+
+Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem).
+
+Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns).
+
+A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it.
+
+## Should I use a VPN?
+
+**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service.
+
+VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way.
+
+However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.
+
+## When shouldn't I use a VPN?
+
+Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful.
+
+Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website.
+
+## What about encryption?
+
+Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. 
However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. 
If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. 
+ Hiding your IP from third-party websites and services, preventing IP based tracking.
+
+For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
+
+## Sources and Further Reading
+
+1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
+1. [Tor Network Overview](../advanced/tor-overview.md)
+1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides)
+1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them.
+
+## Related VPN Information
+
+- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/)
+- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
+- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
+- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/calendar.md b/i18n/vi/calendar.md
new file mode 100644
index 00000000..c9f92469
--- /dev/null
+++ b/i18n/vi/calendar.md
@@ -0,0 +1,93 @@
+---
+title: "Calendar Sync"
+icon: material/calendar
+---
+
+Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them.
+
+## Nhà cung cấp Cloud/SaaS
+
+!!! khuyến nghị
+
+ ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right }
+ ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right }
+
+ **Tutanota** offers a free and encrypted calendar across their supported platforms. [Website](https://tutanota.com/calendar){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://tutanota.com/privacy){ .md-button }
+
+ ???
+
+ tải xuống
+
+ - [:fontawesome-brands-windows: Windows](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:fontawesome-brands-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:fontawesome-brands-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:pg-flathub: Flatpak](https://flathub.org/apps/details/com.tutanota.Tutanota)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.tutao.tutanota)
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/tutanota/id922429609)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/tutao/tutanota)
+
+ [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609)
+ - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota)
+ - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+
+## Self-hostable
+
+!!! khuyến nghị
+
+ ![Proton](assets/img/calendar/proton-calendar.svg){ align=right }
+
+ **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Tất cả dữ liệu được lưu trữ bên trong nó đều được mã hóa đầu cuối khi được lưu trữ trên các máy chủ của ProtonMail. [Website](https://calendar.protonmail.com){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://protonmail.com/privacy-policy){ .md-button }
+
+ ??? tải xuống
+
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/ProtonMail/WebClients)
+
+ [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar)
+ - [:octicons-browser-16: Web](https://calendar.proton.me)
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! cảnh báo
+ PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn.
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống
+
+ - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden)
+
+### Minimum Qualifications
+
+- Must sync and store information with E2EE to ensure data is not visible to the service provider.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should integrate with native OS calendar and contact management apps if applicable.
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/cloud.md b/i18n/vi/cloud.md
new file mode 100644
index 00000000..94b69e73
--- /dev/null
+++ b/i18n/vi/cloud.md
@@ -0,0 +1,65 @@
+---
+title: "Cloud Storage"
+icon: material/file-cloud
+---
+
+Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by either putting you in control of your data or by implementing E2EE.
+
+If these alternatives do not fit your needs, we suggest you look into [Encryption Software](encryption.md).
+
+??? question "Looking for Nextcloud?"
+
+ Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users.
+
+## Proton Drive
+
+!!! khuyến nghị
+
+ ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right }
+
+ **Proton Drive** is an E2EE general file storage service by the popular encrypted email provider [Proton Mail](https://proton.me/mail).
+
+ [Website](https://drive.protonmail.com){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://protonmail.com/privacy-policy){ .md-button }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851)
+
+Proton Drive's mobile clients were released in December 2022 and are not yet open-source. Proton has historically delayed their source code releases until after initial product releases, and [plans to](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) release the source code by the end of 2023. Proton Drive desktop clients are still in development.
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! cảnh báo
+ PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn.
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống
+
+ - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden)
+
+### Minimum Requirements
+
+- Must enforce end-to-end encryption.
+- Must offer a free plan or trial period for testing.
+- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins.
+- Must offer a web interface which supports basic file management functionality.
+- Must allow for easy exports of all files/documents.
+- Must use standard, audited encryption.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Clients should be open-source.
+- Clients should be audited in their entirety by an independent third-party.
+- Should offer native clients for Linux, Android, Windows, macOS, and iOS.
+ - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android.
+- Should support easy file-sharing with other users.
+- Should offer at least basic file preview and editing functionality on the web interface.
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/data-redaction.md b/i18n/vi/data-redaction.md
new file mode 100644
index 00000000..43cf6bdd
--- /dev/null
+++ b/i18n/vi/data-redaction.md
@@ -0,0 +1,154 @@
+---
+title: "Data and Metadata Redaction"
+icon: material/tag-remove
+---
+
+When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata.
+
+## Desktop
+
+### MAT2
+
+!!! khuyến nghị
+
+ ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right }
+
+ **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org).
+
+ [Homepage](https://exifcleaner.com){ .md-button .md-button--primary }
+
+ ???
+
+ tải xuống
+
+ - [:fontawesome-brands-windows: Windows](https://github.com/szTheory/exifcleaner/releases)
+ - [:fontawesome-brands-apple: macOS](https://github.com/szTheory/exifcleaner/releases)
+ - [:fontawesome-brands-linux: Linux](https://github.com/szTheory/exifcleaner/releases)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/szTheory/exifcleaner) downloads
+
+ - [:simple-windows11: Windows](https://pypi.org/project/mat2)
+ - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew)
+ - [:simple-linux: Linux](https://pypi.org/project/mat2)
+ - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface)
+
+## Mobile
+
+### ExifEraser (Android)
+
+!!! khuyến nghị
+
+ ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right }
+
+ **ExifEraser** is a modern, permissionless image metadata erasing application for Android.
+
+ It currently supports JPEG, PNG and WebP files.
+
+ [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser)
+ - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser)
+ - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases)
+
+The metadata that is erased depends on the image's file type:
+
+* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists.
+* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+
+After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image.
+
+The app offers multiple ways to erase metadata from images. chú ý
+
+* You can share an image from another application with ExifEraser.
+* Through the app itself, you can select a single image, multiple images at once, or even an entire directory.
+* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it.
+* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode.
+* Lastly, it allows you to paste an image from your clipboard.
+
+### Metapho (iOS)
+
+!!! khuyến nghị
+
+ ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right }
+
+ **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location.
+
+ [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352)
+
+### PrivacyBlur
+
+!!! khuyến nghị
+
+ ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right }
+
+ **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online.
+
+ [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" }
+
+ ??? [Mã nguồn](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary }
+
+ ???
+
+!!! warning
+
+ Siêu dữ liệu hiện không bị xóa khỏi tệp video nhưng đó là kế hoạch. If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid).
+
+## Command-line
+
+### ExifTool
+
+!!! khuyến nghị
+
+ ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right }
+
+ **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more).
+
+ It's often a component of other Exif removal applications and is in most Linux distribution repositories.
+
+ [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://exiftool.org)
+ - [:simple-apple: macOS](https://exiftool.org)
+ - [:simple-linux: Linux](https://exiftool.org)
+
+!!! example "Deleting data from a directory of files"
+
+ ```bash
+ exiftool -all= *.file_extension
+ ```
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! cảnh báo
+ PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn.
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống
+
+ - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden)
+
+- Apps developed for open-source operating systems must be open-source.
+- Apps must be free and should not include ads or other limitations.
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/desktop-browsers.md b/i18n/vi/desktop-browsers.md
new file mode 100644
index 00000000..864b344f
--- /dev/null
+++ b/i18n/vi/desktop-browsers.md
@@ -0,0 +1,265 @@
+---
+title: "Desktop Browsers"
+icon: material/laptop
+---
+
+These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping your browser extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Firefox
+
+!!! khuyến nghị
+
+ ![Firefox logo](assets/img/browsers/firefox.svg){ align=right }
+
+ **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks).
+
+ [Homepage](https://www.bromite.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.bromite.org/privacy){ .md-button }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows)
+ - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac)
+ - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox)
+
+!!! warning
+ Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/).
+
+### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. 
When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Privacy & Security**.
+
+##### Enhanced Tracking Protection
+
+- [x] Select **Strict** Enhanced Tracking Protection
+
+This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability.
+
+##### Sanitize on Close
+
+If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...**
+
+- [x] Check **Delete cookies and site data when Firefox is closed**
+
+This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often.
+
+##### Search Suggestions
+
+- [ ] Uncheck **Provide search suggestions**
+
+Search suggestion features may not be available in your region.
+
+Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider.
+
+##### Telemetry
+
+- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla**
+- [ ] Uncheck **Allow Firefox to install and run studies**
+- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf**
+
+> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.
+
+Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out:
+
+1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection)
+2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts**
+
+##### HTTPS-Only Mode
+
+- [x] Select **Enable HTTPS-Only Mode in all windows**
+
+This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing.
+
+### Firefox Sync
+
+[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE.
+
+### Arkenfox (advanced)
+
+The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs.
We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support.
+
+## Brave
+
+!!! khuyến nghị
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ??? downloads annotate
+
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+ - [:simple-windows11: Windows](https://brave.com/download/)
+ - [:simple-apple: macOS](https://brave.com/download/)
+ - [:simple-linux: Linux](https://brave.com/linux/) (1)
+
+ 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc.
+
+### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings**.
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+- [x] Select **Prevent sites from fingerprinting me based on my language preferences**
+- [x] Select **Aggressive** under Trackers & ads blocking
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under Block fingerprinting
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Social media blocking
+
+- [ ] Uncheck all social media components
+
+##### Privacy and security
+
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Use Google services for push messaging**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [x] Select **Always use secure connections** in the **Security** menu
+- [ ] Uncheck **Private window with Tor** (1)
+
+ !!! tip "Sanitizing on Close"
+ - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu
+
+ If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section.
+
+
+1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser).
+
+##### Extensions
+
+Disable built-in extensions you do not use in **Extensions**
+
+- [ ] Uncheck **Hangouts**
+- [ ] Uncheck **WebTorrent**
+
+##### IPFS
+
+InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+- [x] Select **Disabled** on Method to resolve IPFS resources
+
+##### Additional settings
+
+Under the *System* menu
+
+
+- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1)
+
+
+1. This option is not present on all platforms.
+
+### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## Additional Resources
+
+We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality.
+
+### uBlock Origin
+
+!!! khuyến nghị
+
+ ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right }
+
+ **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts.
+
+ [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak)
+
+We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css).
+
+##### Other lists
+
+These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding:
+
+- [x] Check **Privacy** > **AdGuard URL Tracking Protection**
+- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt)
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! cảnh báo
+ PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn.
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống
+
+ - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden)
+
+### Minimum Requirements
+
+- Must be open-source software.
+- Supports automatic updates.
+- Receives engine updates in 0-1 days from upstream release.
+- Available on Linux, macOS, and Windows.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Blocks third-party cookies by default.
+- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1]
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Includes built-in content blocking functionality.
+- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)).
+- Supports Progressive Web Apps.
+ PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates.
+- Does not include add-on functionality (bloatware) that does not impact user privacy.
+- Does not collect telemetry by default.
+- Provides open-source sync server implementation.
+- Defaults to a [private search engine](search-engines.md).
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.vi.txt"
+
+[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/).
diff --git a/i18n/vi/desktop.md b/i18n/vi/desktop.md
new file mode 100644
index 00000000..7e8e0958
--- /dev/null
+++ b/i18n/vi/desktop.md
@@ -0,0 +1,180 @@
+---
+title: "Desktop/PC"
+icon: simple/linux
+---
+
+Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions.
+
+- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md)
+
+## Traditional Distributions
+
+### Fedora Workstation
+
+!!! khuyến nghị
+
+ ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right }
+
+ **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general.
+
+ [Homepage](https://getfedora.org/){ .md-button .md-button--primary }
+
+Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
+
+### openSUSE Tumbleweed
+
+!!! khuyến nghị
+
+ ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }
+
+ **openSUSE Tumbleweed** is a stable rolling release distribution.
+
+ openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.
+
+ [Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }
+
+Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality.
+
+### Arch Linux
+
+!!! khuyến nghị
+
+ ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right }
+
+ **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).
+
+ [Homepage](https://archlinux.org/){ .md-button .md-button--primary }
+
+Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.
+
+Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
+
+A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org).
+
+## Immutable Distributions
+
+### Fedora Silverblue
+
+!!! khuyến nghị
+
+ ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right }
+
+ **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.
+
+ [Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }
+
+Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.
+
+After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed.
+
+[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image.
+
+As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer.
+
+### NixOS
+
+!!! khuyến nghị
+
+ ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right }
+
+ NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.
+
+ [Homepage](https://nixos.org/){ .md-button .md-button--primary }
+
+NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**.
Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.
+
+NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.
+
+Nix the package manager uses a purely functional language - which is also called Nix - to define packages.
+
+[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config.
+
+Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible.
+
+## Anonymity-Focused Distributions
+
+### Whonix
+
+!!! khuyến nghị
+
+ ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right }
+
+ **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os).
+
+ [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute }
+
+Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.
+
+Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator.
+
+Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
+
+Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors.
+
+### Tails
+
+!!! khuyến nghị
+
+ ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right }
+
+ **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off.
+
+ [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation}
+ [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute }
+
+Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized.
+
+Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device.
+
+By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots.
+
+## Security-focused Distributions
+
+### Qubes OS
+
+!!! khuyến nghị
+
+ ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right }
+
+ **Qubes** là một hệ điều hành mã nguồn mở được thiết kế để cung cấp bảo mật mạnh mẽ cho máy tính để bàn. Qubes dựa trên Xen, X Window System, và Linux, và có thể chạy hầu hết các ứng dụng Linux và sử dụng hầu hết các trình điều khiển Linux.
+
+ [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary }
+ [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute }
+
+Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*.
+
+The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/).
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! cảnh báo
+ PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn.
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán.
Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống
+
+ - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden)
+
+Our recommended operating systems:
+
+- Must be open-source.
+- Must receive regular software and Linux kernel updates.
+- Linux distributions must support [Wayland](os/linux-overview.md#Wayland).
+- Must support full-disk encryption during installation.
+- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/dns.md b/i18n/vi/dns.md
new file mode 100644
index 00000000..8f26c25c
--- /dev/null
+++ b/i18n/vi/dns.md
@@ -0,0 +1,148 @@ +--- +title: "DNS Resolvers" +icon: material/dns +--- + +!!! question "Should I use encrypted DNS?" + + Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + + [Learn more about DNS](advanced/dns-overview.md){ .md-button } + +## Recommended Providers + +| DNS Provider | Chính Sách Bảo Mật | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) |
+| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. |
+| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. |
+| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) |
+| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. |
+| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. |
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! cảnh báo
+ PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn.
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống
+
+ - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden)
+
+- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec).
+- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization).
+- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled.
+- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support.
+
+## Native Operating System Support
+
+### Android
+
+Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**.
+
+### Apple Devices
+
+The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH.
Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings).
+
+After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings.
+
+#### Signed Profiles
+
+Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/).
+
+!!! info
+
+ `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS.
+
+## Encrypted DNS Proxies
+
+Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns).
+
+### RethinkDNS
+
+!!! khuyến nghị
+
+ ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right }
+ ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right }
+
+ **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
+
+ [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns)
+ - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases)
+
+### dnscrypt-proxy
+
+!!! khuyến nghị
+
+ ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right }
+
+ **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
+
+ !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
+
+ [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows)
+ - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS)
+ - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux)
+
+## Self-hosted Solutions
+
+A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed.
+
+### AdGuard Home
+
+!!! khuyến nghị
+
+ ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right }
+
+ **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ AdGuard Home features a polished web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" }
+
+### Pi-hole
+
+!!! 
khuyến nghị
+
+ ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right }
+
+ **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+
+ Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content.
+
+ [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute }
+
+--8<-- "includes/abbreviations.vi.txt"
+
+[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html)
+[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours.
[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/)
+[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy)
+[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/)
+[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy)
+[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/)
diff --git a/i18n/vi/email-clients.md b/i18n/vi/email-clients.md
new file mode 100644
index 00000000..da53467e
--- /dev/null
+++ b/i18n/vi/email-clients.md
@@ -0,0 +1,241 @@ +--- +title: "Email Clients" +icon: material/email-open +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! khuyến nghị + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.mozilla.org/privacy/thunderbird){ .md-button } + + ??? 
tải xuống + + - [:fontawesome-brands-windows: Windows](https://www.thunderbird.net) + - [:fontawesome-brands-apple: macOS](https://www.thunderbird.net) + - [:fontawesome-brands-linux: Linux](https://www.thunderbird.net) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.Thunderbird) + - [:fontawesome-brands-git: Mã nguồn](https://hg.mozilla.org/comm-central) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! khuyến nghị + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! 
khuyến nghị + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [Website](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.apple.com/legal/privacy/en-ww/){ .md-button } downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! khuyến nghị + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? [Website](https://kontact.kde.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://kde.org/privacypolicy-apps){ .md-button } + + ??? + +### GNOME Evolution (GNOME) + +!!! 
khuyến nghị + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. [Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.mailvelope.com/en/privacy-policy){ .md-button } + + ??? + + tải xuống + + - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/mailvelope/mailvelope) downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! khuyến nghị + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + [Homepage](https://k9mail.app){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://k9mail.app/privacy){ .md-button } + + ??? + + tải xuống + + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.fsck.k9) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/k9mail) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. 
[Homepage](https://email.faircode.eu){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .md-button } + + ??? + +### Kontact (KDE) + +!!! khuyến nghị + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! khuyến nghị + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! khuyến nghị + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. 
+ + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/email.md b/i18n/vi/email.md new file mode 100644 index 00000000..c737142d --- /dev/null +++ b/i18n/vi/email.md 
@@ -0,0 +1,485 @@ +--- +title: "Email Services" +icon: material/email +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! khuyến nghị + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +??? 
success "Custom Domains and Aliases" + + Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +??? success "Private Payment Methods" + + Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments. + +??? success "Account Security" + + Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code. + +??? success "Data Security" + + Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + + Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +??? success "Email Encryption" + + Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. 
+ + Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + +??? warning "Digital Legacy" + + Proton Mail doesn't offer a digital legacy feature. + +??? info "Account Termination" + + If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +??? info "Additional Functionality" + + Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +### Mailbox.org + +!!! khuyến nghị + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +??? success "Custom Domains and Aliases" + + Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. 
Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +??? info "Private Payment Methods" + + Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +??? success "Account Security" + + Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +??? info "Data Security" + + Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + + However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +??? success "Email Encryption" + + Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. 
This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + + Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +??? success "Digital Legacy" + + Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +??? info "Account Termination" + + Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +??? info "Additional Functionality" + + You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + + All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +### StartMail + +!!! 
khuyến nghị + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +??? success "Custom Domains and Aliases" + + Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +??? warning "Private Payment Methods" + + StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +??? success "Account Security" + + StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +??? info "Data Security" + + StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. 
When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + + StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +??? success "Email Encryption" + + StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. + +??? warning "Digital Legacy" + + StartMail does not offer a digital legacy feature. + +??? info "Account Termination" + + On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +??? info "Additional Functionality" + + StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +### Nhà cung cấp Cloud/SaaS + +!!! khuyến nghị + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +??? success "Custom Domains and Aliases" + + Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). 
Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +??? warning "Private Payment Methods" + + Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +??? success "Account Security" + + Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +??? success "Data Security" + + Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +??? warning "Email Encryption" + + Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +??? warning "Digital Legacy" + + Tutanota doesn't offer a digital legacy feature. + +??? info "Account Termination" + + Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +??? info "Additional Functionality" + + Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + + Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. 
+ +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign.
+
+Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider.
+
+### AnonAddy
+
+!!! khuyến nghị
+
+ ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right }
+ ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right }
+
+ **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous.
+
+ [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app)
+ - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe)
+
+The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan.
You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.
+
+Notable free features:
+
+- [x] 20 Shared Aliases
+- [x] Unlimited Standard Aliases
+- [ ] No Outgoing Replies
+- [x] 2 Recipient Mailboxes
+- [x] Automatic PGP Encryption
+
+### SimpleLogin
+
+!!! khuyến nghị
+
+ ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right }
+
+ **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains.
+
+ [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858)
+ - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff)
+ - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017)
+
+SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf).
+
+You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free.
+
+Notable free features:
+
+- [x] 10 Shared Aliases
+- [x] Unlimited Replies
+- [x] 1 Recipient Mailbox
+
+## Self-Hosting Email
+
+Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable.
+
+### Combined software solutions
+
+!!!
khuyến nghị
+
+ ![Mailcow logo](assets/img/email/mailcow.svg){ align=right }
+
+ **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support.
+
+ [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute }
+
+!!! khuyến nghị
+
+ ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right }
+
+ **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server.
+
+ [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" }
+
+For a more manual approach we've picked out these two articles:
+
+- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019)
+- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017)
+
+## Framadate
+
+**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more.
We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you.
+
+### Technology
+
+We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require.
+
+**Minimum to Qualify:**
+
+- Encrypts email account data at rest with zero-access encryption.
+- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard.
+- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy.
+- Operates on owned infrastructure, i.e. not built upon third-party email service providers.
+
+**Best Case:**
+
+- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption.
+- Integrated webmail E2EE/PGP encryption provided as a convenience.
+- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com`
+- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
+- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
+- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
+- Catch-all or alias functionality for those who own their own domains.
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible.
+
+**Minimum to Qualify:**
+
+- Protect sender's IP address. Filter it from showing in the `Received` header field.
+- Don't require personally identifiable information (PII) besides a username and a password.
+- Privacy policy that meets the requirements defined by the GDPR
+- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/).
+
+**Best Case:**
+
+- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
+
+### Security
+
+Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members.
+
+**Minimum to Qualify:**
+
+- Protection of webmail with 2FA, such as TOTP.
+- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
+- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
+- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption.
+- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
+- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
+- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
+- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
+- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/).
+- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
+- Website security standards such as:
+ - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+ - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
+- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt.
+
+**Best Case:**
+
+- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name).
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support.
+- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+- Website security standards such as:
+ - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
+ - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the email providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+
+- Reusing personal information e.g.
(email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc)
+- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+
+**Best Case:**
+
+- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
+
+### Additional Functionality
+
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/encryption.md b/i18n/vi/encryption.md
new file mode 100644
index 00000000..569a168d
--- /dev/null
+++ b/i18n/vi/encryption.md
@@ -0,0 +1,355 @@
+---
+title: "Encryption Software"
+icon: material/file-lock
+---
+
+Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here.
+
+## Multi-platform
+
+The options listed here are multi-platform and great for creating encrypted backups of your data.
+
+### Cryptomator (Cloud)
+
+!!! khuyến nghị
+
+ ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right }
+
+ **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider.
+
+ [Homepage](https://veracrypt.fr){ .md-button .md-button--primary }
+
+ ??? tải xuống
+
+ - [:fontawesome-brands-windows: Windows](https://www.veracrypt.fr/en/Downloads.html)
+ - [:fontawesome-brands-apple: macOS](https://www.veracrypt.fr/en/Downloads.html)
+ - [:fontawesome-brands-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
+ - [:fontawesome-brands-git: Mã nguồn](https://www.veracrypt.fr/code)
+
+Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders.
+
+Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor).
The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS.
+
+Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail.
+
+### Picocrypt (File)
+
+!!! khuyến nghị
+
+ ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right }
+
+ **Picocrypt** is a small and simple encryption tool that provides modern encryption. [Homepage](https://cryptomator.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://cryptomator.org/privacy){ .md-button }
+
+ ??? tải xuống
+
+ - [:fontawesome-brands-windows: Windows](https://cryptomator.org/downloads)
+ - [:fontawesome-brands-apple: macOS](https://cryptomator.org/downloads)
+ - [:fontawesome-brands-linux: Linux](https://cryptomator.org/downloads)
+ - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:fontawesome-brands-android: F-Droid repo](https://cryptomator.org/android)
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/cryptomator)
+
+ [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases)
+
+### VeraCrypt (Disk)
+
+!!! khuyến nghị
+
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
+
+ **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication.
+
+ [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
+
+VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.
+
+When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher.
+
+Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
+
+## OS Full Disk Encryption
+
+Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor).
+
+### BitLocker
+
+!!! khuyến nghị
+
+ ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right }
+
+ **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).
+
+ [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation}
+
+BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
+
+??? example "Enabling BitLocker on Windows Home"
+
+ To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module.
+
+ 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style":
+
+ ```
+ powershell Get-Disk
+ ```
+
+ 2.
Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`:
+
+ ```
+ powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm
+ ```
+
+ 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**.
+
+ 4. Login with your admin account and type this in the command prompt to start encryption:
+
+ ```
+ manage-bde -on c: -used
+ ```
+
+ 5. Close the command prompt and continue booting to regular Windows.
+
+ 6. Open an admin command prompt and run the following commands:
+
+ ```
+ manage-bde c: -protectors -add -rp -tpm
+ manage-bde -protectors -enable c:
+ manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
+ ```
+
+ !!! tip
+
+ Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data.
+
+### FileVault
+
+!!! khuyến nghị
+
+ ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right }
+
+ **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip.
+
+ [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation}
+
+We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery.
+
+### Linux Unified Key Setup
+
+!!!
khuyến nghị
+
+ ![LUKS logo](assets/img/encryption-software/luks.png){ align=right }
+
+ **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.
+
+ [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" }
+
+??? example "Creating and opening encrypted containers"
+
+ ```
+ dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
+ sudo cryptsetup luksFormat /path-to-file
+ ```
+
+
+ #### Opening encrypted containers
+ We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface.
+ ```
+ udisksctl loop-setup -f /path-to-file
+ udisksctl unlock -b /dev/loop0
+ ```
+
+!!! note "Remember to back up volume headers"
+
+ We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with:
+
+ ```
+ cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
+ ```
+
+## Browser-based
+
+Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device.
+
+### hat.sh
+
+!!!
khuyến nghị
+
+ ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right }
+ ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
+
+ **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies.
+
+ [Homepage](https://hat.sh){ .md-button .md-button--primary }
+
+ ???
+
+## Command-line
+
+Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script).
+
+### Kryptor
+
+!!! khuyến nghị
+
+ ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right }
+
+ **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG.
+
+ [Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.kryptor.co.uk/features#privacy){ .md-button }
+
+ ??? tải xuống
+
+ - [:fontawesome-brands-windows: Windows](https://www.kryptor.co.uk)
+ - [:fontawesome-brands-apple: macOS](https://www.kryptor.co.uk)
+ - [:fontawesome-brands-linux: Linux](https://www.kryptor.co.uk)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/samuel-lucas6/Kryptor)
+
+### Tomb
+
+!!! khuyến nghị
+
+ ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right }
+
+ **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work).
+
+ [Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
+
+ ???
+
+## OpenPGP
+
+OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.
+
+When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
+
+!!! tip "Use future defaults when generating a key"
+
+ When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/):
+
+ ```bash
+ gpg --quick-gen-key alice@example.com future-default
+ ```
+
+### GNU Privacy Guard
+
+!!! khuyến nghị
+
+ ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right }
+
+ **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government.
+
+ [Homepage](https://gnupg.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://gnupg.org/privacy-policy.html){ .md-button }
+
+ ???
tải xuống
+
+ - [:fontawesome-brands-windows: Windows](https://gnupg.org/download.html)
+ - [:fontawesome-brands-apple: macOS](https://gpgtools.org)
+ - [:fontawesome-brands-linux: Linux](https://gnupg.org/download/index.html#binary)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:fontawesome-brands-git: Mã nguồn](https://git.gnupgi-bin/gitweb.cgi?p=gnupg.git)
+
+### GPG4win
+
+!!! khuyến nghị
+
+ ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right }
+
+ **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005.
+
+ [Homepage](https://gpg4win.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://gpg4win.org/privacy-policy.html){ .md-button }
+
+ ??? tải xuống
+
+ - [:fontawesome-brands-windows: Windows](https://gpg4win.org/download.html)
+ - [:fontawesome-brands-git: Mã nguồn](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary)
+
+### GPG Suite
+
+!!! note
+
+ We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices.
+
+!!! khuyến nghị
+
+ ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right }
+
+ **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS.
+
+ We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support.
+ + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! khuyến nghị + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.openkeychain.org/help/privacy-policy){ .md-button } + + ??? tải xuống + + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:pg-f-droid: F-Droid](https://f-droid.org/packages/org.sufficientlysecure.keychain/) + - [:fontawesome-brands-git: Mã nguồn](https://github.com/open-keychain/open-keychain) + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/file-sharing.md b/i18n/vi/file-sharing.md new file mode 100644 index 00000000..7e1247fc --- /dev/null +++ b/i18n/vi/file-sharing.md 
@@ -0,0 +1,160 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! khuyến nghị + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. [Homepage](https://onionshare.org){ .md-button .md-button--primary } [:pg-tor:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .md-button } + + ??? You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! khuyến nghị + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. 
It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [Homepage](https://freedombox.org){ .md-button .md-button--primary } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! khuyến nghị + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). 
The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! khuyến nghị + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** là bộ ứng dụng văn phòng mã nguồn mở miễn phí với nhiều chức năng. + + [Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button } + + ??? tải xuống + + - [:fontawesome-brands-windows: Windows](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-apple: macOS](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-linux: Linux](https://www.libreoffice.org/download/download/) + - [:pg-flathub: Flatpak](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + - [:pg-openbsd: OpenBSD](https://openports.se/editors/libreoffice) + - [:pg-netbsd: NetBSD](https://pkgsrc.se/misc/libreoffice) + - [:fontawesome-brands-google-play: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:fontawesome-brands-app-store-ios: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:fontawesome-brands-git: Mã nguồn](https://www.libreoffice.org/about-us/source-code) + +!!! danger + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** là lựa chọn thay thế, đây là bộ ứng dụng văn phòng mã nguồn mở miễn phí với nhiều chức năng. 
+ +### Syncthing (P2P) + +!!! khuyến nghị + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. 
+ + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/frontends.md b/i18n/vi/frontends.md new file mode 100644 index 00000000..89a3f76d --- /dev/null +++ b/i18n/vi/frontends.md 
@@ -0,0 +1,274 @@ +--- +title: "Frontends" +icon: material/flip-to-front +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! khuyến nghị + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. 
+ +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! khuyến nghị + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. 
Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! khuyến nghị + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! khuyến nghị + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). 
When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! khuyến nghị + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. 
+ + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! khuyến nghị + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. 
+ + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. 
+ + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! khuyến nghị + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. 
Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! khuyến nghị + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! 
tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... 
+ +- Not normally accessible without JavaScript. + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/index.md b/i18n/vi/index.md new file mode 100644 index 00000000..7357d16d --- /dev/null +++ b/i18n/vi/index.md 
@@ -0,0 +1,44 @@ +--- +template: overrides/home.vi.html +hide: + - navigation + - toc + - feedback +--- + + +## Why should I care? + +##### “I have nothing to hide. Why should I care about my privacy?” + +Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination). + +You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human. + +[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary} + +## What should I do? + +##### First, you need to make a plan + +Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them. + +==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan. + +[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## We need you! 
Here's how to get involved: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" } +[:material-information-outline:](about/index.md){ title="Learn more about us" } +[:material-hand-coin-outline:](about/donate.md){ title="Support the project" } + +It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know. + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/kb-archive.md b/i18n/vi/kb-archive.md new file mode 100644 index 00000000..a0b2906e --- /dev/null +++ b/i18n/vi/kb-archive.md 
@@ -0,0 +1,18 @@ +--- +title: KB Archive +icon: material/archive +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/meta/brand.md b/i18n/vi/meta/brand.md new file mode 100644 index 00000000..fc70c8dd --- /dev/null +++ b/i18n/vi/meta/brand.md @@ -0,0 +1,24 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/meta/git-recommendations.md b/i18n/vi/meta/git-recommendations.md new file mode 100644 index 00000000..e641af67 --- /dev/null +++ b/i18n/vi/meta/git-recommendations.md 
@@ -0,0 +1,48 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). 
+ +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/meta/uploading-images.md b/i18n/vi/meta/uploading-images.md new file mode 100644 index 00000000..ad36c356 --- /dev/null +++ b/i18n/vi/meta/uploading-images.md 
@@ -0,0 +1,91 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash 
+scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/meta/writing-style.md b/i18n/vi/meta/writing-style.md new file mode 100644 index 00000000..c7c995ec --- /dev/null +++ b/i18n/vi/meta/writing-style.md 
@@ -0,0 +1,89 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. 
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. 
+ +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/mobile-browsers.md b/i18n/vi/mobile-browsers.md new file mode 100644 index 00000000..ab514a8b --- /dev/null +++ b/i18n/vi/mobile-browsers.md 
@@ -0,0 +1,199 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! khuyến nghị + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? 
downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +
+ +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! khuyến nghị + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. 
+ +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). 
Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! khuyến nghị + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. 
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/multi-factor-authentication.md b/i18n/vi/multi-factor-authentication.md new file mode 100644 index 00000000..bacd8a93 --- /dev/null +++ b/i18n/vi/multi-factor-authentication.md 
@@ -0,0 +1,156 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +--- + +## Hardware Security Keys + +### YubiKey + +!!! khuyến nghị + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. 
+ +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey / Librem Key + +!!! khuyến nghị + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. 
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html). + + The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +!!! tip + + The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. 
Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! khuyến nghị + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! khuyến nghị + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. 
+ + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Must be open-source software. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/news-aggregators.md b/i18n/vi/news-aggregators.md new file mode 100644 index 00000000..07484c38 --- /dev/null +++ b/i18n/vi/news-aggregators.md 
@@ -0,0 +1,173 @@ +--- +title: "News Aggregators" +icon: material/rss +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favourite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! khuyến nghị + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. [Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .md-button } + + ??? + + tải xuống + + - [:fontawesome-brands-windows: Windows](https://hyliu.me/fluent-reader) + - [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/app/id1520907427) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/yang991178/fluent-reader.git) downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! khuyến nghị + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + + ??? tải xuống + + - [:fontawesome-brands-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.gabmus.gfeeds) + - [:fontawesome-brands-gitlab: Mã nguồn](https://gitlab.gnome.org/World/gfeeds) + +### Fluent Reader + +!!! 
khuyến nghị + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? [Website](https://apps.kde.org/akregator){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://kde.org/privacypolicy-apps){ .md-button } + + ??? + +### GNOME Feeds + +!!! khuyến nghị + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [Homepage](https://yanus171.github.io/Handy-News-Reader/){ .md-button .md-button--primary } + + ??? tải xuống + + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=ru.yanus171.feedexfork) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/ru.yanus171.feedexfork/) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/yanus171/Handy-News-Reader) + +### Miniflux + +!!! 
khuyến nghị + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [Homepage](https://netnewswire.com/){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://netnewswire.com/privacypolicy){ .md-button } + + ??? + +### NetNewsWire + +!!! khuyến nghị + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [Homepage](https://miniflux.app){ .md-button .md-button--primary } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! khuyến nghị + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [Homepage](https://newsboat.org){ .md-button .md-button--primary } + + ??? + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. 
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! 
example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/notebooks.md b/i18n/vi/notebooks.md new file mode 100644 index 00000000..6d6c532a --- /dev/null +++ b/i18n/vi/notebooks.md 
@@ -0,0 +1,109 @@ +--- +title: "Sổ Ghi Chép" +icon: material/notebook-edit-outline +--- + +Theo dõi các ghi chú và nhật ký của bạn mà không đưa chúng cho bên thứ ba. + +Nếu bạn hiện đang sử dụng một ứng dụng như Evernote, Google Keep hoặc Microsoft OneNote, chúng tôi khuyên bạn nên chọn một ứng dụng thay thế hỗ trợ E2EE tại đây. + +## Dựa trên đám mây + +### Joplin + +!!! khuyến nghị + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** là một ứng dụng ghi chú và việc cần làm miễn phí, mã nguồn mở và đầy đủ tính năng có thể xử lý một số lượng lớn các ghi chú đánh dấu được sắp xếp thành sổ ghi chép và thẻ. Nó cung cấp E2EE và có thể đồng bộ hóa thông qua Nextcloud, Dropbox, v.v. Nó cũng cung cấp khả năng nhập dễ dàng từ Evernote và ghi chú văn bản thuần túy. + + [Website](https://joplinapp.org/){ .md-button .md-button--primary } + + ??? tải xuống + + - [:fontawesome-brands-windows: Windows](https://joplinapp.org/#desktop-applications) + - [:fontawesome-brands-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:fontawesome-brands-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:fontawesome-brands-firefox-browser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/net.cozic.joplin) + - [:fontawesome-brands-github: GitHub](https://github.com/laurent22/joplin) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). 
Dữ liệu vẫn được mã hóa khi chuyển tiếp và tại vị trí đồng bộ hóa bằng khóa chính của bạn. + +### Standard Notes + +!!! khuyến nghị + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + Standard Notes là một ứng dụng ghi chú đơn giản và riêng tư giúp bạn ghi chú dễ dàng và có sẵn ở mọi nơi. Nó có tính năng E2EE trên mọi nền tảng và trải nghiệm máy tính để bàn mạnh mẽ với các chủ đề và trình chỉnh sửa tùy chỉnh. Nó cũng đã được [kiểm toán độc lập (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [Website](https://standardnotes.com){ .md-button .md-button--primary } + + ??? tải xuống + + - [:fontawesome-brands-windows: Windows](https://standardnotes.com) + - [:fontawesome-brands-apple: macOS](https://standardnotes.com) + - [:fontawesome-brands-linux: Linux](https://standardnotes.com) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1285392450) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/com.standardnotes) + - [:octicons-browser-16: Browser](https://app.standardnotes.com/) + - [:fontawesome-brands-github: GitHub](https://github.com/standardnotes) + +### EteSync Notes + +!!! khuyến nghị + + ![EteSync Notes logo](assets/img/notebooks/etesync-notes.png){ align=right } + + **EteSync Notes** là một ứng dụng ghi chú an toàn, được mã hóa qui trình đầu cuối và tôn trọng quyền riêng tư. EteSync cũng cung cấp phần mềm tùy chọn dưới dạng dịch vụ với giá [$24 mỗi năm](https://dashboard.etebase.com/user/partner/pricing/), hoặc bạn có thể tự lưu trữ máy chủ miễn phí. + + [etebase](https://docs.etebase.com), là nền tảng của EteSync, cũng có thể được các ứng dụng khác sử dụng như một phần mềm phụ trợ để lưu trữ dữ liệu được mã hóa từ đầu đến cuối (E2EE). 
[Website](https://www.etesync.com){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.etesync.com/tos/#privacy){ .md-button } + + ??? + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! khuyến nghị + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. 
Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/os/android-overview.md b/i18n/vi/os/android-overview.md new file mode 100644 index 00000000..856fcc71 --- /dev/null +++ b/i18n/vi/os/android-overview.md 
@@ -0,0 +1,135 @@
+---
+title: Android Overview
+icon: fontawesome/brands/android
+---
+
+Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system.
+
+## Choosing an Android Distribution
+
+When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android.
+
+This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model.
+
+Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria.
+
+[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button}
+
+## Avoid Rooting
+
+[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses.
+
+Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.
+
+ AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations.
+
+We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps.
+
+## Verified Boot
+
+[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
+
+Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted.
+
+Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device.
+
+Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended.
+
+Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage.
+
+## Firmware Updates
+
+Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin).
+
+As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support.
+
+EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed.
+
+ Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates.
+
+## Android Versions
+
+It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
+
+## Android Permissions
+
+[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel.
+
+Should you want to run an app that you're unsure about, consider using a user or work profile.
+
+## Media Access
+
+Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter.
+
+## User Profiles
+
+Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android.
+
+With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation.
+
+## Work Profile
+
+[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles.
+
+A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one.
+
+The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile.
+
+ This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously.
+
+## VPN Killswitch
+
+Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+## Global Toggles
+
+Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled.
+
+## Google
+
+If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play.
+
+### Advanced Protection Program
+
+If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support.
+
+The Advanced Protection Program provides enhanced threat monitoring and enables:
+
+- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth)
+- Only Google and verified third-party apps can access account data
+- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
+- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
+- Stricter recovery process for accounts with lost credentials
+
+ If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as:
+
+- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)
+- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
+- Warning you about unverified applications
+
+### Google Play System Updates
+
+In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services.
+
+If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible.
+
+### Advertising ID
+
+All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you.
+
+On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*.
+
+On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check
+
+- :gear: **Settings** → **Google** → **Ads**
+- :gear: **Settings** → **Privacy** → **Ads**
+
+You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID.
+
+### SafetyNet and Play Integrity API
+
+[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`.
Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/os/linux-overview.md b/i18n/vi/os/linux-overview.md new file mode 100644 index 00000000..d4d0d812 --- /dev/null +++ b/i18n/vi/os/linux-overview.md 
@@ -0,0 +1,143 @@
+---
+title: Linux Overview
+icon: simple/linux
+---
+
+It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years.
+
+At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.:
+
+- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). 
These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack)
+- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go
+- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations)
+
+Despite these drawbacks, desktop Linux distributions are great if you want to:
+
+- Avoid telemetry that often comes with proprietary operating systems
+- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms)
+- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/)
+
+Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here.
+
+[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button}
+
+## Choosing your distribution
+
+Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use.
+
+### Release cycle
+
+We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. 
This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
+
+For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.
+
+We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this:
+
+
+ +
+
+### Traditional vs Atomic updates
+
+Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating.
+
+Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic.
+
+A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state."
+
+The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue:
+
+
+ +
+
+### “Security-focused” distributions
+
+There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use.
+
+### Arch-based distributions
+
+Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.
+
+For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit).
+
+Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). 
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.
+
+If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically:
+
+- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories.
+- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks.
+
+### Kicksecure
+
+While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.
+
+### Linux-libre kernel and “Libre” distributions
+
+We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. 
+
+## General Recommendations
+
+### Drive Encryption
+
+Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
+
+- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+
+### Swap
+
+Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM).
+
+### Wayland
+
+We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. 
+
+Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
+
+We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
+
+### Proprietary Firmware (Microcode Updates)
+
+Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html).
+
+We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. 
+
+### Updates
+
+Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found.
+
+Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates.
+
+Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd).
+
+## Privacy Tweaks
+
+### MAC Address Randomization
+
+Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings.
+
+It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous.
+
+We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/).
+
+If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). 
+
+There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware.
+
+### Other Identifiers
+
+There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md):
+
+- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings.
+- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
+- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id).
+
+### System Counting
+
+The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary.
+
+This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. 
+
+openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file.
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/os/qubes-overview.md b/i18n/vi/os/qubes-overview.md
new file mode 100644
index 00000000..3f79defc
--- /dev/null
+++ b/i18n/vi/os/qubes-overview.md
@@ -0,0 +1,56 @@
+---
+title: "Qubes Overview"
+icon: pg/qubes-os
+---
+
+[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/).
+
+## How does Qubes OS work?
+
+Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines.
+
+![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png)
+
Qubes Architecture, Credit: What is Qubes OS Intro
+
+Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser.
+
+![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png)
+
Qubes window borders, Credit: Qubes Screenshots
+
+## Why Should I use Qubes?
+
+Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources.
+
+Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control.
+
+### Copying and Pasting Text
+
+You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions:
+
+1. Press **Ctrl+C** to tell the VM you're in that you want to copy something.
+2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard.
+3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available.
+4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer.
+
+### File Exchange
+
+To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system.
+
+??? info "AppVMs or qubes do not have their own file systems"
+
+ You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. 
+
+### Inter-VM Interactions
+
+The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/).
+
+## Additional Resources
+
+For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc).
+
+- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/)
+- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf)
+- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html)
+- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles)
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/passwords.md b/i18n/vi/passwords.md
new file mode 100644
index 00000000..7f8c0030
--- /dev/null
+++ b/i18n/vi/passwords.md
@@ -0,0 +1,250 @@
+---
+title: "Password Managers"
+icon: material/form-textbox-password
+---
+
+Password managers allow you to securely store and manage passwords and other credentials with the use of a master password.
+
+[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md)
+
+!!! info
+
+ Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. [Homepage](https://keepassxc.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://keepassxc.org/privacy){ .md-button }
+
+ ???
+
+ tải xuống
+
+ - [:fontawesome-brands-windows: Windows](https://keepassxc.org/download/#windows)
+ - [:fontawesome-brands-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:fontawesome-brands-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/keepassxreboot/keepassxc) Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default.
+
+## Dựa trên đám mây
+
+These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss.
+
+### Bitwarden
+
+!!! khuyến nghị
+
+ ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right }
+
+ **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. 
Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices.
+
+ [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744)
+ - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases)
+ - [:simple-windows11: Windows](https://bitwarden.com/download)
+ - [:simple-linux: Linux](https://bitwarden.com/download)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh)
+
+Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan).
+
+You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. 
+
+Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server.
+
+**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code.
+
+[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation}
+[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute }
+
+### 1Password
+
+!!! khuyến nghị
+
+ ![1Password logo](assets/img/password-management/1password.svg){ align=right }
+
+ **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf).
+
+ [Website](https://bitwarden.com){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://bitwarden.com/privacy){ .md-button }
+
+ ??? 
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8)
+ - [:simple-windows11: Windows](https://1password.com/downloads/windows/)
+ - [:simple-apple: macOS](https://1password.com/downloads/mac/)
+ - [:simple-linux: Linux](https://1password.com/downloads/linux/)
+
+Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality.
+
+Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data.
+
+One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate.
+
+### Psono
+
+!!! khuyến nghị
+
+ ![Psono logo](assets/img/password-management/psono.svg){ align=right }
+
+ **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. 
+
+ [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo)
+ - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client)
+
+Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features.
+
+### Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! cảnh báo
+ PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn.
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. 
tải xuống
+
+ - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden)
+
+#### Minimum Requirements
+
+- Must utilize strong, standards-based/modern E2EE.
+- Must have thoroughly documented encryption and security practices.
+- Must have a published audit from a reputable, independent third-party.
+- All non-essential telemetry must be optional.
+- Must not collect more PII than is necessary for billing purposes.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Telemetry should be opt-in (disabled by default) or not collected at all.
+- Should be open-source and reasonably self-hostable.
+
+## Local Storage
+
+These options allow you to manage an encrypted password database locally.
+
+### KeePassXC
+
+!!! khuyến nghị
+
+ ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right }
+
+ **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager.
+
+ [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute }
+
+ ??? 
downloads
+
+ - [:simple-windows11: Windows](https://keepassxc.org/download/#windows)
+ - [:simple-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:simple-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+
+KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually.
+
+### KeePassDX (Android)
+
+!!! khuyến nghị
+
+ ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right }
+
+ **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development.
+
+ [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free)
+ - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases)
+
+### Strongbox (iOS & macOS)
+
+!!!
khuyến nghị
+
+ ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right }
+
+ **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license.
+
+ [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731)
+
+Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface.
+
+### Command-line
+
+These products are minimal password managers that can be used within scripting applications.
+
+#### gopass
+
+!!! khuyến nghị
+
+ ![gopass logo](assets/img/password-management/gopass.svg){ align=right }
+
+ **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows).
+
+ [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows)
+ - [:simple-apple: macOS](https://www.gopass.pw/#install-macos)
+ - [:simple-linux: Linux](https://www.gopass.pw/#install-linux)
+ - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd)
+
+### Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! cảnh báo
+ PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn.
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống
+
+ - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden)
+
+- Must be cross-platform.
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/productivity.md b/i18n/vi/productivity.md
new file mode 100644
index 00000000..4b1a9387
--- /dev/null
+++ b/i18n/vi/productivity.md
@@ -0,0 +1,171 @@
+---
+title: "Productivity Tools"
+icon: material/file-sign
+---
+
+Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints.
+
+## Ứng Dụng Văn Phòng
+
+### LibreOffice
+
+!!! khuyến nghị
+
+ ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right }
+
+ **LibreOffice** là bộ ứng dụng văn phòng mã nguồn mở miễn phí với nhiều chức năng.
+
+ [Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button }
+
+ ??? tải xuống
+
+ - [:fontawesome-brands-windows: Windows](https://www.libreoffice.org/download/download/)
+ - [:fontawesome-brands-apple: macOS](https://www.libreoffice.org/download/download/)
+ - [:fontawesome-brands-linux: Linux](https://www.libreoffice.org/download/download/)
+ - [:pg-flathub: Flatpak](https://www.libreoffice.org/download/download/)
+ - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/)
+ - [:pg-openbsd: OpenBSD](https://openports.se/editors/libreoffice)
+ - [:pg-netbsd: NetBSD](https://pkgsrc.se/misc/libreoffice)
+ - [:fontawesome-brands-google-play: Google Play](https://www.libreoffice.org/download/android-and-ios/)
+ - [:fontawesome-brands-app-store-ios: App Store](https://www.libreoffice.org/download/android-and-ios/)
+ - [:fontawesome-brands-git: Mã nguồn](https://www.libreoffice.org/about-us/source-code)
+
+!!! danger
+
+ ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right }
+
+ **OnlyOffice** là lựa chọn thay thế, đây là bộ ứng dụng văn phòng mã nguồn mở miễn phí với nhiều chức năng.
[Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .md-button }
+
+ ???
+
+### OnlyOffice
+
+!!! khuyến nghị
+
+ ![Framadate logo](assets/img/productivity/framadate.svg){ align=right }
+
+ **Framadate** là một dịch vụ trực tuyến mã nguồn mở miễn phí để lên kế hoạch cho một cuộc hẹn hoặc đưa ra quyết định một cách nhanh chóng và dễ dàng. Không cần đăng ký.
+
+ [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute }
+
+### Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! cảnh báo
+ PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn.
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES.
tải xuống
+
+ - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden)
+
+In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive.
+
+- Open-source.
+- Makes files accessible via WebDAV unless it is impossible due to E2EE.
+- Has sync clients for Linux, macOS, and Windows.
+- Supports document and spreadsheet editing.
+- Supports real-time document collaboration.
+- Supports exporting documents to standard document formats (e.g. ODF).
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should store files in a conventional filesystem.
+- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins.
+
+## Lập Kế Hoạch
+
+### PrivateBin
+
+!!! khuyến nghị
+
+ ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right }
+
+ **LibreOffice** is a free and open-source office suite with extensive functionality.
+
+ [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/)
+ - [:simple-apple: macOS](https://www.libreoffice.org/download/download/)
+ - [:simple-linux: Linux](https://www.libreoffice.org/download/download/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/)
+
+### OnlyOffice
+
+!!! khuyến nghị
+
+ ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right }
+
+ **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud.
+
+ [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972)
+ - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/)
+
+### Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! cảnh báo
+ PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn.
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống
+
+ - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden)
+
+In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs.
+
+- Must be cross-platform.
+- Must be open-source software.
+- Must function offline.
+- Must support editing documents, spreadsheets, and slideshows.
+- Must export files to standard document formats.
+
+## Paste services
+
+### PrivateBin
+
+!!! khuyến nghị
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/).
+
+ [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" }
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/real-time-communication.md b/i18n/vi/real-time-communication.md
new file mode 100644
index 00000000..23da1c1e
--- /dev/null
+++ b/i18n/vi/real-time-communication.md
@@ -0,0 +1,199 @@
+---
+title: "Real-Time Communication"
+icon: material/chat-processing
+---
+
+These are our recommendations for encrypted real-time communication.
+
+[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md)
+
+## Encrypted Messengers
+
+These messengers are great for securing your sensitive communications.
+
+### Signal
+
+!!! khuyến nghị
+
+ ![Signal logo](assets/img/messengers/signal.svg){ align=right }
+
+ **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling.
+
+ All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with.
+
+ [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669)
+ - [:simple-android: Android](https://signal.org/android/apk/)
+ - [:simple-windows11: Windows](https://signal.org/download/windows)
+ - [:simple-apple: macOS](https://signal.org/download/macos)
+ - [:simple-linux: Linux](https://signal.org/download/linux)
+
+Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes.
Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier.
+
+The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
+
+We have some additional tips on configuring and hardening your Signal installation:
+
+[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+
+### SimpleX Chat
+
+!!! khuyến nghị
+
+ ![Simplex logo](assets/img/messengers/simplex.svg){ align=right }
+
+ **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations.
+
+ [Website](https://element.io/){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://element.io/privacy){ .md-button }
+
+ ???
tải xuống
+
+ - [:fontawesome-brands-windows: Windows](https://element.io/get-started)
+ - [:fontawesome-brands-apple: macOS](https://element.io/get-started)
+ - [:fontawesome-brands-linux: Linux](https://element.io/get-started)
+ - [:octicons-browser-16: Browser](https://app.element.io)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=im.vector.app)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/packages/im.vector.app/)
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/vector/id1083446067)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/vector-im/element-web)
+
+SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022.
+
+Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported.
+
+Your data can be exported, and imported onto another device, as there are no central servers where this is backed up.
+
+### Briar
+
+!!! khuyến nghị
+
+ ![Briar logo](assets/img/messengers/briar.svg){ align=right }
+
+ **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem.
+
+ [Homepage](https://briarproject.org/){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://briarproject.org/privacy-policy/){ .md-button }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android)
+ - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/)
+ - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar)
+
+To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby.
+
+The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited.
+
+Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec).
+
+Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol.
+
+## Additional Options
+
+!!! warning
+
+ These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications.
+
+### Element
+
+!!! khuyến nghị
+
+ ![Element logo](assets/img/messengers/element.svg){ align=right }
+
+ **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication.
+
+ Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls.
+
+ [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067)
+ - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases)
+ - [:simple-windows11: Windows](https://element.io/get-started)
+ - [:simple-apple: macOS](https://element.io/get-started)
+ - [:simple-linux: Linux](https://element.io/get-started)
+ - [:octicons-globe-16: Web](https://app.element.io)
+
+Profile pictures, reactions, and nicknames are not encrypted.
+
+Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings.
+
+The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history.
+
+The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016.
The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/).
+
+### Session
+
+!!! khuyến nghị
+
+ ![Session logo](assets/img/messengers/session.svg){ align=right }
+
+ **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls.
+
+ Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network.
+
+ [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868)
+ - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases)
+ - [:simple-windows11: Windows](https://getsession.org/download)
+ - [:simple-apple: macOS](https://getsession.org/download)
+ - [:simple-linux: Linux](https://getsession.org/download)
+
+Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design.
+
+Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information.
+
+Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.”
+
+Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol.
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! cảnh báo
+ PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn.
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống
+
+ - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden)
+
+- Must have open-source clients.
+- Must use E2EE for private messages by default.
+- Must support E2EE for all messages.
+- Must have been independently audited.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should have Perfect Forward Secrecy.
+- Should have open-source servers.
+- Should be decentralized, i.e. federated or P2P.
+- Should use E2EE for all messages by default.
+- Should support Linux, macOS, Windows, Android, and iOS.
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/router.md b/i18n/vi/router.md
new file mode 100644
index 00000000..58b1ab0a
--- /dev/null
+++ b/i18n/vi/router.md
@@ -0,0 +1,54 @@
+---
+title: "Firmware Bộ định tuyến"
+icon: material/router-wireless
+---
+
+Dưới đây là một số hệ điều hành thay thế, có thể được sử dụng trên bộ định tuyến, điểm truy cập Wi-Fi, v.v.
+
+## OpenWrt
+
+!!! khuyến nghị
+
+ ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right }
+ ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right }
+
+ **OpenWrt** là một hệ điều hành (cụ thể là hệ điều hành nhúng) dựa trên nhân Linux, chủ yếu được sử dụng trên các thiết bị nhúng để định tuyến lưu lượng mạng. Các thành phần chính là Linux kernel, using-linux, uClibc và BusyBox. Tất cả các thành phần đã được tối ưu hóa về kích thước, đủ nhỏ để phù hợp với bộ nhớ và lưu trữ hạn chế có sẵn trong bộ định tuyến gia đình.
+
+ [Homepage](https://openwrt.org){ .md-button .md-button--primary }
+
+ ???
+
+Bạn có thể tham khảo OpenWrt's [table of hardware](https://openwrt.org/toh/start) để kiểm tra xem thiết bị của bạn có được hỗ trợ hay không.
+
+## OPNsense
+
+!!! khuyến nghị
+
+ ![pfSense logo](assets/img/router/pfsense.svg#only-light){ align=right }
+ ![pfSense logo](assets/img/router/pfsense-dark.svg#only-dark){ align=right }
+
+ pfSense là một bản phân phối phần mềm máy tính tường lửa/bộ định tuyến mã nguồn mở dựa trên FreeBSD. Nó được cài đặt trên máy tính để làm tường lửa/bộ định tuyến chuyên dụng cho mạng và được chú ý về độ tin cậy và cung cấp các tính năng thường chỉ có trong các tường lửa thương mại đắt tiền.
+
+ pfSense thường được triển khai dưới dạng tường lửa vành đai, bộ định tuyến, điểm truy cập không dây, máy chủ DHCP, máy chủ DNS và điểm cuối VPN.
+
+OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls.
Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project.
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! cảnh báo
+ PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn.
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống
+
+ - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden)
+
+- Must be open source.
+- Must receive regular updates.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/search-engines.md b/i18n/vi/search-engines.md
new file mode 100644
index 00000000..4ef4e222
--- /dev/null
+++ b/i18n/vi/search-engines.md
@@ -0,0 +1,113 @@
+---
+title: "Search Engines"
+icon: material/search-web
+---
+
+Use a search engine that doesn't build an advertising profile based on your searches.
+
+The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored.
+
+Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider.
+
+## Brave Search
+
+!!! khuyến nghị
+
+ ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right }
+
+ **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives.
+
+ Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts.
+
+ We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings.
+
+ [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation}
+
+Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained.
+
+## DuckDuckGo
+
+!!! 
khuyến nghị
+
+ ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right }
+
+ **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). [Website](https://www.startpage.com){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.startpage.com/en/privacy-policy){ .md-button }
+
+ DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser.
+
+ [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation}
+
+DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information.
+
+DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version.
+
+## SearXNG
+
+!!! 
khuyến nghị
+
+ ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right }
+
+ **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx).
+
+ [Website](https://www.mojeek.com){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.mojeek.com/about/privacy){ .md-button }
+
+SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from.
+
+When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities.
+
+When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII.
+
+## Startpage
+
+!!! khuyến nghị
+
+ ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right }
+ ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right }
+
+ **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. 
Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead.
+
+ [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation}
+
+!!! warning
+
+ Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider.
+
+Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information.
+
+Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received.
+
+## Framadate
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! 
cảnh báo
+ PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn.
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống
+
+ - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server)
+ - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden)
+
+### Minimum Requirements
+
+- Must not collect personally identifiable information per their privacy policy.
+- Must not allow users to create an account with them.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be based on open-source software.
+- Should not block Tor exit node IP addresses.
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/tools.md b/i18n/vi/tools.md
new file mode 100644
index 00000000..188917ab
--- /dev/null
+++ b/i18n/vi/tools.md
@@ -0,0 +1,443 @@
+---
+title: "Privacy Tools"
+icon: material/tools
+hide:
+ - toc
+---
+
+If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs.
+
+If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community!
+
+For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page.
+
+## Tor Network
+
+
+
+- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser)
+- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot)
+- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1)
+
+
+
+1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy.
+
+[Learn more :material-arrow-right-drop-circle:](tor.md)
+
+## Desktop Web Browsers
+
+
+
+- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox)
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md)
+
+### Additional Resources
+
+
+
+- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources)
+
+## Mobile Web Browsers
+
+
+
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave)
+- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md)
+
+### Additional Resources
+
+
+
+- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard)
+
+## Operating Systems
+
+### Mobile
+
+
+
+- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos)
+- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md)
+
+#### Android Apps
+
+
+
+- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store)
+- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter)
+- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor)
+- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera)
+- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md#general-apps)
+
+### Desktop/PC
+
+
+
+- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os)
+- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation)
+- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed)
+- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux)
+- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue)
+- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos)
+- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix)
+- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop.md)
+
+### Firmware Bộ định tuyến
+
+
+
+- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt)
+- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](router.md)
+
+## Service Providers
+
+### Cloud Storage
+
+
+
+- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](cloud.md)
+
+### DNS
+
+#### DNS Providers
+
+We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended.
+
+[Learn more :material-arrow-right-drop-circle:](dns.md)
+
+#### Encrypted DNS Proxies
+
+
+
+- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns)
+- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies)
+
+#### Self-hosted Solutions
+
+
+
+- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home)
+- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions)
+
+### Email
+
+
+
+- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail)
+- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg)
+- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail)
+- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md)
+
+#### Email Aliasing Services
+
+
+
+- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy)
+- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services)
+
+#### Self-Hosting Email
+
+
+
+- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email)
+- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email)
+
+### Search Engines
+
+
+
+- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search)
+- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo)
+- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng)
+- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](search-engines.md)
+
+### VPN Providers
+
+??? danger "VPNs do not provide anonymity"
+
+ Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.
+
+ If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
+
+ If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
+
+ [Learn more :material-arrow-right-drop-circle:](vpn.md)
+
+
+
+- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn)
+- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn)
+- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](vpn.md)
+
+## Software
+
+### Calendar Sync
+
+
+
+- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota)
+- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](calendar.md)
+
+### Data and Metadata Redaction
+
+
+
+- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2)
+- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android)
+- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios)
+- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur)
+- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](data-redaction.md)
+
+### Email Clients
+
+
+
+- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird)
+- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos)
+- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios)
+- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android)
+- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome)
+- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android)
+- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde)
+- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser)
+- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email-clients.md)
+
+### Encryption Software
+
+??? info "Operating System Disk Encryption"
+
+ For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems.
+
+ [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde)
+
+
+
+- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud)
+- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file)
+- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk)
+- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh)
+- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor)
+- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](encryption.md)
+
+#### OpenPGP Clients
+
+
+
+- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard)
+- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win)
+- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite)
+- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp)
+
+### File Sharing and Sync
+
+
+
+- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send)
+- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare)
+- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox)
+- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud)
+- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](file-sharing.md)
+
+### Frontends
+
+
+
+- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian)
+- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter)
+- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube)
+- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee)
+- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android)
+- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android)
+- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious)
+- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](frontends.md)
+
+### Multi-Factor Authentication Tools
+
+
+
+- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey)
+- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key)
+- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator)
+- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md)
+
+### News Aggregators
+
+
+
+- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator)
+- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder)
+- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader)
+- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds)
+- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux)
+- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire)
+- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](news-aggregators.md)
+
+### Sổ Ghi Chép
+
+
+
+- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin)
+- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes)
+- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee)
+- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](notebooks.md)
+
+### Password Managers
+
+
+
+- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden)
+- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password)
+- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono)
+- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc)
+- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android)
+- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos)
+- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](passwords.md)
+
+### Productivity Tools
+
+
+
+- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud)
+- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice)
+- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice)
+- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad)
+- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](productivity.md)
+
+### Real-Time Communication
+
+
+
+- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal)
+- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar)
+- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat)
+- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element)
+- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
+
+### Video Streaming Clients
+
+
+
+- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](video-streaming.md)
+
+--8<-- "includes/abbreviations.vi.txt"
diff --git a/i18n/vi/tor.md b/i18n/vi/tor.md
new file mode 100644
index 00000000..9c8d74f1
--- /dev/null
+++ b/i18n/vi/tor.md
@@ -0,0 +1,130 @@
+---
+title: "Tor Network"
+icon: simple/torproject
+---
+
+![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right }
+
+The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool.
+
+[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage }
+[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation}
+[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity.
+
+
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+ +- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md) + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! khuyến nghị + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! 
danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. tải xuống + + - [:fontawesome-brands-windows: Windows](https://www.mozilla.org/firefox/windows) + - [:fontawesome-brands-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:fontawesome-brands-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.firefox) + - [:fontawesome-brands-git: Mã nguồn](https://hg.mozilla.org/mozilla-central) + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Google Pixel + +!!! khuyến nghị + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. 
This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to. + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! khuyến nghị + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/video-streaming.md b/i18n/vi/video-streaming.md new file mode 100644 index 00000000..7d82f9a6 --- /dev/null +++ b/i18n/vi/video-streaming.md 
@@ -0,0 +1,57 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! khuyến nghị + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [Homepage](https://freetubeapp.io){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://freetubeapp.io/privacy.php){ .md-button } + + ??? tải xuống + + - [:fontawesome-brands-windows: Windows](https://freetubeapp.io/#download) + - [:fontawesome-brands-apple: macOS](https://freetubeapp.io/#download) + - [:fontawesome-brands-linux: Linux](https://freetubeapp.io/#download) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/FreeTubeApp/FreeTube/) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. 
+ +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/vi/vpn.md b/i18n/vi/vpn.md new file mode 100644 index 00000000..d3afeee0 --- /dev/null +++ b/i18n/vi/vpn.md 
@@ -0,0 +1,323 @@ +--- +title: "VPN Services" +icon: material/vpn +--- + +Find a no-logging VPN operator who isn’t out to sell or read your web traffic. + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +??? question "When are VPNs useful?" + + If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. + + [More Info](basics/vpn-overview.md){ .md-button } + +## Recommended Providers + +!!! abstract "Criteria" + + Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#our-criteria) for more information. + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +??? success annotate "67 Countries" + + Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). 
A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +??? success "Open-Source Clients" + + Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +??? success "Accepts Cash" + + Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment. + +??? success "WireGuard Support" + + Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +??? warning "Remote Port Forwarding" + + Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +??? 
info "Additional Functionality" + + Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +!!! danger "Killswitch feature is broken on Intel-based Macs" + + System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +### IVPN + +!!! khuyến nghị + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +??? success annotate "35 Countries" + + IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1). 
Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +??? success "Open-Source Clients" + + As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +??? success "Accepts Cash and Monero" + + In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +??? success "WireGuard Support" + + IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. 
+ + IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +??? info "Additional Functionality" + + IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! khuyến nghị + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. 
+ + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +??? success annotate "41 Countries" + + Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2023-01-19 + +??? success "Independently Audited" + + Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). 
The security researchers concluded: + + > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + + In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + + > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + + In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +??? success "Open-Source Clients" + + Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +??? 
success "Accepts Cash and Monero" + + Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +??? success "WireGuard Support" + + Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "IPv6 Support" + + Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +??? 
success "Mobile Clients" + + Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +??? info "Additional Functionality" + + Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +## Framadate + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. 
+ +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- Monero or cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts Monero, cash, and other forms of anonymous payment options (gift cards, etc.) +- No personal information accepted (autogenerated username, no email required, etc.) 
+
+### Security
+
+A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis.
+
+**Minimum to Qualify:**
+
+- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
+- Perfect Forward Secrecy (PFS).
+- Published security audits from a reputable third-party firm.
+
+**Best Case:**
+
+- Strongest Encryption: RSA-4096.
+- Perfect Forward Secrecy (PFS).
+- Comprehensive published security audits from a reputable third-party firm.
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the VPN providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure.
We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. + +--8<-- "includes/abbreviations.vi.txt" diff --git a/i18n/zh-Hant/404.md b/i18n/zh-Hant/404.md new file mode 100644 index 00000000..c5e21f80 --- /dev/null +++ b/i18n/zh-Hant/404.md 
@@ -0,0 +1,17 @@ +--- +hide: + - feedback +--- + +# 404 - Not Found + +We couldn't find the page you were looking for! Maybe you were looking for one of these? + +- [Introduction to Threat Modeling](basics/threat-modeling.md) +- [Recommended DNS Providers](dns.md) +- [Best Desktop Web Browsers](desktop-browsers.md) +- [Best VPN Providers](vpn.md) +- [Privacy Guides Forum](https://discuss.privacyguides.net) +- [Our Blog](https://blog.privacyguides.org) + +--8<-- "includes/abbreviations.zh-Hant.txt" diff --git a/i18n/zh-Hant/CODE_OF_CONDUCT.md b/i18n/zh-Hant/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/zh-Hant/CODE_OF_CONDUCT.md 
@@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. 
**Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. 
diff --git a/i18n/zh-Hant/about/criteria.md b/i18n/zh-Hant/about/criteria.md
new file mode 100644
index 00000000..cf299e43
--- /dev/null
+++ b/i18n/zh-Hant/about/criteria.md
@@ -0,0 +1,42 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. 
+ +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. + +--8<-- "includes/abbreviations.zh-Hant.txt" diff --git a/i18n/zh-Hant/about/donate.md b/i18n/zh-Hant/about/donate.md new file mode 100644 index 00000000..3924efa1 --- /dev/null +++ b/i18n/zh-Hant/about/donate.md 
@@ -0,0 +1,52 @@ +--- +title: 支持與贊助 +--- + + +It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +如果你想在經濟上支援我們,對我們來說,最方便的方法是通過 Open Collective 捐款,這是一個由我們的財政主機營運的網站。Open Collective 接受信用卡/借記卡、PayPal 和銀行轉帳的付款。 Open Collective 接受信用卡/借記卡、PayPal 和銀行轉帳的付款。 + +[在 OpenCollective.com 上捐款](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. 捐贈後,您將收到 Open Collective Foundation 的收據。 隱私指南不提供財務建議,您應該聯繫您的稅務顧問,以確定這是否適用於您。 + +如果您已經使用 GitHub 贊助,您也可以在那裡贊助我們的組織。 + +[在 GitHub 上贊助我們](https://github.com/sponsors/privacyguides ""){.md-button} + +## 贊助者清單 + +特別感謝所有支持我們使命的人! :heart: + +*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## 我們如何使用贊助費用 + +Privacy Guides is a **non-profit** organization. We use donations for a variety of purposes, including: + +**域名註冊** +: + +我們有一些網域名稱,如 `privacyguides.org` ,每年花費大約 10 美元。 + +**網站託管** +: + +本網站的流量每月使用大約是數百 GB,我們使用各種服務提供商來提供流量。 + +**線上服務** +: + +We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). 
其中一些公開供我們的社區使用( SearXNG , Tor等) ,有些則提供給我們的團隊成員(電子郵件等)。 + +**產品購買** +: + +我們偶爾會購買產品和服務,以測試我們的 [推薦工具](../tools.md)。 + +我們仍在與我們的財政托管機構(Open Collective Foundation)合作,以接收加密貨幣捐贈,目前會計對許多較小的交易是不可行的,但這種情況在未來應該會發生變化。 與此同時,如果您希望捐贈大於 $ 100 美元的加密貨幣,請聯繫 [jonah@privacyguides.org](mailto:jonah@privacyguides.org) + +--8<-- "includes/abbreviations.zh-Hant.txt" diff --git a/i18n/zh-Hant/about/index.md b/i18n/zh-Hant/about/index.md new file mode 100644 index 00000000..5171c095 --- /dev/null +++ b/i18n/zh-Hant/about/index.md 
@@ -0,0 +1,63 @@ +--- +title: "About Privacy Guides" +--- + +**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. + +[:material-hand-coin-outline: Support the project](donate.md ""){.md-button.md-button--primary} + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? 
person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub! + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax deductible in the United States. + +## Site License + +*The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE):* + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. 
You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material.
+
+This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space!
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/about/notices.md b/i18n/zh-Hant/about/notices.md
new file mode 100644
index 00000000..87df542c
--- /dev/null
+++ b/i18n/zh-Hant/about/notices.md
@@ -0,0 +1,45 @@ +--- +title: "Notices and Disclaimers" +hide: + - toc +--- + +## Legal Disclaimer + +Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship. + +Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licenses + +Unless otherwise noted, all content on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). 
+
+This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive:
+
+* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt).
+
+Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE).
+
+This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo.
+
+We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use.
*When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.*
+
+When you contribute to this repository you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project.
+
+## Acceptable Use
+
+You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity.
+
+You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including:
+
+* Excessive Automated Scans
+* Denial of Service Attacks
+* Scraping
+* Data Mining
+* 'Framing' (IFrames)
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/about/privacy-policy.md b/i18n/zh-Hant/about/privacy-policy.md
new file mode 100644
index 00000000..e6d9462b
--- /dev/null
+++ b/i18n/zh-Hant/about/privacy-policy.md
@@ -0,0 +1,63 @@
+---
+title: "Privacy Policy"
+---
+
+Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people).
+
+## Data We Collect From Visitors
+
+The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website:
+
+- No personal information is collected
+- No information such as cookies are stored in the browser
+- No information is shared with, sent to or sold to third-parties
+- No information is shared with advertising companies
+- No information is mined and harvested for personal and behavioral trends
+- No information is monetized
+
+You can view the data we collect on our [statistics](statistics.md) page.
+
+We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected.
+
+Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy).
+
+## Data We Collect From Account Holders
+
+On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform.
+
+To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site.
+ +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. 
In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time.
+
+A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/about/privacytools.md b/i18n/zh-Hant/about/privacytools.md
new file mode 100644
index 00000000..5025f628
--- /dev/null
+++ b/i18n/zh-Hant/about/privacytools.md
@@ -0,0 +1,120 @@
+---
+title: "PrivacyTools FAQ"
+---
+
+# Why we moved on from PrivacyTools
+
+In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted.
+
+Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition.
+
+After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions.
+
+## What is PrivacyTools?
+
+PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc.
+
+Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested.
+
+## Why We Moved On
+
+In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again.
+
+In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.==
+
+## Domain Name Reliance
+
+At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment.
+
+The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place.
+
+Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome.
+
+In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition.
+
+## Community Call to Action
+
+At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped.
+
+## Control of r/privacytoolsIO
+
+Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit.
+
+Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms.
+
+> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer.
+>
+> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct).
+
+## Beginning the Transition
+
+On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain:
+
+> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc.
+
+This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/)
+
+- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org).
+- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site.
+- Posting announcements to our subreddit and various other communities informing people of the official change.
+- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible.
+
+Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped.
+
+## Following Events
+
+Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project.
+
+At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible).
+
+Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services.
+
+Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so.
+
+BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim.
+
+## PrivacyTools.io Now
+
+As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs.
+
+==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder.
+
+## r/privacytoolsIO Now
+
+After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021:
+
+> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you.
+>
+> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...]
+
+Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides.
+
+In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules:
+
+> Retaliation from any moderator with regards to removal requests is disallowed.
+
+For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is.
+
+## OpenCollective Now
+
+Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community.
+
+Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer:
+
+> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net.
+
+## Further Reading
+
+This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion.
+
+- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/)
+- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/)
+- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/)
+- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides)
+- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280)
+- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/)
+- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/)
+- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496)
+- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20)
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/about/services.md b/i18n/zh-Hant/about/services.md
new file mode 100644
index 00000000..26384f7b
--- /dev/null
+++ b/i18n/zh-Hant/about/services.md
@@ -0,0 +1,40 @@
+# Privacy Guides Services
+
+We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below.
+
+[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary}
+
+## Discourse
+
+- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net)
+- Availability: Public
+- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse)
+
+## Gitea
+
+- Domain: [code.privacyguides.dev](https://code.privacyguides.dev)
+- Availability: Invite-Only
+ Access may be granted upon request to any team working on *Privacy Guides*-related development or content.
+- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea)
+
+## Matrix
+
+- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org)
+- Availability: Invite-Only
+ Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence.
+- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy)
+
+## SearXNG
+
+- Domain: [search.privacyguides.net](https://search.privacyguides.net)
+- Availability: Public
+- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker)
+
+## Invidious
+
+- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net)
+- Availability: Semi-Public
+ We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time.
+- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious)
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/about/statistics.md b/i18n/zh-Hant/about/statistics.md new file mode 100644 index 00000000..7a967f05 --- /dev/null +++ b/i18n/zh-Hant/about/statistics.md @@ -0,0 +1,63 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + + +--8<-- "includes/abbreviations.zh-Hant.txt" diff --git a/i18n/zh-Hant/advanced/communication-network-types.md b/i18n/zh-Hant/advanced/communication-network-types.md new file mode 100644 index 00000000..0449d2cf --- /dev/null +++ b/i18n/zh-Hant/advanced/communication-network-types.md 
@@ -0,0 +1,104 @@
+---
+title: "Types of Communication Networks"
+icon: 'material/transit-connection-variant'
+---
+
+There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use.
+
+[Recommended Instant Messengers](../real-time-communication.md ""){.md-button}
+
+## Centralized Networks
+
+![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left }
+
+Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization.
+
+Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate.
+
+**Advantages:**
+
+- New features and changes can be implemented more quickly.
+- Easier to get started with and to find contacts.
+- Most mature and stable features ecosystems, as they are easier to program in a centralized software.
+- Privacy issues may be reduced when you trust a server that you're self-hosting.
+
+**Disadvantages:**
+
+- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like:
+- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage.
+- Poor or no documentation for third-party developers.
+- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on.
+- Self-hosting requires effort and knowledge of how to set up a service.
+
+## Federated Networks
+
+![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left }
+
+Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network.
+
+When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server).
+
+**Advantages:**
+
+- Allows for greater control over your own data when running your own server.
+- Allows you to choose whom to trust your data with by choosing between multiple "public" servers.
+- Often allows for third-party clients which can provide a more native, customized, or accessible experience.
+- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member).
+
+**Disadvantages:**
+
+- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network.
+- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion.
+- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used).
+- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used.
+- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers.
+
+## Peer-to-Peer Networks
+
+![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left }
+
+P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server.
+
+Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol).
+
+Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient.
+
+P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting.
+
+**Advantages:**
+
+- Minimal information is exposed to third-parties.
+- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models.
+
+**Disadvantages:**
+
+- Reduced feature set:
+- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online.
+- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online.
+- Some common messenger features may not be implemented or incompletely, such as message deletion.
+- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention.
+
+## Anonymous Routing
+
+![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left }
+
+A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three.
+
+There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers."
+
+Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit.
+
+**Advantages:**
+
+- Minimal to no information is exposed to other parties.
+- Messages can be relayed in a decentralized manner even if one of the parties is offline.
+
+**Disadvantages:**
+
+- Slow message propagation.
+- Often limited to fewer media types, mostly text, since the network is slow.
+- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline.
+- More complex to get started, as the creation and secured backup of a cryptographic private key is required.
+- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/advanced/dns-overview.md b/i18n/zh-Hant/advanced/dns-overview.md
new file mode 100644
index 00000000..b812a909
--- /dev/null
+++ b/i18n/zh-Hant/advanced/dns-overview.md
@@ -0,0 +1,307 @@ +--- +title: "DNS 簡介" +icon: material/dns +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS 將網域名稱轉換為 IP 位址,以便瀏覽器和其他服務可以通過分散的伺服器網路載入網路資源。 + +## 什麼是 DNS? + +當您訪問一個網站時,會傳回一個數字地址。 For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS 從網際網路的 [早期](https://en.wikipedia.org/wiki/Domain_Name_System#History) 就存在了。 來往 DNS 伺服器的 DNS 請求通常 **不是** 加密的。 一般家用的網路中,客戶的伺服器通常是由 ISP 透過 [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol)給予的。 + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). 當您要求被封鎖網域的IP位址時,伺服器可能不會回應,或可能會使用其他IP位址回應。 由於DNS通訊協定沒有加密, ISP (或任何網路營運商)可以使用 [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) 來監控請求。 網路服務供應商也可以根據共同特徵封鎖請求,無論你使用哪種 DNS 伺服器。 未加密的 DNS 總是使用 53 號[端口](https://en.wikipedia.org/wiki/Port_(computer_networking)) ,並且總是使用UDP。 + +接下來,我們將討論並提供一個教程來證明外部觀察者可以使用普通的未加密 DNS 和 [加密 DNS ](#what-is-encrypted-dns)看到什麼。 + +### 未加密的 DNS + +1. 使用 [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) ( [Wireshark](https://en.wikipedia.org/wiki/Wireshark) 項目的一部分) ,我們可以監控和記錄網路封包的傳輸。 This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. 
+ + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +如果執行上面的 Wireshark 命令,頂部窗格會顯示「[frame](https://en.wikipedia.org/wiki/Ethernet_frame)」,底部窗格會顯示所選框架的所有資料。 企業過濾和監控解決方案(例如政府購買的解決方案)可以自動執行此過程,而無需人工交互,並且可以聚合這些框架以產生對網路觀察者有用的統計數據。 + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## 什麼是「加密後的 DNS」 ? + +加密 DNS 可以引用許多協議之一,最常見的是: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) 是第一種查詢加密 DNS 的方法之一。 DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). 
As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## 外部人士可以看到什麼? + +在此範例中,我們將記錄當我們提出 DoH 請求時發生的事情: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. 
+ +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## 什麼時候 **不該** 使用加密的 DNS ? + +在有網路過濾(或審查)的地方,訪問被禁止的資源可能會產生某些後果,您應該在 [威脅模型](../basics/threat-modeling.md)中考慮這些後果。 We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. 如果您使用的是VPN ,則應使用 VPN 的 DNS 伺服器。 使用 VPN 時,您已經信任它們與您的所有網路活動。 + +當我們進行 DNS 查詢時,通常是因為我們想要存取資源。 接下來,我們將討論一些即使在使用加密 DNS 時也可能會披露您的瀏覽活動的情況: + +### IP 位址 + +確定瀏覽活動的最簡單方法可能是查看您的設備正在訪問的 IP 位址。 例如,如果觀察者知道 `privacyguides.org` 位於 `198.98.54.105`,而您的裝置正在請求 `198.98.54.105`的數據,則很有可能您正在訪問隱私指南。 + +此方法僅在 IP 位址屬於僅託管少數網站的伺服器時才有用。 如果網站託管在共享平臺上(例如Github Pages , Cloudflare Pages , Netlify , WordPress , Blogger等) ,它也不是很有用。 如果服務器託管在 [反向代理](https://en.wikipedia.org/wiki/Reverse_proxy)之後,這也不是很有用,這在現代互聯網上非常常見。 + +### 伺服器名指示(SNI) + +伺服器名稱指示通常用於IP位址託管多個網站時。 This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. 
you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. 這是因為作為HTTP/3的一部分的 [QUIC](https://en.wikipedia.org/wiki/QUIC) 協議要求 `ClientHello` 也被加密。 + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. 
This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. 
Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?}
+ anonymous--> | Yes | tor(Use Tor)
+ anonymous --> | No | censorship{Avoiding
censorship?}
+ censorship --> | Yes | vpnOrTor(Use
VPN or Tor)
+ censorship --> | No | privacy{Want privacy
from ISP?}
+ privacy --> | Yes | vpnOrTor
+ privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?}
+ obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party)
+ obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?}
+ ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? 
+
+A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server).
+
+Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
+
+## What is EDNS Client Subnet (ECS)?
+
+The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query.
+
+It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps.
+
+This feature does come at a privacy cost, as it tells the DNS server some information about the client's location.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/advanced/tor-overview.md b/i18n/zh-Hant/advanced/tor-overview.md
new file mode 100644
index 00000000..a6525dc6
--- /dev/null
+++ b/i18n/zh-Hant/advanced/tor-overview.md
@@ -0,0 +1,81 @@ +--- +title: "Tor 簡介" +icon: 'simple/torproject' +--- + +Tor 是一個免費使用的去中心化網路,專為盡可能多地使用互聯網而設計。 如果使用得當,該網路可以實現私人和匿名瀏覽和通信。 + +## 工作原理 + +Tor 的工作原理是通過一個由數千個志願者運行的服務器組成的網絡路由您的流量,稱為節點(或中繼)。 + +每當您連接到 Tor 時,它都會選擇三個節點來構建通往網際網路的路徑,這種路徑稱為「電路」。 每個節點都有自己的功能: + +### 入口節點 + +入口節點,通常稱為守護節點,是Tor客戶端連接的第一個節點。 入口節點能夠看到您的 IP 位址,但無法看到您正在連接的內容。 + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### 中間節點 + +中間節點是 Tor 客戶端連接的第二個節點。 它可以看到流量來自哪個節點(入口節點)以及它下一步要去哪個節點。 中間節點無法看到您的 IP 位址或您連接的網域。 + +對於每個新電路,中間節點會從所有可用的 Tor 節點中隨機選擇。 + +### 出口節點 + +出口節點是您的 Web 流量離開 Tor 網路並轉發到所需目的地的點。 The exit node is unable to see your IP address, but it does know what site it's connecting to. + +出口節點將從所有可用的 Tor 節點中隨機選擇,並使用退出中繼標記。[^ 2] + +
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+
Tor circuit pathway
+
+ +## 加密 + +Tor 使用來自出口,中間和入口節點的密鑰對每個數據包(傳輸數據區塊)進行三次加密,依此順序。 + +一旦 Tor 構建了電路,數據傳輸將按照以下方式進行: + +1. 首先:當數據包到達入口節點時,第一層加密被移除。 在這個加密數據包中,入口節點將找到另一個具有中間節點地址的加密數據包。 然後,入口節點將將數據包轉發到中間節點。 + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +下面是一個替代圖表,顯示了這個過程。 每個節點都會移除自己的加密層,當目標服務器返回數據時,同樣的過程完全相反。 例如,退出節點不知道你是誰,但它確實知道它來自哪個節點,因此它添加了自己的加密層並將其發送回來。 + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light)
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark)
+
Sending and receiving data through the Tor Network
+
+ +Tor 允許我們連接到服務器,而不需要任何一方知道整個路徑。 入口節點知道你是誰,但不知道你要去哪裡;中間節點不知道你是誰或你要去哪裡;出口節點知道你要去哪裡,但不知道你是誰。 由於出口節點負責了最終連線,目標伺服器永遠不會知道您的 IP 位址。 + +## 注意事項 + +雖然 Tor 確實提供了強大的隱私保證,但必須意識到 Tor 並不完美: + +- 資金充足的對手有能力被動地觀察全球大多數網絡流量,他們有機會通過先進的流量分析來解除 Tor 用戶的匿名化。 Tor 也不能保護你免於錯誤地暴露自己,例如如果你分享了太多關於你真實身份的信息。 +- Tor 出口節點還可以監控通過它們的流量。 這意味著可以記錄和監控未加密的流量,例如純 HTTP 流量。 如果此類流量包含個人身份識別信息,則可以將您去匿名化到該出口節點。 因此,我們建議在可能的情況下使用 HTTPS。 + +如果您希望使用 Tor 瀏覽網頁,我們只建議使用 **官方** Tor 瀏覽器:它旨在防止指紋。 + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +--8<-- "includes/abbreviations.zh-Hant.txt" + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. 
([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
diff --git a/i18n/zh-Hant/android.md b/i18n/zh-Hant/android.md
new file mode 100644
index 00000000..5f3415f3
--- /dev/null
+++ b/i18n/zh-Hant/android.md
@@ -0,0 +1,353 @@ +--- +title: "Android" +icon: 'simple/android' +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +- [General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md) +- [Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! 
recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! 
recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). 
All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. 
For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. 
Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). 
If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! 
recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! 
recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). 
If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. 
+ +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. 
+ + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. 
While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Operating Systems
+
+- Must be open-source software.
+- Must support bootloader locking with custom AVB key support.
+- Must receive major Android updates within 0-1 months of release.
+- Must receive Android feature updates (minor version) within 0-14 days of release.
+- Must receive regular security patches within 0-5 days of release.
+- Must **not** be "rooted" out of the box.
+- Must **not** enable Google Play Services by default.
+- Must **not** require system modification to support Google Play Services.
+
+### Devices
+
+- Must support at least one of our recommended custom operating systems.
+- Must be currently sold new in stores.
+- Must receive a minimum of 5 years of security updates.
+- Must have dedicated secure element hardware.
+
+### Applications
+
+- Applications on this page must not be applicable to any other software category on the site.
+- General applications should extend or replace core system functionality.
+- Applications should receive regular updates and maintenance.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/assets/img/account-deletion/exposed_passwords.png b/i18n/zh-Hant/assets/img/account-deletion/exposed_passwords.png
new file mode 100644
index 00000000..5295c902
Binary files /dev/null and b/i18n/zh-Hant/assets/img/account-deletion/exposed_passwords.png differ
diff --git a/i18n/zh-Hant/assets/img/android/rss-apk-dark.png b/i18n/zh-Hant/assets/img/android/rss-apk-dark.png
new file mode 100644
index 00000000..974869a4
Binary files /dev/null and b/i18n/zh-Hant/assets/img/android/rss-apk-dark.png differ
diff --git a/i18n/zh-Hant/assets/img/android/rss-apk-light.png b/i18n/zh-Hant/assets/img/android/rss-apk-light.png
new file mode 100644
index 00000000..21d6ef03
Binary files /dev/null and b/i18n/zh-Hant/assets/img/android/rss-apk-light.png differ
diff --git a/i18n/zh-Hant/assets/img/android/rss-changes-dark.png b/i18n/zh-Hant/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/zh-Hant/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/zh-Hant/assets/img/android/rss-changes-light.png b/i18n/zh-Hant/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/zh-Hant/assets/img/android/rss-changes-light.png differ diff --git a/i18n/zh-Hant/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/zh-Hant/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/zh-Hant/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh-Hant/assets/img/how-tor-works/tor-encryption.svg b/i18n/zh-Hant/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/zh-Hant/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/zh-Hant/assets/img/how-tor-works/tor-path-dark.svg b/i18n/zh-Hant/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/zh-Hant/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh-Hant/assets/img/how-tor-works/tor-path.svg b/i18n/zh-Hant/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/zh-Hant/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh-Hant/assets/img/multi-factor-authentication/fido.png b/i18n/zh-Hant/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/zh-Hant/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/zh-Hant/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/zh-Hant/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/zh-Hant/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/zh-Hant/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/zh-Hant/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/zh-Hant/assets/img/qubes/qubes-trust-level-architecture.png differ 
diff --git a/i18n/zh-Hant/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/zh-Hant/assets/img/qubes/r4.0-xfce-three-domains-at-work.png
new file mode 100644
index 00000000..d7138149
Binary files /dev/null and b/i18n/zh-Hant/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ
diff --git a/i18n/zh-Hant/basics/account-creation.md b/i18n/zh-Hant/basics/account-creation.md
new file mode 100644
index 00000000..66910bf4
--- /dev/null
+++ b/i18n/zh-Hant/basics/account-creation.md
@@ -0,0 +1,82 @@ +--- +title: "帳號創建" +icon: 'material/account-plus' +--- + +人們經常不假思索地註冊網路服務。 也許這是一個流媒體服務,所以你可以觀看每個人都在談論的新節目,或者是一個為你最喜歡的快餐店提供折扣的帳戶。 無論在什麼樣的場景,您都應該考慮現在和以後對數據的影響。 + +當你每刺蝟了一個新的服務創建帳號時,都有相關的風險。 數據洩露;向第三方披露客戶信息;員工有不當的權限可以訪問所有數據;所有這些都是在提供您的信息時必須考慮的可能性。 您需要確信您可以信任該服務,這就是為什麼我們建議只在最成熟且經過測試的產品上儲存有價值的資料。 這通常意味著提供 E2EE 並經過加密審計的服務。 審計增加了產品設計的保證,而不是由缺乏經驗的開發人員引起的明顯的安全問題。 + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +服務條款是您在使用服務時同意遵守的規則。 With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. 例如,您可能會因為使用 VPN 或 VOIP 號碼而被禁止或鎖定某些服務的帳戶。 對這種禁令提出上訴通常很困難,而且通常都由系統自動處理而不是人工審核,造成了上訴的困難度。 這也是我們不建議使用 Gmail 作為電子郵件的原因之一。 電子郵件對於訪問您可能註冊的其他服務至關重要。 + +隱私權政策是該服務表示他們將如何使用您的數據,因此值得閱讀,以便您了解如何使用您的數據。 公司或組織可能沒有法律義務遵守政策中包含的所有內容(取決於司法管轄區)。 我們建議您了解當地法律以及這些法律允許供應商收集哪些資訊。 + +我們建議您尋找特定的術語,例如「資料收集」、「資料分析」、「Cookie」、「廣告」或「第三方」服務。 有時您可以選擇退出資料收集或分享資料,但最好從一開始就選擇尊重您隱私權的服務。 + +您還要信任該公司或組織會實際遵守自己的隱私政策。 + +## 身份驗證方式 + +通常有多種註冊帳戶的方式,每種都有自己的好處和缺點。 + +### 電子郵件和密碼 + +建立新帳戶的最常見方式是使用電子郵件地址和密碼。 使用此方法時,您應該使用密碼管理器,並遵循 [關於密碼的最佳做法](passwords-overview.md) 。 + +!!! tip + + 您也可以使用密碼管理器組織其他驗證方式! 只需新增條目並填寫適當的欄位,即可新增安全問題或備份金鑰等事項的備註。 + +您自己負責管理您的登入憑證。 為了增加安全性,您可以在帳戶上設置 [MFA](multi-factor-authentication.md) 。 + +[推薦密碼管理員](../passwords.md ""){.md-button} + +#### Email aliases + +如果您不想將您的真實電子郵件地址提供給服務,您可以選擇使用別名。 我們在電子郵件服務推薦頁面上更詳細地描述了它們。 基本上,別名服務允許您生成新的電子郵件地址,將所有電子郵件轉發到您的主地址。 這可以幫助防止跨服務跟蹤,並幫助您管理有時會隨註冊過程而來的營銷電子郵件。 這些可以根據它們被發送到的別名自動過濾。 + +如果服務遭到黑客攻擊,您可能會開始收到網絡釣魚或垃圾郵件到您用於註冊的地址。 為每個服務使用獨特的別名可以幫助確定哪些服務被駭。 + +[推薦的電子郵件別名服務](../email.md#email-aliasing-services ""){.md-button} + +### 單一登入(Single Sign-On) + +!!! 
note + + 我們討論的是個人使用的單一登入,而不是企業用戶。 + +單一登入(SSO) 是一種驗證方法,允許您註冊服務,而無需共享太多信息(如果有的話)。 每當您在註冊表單上看到類似「使用 *提供商名稱*登入」的內容時,它就是 SSO。 + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +主要優勢是: + +- **安全性**:沒有涉及 [資料外洩](https://en.wikipedia.org/wiki/Data_breach) 的風險,因為網站沒有儲存您的憑證。 +- **易用性**:多個帳戶由單一登入管理。 + +但也有一些缺陷: + +- **隱私權**: SSO供應商將知道您使用的服務。 +- **集中化**:如果您的SSO帳戶遭到入侵或您無法登錄,則與其相關的所有其他帳戶都會受到影響。 + +SSO在您可以從服務之間更深入的整合中受益的情況下尤其有用。 例如,其中一個服務可能為其他服務提供SSO。 我們建議將SSO限制在您需要的地方,並以 [MFA](multi-factor-authentication.md)保護主帳戶。 + +所有使用 SSO 的服務將與您的 SSO 帳戶一樣安全。 例如,如果您想使用硬件密鑰來保護帳戶,但該服務不支持硬件密鑰,您可以使用硬件密鑰來保護您的SSO帳戶,現在您的所有帳戶上基本上都有硬件MFA。 需要注意的是, 如果你 SSO 帳戶本身的安全性很弱,意味著與該登錄綁定的任何帳戶的安全性也會很弱。 + +### 電話號碼 + +我們建議您避免使用需要電話號碼才能註冊的服務。 電話號碼可以在多個服務中識別您的身份,並且根據數據共享協議,這將使您的使用更容易跟蹤,特別是當其中一個服務被洩漏時,因為電話號碼通常是 **不是** 加密的。 + +如果可以的話,你應該避免透露你的真實電話號碼。 某些服務將允許使用 VOIP 號碼,但這些通常會觸發欺詐偵測系統,導致帳戶被鎖定,因此我們不建議重要帳戶使用此系統。 + +在許多情況下,您需要提供可以接收短信或電話的號碼,特別是在國際購物時,以防您在邊境審查時的訂單出現問題。 服務通常會使用您的號碼作為驗證方式;不要自作聰明使用假的電話號碼,最後讓自己重要的帳戶被鎖定! + +### 使用者名稱與密碼 + +某些服務允許您在不使用電子郵件地址的情況下註冊,並且只需要您設置用戶名稱和密碼。 當與 VPN 或 Tor 結合時,這些服務可能會提供更高的匿名性。 請記住,對於這類型的帳號,如果你忘記了你的用戶名或密碼,很可能會有**沒有辦法恢復你的帳號**。 + +--8<-- "includes/abbreviations.zh-Hant.txt" diff --git a/i18n/zh-Hant/basics/account-deletion.md b/i18n/zh-Hant/basics/account-deletion.md new file mode 100644 index 00000000..5b3d3fe9 --- /dev/null +++ b/i18n/zh-Hant/basics/account-deletion.md 
@@ -0,0 +1,63 @@ +--- +title: "刪除帳號" +icon: 'material/account-remove' +--- + +隨著時間的推移,它可以很容易地積累一些在線帳戶,其中許多你可能不再使用。 刪除這些未使用的帳戶是收回隱私的重要一步,因為休眠帳戶容易受到數據洩露的影響。 資料外洩是指服務的安全性受到破壞,受保護的資訊被未經授權的行為者檢視、傳輸或竊取。 Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. 本指南的目標是幫助您通過令人討厭的帳戶刪除過程,通常由 [欺騙性設計](https://www.deceptive.design/)使您變得困難,以改善您的在線存在。 + +## 查找舊帳戶 + +### Password Manager + +如果你有一個密碼管理器,你已經使用了你的整個數字生活,這部分將是非常容易的。 通常,它們包括內置功能,用於檢測您的憑證是否在數據洩露中暴露-例如Bitwarden的 [數據洩露報告](https://bitwarden.com/blog/have-you-been-pwned/)。 + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +即使您之前沒有明確使用過密碼管理器,也有可能您在瀏覽器或手機中使用了密碼管理器,甚至沒有意識到這一點。 例如: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins)、 [Google Password Manager](https://passwords.google.com/intro) 和 [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336)。 + +桌面平臺通常還有一個密碼管理器,可以幫助您恢復忘記的密碼: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +如果您過去沒有使用密碼管理員,或者您認為您的帳戶從未被添加到密碼管理員,另一個選項是搜索您認為已註冊的電子郵件帳戶。 在電子郵件用戶端上,搜尋「驗證」或「歡迎」等關鍵字。 幾乎每次你建立線上帳戶時,該服務都會向你的電子郵件發送驗證連結或介紹訊息。 這可能是找到舊的,被遺忘的帳戶的好方法。 + +## 刪除舊帳戶 + +### 登入 + +若要刪除舊帳戶,您必須先確認能夠登入帳戶。 同樣,如果帳戶在您的密碼管理員中,則此步驟很簡單。 如果沒有,你可以試著猜測你的密碼。 否則,通常有選項可以重新訪問您的帳戶,通常可以通過登錄頁面的「忘記密碼」鏈接來獲得。 您放棄的帳戶也可能已被刪除:有時服務會自動刪除所有舊帳戶。 + +嘗試重新取得存取權時,如果網站傳回錯誤訊息,表示電子郵件未與帳戶關聯,或在多次嘗試後您從未收到重設連結,則您沒有該電子郵件地址下的帳戶,應嘗試其他帳戶。 如果您無法確定使用了哪個電子郵件地址,或者您無法再存取該電子郵件,您可以嘗試聯絡該服務的客戶支援。 不幸的是,我們無法保證您能夠恢復訪問您的帳戶。 + +### GDPR (僅限歐洲經濟區居民) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. 如果適用於您,請閱讀任何特定服務的隱私權政策,以查找有關如何行使刪除權利的資訊。 閱讀隱私政策可能很重要,因為某些服務的「刪除帳戶」選項,實際上只是停用您的帳戶,若要真正刪除,您必須採取額外行動。 Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. 
Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### 覆寫帳戶資訊 + +在某些情況下,可以採用虛假資料來覆蓋帳戶的信息。 當您登入後,請將帳戶中的所有資訊變更為偽造資訊。 原因是許多網站甚至在帳戶刪除後仍會保留您之前擁有的資訊。 希望他們會用你輸入的最新數據覆蓋之前的信息。 但是,無法保證不會有先前信息的備份。 + +對於帳戶電子郵件,請通過您選擇的提供商創建新的替代電子郵件帳戶,或使用 [電子郵件別名服務](../email.md#email-aliasing-services)創建別名。 完成後,您可以刪除替代電子郵件地址。 我們建議您不要使用臨時電子郵件提供商,因為通常可以重新啟用臨時電子郵件。 + +### 刪除帳戶 + +您可以檢查 [JustDeleteMe](https://justdeleteme. xyz) 以獲取有關刪除特定服務帳戶的指示。 有些網站會慷慨地提供「刪除帳戶」選項,而其他網站則會強迫您與支援人員交談。 刪除過程可能因網站而異,有些網站無法刪除帳戶。 + +對於不允許帳戶刪除的服務,最好的做法是偽造前面提到的所有信息,並加強帳戶安全性。 爲此,啓用 [MFA](multi-factor-authentication.md) 和提供的任何額外安全功能。 此外,請將密碼更改為隨機生成的最大允許大小的密碼( [密碼管理器](../passwords.md) 對此很有用)。 + +如果您確信您關心的所有資訊都已被刪除,您可以放心地忘記此帳戶。 如果沒有,最好將憑證與其他密碼一起儲存,並偶爾重新登錄以重設密碼。 + +即使您能夠刪除帳戶,也無法保證您的所有信息都將被刪除。 事實上,法律要求一些公司保留某些信息,特別是與金融交易有關的信息。 當涉及到網站和雲端服務時,您的數據會發生什麼事情,這在很大程度上是您無法控制的。 + +## 避免註冊新帳戶 + +俗話說:「預防更勝治療。」 每當你覺得想要註冊一個新帳戶時,問問自己:「我真的需要註冊這個嗎? 有不需要註冊的替代方案嗎?」 刪除一個帳戶通常比創建一個帳戶要困難得多。 即使刪除或更改帳戶上的資訊,也可能有來自第三方的緩存版本,例如 [Internet Archive](https://archive.org/)。 如果可能的話,不要隨便註冊帳號-未來的你會感謝你現在的決定! + +--8<-- "includes/abbreviations.zh-Hant.txt" diff --git a/i18n/zh-Hant/basics/common-misconceptions.md b/i18n/zh-Hant/basics/common-misconceptions.md new file mode 100644 index 00000000..c7be678c --- /dev/null +++ b/i18n/zh-Hant/basics/common-misconceptions.md 
@@ -0,0 +1,61 @@ +--- +title: "常見的迷思" +icon: 'material/robot-confused' +--- + +## 「開源軟體永遠是安全的」或「商業軟體更安全」 + +這些迷思源於許多偏見,原始碼是否開放以及軟體的許可並不會以任何方式影響其安全性。 開源軟件 *可能* 比商業軟件更安全,但絕對不能保證這一點。當你評估軟體時,你應該根據每個工具的聲譽和安全性進行評估。 + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. 它還允許您查看代碼並禁用您發現的任何可疑功能。 然而,*除非你真的這樣做了*,否則不能保證程式碼曾經被評估過,特別是對於較小的軟體項目。 The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +另一方面,專有軟件不太透明,但這並不意味著它不安全。 主要的專有軟件項目可以由內部和第三方機構進行審計,獨立的安全研究人員仍然可以通過逆向工程等技術發現漏洞。 + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## 「信任的轉移可以增加隱私」 + +在討論 VPN 等解決方案時,我們經常談到「轉移信任」 (將您對 ISP 的信任轉移到 VPN 提供商)。 雖然這可以保護您的瀏覽數據免受 *特定* ISP 的侵害,但您選擇的 VPN 提供商仍然可以訪問您的瀏覽數據:您的數據並非完全受到各方的保護。 這意味著: + +1. You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. 當您正在尋找更私密的解決方案時,您應該確定潛在的問題是什麼,並找到該問題的技術解決方案。 For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. 
+ +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## 「愈複雜愈好」 + +我們經常看到人們描述過於複雜的隱私威脅模型。 通常,這些解決方案包括許多不同的電子郵件帳戶或具有許多運動部件和條件的複雜設置等問題。 The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. 總會有你必須申報你的法定姓名的情況,還有其他你不需要的情況。 + +1. **Known identity** - A known identity is used for things where you must declare your name. 有許多法律文件和合同需要合法身份。 這可能包括開設銀行帳戶,簽署財產租賃,獲得護照,進口物品時的海關申報,或以其他方式與您的政府打交道。 這些東西通常會導致憑證,如信用卡,信用評級檢查,帳戶號碼,以及可能的物理地址。 + + 我們不建議您使用 VPN 或 Tor 來處理這些事情,因為您的身份已經通過其他方式被對方知道。 + + !!! tip + + 在網上購物時,使用[包裹儲物櫃] (https://zh.wikipedia.org/wiki/Parcel_locker)有助於保護您的實際地址的私密性。 + +2. 
**未知身份** - 未知身份可能是您經常使用的穩定假名。 它不是匿名的,因為它不會改變。 如果您是線上社群的一員,您可能希望保留其他人知道的角色。 這個假名不是匿名的,因為如果監控時間足夠長,關於所有者的詳細信息可以透露更多信息,例如他們的寫作方式,他們對感興趣主題的一般知識等。 + + 您可能希望使用 VPN 來隱藏您的 IP 地址。 金融交易更難掩蓋:您可以考慮使用匿名加密貨幣,例如 [Monero](https://www.getmonero.org/)。 採用山寨幣轉移也可能有助於偽裝您的貨幣起源。 通常情況下,交易所需要完成 KYC (了解您的客戶) ,然後才能將法定貨幣兌換為任何類型的加密貨幣。 線下操作也可能是一個解決方案;然而,這些往往更昂貴,有時也需要 KYC。 + +3. **匿名身份** - 即使有經驗的專家,也很難長時間保持一個帳號的匿名性。 它們應該是短期和短暫的身份,定期輪流。 + + 使用 Tor 可以幫助我們做到這一點。 同樣值得注意的是,通過異步溝通可以實現更大的匿名性:實時溝通容易受到打字模式分析的影響(即不止一段文字,在論壇上分發,通過電子郵件等)。 + +--8<-- "includes/abbreviations.zh-Hant.txt" + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/zh-Hant/basics/common-threats.md b/i18n/zh-Hant/basics/common-threats.md new file mode 100644 index 00000000..7308496a --- /dev/null +++ b/i18n/zh-Hant/basics/common-threats.md 
@@ -0,0 +1,149 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +--- + +從廣義上講,我們將我們的建議分為適用於大多數人的 [個威脅](threat-modeling.md) 或目標。 你可能會關心沒有,一個,幾個或所有這些可能性,你使用的工具和服務取決於你的目標是什麼。 您也可能有這些類別之外的特定威脅,這完全有可能! 重要的是要了解您選擇使用的工具的好處和缺點,因為幾乎沒有一種工具可以保護您免受任何威脅。 + +- :material-incognito: 匿名 -保護您的在線活動免受您的真實身份影響,保護您免受試圖特別揭露 *您* 身份的人的侵害。 +- :material-target-account: 有針對性的攻擊 -保護免受駭客或其他惡意行為者的攻擊,這些行為者正試圖特別訪問 *個您的* 個數據或設備。 +- :material-bug-outline: 被動攻擊 -保護免受惡意軟體、數據洩露和其他同時針對多人的攻擊。 +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. + +其中一些威脅對您來說可能比其他威脅更重要,這取決於您的具體問題。 For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. 
While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. 
For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. 
+ +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. 
Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. 
+ +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. 
This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. 
You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. 
Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. 
+ +--8<-- "includes/abbreviations.zh-Hant.txt" + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/zh-Hant/basics/email-security.md b/i18n/zh-Hant/basics/email-security.md new file mode 100644 index 00000000..a50a2e6e --- /dev/null +++ b/i18n/zh-Hant/basics/email-security.md 
@@ -0,0 +1,42 @@ +--- +title: 電子郵件安全 +icon: material/email +--- + +電子郵件本身即非安全的通訊形式。 您可以使用 OpenPGP 等工具提高電子郵件安全性,這些工具為您的消息添加端到端加密,但與其他消息傳遞應用程序中的加密相比, OpenPGP 仍然存在許多缺點,而且由於電子郵件的設計方式,某些電子郵件數據永遠不會加密。 + +因此,電子郵件最適合用於從您在線註冊的服務接收交易性電子郵件(如通知、驗證電子郵件、密碼重置等),而不是用於與他人溝通。 + +## 郵件是如何加密的 + +將 E2EE 添加到不同電子郵件提供商之間的電子郵件的標準方法是使用 OpenPGP。 OpenPGP 標準有不同的實現,最常見的是 [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) 和 [OpenPGP.js](https://openpgpjs.org)。 + +還有另一種標準被稱為 [S/MIME](https://en.wikipedia.org/wiki/S/MIME),但它需要由 [憑證機構](https://en.wikipedia.org/wiki/Certificate_authority) 頒發的憑證(並非所有憑證都發行S/MIME憑證)。 它支持 [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) 和 [Outlook for Web或Exchange Server 2016 , 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480)。 + +即使您使用OpenPGP ,它也不支持 [向前保密](https://en.wikipedia.org/wiki/Forward_secrecy),這意味著如果您或收件人的私鑰被盜,所有先前加密的消息都將被曝光。 這就是為什麼我們建議 [即時通訊](../real-time-communication.md) ,只要有可能,就實現電子郵件的前向保密性,以進行個人對個人的通信。 + +### 哪些郵件客戶端支持 E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). 根據驗證方法的不同,如果提供者或電子郵件用戶端不支持OAT或橋接應用程序,這可能會導致安全性降低,因為 [多因素驗證](multi-factor-authentication.md) 在純密碼驗證中是不可能的。 + +### 我要怎樣保護自己的私密鑰匙? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +在智能卡上進行解密是有利的,以避免可能將您的私鑰暴露在受損的設備上。 + +## Email Metadata Overview + +電子郵件中繼資料儲存在電子郵件的 [個訊息標題](https://en. wikipedia. 
org/wiki/Email#Message_header) 中,並包含您可能已經看到的一些可見標題,例如: `To`、 `From`、 `Cc`、 `Date`、 `Subject`。 許多電子郵件客戶端和提供商還包含一些隱藏的標題,可以揭示有關您的帳戶的信息。 + +客戶端軟體可能會使用電子郵件中繼資料來顯示來自誰以及收到訊息的時間。 服務器可以使用它來確定電子郵件消息必須發送的位置,其中 [個其他目的](https://en.wikipedia.org/wiki/Email#Message_header) 並不總是透明的。 + +### 誰可以查看電子郵件中繼資料? + +電子郵件元數據受到外部觀察者的保護, [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) 保護它免受外部觀察者的影響,但它仍然能夠被您的電子郵件客戶端軟件(或網絡郵件)和任何伺服器看到,將您的消息轉發給任何收件人,包括您的電子郵件提供商。 有時,電子郵件伺服器也會使用第三方服務來防範垃圾郵件,垃圾郵件通常也可以訪問您的郵件。 + +### Why Can't Metadata be E2EE? + +電子郵件元數據對於電子郵件最基本的功能(它來自何處,以及它必須去向何處)至關重要。 E2EE 最初並未內建於電子郵件協議中,而是需要像 OpenPGP 這樣的附加軟件。 由於 OpenPGP 訊息仍必須與傳統的電子郵件供應商合作,因此它無法加密電子郵件元數據,只能加密訊息正文本身。 這意味著即使在使用 OpenPGP 時,外部觀察者也可以看到關於您的消息的大量信息,例如您正在發送電子郵件的人,主題行,當您發送電子郵件時等。 + +--8<-- "includes/abbreviations.zh-Hant.txt" diff --git a/i18n/zh-Hant/basics/multi-factor-authentication.md b/i18n/zh-Hant/basics/multi-factor-authentication.md new file mode 100644 index 00000000..f4bc53f2 --- /dev/null +++ b/i18n/zh-Hant/basics/multi-factor-authentication.md 
@@ -0,0 +1,166 @@ +--- +title: "多重身分驗證" +icon: 'material/two-factor-authentication' +--- + +**多因素認證**(**MFA**)是一種安全機制,除了輸入用戶名(或電子郵件)和密碼之外,還需要其他步驟。 最常見的方法是您會從簡訊或應用程式收到的有時間限制的代碼。 + +通常情況下,如果駭客(或任何想要盜取您帳號的人)能夠找出您的密碼,那麼他們將獲得密碼屬於的帳戶的存取權。 MFA 的帳戶迫使駭客同時擁有密碼(您 *知道*的東西)和您擁有的設備(您 *擁有*的東西),例如您的手機。 + +不同 MFA 方式的安全性各不相同,但整體來說,讓攻擊者越難訪問您的 MFA 方法越好。 MFA 方式(從最弱到最強)的例子包括簡訊,電子郵件代碼,應用推送通知, TOTP , Yubico OTP 和 FIDO。 + +## MFA 方式的比較 + +### 簡訊或 Email 多重身分驗證 + +透過簡訊或電子郵件接收 OTP 代碼是透過 MFA 保護帳戶安全的最弱方法之一。 Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. 如果未經授權的人獲得了您的電子郵件訪問權限,他們將能夠使用該訪問權限重設您的密碼並收到驗證碼,使他們能夠完全訪問您的帳戶。 + +### 推送通知 + +推送通知多重身份認證的形式是將訊息發送到手機上的應用程式,要求您確認新的帳戶登入。 這種方法比短信或電子郵件要好得多,因為攻擊者通常無法在沒有已經登錄的設備的情況下獲得這些推送通知,這意味著他們需要首先破壞您的其他設備之一。 + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. 推送通知登入授權通常一次發送到 *所有* 您的設備,如果您有多個設備,則可擴大 MFA 代碼的可用性。 + +推送通知 MFA 的安全性取決於應用程序的品質,伺服器組件以及生成它的開發人員的信任。 Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### 暫時性的一次性密碼 (TOTP) + +TOTP 是最常見的 MFA 形式之一。 當您設置TOTP時,您通常需要掃描 [QR Code](https://en.wikipedia.org/wiki/QR_code) ,該掃描與您打算使用的服務建立“[共享祕密](https://en.wikipedia.org/wiki/Shared_secret)”。 共用祕密在驗證器應用程式的數據中受到保護,有時會受到密碼的保護。 + +然後,時間限制代碼從共享機密和當前時間衍生出來。 由於代碼僅在短時間內有效,無法訪問共享機密,因此對手無法生成新代碼。 + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. 
Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +對手可以建立一個網站來模仿官方服務,試圖欺騙你提供你的用戶名,密碼和當前的 TOTP 代碼。 如果對手使用這些記錄的憑證,他們可能能夠登錄到真正的服務並劫持帳戶。 + +雖然不完美,但 TOTP 對大多數人來說足夠安全,當 [硬件安全金鑰](../multi-factor-authentication.md#hardware-security-keys) 不受支持時, [驗證器應用程序](../multi-factor-authentication.md#authenticator-apps) 仍然是一個不錯的選擇。 + +### 硬體安全金鑰 + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+
+
+
+FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods.
+
+Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy.
+
+Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys.
+
+If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA.
+
+## 一般性建議
+
+我們有這些一般性建議:
+
+### 我應該選擇哪種方法?
+
+When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account.
+
+### 備份
+
+您應該始終備份您的 MFA 方法。 硬體安全金鑰可能會丟失、被盜或隨著時間的推移而停止運作。 建議您擁有一對具有相同帳戶存取權限的硬體安全金鑰,而不僅僅是一個。
+
+當與驗證器應用程式一起使用TOTP時,請務必備份您的恢復密鑰或應用程式本身,或將「共享機密」複製到不同手機上的應用程式的另一個實例或加密容器(例如 [VeraCrypt](../encryption.md#veracrypt))。
+
+### Initial Set Up
+
+When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. 
Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well.
+
+### Email and SMS
+
+If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method.
+
+If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam).
+
+[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button}
+
+## More Places to Set Up MFA
+
+Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well.
+
+### Windows
+
+Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer.
+
+### macOS
+
+macOS 具有 [原生支援](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) 用於使用智慧卡(PIV)進行驗證。 If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer.
+
+Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. 
+
+設定智慧卡/安全金鑰後,我們建議您在終端機中執行此命令:
+
+```text
+sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
+```
+
+The command will prevent an adversary from bypassing MFA when the computer boots.
+
+### Linux
+
+!!! warning
+
+    If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide.
+
+The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS.
+
+### Qubes OS
+
+Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS.
+
+### SSH
+
+#### Hardware Security Keys
+
+SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up.
+
+#### 暫時性的一次性密碼 (TOTP)
+
+SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. 
+
+### KeePass (and KeePassXC)
+
+KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/basics/passwords-overview.md b/i18n/zh-Hant/basics/passwords-overview.md
new file mode 100644
index 00000000..e9c24db8
--- /dev/null
+++ b/i18n/zh-Hant/basics/passwords-overview.md
@@ -0,0 +1,112 @@
+---
+title: "Introduction to Passwords"
+icon: 'material/form-textbox-password'
+---
+
+Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced.
+
+## Best Practices
+
+### Use unique passwords for every service
+
+Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it.
+
+This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords.
+
+### Use randomly generated passwords
+
+==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices.
+
+All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use.
+
+### Rotating Passwords
+
+You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. 
+
+When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage.
+
+!!! tip "Checking for data breaches"
+
+    If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md).
+
+## Creating strong passwords
+
+### Passwords
+
+A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters.
+
+If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases).
+
+### Diceware Passphrases
+
+Diceware is a method for creating passphrases which are easy to remember, but hard to guess.
+
+Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password.
+
+An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`.
+
+To generate a diceware passphrase using real dice, follow these steps:
+
+!!! 
note
+
+    These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy.
+
+1. Roll a six-sided die five times, noting down the number after each roll.
+
+2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`.
+
+3. You will find the word `encrypt`. Write that word down.
+
+4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space.
+
+!!! warning "Important"
+
+    You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random.
+
+If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords.
+
+We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English.
+
+??? note "Explanation of entropy and strength of diceware passphrases"
+
+    To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. 
+
+    One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$.
+
+    Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$).
+
+    The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$.
+
+    Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases.
+
+    On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true:
+
+    - Your adversary knows that you used the diceware method.
+    - Your adversary knows the specific wordlist that you used.
+    - Your adversary knows how many words your passphrase contains.
+
+To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong.
+
+## Storing Passwords
+
+### Password Managers
+
+The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. 
+
+There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words.
+
+[List of recommended password managers](../passwords.md ""){.md-button}
+
+!!! warning "Don't place your passwords and TOTP tokens inside the same password manager"
+
+    When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+
+    Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
+
+    Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device.
+
+### 備份
+
+You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/basics/threat-modeling.md b/i18n/zh-Hant/basics/threat-modeling.md
new file mode 100644
index 00000000..aacf439e
--- /dev/null
+++ b/i18n/zh-Hant/basics/threat-modeling.md
@@ -0,0 +1,111 @@
+---
+title: "Threat Modeling"
+icon: 'material/target-account'
+---
+
+Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using!
+
+If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important.
+
+**So, what are these threat models, anyway?**
+
+==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure.
+
+Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.
+
+## Creating Your Threat Model
+
+To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions:
+
+1. What do I want to protect?
+2. Who do I want to protect it from?
+3. How likely is it that I will need to protect it?
+4. How bad are the consequences if I fail?
+5. How much trouble am I willing to go through to try to prevent potential consequences?
+
+### What do I want to protect?
+
+An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. 
Your devices themselves may also be assets.
+
+*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.*
+
+### Who do I want to protect it from?
+
+To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.
+
+*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.*
+
+Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning.
+
+### How likely is it that I will need to protect it?
+
+==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.
+
+It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).
+
+Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. 
+
+*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.*
+
+### How bad are the consequences if I fail?
+
+There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.
+
+==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.
+
+Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.
+
+*Write down what your adversary might want to do with your private data.*
+
+### How much trouble am I willing to go through to try to prevent potential consequences?
+
+==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy.
+
+For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.
+
+*Write down what options you have available to you to help mitigate your unique threats. 
Note if you have any financial constraints, technical constraints, or social constraints.*
+
+### Try it yourself: Protecting Your Belongings
+
+These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe.
+
+**What do you want to protect? (Or, *what do you have that is worth protecting?*)**
+:
+
+Your assets might include jewelry, electronics, important documents, or photos.
+
+**Who do you want to protect it from?**
+:
+
+Your adversaries might include burglars, roommates, or guests.
+
+**How likely is it that you will need to protect it?**
+:
+
+Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider?
+
+**How bad are the consequences if you fail?**
+:
+
+Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home?
+
+**How much trouble are you willing to go through to prevent these consequences?**
+:
+
+Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there?
+
+Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system.
+
+Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. 
+
+## Further Reading
+
+For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations.
+
+- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md)
+
+## Sources
+
+- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan)
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/basics/vpn-overview.md b/i18n/zh-Hant/basics/vpn-overview.md
new file mode 100644
index 00000000..27af595a
--- /dev/null
+++ b/i18n/zh-Hant/basics/vpn-overview.md
@@ -0,0 +1,78 @@
+---
+title: VPN Overview
+icon: material/vpn
+---
+
+Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem).
+
+Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns).
+
+A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it.
+
+## Should I use a VPN?
+
+**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service.
+
+VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way.
+
+However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.
+
+## When shouldn't I use a VPN?
+
+Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful.
+
+Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website.
+
+## What about encryption?
+
+Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. 
However, encryption between your apps or browsers with the service providers are not handled by this encryption.
+
+In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf).
+
+## Should I use encrypted DNS with a VPN?
+
+Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider.
+
+A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different.
+
+Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you.
+
+## Should I use Tor *and* a VPN?
+
+By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. 
If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md).
+
+## What if I need anonymity?
+
+VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead.
+
+## What about VPN providers that provide Tor nodes?
+
+Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit).
+
+The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway.
+
+## When are VPNs useful?
+
+A VPN may still be useful to you in a variety of scenarios, such as:
+
+1. Hiding your traffic from **only** your Internet Service Provider.
+1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
+1. 
Hiding your IP from third-party websites and services, preventing IP based tracking.
+
+For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
+
+## Sources and Further Reading
+
+1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
+1. [Tor Network Overview](../advanced/tor-overview.md)
+1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides)
+1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them.
+
+## Related VPN Information
+
+- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/)
+- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
+- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
+- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/calendar.md b/i18n/zh-Hant/calendar.md
new file mode 100644
index 00000000..3b697e12
--- /dev/null
+++ b/i18n/zh-Hant/calendar.md
@@ -0,0 +1,71 @@ +--- +title: "Calendar Sync" +icon: material/calendar +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! 
recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. + +--8<-- "includes/abbreviations.zh-Hant.txt" diff --git a/i18n/zh-Hant/cloud.md b/i18n/zh-Hant/cloud.md new file mode 100644 index 00000000..375c0a8f --- /dev/null +++ b/i18n/zh-Hant/cloud.md 
@@ -0,0 +1,62 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by either putting you in control of your data or by implementing E2EE. + +If these alternatives do not fit your needs, we suggest you look into [Encryption Software](encryption.md). + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do not recommend Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is an E2EE general file storage service by the popular encrypted email provider [Proton Mail](https://proton.me/mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +Proton Drive's mobile clients were released in December 2022 and are not yet open-source. Proton has historically delayed their source code releases until after initial product releases, and [plans to](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) release the source code by the end of 2023. Proton Drive desktop clients are still in development. 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. 
+- Should offer at least basic file preview and editing functionality on the web interface. + +--8<-- "includes/abbreviations.zh-Hant.txt" diff --git a/i18n/zh-Hant/data-redaction.md b/i18n/zh-Hant/data-redaction.md new file mode 100644 index 00000000..21b53909 --- /dev/null +++ b/i18n/zh-Hant/data-redaction.md 
@@ -0,0 +1,146 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +--- + +分享檔案時,請務必移除相關的中繼資料。 映像文件通常包含 [Exif](https://en.wikipedia.org/wiki/Exif) 數據。 照片有時甚至在文件元數據中包含GPS坐標。 + +## 電腦版應用程式 + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + It currently supports JPEG, PNG and WebP files. 
+ + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +被清除的元資料取決於影像的檔案類型: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +處理完影像後, ExifEraser會為您提供一份完整的報告,說明每張影像中究竟刪除了哪些內容。 + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? 
downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. 
+ + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! 示例「從檔案目錄中刪除資料」 + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. + +--8<-- "includes/abbreviations.zh-Hant.txt" diff --git a/i18n/zh-Hant/desktop-browsers.md b/i18n/zh-Hant/desktop-browsers.md new file mode 100644 index 00000000..edaa8052 --- /dev/null +++ b/i18n/zh-Hant/desktop-browsers.md 
@@ -0,0 +1,263 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping your browser extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! 
warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. 
+ +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. 
If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. 
+ +### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### IPFS + +InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +- [x] Select **Disabled** on Method to resolve IPFS resources + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). 
+ +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +--8<-- "includes/abbreviations.zh-Hant.txt" + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/zh-Hant/desktop.md b/i18n/zh-Hant/desktop.md new file mode 100644 index 00000000..e373c175 --- /dev/null +++ b/i18n/zh-Hant/desktop.md 
@@ -0,0 +1,184 @@ +--- +title: "Desktop/PC" +icon: simple/linux +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. 
+ + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). 
+ +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. 
+ +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. 
You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. 
+ +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. 
[Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. + +--8<-- "includes/abbreviations.zh-Hant.txt" diff --git a/i18n/zh-Hant/dns.md b/i18n/zh-Hant/dns.md new file mode 100644 index 00000000..84def51f --- /dev/null +++ b/i18n/zh-Hant/dns.md 
@@ -0,0 +1,142 @@ +--- +title: "DNS Resolvers" +icon: material/dns +--- + +!!! question "Should I use encrypted DNS?" + + Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + + [Learn more about DNS](advanced/dns-overview.md){ .md-button } + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### Android + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). 
+ +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! 
recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." 
+ + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! 
recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +--8<-- "includes/abbreviations.zh-Hant.txt" + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. 
[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/zh-Hant/email-clients.md b/i18n/zh-Hant/email-clients.md new file mode 100644 index 00000000..167d50e3 --- /dev/null +++ b/i18n/zh-Hant/email-clients.md 
@@ -0,0 +1,239 @@ +--- +title: "Email Clients" +icon: material/email-open +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! 
recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. 
+ + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! 
recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. + +--8<-- "includes/abbreviations.zh-Hant.txt" diff --git a/i18n/zh-Hant/email.md b/i18n/zh-Hant/email.md new file mode 100644 index 00000000..084c303a --- /dev/null +++ b/i18n/zh-Hant/email.md 
@@ -0,0 +1,485 @@ +--- +title: "Email Services" +icon: material/email +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +??? 
success "Custom Domains and Aliases" + + Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +??? success "Private Payment Methods" + + Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments. + +??? success "Account Security" + + Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code. + +??? success "Data Security" + + Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + + Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +??? success "Email Encryption" + + Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. 
+ + Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + +??? warning "Digital Legacy" + + Proton Mail doesn't offer a digital legacy feature. + +??? info "Account Termination" + + If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +??? info "Additional Functionality" + + Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +??? success "Custom Domains and Aliases" + + Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. 
Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +??? info "Private Payment Methods" + + Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +??? success "Account Security" + + Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +??? info "Data Security" + + Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + + However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +??? success "Email Encryption" + + Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. 
This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + + Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +??? success "Digital Legacy" + + Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +??? info "Account Termination" + + Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +??? info "Additional Functionality" + + You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + + All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +### StartMail + +!!! 
recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +??? success "Custom Domains and Aliases" + + Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +??? warning "Private Payment Methods" + + StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +??? success "Account Security" + + StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +??? info "Data Security" + + StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. 
When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + + StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +??? success "Email Encryption" + + StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. + +??? warning "Digital Legacy" + + StartMail does not offer a digital legacy feature. + +??? info "Account Termination" + + On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +??? info "Additional Functionality" + + StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +??? success "Custom Domains and Aliases" + + Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). 
Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +??? warning "Private Payment Methods" + + Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +??? success "Account Security" + + Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +??? success "Data Security" + + Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +??? warning "Email Encryption" + + Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +??? warning "Digital Legacy" + + Tutanota doesn't offer a digital legacy feature. + +??? info "Account Termination" + + Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +??? info "Additional Functionality" + + Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + + Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. 
+
+## Email Aliasing Services
+
+An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address.
+
+Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning.
+
+Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain:
+
+- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly.
+- Replies are sent from the alias address, shielding your real email address.
+
+They also have a number of benefits over "temporary email" services:
+
+- Aliases are permanent and can be turned on again if you need to receive something like a password reset.
+- Emails are sent to your trusted mailbox rather than stored by the alias provider.
+- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you.
+
+Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign.
+
+Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider.
+
+### AnonAddy
+
+!!! recommendation
+
+ ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right }
+ ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right }
+
+ **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous.
+
+ [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app)
+ - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe)
+
+The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.
+
+Notable free features:
+
+- [x] 20 Shared Aliases
+- [x] Unlimited Standard Aliases
+- [ ] No Outgoing Replies
+- [x] 2 Recipient Mailboxes
+- [x] Automatic PGP Encryption
+
+### SimpleLogin
+
+!!! recommendation
+
+ ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right }
+
+ **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains.
+
+ [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858)
+ - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn)
+ - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff)
+ - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017)
+
+SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf).
+
+You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free.
+
+Notable free features:
+
+- [x] 10 Shared Aliases
+- [x] Unlimited Replies
+- [x] 1 Recipient Mailbox
+
+## Self-Hosting Email
+
+Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable.
+
+### Combined software solutions
+
+!!! recommendation
+
+ ![Mailcow logo](assets/img/email/mailcow.svg){ align=right }
+
+ **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support.
+
+ [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute }
+
+!!! recommendation
+
+ ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right }
+
+ **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server.
+
+ [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" }
+
+For a more manual approach we've picked out these two articles:
+
+- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019)
+- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017)
+
+## Criteria
+
+**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you.
+
+### Technology
+
+We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require.
+
+**Minimum to Qualify:**
+
+- Encrypts email account data at rest with zero-access encryption.
+- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard.
+- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy.
+- Operates on owned infrastructure, i.e. not built upon third-party email service providers.
+
+**Best Case:**
+
+- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption.
+- Integrated webmail E2EE/PGP encryption provided as a convenience.
+- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com`
+- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
+- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
+- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
+- Catch-all or alias functionality for those who own their own domains.
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible.
+
+**Minimum to Qualify:**
+
+- Protect sender's IP address. Filter it from showing in the `Received` header field.
+- Don't require personally identifiable information (PII) besides a username and a password.
+- Privacy policy that meets the requirements defined by the GDPR
+- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/).
+
+**Best Case:**
+
+- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
+
+### Security
+
+Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members.
+
+**Minimum to Qualify:**
+
+- Protection of webmail with 2FA, such as TOTP.
+- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
+- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
+- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption.
+- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
+- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
+- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
+- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
+- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/).
+- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
+- Website security standards such as:
+ - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+ - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
+- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt.
+
+**Best Case:**
+
+- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name).
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support.
+- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+- Website security standards such as:
+ - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
+ - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the email providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+
+- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc)
+- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+
+**Best Case:**
+
+- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
+
+### Additional Functionality
+
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/encryption.md b/i18n/zh-Hant/encryption.md
new file mode 100644
index 00000000..ca7cb0d2
--- /dev/null
+++ b/i18n/zh-Hant/encryption.md
@@ -0,0 +1,357 @@
+---
+title: "加密軟體"
+icon: material/file-lock
+---
+
+數據加密是控制誰可以訪問它的唯一方法。 如果您目前沒有為您的硬盤,電子郵件或文件使用加密軟件,您應該在這裡選擇一個選項。
+
+## Multi-platform
+
+此處列出的選項是多平臺的,非常適合建立資料的加密備份。
+
+### Cryptomator (Cloud)
+
+!!! recommendation
+
+ ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right }
+
+ **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider.
+
+ [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:simple-android: Android](https://cryptomator.org/android)
+ - [:simple-windows11: Windows](https://cryptomator.org/downloads)
+ - [:simple-apple: macOS](https://cryptomator.org/downloads)
+ - [:simple-linux: Linux](https://cryptomator.org/downloads)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+
+Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders.
+
+Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS.
+
+Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail.
+
+### Picocrypt (File)
+
+!!! recommendation
+
+ ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right }
+
+ **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features.
+
+ [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases)
+
+### VeraCrypt (Disk)
+
+!!! recommendation
+
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
+ ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
+
+ **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication.
+
+ [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html)
+ - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
+
+VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.
+
+When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher.
+
+Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
+
+## OS Full Disk Encryption
+
+Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor).
+
+### BitLocker
+
+!!! recommendation
+
+ ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right }
+
+ **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).
+
+ [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation}
+
+BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
+
+??? example "Enabling BitLocker on Windows Home"
+
+ To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module.
+
+ 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style":
+
+ ```
+ powershell Get-Disk
+ ```
+
+ 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`:
+
+ ```
+ powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm
+ ```
+
+ 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**.
+
+ 4. Login with your admin account and type this in the command prompt to start encryption:
+
+ ```
+ manage-bde -on c: -used
+ ```
+
+ 5. Close the command prompt and continue booting to regular Windows.
+
+ 6. Open an admin command prompt and run the following commands:
+
+ ```
+ manage-bde c: -protectors -add -rp -tpm
+ manage-bde -protectors -enable c:
+ manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
+ ```
+
+ !!! tip
+
+ Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data.
+
+### FileVault
+
+!!! recommendation
+
+ ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right }
+
+ **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip.
+
+ [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation}
+
+We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery.
+
+### Linux Unified Key Setup
+
+!!! recommendation
+
+ ![LUKS logo](assets/img/encryption-software/luks.png){ align=right }
+
+ **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.
+
+ [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" }
+
+??? example "Creating and opening encrypted containers"
+
+ ```
+ dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
+ sudo cryptsetup luksFormat /path-to-file
+ ```
+
+
+ #### Opening encrypted containers
+ We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface.
+ ```
+ udisksctl loop-setup -f /path-to-file
+ udisksctl unlock -b /dev/loop0
+ ```
+
+!!! note "Remember to back up volume headers"
+
+ We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with:
+
+ ```
+ cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
+ ```
+
+## Browser-based
+
+Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device.
+
+### hat.sh
+
+!!! recommendation
+
+ ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right }
+ ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
+
+ **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies.
+
+ [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" }
+
+## Command-line
+
+Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script).
+
+### Kryptor
+
+!!! recommendation
+
+ ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right }
+
+ **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG.
+
+ [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://www.kryptor.co.uk)
+ - [:simple-apple: macOS](https://www.kryptor.co.uk)
+ - [:simple-linux: Linux](https://www.kryptor.co.uk)
+
+### Tomb
+
+!!! recommendation
+
+ ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right }
+
+ **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work).
+
+ [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute }
+
+## OpenPGP
+
+OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.
+
+When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
+
+!!! tip "Use future defaults when generating a key"
+
+ When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/):
+
+ ```bash
+ gpg --quick-gen-key alice@example.com future-default
+ ```
+
+### GNU Privacy Guard
+
+!!! recommendation
+
+ ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right }
+
+ **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government.
+
+ [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+ - [:simple-apple: macOS](https://gpgtools.org)
+ - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary)
+
+### GPG4win
+
+!!! recommendation
+
+ ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right }
+
+ **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005.
+
+ [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://gpg4win.org/download.html)
+
+### GPG Suite
+
+!!! note
+
+ We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices.
+
+!!! recommendation
+
+ ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right }
+
+ **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS.
+
+ We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support.
+
+ [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-apple: macOS](https://gpgtools.org)
+
+### OpenKeychain
+
+!!! recommendation
+
+ ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right }
+
+ **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).
+ + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. + +--8<-- "includes/abbreviations.zh-Hant.txt" diff --git a/i18n/zh-Hant/file-sharing.md b/i18n/zh-Hant/file-sharing.md new file mode 100644 index 00000000..2f3c6591 --- /dev/null +++ b/i18n/zh-Hant/file-sharing.md 
@@ -0,0 +1,148 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. 
+ + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). 
The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! 
danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. 
+ +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. + +--8<-- "includes/abbreviations.zh-Hant.txt" diff --git a/i18n/zh-Hant/frontends.md b/i18n/zh-Hant/frontends.md new file mode 100644 index 00000000..0534be7c --- /dev/null +++ b/i18n/zh-Hant/frontends.md 
@@ -0,0 +1,268 @@ +--- +title: "Frontends" +icon: material/flip-to-front +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. 
+ +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. 
Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). 
When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. 
+ + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. 
+ + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. 
+ + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. 
Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! 
tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. + +--8<-- "includes/abbreviations.zh-Hant.txt" 
diff --git a/i18n/zh-Hant/index.md b/i18n/zh-Hant/index.md
new file mode 100644
index 00000000..6f78bdf1
--- /dev/null
+++ b/i18n/zh-Hant/index.md
@@ -0,0 +1,44 @@
+---
+template: overrides/home.zh-Hant.html
+hide:
+ - navigation
+ - toc
+ - feedback
+---
+
+
+## Why should I care?
+
+##### “I have nothing to hide. Why should I care about my privacy?”
+
+Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination).
+
+You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human.
+
+[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary}
+
+## What should I do?
+
+##### First, you need to make a plan
+
+Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them.
+
+==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
+
+[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary}
+
+---
+
+## We need you!
Here's how to get involved:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" }
+[:material-information-outline:](about/index.md){ title="Learn more about us" }
+[:material-hand-coin-outline:](about/donate.md){ title="Support the project" }
+
+It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/kb-archive.md b/i18n/zh-Hant/kb-archive.md
new file mode 100644
index 00000000..62248502
--- /dev/null
+++ b/i18n/zh-Hant/kb-archive.md
@@ -0,0 +1,18 @@
+---
+title: KB Archive
+icon: material/archive
+---
+
+# Pages Moved to Blog
+
+Some pages that used to be in our knowledge base can now be found on our blog:
+
+- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
+- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
+- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
+- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/meta/brand.md b/i18n/zh-Hant/meta/brand.md
new file mode 100644
index 00000000..7fbaa29e
--- /dev/null
+++ b/i18n/zh-Hant/meta/brand.md
@@ -0,0 +1,24 @@
+---
+title: Branding Guidelines
+---
+
+The name of the website is **Privacy Guides** and should **not** be changed to:
+
+
+- PrivacyGuides
+- Privacy guides
+- PG
+- PG.org
+
+
+The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**.
+
+Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand)
+
+## Trademark
+
+"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project.
+
+Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/meta/git-recommendations.md b/i18n/zh-Hant/meta/git-recommendations.md
new file mode 100644
index 00000000..3218ab77
--- /dev/null
+++ b/i18n/zh-Hant/meta/git-recommendations.md
@@ -0,0 +1,48 @@
+---
+title: Git Recommendations
+---
+
+If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations.
+
+## Enable SSH Key Commit Signing
+
+You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
+
+1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo):
+ ```
+ git config --global commit.gpgsign true
+ git config --global gpg.format ssh
+ git config --global tag.gpgSign true
+ ```
+2. Copy your SSH public key to your clipboard, for example:
+ ```
+ pbcopy < ~/.ssh/id_ed25519.pub
+ # Copies the contents of the id_ed25519.pub file to your clipboard
+ ```
+3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard:
+ ```
+ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'
+ ```
+
+Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key).
+
+## Rebase on Git pull
+
+Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo).
+
+You can set this to be the default behavior:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase from `main` before submitting a PR
+
+If you are working on your own branch, run these commands before submitting a PR:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/meta/uploading-images.md b/i18n/zh-Hant/meta/uploading-images.md
new file mode 100644
index 00000000..2b0b800e
--- /dev/null
+++ b/i18n/zh-Hant/meta/uploading-images.md
@@ -0,0 +1,91 @@
+---
+title: Uploading Images
+---
+
+Here are a couple of general rules for contributing to Privacy Guides:
+
+## Images
+
+- We **prefer** SVG images, but if those do not exist we can use PNG images
+
+Company logos have canvas size of:
+
+- 128x128px
+- 384x128px
+
+## Optimization
+
+### PNG
+
+Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image:
+
+```bash
+optipng -o7 file.png
+```
+
+### SVG
+
+#### Inkscape
+
+[Scour](https://github.com/scour-project/scour) all SVG images.
+
+In Inkscape:
+
+1. File Save As..
+2. Set type to Optimized SVG (*.svg)
+
+In the **Options** tab:
+
+- **Number of significant digits for coordinates** > **5**
+- [x] Turn on **Shorten color values**
+- [x] Turn on **Convert CSS attributes to XML attributes**
+- [x] Turn on **Collapse groups**
+- [x] Turn on **Create groups for similar attributes**
+- [ ] Turn off **Keep editor data**
+- [ ] Turn off **Keep unreferenced definitions**
+- [x] Turn on **Work around renderer bugs**
+
+In the **SVG Output** tab under **Document options**:
+
+- [ ] Turn off **Remove the XML declaration**
+- [x] Turn on **Remove metadata**
+- [x] Turn on **Remove comments**
+- [x] Turn on **Embeded raster images**
+- [x] Turn on **Enable viewboxing**
+
+In the **SVG Output** under **Pretty-printing**:
+
+- [ ] Turn off **Format output with line-breaks and indentation**
+- **Indentation characters** > Select **Space**
+- **Depth of indentation** > **1**
+- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element**
+
+In the **IDs** tab:
+
+- [x] Turn on **Remove unused IDs**
+- [ ] Turn off **Shorten IDs**
+- **Prefix shortened IDs with** > `leave blank`
+- [x] Turn on **Preserve manually created IDs not ending with digits**
+- **Preserve the following IDs** > `leave blank`
+- **Preserve IDs starting with** > `leave blank`
+
+#### CLI
+
+The same can be achieved with the [Scour](https://github.com/scour-project/scour) command:
+
+```bash
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/meta/writing-style.md b/i18n/zh-Hant/meta/writing-style.md
new file mode 100644
index 00000000..446fb02e
--- /dev/null
+++ b/i18n/zh-Hant/meta/writing-style.md
@@ -0,0 +1,89 @@
+---
+title: Writing Style
+---
+
+Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt.
+
+In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below.
+
+## Writing for our audience
+
+Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with.
+
+### Address only what people want to know
+
+People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details.
+
+> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.”
+
+### Address people directly
+
+We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly.
+
+> More than any other single technique, using “you” pulls users into the information and makes it relevant to them.
+>
+> When you use “you” to address users, they are more likely to understand what their responsibility is.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/)
+
+### Avoid "users"
+
+Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for.
+
+## Organizing content
+
+Organization is key.
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas.
+
+- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages.
+- Mark important ideas with **bold** or *italics*.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
+
+### Begin with a topic sentence
+
+> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details.
+>
+> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
+
+## Choose your words carefully
+
+> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand.
+
+We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly.
+
+> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences:
+>
+> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends.
+>
+> And the original, using stronger, simpler words:
+>
+> > More night jobs would keep youths off the streets.
+
+## Be concise
+
+> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
+
+## Keep text conversational
+
+> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting.
+>
+> Verbs tell your audience what to do. Make sure it’s clear who does what.
+
+### Use active voice
+
+> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.”
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
+
+### Use "must" for requirements
+
+> - “must” for an obligation
+> - “must not” for a prohibition
+> - “may” for a discretionary action
+> - “should” for a recommendation
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/mobile-browsers.md b/i18n/zh-Hant/mobile-browsers.md
new file mode 100644
index 00000000..45ef1dc7
--- /dev/null
+++ b/i18n/zh-Hant/mobile-browsers.md
@@ -0,0 +1,193 @@
+---
+title: "Mobile Browsers"
+icon: material/cellphone-information
+---
+
+These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Android
+
+On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
+
+### Brave
+
+!!! recommendation
+
+ ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+ Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+ [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+ ???
downloads annotate
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+
+#### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy**
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+##### Brave shields global defaults
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+
+
+- [x] Select **Aggressive** under Block trackers & ads
+
+ ??? warning "Use default filter lists"
+ Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] Select **Upgrade connections to HTTPS**
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under **Block fingerprinting**
+
+
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Clear browsing data
+
+- [x] Select **Clear data on exit**
+
+##### Social Media Blocking
+
+- [ ] Uncheck all social media components
+
+##### Other privacy settings
+
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Allow sites to check if you have payment methods saved**
+- [ ] Uncheck **IPFS Gateway** (1)
+- [x] Select **Close tabs on exit**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+
+1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+
+#### Brave Sync
+
+[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
+
+## iOS
+
+On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser.
+
+### Safari
+
+!!! recommendation
+
+ ![Safari logo](assets/img/browsers/safari.svg){ align=right }
+
+ **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
+
+ [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation}
+
+#### Recommended Configuration
+
+These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.
+
+##### Cross-Site Tracking Prevention
+
+- [x] Enable **Prevent Cross-Site Tracking**
+
+This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
+
+##### Privacy Report
+
+Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
+
+Privacy Report is accessible via the Page Settings menu.
+
+##### Privacy Preserving Ad Measurement
+
+- [ ] Disable **Privacy Preserving Ad Measurement**
+
+Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
+
+The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
+
+##### Always-on Private Browsing
+
+Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
+
+- [x] Select **Private**
+
+Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
+
+Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
+
+##### iCloud Sync
+
+Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303).
Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
+
+You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**.
+
+- [x] Turn On **Advanced Data Protection**
+
+If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
+
+### AdGuard
+
+!!! recommendation
+
+ ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right }
+
+ **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
+
+ AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge.
+
+ [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations.
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must support automatic updates.
+- Must receive engine updates in 0-1 days from upstream release.
+- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
+- Android browsers must use the Chromium engine.
+ - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android.
+ - iOS browsers are limited to WebKit.
+
+### Extension Criteria
+
+- Must not replicate built-in browser or OS functionality.
+- Must directly impact user privacy, i.e. must not simply provide information.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/multi-factor-authentication.md b/i18n/zh-Hant/multi-factor-authentication.md
new file mode 100644
index 00000000..09eb8659
--- /dev/null
+++ b/i18n/zh-Hant/multi-factor-authentication.md
@@ -0,0 +1,144 @@
+---
+title: "Multi-Factor Authenticators"
+icon: 'material/two-factor-authentication'
+---
+
+## Hardware Security Keys
+
+### YubiKey
+
+!!! recommendation
+
+ ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
+
+ The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+ One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.
+
+ [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation}
+
+The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+!!! warning
+ The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+### Nitrokey / Librem Key
+
+!!! recommendation
+
+ ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
+
+ **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+ [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation}
+
+The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager.
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + + The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +!!! tip + + The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.
+
+## Authenticator Apps
+
+Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
+
+We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
+
+### Aegis Authenticator (Android)
+
+!!! recommendation
+
+ ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right }
+
+ **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services.
+
+ [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
+ - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases)
+
+### Raivo OTP (iOS)
+
+!!! recommendation
+
+ ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right }
+
+ **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app.
+
+ [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open-source software.
+- Must not require internet connectivity.
+- Must not sync to a third-party cloud sync/backup service.
+ - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/news-aggregators.md b/i18n/zh-Hant/news-aggregators.md
new file mode 100644
index 00000000..f72e764e
--- /dev/null
+++ b/i18n/zh-Hant/news-aggregators.md
@@ -0,0 +1,173 @@
+---
+title: "News Aggregators"
+icon: material/rss
+---
+
+A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favourite blogs and news sites.
+
+## Aggregator clients
+
+### Akregator
+
+!!! recommendation
+
+ ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right }
+
+ **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading.
+
+ [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation}
+ [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator)
+
+### Feeder
+
+!!! recommendation
+
+ ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right }
+
+ **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+
+ [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play)
+
+### Fluent Reader
+
+!!! recommendation
+
+ ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right }
+
+ **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md).
+
+ [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://hyliu.me/fluent-reader)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427)
+
+### GNOME Feeds
+
+!!! recommendation
+
+ ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right }
+
+ **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast.
+
+ [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds)
+
+### Miniflux
+
+!!! recommendation
+
+ ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right }
+ ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right }
+
+ **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+
+ [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute }
+
+### NetNewsWire
+
+!!! recommendation
+
+ ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right }
+
+ **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds.
+
+ [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210)
+ - [:simple-apple: macOS](https://netnewswire.com)
+
+### Newsboat
+
+!!!
recommendation
+
+ ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right }
+
+ **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell).
+
+ [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" }
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open-source software.
+- Must operate locally, i.e. must not be a cloud service.
+
+## Social Media RSS Support
+
+Some social media services also support RSS although it's not often advertised.
+
+### Reddit
+
+Reddit allows you to subscribe to subreddits via RSS.
+
+!!! example
+ Replace `subreddit_name` with the subreddit you wish to subscribe to.
+
+ ```text
+ https://www.reddit.com/r/{{ subreddit_name }}/new/.rss
+ ```
+
+### Twitter
+
+Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS.
+
+!!! example
+ 1. Pick an instance and set `nitter_instance`.
+ 2. Replace `twitter_account` with the account name.
+
+ ```text
+ https://{{ nitter_instance }}/{{ twitter_account }}/rss
+ ```
+
+### YouTube
+
+You can subscribe YouTube channels without logging in and associating usage information with your Google Account.
+
+!!! example
+
+ To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below:
+ ```text
+ https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID]
+ ```
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/notebooks.md b/i18n/zh-Hant/notebooks.md
new file mode 100644
index 00000000..16fef5a4
--- /dev/null
+++ b/i18n/zh-Hant/notebooks.md
@@ -0,0 +1,115 @@
+---
+title: "Notebooks"
+icon: material/notebook-edit-outline
+---
+
+Keep track of your notes and journalings without giving them to a third-party.
+
+If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE.
+
+## Cloud-based
+
+### Joplin
+
+!!! recommendation
+
+ ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right }
+
+ **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes.
+
+ [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797)
+ - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases)
+ - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications)
+ - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications)
+ - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications)
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek)
+
+Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key.
+
+### Standard Notes
+
+!!! recommendation
+
+ ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right }
+
+ **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf).
+
+ [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450)
+ - [:simple-github: GitHub](https://github.com/standardnotes/app/releases)
+ - [:simple-windows11: Windows](https://standardnotes.com)
+ - [:simple-apple: macOS](https://standardnotes.com)
+ - [:simple-linux: Linux](https://standardnotes.com)
+ - [:octicons-globe-16: Web](https://app.standardnotes.com/)
+
+### Cryptee
+
+!!! recommendation
+
+ ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right }
+ ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right }
+
+ **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform.
+
+ [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:octicons-globe-16: PWA](https://crypt.ee/download)
+
+Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information.
+
+## Local notebooks
+
+### Org-mode
+
+!!! recommendation
+
+ ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right }
+
+ **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools.
+
+ [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute }
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Clients must be open-source.
+- Any cloud sync functionality must be E2EE.
+- Must support exporting documents into a standard format.
+
+### Best Case
+
+- Local backup/sync functionality should support encryption.
+- Cloud-based platforms should support document sharing.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/os/android-overview.md b/i18n/zh-Hant/os/android-overview.md
new file mode 100644
index 00000000..27091970
--- /dev/null
+++ b/i18n/zh-Hant/os/android-overview.md
@@ -0,0 +1,135 @@
+---
+title: Android Overview
+icon: simple/android
+---
+
+Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system.
+
+## Choosing an Android Distribution
+
+When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android.
+
+This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model.
+
+Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. 
At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. 
+ +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. 
+ +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. 
+ +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. 
It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Should you want to run an app that you're unsure about, consider using a user or work profile. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. 
+ +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. 
that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). 
This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. 
Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities.
+
+As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/os/linux-overview.md b/i18n/zh-Hant/os/linux-overview.md
new file mode 100644
index 00000000..a7d9bcac
--- /dev/null
+++ b/i18n/zh-Hant/os/linux-overview.md
@@ -0,0 +1,143 @@
+---
+title: Linux Overview
+icon: simple/linux
+---
+
+It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years.
+
+At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.:
+
+- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). 
These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. 
This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+
+
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+
+
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). 
AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. 
+ +## 一般性建議 + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. 
+
+Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
+
+We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
+
+### Proprietary Firmware (Microcode Updates)
+
+Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html).
+
+We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default.
+
+### Updates
+
+Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found.
+
+Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates.
+
+Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd).
+
+## Privacy Tweaks
+
+### MAC Address Randomization
+
+Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings.
+
+It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous.
+
+We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/).
+
+If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=).
+
+There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware.
+
+### Other Identifiers
+
+There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md):
+
+- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings.
+- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
+- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id).
+
+### System Counting
+
+The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary.
+
+This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer.
+ +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. + +--8<-- "includes/abbreviations.zh-Hant.txt" diff --git a/i18n/zh-Hant/os/qubes-overview.md b/i18n/zh-Hant/os/qubes-overview.md new file mode 100644 index 00000000..06bcda1c --- /dev/null +++ b/i18n/zh-Hant/os/qubes-overview.md @@ -0,0 +1,56 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+
+## Why Should I use Qubes?
+
+Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources.
+
+Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control.
+
+### Copying and Pasting Text
+
+You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions:
+
+1. Press **Ctrl+C** to tell the VM you're in that you want to copy something.
+2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard.
+3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available.
+4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer.
+
+### File Exchange
+
+To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system.
+
+??? info "AppVMs or qubes do not have their own file systems"
+
+ You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident.
+
+### Inter-VM Interactions
+
+The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/).
+
+## Additional Resources
+
+For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc).
+
+- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/)
+- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf)
+- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html)
+- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles)
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/passwords.md b/i18n/zh-Hant/passwords.md
new file mode 100644
index 00000000..be3979e0
--- /dev/null
+++ b/i18n/zh-Hant/passwords.md
@@ -0,0 +1,230 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. 
If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. 
+ + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! 
recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). 
+ + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. + +--8<-- "includes/abbreviations.zh-Hant.txt" diff --git a/i18n/zh-Hant/productivity.md b/i18n/zh-Hant/productivity.md new file mode 100644 index 00000000..2a4dc476 --- /dev/null +++ b/i18n/zh-Hant/productivity.md 
@@ -0,0 +1,156 @@
+---
+title: "Productivity Tools"
+icon: material/file-sign
+---
+
+Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints.
+
+## Collaboration Platforms
+
+### Nextcloud
+
+!!! recommendation
+
+ ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right }
+
+ **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control.
+
+ [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+ - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
+ - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
+ - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+
+!!! danger
+
+ We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers.
+
+### CryptPad
+
+!!! recommendation
+
+ ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right }
+
+ **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily.
+
+ [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute }
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive.
+
+- Open-source.
+- Makes files accessible via WebDAV unless it is impossible due to E2EE.
+- Has sync clients for Linux, macOS, and Windows.
+- Supports document and spreadsheet editing.
+- Supports real-time document collaboration.
+- Supports exporting documents to standard document formats (e.g. ODF).
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should store files in a conventional filesystem.
+- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins.
+
+## Office Suites
+
+### LibreOffice
+
+!!! recommendation
+
+ ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right }
+
+ **LibreOffice** is a free and open-source office suite with extensive functionality.
+
+ [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/)
+ - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/)
+ - [:simple-apple: macOS](https://www.libreoffice.org/download/download/)
+ - [:simple-linux: Linux](https://www.libreoffice.org/download/download/)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/)
+
+### OnlyOffice
+
+!!! recommendation
+
+ ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right }
+
+ **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud.
+
+ [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972)
+ - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs.
+
+- Must be cross-platform.
+- Must be open-source software.
+- Must function offline.
+- Must support editing documents, spreadsheets, and slideshows.
+- Must export files to standard document formats.
+
+## Paste services
+
+### PrivateBin
+
+!!! recommendation
+
+ ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+ **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/).
+
+ [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"}
+ [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" }
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/real-time-communication.md b/i18n/zh-Hant/real-time-communication.md
new file mode 100644
index 00000000..6046be6f
--- /dev/null
+++ b/i18n/zh-Hant/real-time-communication.md
@@ -0,0 +1,195 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. 
Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. 
+ + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. 
The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. 
+ +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should have Perfect Forward Secrecy.
+- Should have open-source servers.
+- Should be decentralized, i.e. federated or P2P.
+- Should use E2EE for all messages by default.
+- Should support Linux, macOS, Windows, Android, and iOS.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/router.md b/i18n/zh-Hant/router.md
new file mode 100644
index 00000000..186b3169
--- /dev/null
+++ b/i18n/zh-Hant/router.md
@@ -0,0 +1,51 @@
+---
+title: "Router Firmware"
+icon: material/router-wireless
+---
+
+Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc.
+
+## OpenWrt
+
+!!! recommendation
+
+ ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right }
+ ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right }
+
+ **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers.
+
+ [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute }
+
+You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported.
+
+## OPNsense
+
+!!! recommendation
+
+ ![OPNsense logo](assets/img/router/opnsense.svg){ align=right }
+
+ **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint.
+
+ [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute }
+
+OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must be open source.
+- Must receive regular updates.
+- Must support a wide variety of hardware.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/search-engines.md b/i18n/zh-Hant/search-engines.md
new file mode 100644
index 00000000..63381443
--- /dev/null
+++ b/i18n/zh-Hant/search-engines.md
@@ -0,0 +1,109 @@
+---
+title: "Search Engines"
+icon: material/search-web
+---
+
+Use a search engine that doesn't build an advertising profile based on your searches.
+
+The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored.
+
+Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider.
+
+## Brave Search
+
+!!! recommendation
+
+ ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right }
+
+ **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives.
+
+ Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts.
+
+ We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings.
+
+ [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation}
+
+Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained.
+
+## DuckDuckGo
+
+!!! 
recommendation
+
+ ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right }
+
+ **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results.
+
+ DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser.
+
+ [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" }
+ [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation}
+
+DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information.
+
+DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version.
+
+## SearXNG
+
+!!! 
recommendation
+
+ ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right }
+
+ **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx).
+
+ [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary }
+ [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"}
+ [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" }
+
+SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from.
+
+When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities.
+
+When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII.
+
+## Startpage
+
+!!! recommendation
+
+ ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right }
+ ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right }
+
+ **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified.
The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead.
+
+ [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation}
+
+!!! warning
+
+ Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider.
+
+Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information.
+
+Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must not collect personally identifiable information per their privacy policy.
+- Must not allow users to create an account with them.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be based on open-source software.
+- Should not block Tor exit node IP addresses.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/tools.md b/i18n/zh-Hant/tools.md
new file mode 100644
index 00000000..93c1cf7b
--- /dev/null
+++ b/i18n/zh-Hant/tools.md
@@ -0,0 +1,443 @@
+---
+title: "Privacy Tools"
+icon: material/tools
+hide:
+ - toc
+---
+
+If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs.
+
+If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community!
+
+For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page.
+
+## Tor Network
+
+
+
+- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser)
+- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot)
+- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1)
+
+
+
+1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy.
+
+[Learn more :material-arrow-right-drop-circle:](tor.md)
+
+## Desktop Web Browsers
+
+
+
+- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox)
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md)
+
+### Additional Resources
+
+
+
+- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources)
+
+## Mobile Web Browsers
+
+
+
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave)
+- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md)
+
+### Additional Resources
+
+
+
+- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard)
+
+## Operating Systems
+
+### Mobile
+
+
+
+- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos)
+- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md)
+
+#### Android Apps
+
+
+
+- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store)
+- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter)
+- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor)
+- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera)
+- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](android.md#general-apps)
+
+### Desktop/PC
+
+
+
+- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os)
+- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation)
+- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed)
+- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux)
+- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue)
+- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos)
+- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix)
+- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](desktop.md)
+
+### Router Firmware
+
+
+
+- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt)
+- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense)
+
+
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+
+- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home)
+- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions)
+
+### Email
+
+
+
+- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail)
+- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg)
+- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail)
+- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md)
+
+#### Email Aliasing Services
+
+
+
+- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy)
+- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services)
+
+#### Self-Hosting Email
+
+
+
+- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email)
+- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email)
+
+### Search Engines
+
+
+
+- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search)
+- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo)
+- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng)
+- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](search-engines.md)
+
+### VPN Providers
+
+??? 注意 "VPN 不會讓您匿名"
+
+ Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.
+
+ If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
+
+ If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
+
+ [Learn more :material-arrow-right-drop-circle:](vpn.md)
+
+
+
+- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn)
+- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn)
+- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](vpn.md)
+
+## Software
+
+### Calendar Sync
+
+
+
+- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota)
+- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](calendar.md)
+
+### Data and Metadata Redaction
+
+
+
+- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2)
+- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android)
+- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios)
+- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur)
+- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](data-redaction.md)
+
+### Email Clients
+
+
+
+- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird)
+- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos)
+- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios)
+- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android)
+- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome)
+- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android)
+- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde)
+- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser)
+- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](email-clients.md)
+
+### 加密軟體
+
+??? info "Operating System Disk Encryption"
+
+ For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems.
+
+ [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde)
+
+
+
+- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud)
+- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file)
+- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk)
+- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh)
+- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor)
+- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](encryption.md)
+
+#### OpenPGP Clients
+
+
+
+- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard)
+- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win)
+- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite)
+- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp)
+
+### File Sharing and Sync
+
+
+
+- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send)
+- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare)
+- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox)
+- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud)
+- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](file-sharing.md)
+
+### Frontends
+
+
+
+- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian)
+- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter)
+- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube)
+- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee)
+- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android)
+- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android)
+- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious)
+- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](frontends.md)
+
+### Multi-Factor Authentication Tools
+
+
+
+- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey)
+- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key)
+- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator)
+- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md)
+
+### News Aggregators
+
+
+
+- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator)
+- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder)
+- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader)
+- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds)
+- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux)
+- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire)
+- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](news-aggregators.md)
+
+### Notebooks
+
+
+
+- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin)
+- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes)
+- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee)
+- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](notebooks.md)
+
+### Password Managers
+
+
+
+- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden)
+- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password)
+- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono)
+- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc)
+- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android)
+- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos)
+- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](passwords.md)
+
+### Productivity Tools
+
+
+
+- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud)
+- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice)
+- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice)
+- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad)
+- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](productivity.md)
+
+### Real-Time Communication
+
+
+
+- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal)
+- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar)
+- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat)
+- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element)
+- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
+
+### Video Streaming Clients
+
+
+
+- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry)
+
+
+
+[Learn more :material-arrow-right-drop-circle:](video-streaming.md)
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/tor.md b/i18n/zh-Hant/tor.md
new file mode 100644
index 00000000..65e38570
--- /dev/null
+++ b/i18n/zh-Hant/tor.md
@@ -0,0 +1,124 @@
+---
+title: "Tor Network"
+icon: simple/torproject
+---
+
+![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right }
+
+The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool.
+
+[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage }
+[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation}
+[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity.
+
+
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light)
+ ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+
+- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md)
+
+## Connecting to Tor
+
+There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser.
+
+### Tor Browser
+
+!!! recommendation
+
+ ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right }
+
+ **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*.
+
+ [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary }
+ [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
+ [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation }
+ [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
+ - [:simple-android: Android](https://www.torproject.org/download/#android)
+ - [:simple-windows11: Windows](https://www.torproject.org/download/)
+ - [:simple-apple: macOS](https://www.torproject.org/download/)
+ - [:simple-linux: Linux](https://www.torproject.org/download/)
+ - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor)
+
+!!! 
danger
+
+ You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
+
+The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/).
+
+### Orbot
+
+!!! recommendation
+
+ ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right }
+
+ **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network.
+
+ [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation}
+ [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599)
+ - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases)
+
+For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to.
+
+!!! tip "Tips for Android"
+
+ Orbot can proxy individual apps if they support SOCKS or HTTP proxying. 
It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+ Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead.
+
+ All versions are signed using the same signature so they should be compatible with each other.
+
+## Relays and Bridges
+
+### Snowflake
+
+!!! recommendation
+
+ ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right }
+ ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right }
+
+ **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser.
+
+ People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge.
+
+ [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+
+ ??? 
downloads
+
+ - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/)
+ - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie)
+ - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy")
+
+??? tip "Embedded Snowflake"
+
+ You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface.
+
+
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html).
+
+Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours.
+
+Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/video-streaming.md b/i18n/zh-Hant/video-streaming.md
new file mode 100644
index 00000000..29dafe3f
--- /dev/null
+++ b/i18n/zh-Hant/video-streaming.md
@@ -0,0 +1,52 @@
+---
+title: "Video Streaming"
+icon: material/video-wireless
+---
+
+The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage.
+
+## LBRY
+
+!!! recommendation
+
+ ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right }
+
+ **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance.
+
+ **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet.
+
+ [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://lbry.com/windows)
+ - [:simple-apple: macOS](https://lbry.com/osx)
+ - [:simple-linux: Linux](https://lbry.com/linux)
+
+!!! note
+
+ Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry.
+
+!!! warning
+
+ While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+
+We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel.
+
+You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- Must not require a centralized account to view videos.
+ - Decentralized authentication, such as via a mobile wallet's private key is acceptable.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh-Hant/vpn.md b/i18n/zh-Hant/vpn.md
new file mode 100644
index 00000000..78524974
--- /dev/null
+++ b/i18n/zh-Hant/vpn.md
@@ -0,0 +1,323 @@
+---
+title: "VPN 服務"
+icon: material/vpn
+---
+
+尋找不會讀取及販賣您流量的 VPN 營運商
+
+??? 注意 "VPN 不會讓您匿名"
+
+ Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.
+
+ If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
+
+ If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
+
+ [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button }
+
+??? question "When are VPNs useful?"
+
+ If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved.
+
+ [More Info](basics/vpn-overview.md){ .md-button }
+
+## Recommended Providers
+
+!!! abstract "Criteria"
+
+ Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#our-criteria) for more information.
+
+### Proton VPN
+
+!!! recommendation annotate
+
+ ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right }
+
+ **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option.
+
+ [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" }
+
+ ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +??? success annotate "67 Countries" + + Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). 
A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +??? success "Open-Source Clients" + + Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +??? success "Accepts Cash" + + Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment. + +??? success "WireGuard Support" + + Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +??? warning "Remote Port Forwarding" + + Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +??? 
info "Additional Functionality" + + Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +!!! danger "Killswitch feature is broken on Intel-based Macs" + + System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +??? success annotate "35 Countries" + + IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1). 
Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2022-09-16 + +??? success "Independently Audited" + + IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +??? success "Open-Source Clients" + + As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +??? success "Accepts Cash and Monero" + + In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +??? success "WireGuard Support" + + IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. 
+ + IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +??? info "Additional Functionality" + + IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. 
+ + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +??? success annotate "41 Countries" + + Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. + + We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +1. Last checked: 2023-01-19 + +??? success "Independently Audited" + + Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). 
The security researchers concluded: + + > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + + In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + + > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + + In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +??? success "Open-Source Clients" + + Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +??? 
success "Accepts Cash and Monero" + + Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +??? success "WireGuard Support" + + Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + + Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "IPv6 Support" + + Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +??? 
success "Mobile Clients" + + Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +??? info "Additional Functionality" + + Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. 
+ +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- Monero or cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts Monero, cash, and other forms of anonymous payment options (gift cards, etc.) +- No personal information accepted (autogenerated username, no email required, etc.) 
+
+### Security
+
+A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis.
+
+**Minimum to Qualify:**
+
+- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
+- Perfect Forward Secrecy (PFS).
+- Published security audits from a reputable third-party firm.
+
+**Best Case:**
+
+- Strongest Encryption: RSA-4096.
+- Perfect Forward Secrecy (PFS).
+- Comprehensive published security audits from a reputable third-party firm.
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the VPN providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+ - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.)
+ - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes.
+- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor.
+
+**Best Case:**
+
+Responsible marketing that is both educational and useful to the consumer could include:
+
+- An accurate comparison to when [Tor](tor.md) should be used instead.
+- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion)
+
+### Additional Functionality
+
+While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc.
+
+--8<-- "includes/abbreviations.zh-Hant.txt"
diff --git a/i18n/zh/404.md b/i18n/zh/404.md
new file mode 100644
index 00000000..b8ca171d
--- /dev/null
+++ b/i18n/zh/404.md
@@ -0,0 +1,17 @@
+---
+hide:
+ - feedback
+---
+
+# 404 - 页面不存在
+
+We couldn't find the page you were looking for! Maybe you were looking for one of these?
+
+- [威胁模型分析简介](basics/threat-modeling.md)
+- [推荐的DNS提供商](dns.md)
+- [最好的桌面浏览器](desktop-browsers.md)
+- [最好的VPN提供商](vpn.md)
+- [Privacy Guides论坛](https://discuss.privacyguides.net)
+- [我们的博客](https://blog.privacyguides.org)
+
+--8<-- "includes/abbreviations.zh.txt"
diff --git a/i18n/zh/CODE_OF_CONDUCT.md b/i18n/zh/CODE_OF_CONDUCT.md
new file mode 100644
index 00000000..88a0e910
--- /dev/null
+++ b/i18n/zh/CODE_OF_CONDUCT.md
@@ -0,0 +1,53 @@
+# Community Code of Conduct
+
+**We pledge** to make our community a harassment-free experience for everyone.
+
+**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others.
+
+**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment.
+
+## Community Standards
+
+What we expect from members of our communities:
+
+1. **Don't spread misinformation**
+
+ We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence.
+
+1. **Don't abuse our willingness to help**
+
+ Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/).
+
+1. **Behave in a positive and constructive manner**
+
+ Examples of behavior that contributes to a positive environment for our community include:
+
+ - Demonstrating empathy and kindness toward other people
+ - Being respectful of differing opinions, viewpoints, and experiences
+ - Giving and gracefully accepting constructive feedback
+ - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+ - Focusing on what is best not just for us as individuals, but for the overall community
+
+### Unacceptable Behavior
+
+The following behaviors are considered harassment and are unacceptable within our community:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Scope
+
+Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities.
+
+We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion.
+
+### Contact
+
+If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system.
+
+If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
diff --git a/i18n/zh/about/criteria.md b/i18n/zh/about/criteria.md
new file mode 100644
index 00000000..4efde1a2
--- /dev/null
+++ b/i18n/zh/about/criteria.md
@@ -0,0 +1,42 @@
+---
+title: 通用标准
+---
+
+!!! 示例“正在进行的工作”
+
+ 以下页面是一项正在进行的工作,目前并不反映我们建议的全部标准。 过去关于这个主题的讨论。[#24](https://github.com/privacyguides/privacyguides.org/discussions/24)
+
+以下是一些必须适用于所有提交给隐私指南的事项。 每个类别都会有额外的纳入要求。
+
+## 财务披露
+
+我们不通过推荐某些产品赚钱,我们不使用联盟链接,我们也不为项目捐赠者提供特殊考虑。
+
+## 一般准则
+
+我们在考虑新的建议时采用这些优先事项。
+
+- **安全**:工具应该在适用的地方遵循安全的最佳做法。
+- **来源的可用性**: 开放源码项目通常比同等的专有替代品更受欢迎。
+- **跨平台**:我们通常倾向于建议跨平台,以避免厂商锁定。
+- **积极开发**:我们推荐的工具应该积极开发,未维护的项目在大多数情况下会被删除。
+- **可用性**:工具应该是大多数计算机用户可以使用的,不应该要求有过度的技术背景。
+- **文档化**:工具应该有明确和广泛的使用文档。
+
+## 开发商自行提交的资料
+
+我们对希望提交其项目或软件供审议的开发者有这些要求。
+
+- 必须披露隶属关系,即您在提交的项目中的职位。
+
+- 如果是涉及处理敏感信息的项目,如信使、密码管理器、加密的云存储等,必须有一份安全白皮书。
+ - 第三方审计情况。 我们想知道你是否有一个或计划了一个。 如果可能,请说明谁将进行审计。
+
+- 必须解释该项目在隐私方面带来了什么。
+ - 它是否解决了任何新问题?
+ - 为什么有人要使用它而不是其他的东西呢?
+
+- 必须说明其项目的确切威胁模式是什么。
+ - 潜在的用户应该清楚地知道该项目能提供什么,以及不能提供什么。
+
+--8<-- "includes/abbreviations.zh.txt"
diff --git a/i18n/zh/about/donate.md b/i18n/zh/about/donate.md
new file mode 100644
index 00000000..218a86cc
--- /dev/null
+++ b/i18n/zh/about/donate.md
@@ -0,0 +1,52 @@ +--- +title: 支持我们 +--- + + +需要大量的 [人](https://github.com/privacyguides/privacyguides.org/graphs/contributors) 和 [工作](https://github.com/privacyguides/privacyguides.org/pulse/monthly) ,以保持《隐私指南》的更新和传播有关隐私和大规模监控的信息。 如果你喜欢我们的工作,帮助我们的最好方式是通过参与 [编辑网站](https://github.com/privacyguides/privacyguides.org) 或 [贡献翻译](https://crowdin.com/project/privacyguides)。 + +如果你想在经济上支持我们,对我们来说,最方便的方法是通过Open Collective捐款,这是一个由我们的财政主机运营的网站。 Open Collective接受通过信用卡/借记卡、PayPal和银行转账付款。 + +[在OpenCollective.com上捐款](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +在美国,直接捐给我们Open Collective的捐款通常是可以免税的,因为我们的财政主机(Open Collective基金会)是一个注册的501(c)3组织。 捐赠后,你会收到开放集体基金会的收据。 《隐私指南》不提供财务建议,你应该联系你的税务顾问,了解这是否适用于你。 + +如果你已经利用了GitHub的赞助,你也可以在那里赞助我们的组织。 + +[在GitHub上赞助我们](https://github.com/sponsors/privacyguides ""){.md-button} + +## 支持者 + +特别感谢所有支持我们任务的人! :heart: + +*请注意:本节直接从Open Collective加载一个小部件。 这一部分并不反映在Open Collective之外的捐赠,我们也无法控制这一部分中的具体捐赠者。* + + + +## 我们如何使用捐赠费 + +隐私指南是一个 **非营利性** 组织。 我们将捐款用于各种目的,包括。 + +**域名注册** +: + +我们有一些域名,如 `privacyguides.org` ,这些域名每年花费我们约10美元来维护其注册。 + +**虚拟主机** +: + +本网站的流量每月使用数百千兆字节的数据,我们使用各种服务提供商来跟上这种流量。 + +**在线服务** +: + +我们的主机 [互联网服务](https://privacyguides.net) ,用于测试和展示我们喜欢的不同隐私产品, [推荐](../tools.md)。 其中一些是公开提供给我们社区使用的(SearXNG、Tor等),一些是提供给我们的团队成员的(电子邮件等)。 + +**购买商品** +: + +我们偶尔会购买产品和服务,以测试我们 [推荐的工具](../tools.md)。 + +我们仍在与我们的财政主机(Open Collective Foundation)合作,以接收加密货币捐款,目前,对于许多较小的交易来说,会计是不可行的,但这在未来应该会改变。 同时,如果您希望进行大额(> $100)加密货币捐赠,请联系 [jonah@privacyguides.org](mailto:jonah@privacyguides.org)。 + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/about/index.md b/i18n/zh/about/index.md new file mode 100644 index 00000000..7f249fe0 --- /dev/null +++ b/i18n/zh/about/index.md 
@@ -0,0 +1,63 @@ +--- +title: "关于隐私指南(Privacy Guides)" +--- + +**隐私指南(Privacy Guides)** 是一个有社会动机的网站,提供保护你的数据安全和隐私的信息。 我们是一个非营利性的集体,完全由志愿者 [团队成员](https://discuss.privacyguides.net/g/team) 和贡献者运作。 + +[:material-hand-coin-outline: 支持该项目](donate.md ""){.md-button.md-button--primary} + +## 我们的团队 + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: 主页](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: 电子邮件](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: 电子邮件](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: 主页](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: 主页](https://mfw.omg.lol) + +??? 
person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +此外, [多人](https://github.com/privacyguides/privacyguides.org/graphs/contributors) 已经为该项目做了贡献。 你也可以,我们在GitHub上是开源的。 + +我们的团队成员审查所有对网站的修改,并处理行政职责,如网站托管和财务,但他们个人并不从对本网站的任何贡献中获益。 我们的财务状况由开放集体基金会501(c)(3)透明地托管,网址是: [opencollective.com/privacyguides](https://opencollective.com/privacyguides)。 在美国,对隐私指南的捐赠通常可以抵扣税款。 + +## 网站许可证 + +*以下是 [许可证的可读摘要(而不是替代)](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE)。* + +除非另有说明,否则本网站上的所有内容均根据 [Creative Commons Attribution-NoDerivatives 4.0国际公共许可证](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE)的条款提供。 这意味着你可以自由地以任何媒介或形式复制和重新分发材料,用于任何目的,甚至是商业目的;只要你适当地注明 `隐私指南(www.privacyguides.org)` ,并提供许可证的链接。 您可以以任何合理的方式这样做,但不得以任何方式暗示隐私指南认可您或您的使用。 如果您重构、转换或建立在此网站的内容,您可能无法分发修改过的材料。 + +设立这个许可证是为了防止人们在不给予适当信用的情况下分享我们的作品,并防止人们以可能被用来误导的方式修改我们的作品。 如果你觉得这个许可证的条款对你正在进行的项目来说限制性太大,请与我们联系: `jonah@privacyguides.org`。 我们很高兴为隐私领域的善意项目提供替代的许可选项 + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/about/notices.md b/i18n/zh/about/notices.md new file mode 100644 index 00000000..e580d137 --- /dev/null +++ b/i18n/zh/about/notices.md 
@@ -0,0 +1,45 @@
+---
+title: "通知和免责声明"
+hide:
+ - toc
+---
+
+## 法律声明
+
+隐私指南不是律师事务所。 因此,隐私指南网站和撰稿人并不提供法律意见。 我们网站和指南中的材料和建议不构成法律意见,也不会为网站做出贡献或就我们网站与隐私指南或其他贡献者进行沟通,从而建立律师-客户关系。
+
+与任何人类努力一样,运行此网站都涉及不确定性和权衡。 我们希望这个网站有所帮助,但它可能包含错误,无法解决所有问题。 如果您对自己的情况有任何疑问,我们建议您自己进行研究,寻求其他专家,并与隐私指南社区进行讨论。 如果您有任何法律问题,请先咨询您自己的法律顾问,然后再继续。
+
+隐私指南是一个开放源码项目,根据许可证做出贡献,其中包括为了保护网站及其贡献者,明确规定隐私指南项目和网站可“按原样”提供,不提供保证,并且不对使用网站或网站中的任何建议所造成的损害承担责任。 此外, 隐私指南不保证、不代表使用本网站、或其他与资料相关,或任何关联本网站的其他网站上资料的准确性,可能导致的结果或可靠性。
+
+此外,隐私指南不保证本网站将始终可用或完全可用。
+
+## 许可证
+
+除非另有说明,否则本网站上的所有内容均根据 [Creative Commons Attribution-NoDerivatives 4.0国际公共许可证](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE)的条款提供。
+
+这不包括嵌入此存储库的第三方代码,也不包括其他标注了替代许可证的代码。 以下是一些值得注意的例子,但这一清单可能不包括所有方面:
+
+* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) 根据 [Apache许可证2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt)获得许可。
+
+本通知本身的部分内容来自GitHub上的 [openensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) 。 该资源和本页本身在 [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE)下发布。
+
+这意味着您可以根据Creative Commons Attribution-NoDerivatives 4.0国际公共许可证文本中列出的条款,将此存储库中的可读内容用于您自己的项目。 您可以以任何合理的方式这样做,但不得以任何方式暗示隐私指南认可您或您的使用。 **未经本项目的明确批准,您 **,不得在您自己的项目中使用隐私指南的品牌。 隐私指南的品牌商标包括“隐私指南”字样和盾形标志。
+
+我们认为从第三方提供商获得的 `资产` 中的标志和其他图像属于公共领域或 **合理使用**。 简而言之,法律 [公正使用原则](https://www.copyright.gov/fair-use/more-info.html) 允许使用受版权保护的图像来识别主题,以供公众评论。 然而,在一个或多个司法管辖区,这些徽标和其他图像仍可能受商标法的约束。 在使用此内容之前,请确保其用于识别拥有商标的实体或组织,并且根据适用于您预期使用情况的法律,您有权使用商标。 *从本网站复制内容时,您应自行负责确保您不侵犯他人的商标或版权。*
+
+当您根据上述许可向该存储库作出贡献时,您授予隐私指南永久性、全球性、非独占性、可转让、免版税、不可撤销的许可,并有权通过多层次的次级被许可人转授此类权利,以复制、修改、展示、执行和分发您的贡献,作为我们项目的一部分。
+
+## 可接受用途
+
+您不得以任何方式使用本网站,造成或可能造成对本网站的损害或损害隐私指南的可用性或可访问性,或以任何非法、非法、欺诈、有害或与任何非法、非法、欺诈或有害目的或活动相关的方式使用本网站。
+
+未经明确的书面同意,您不得在本网站上或与本网站相关进行任何系统或自动化的数据收集活动,包括:
+
+* 过多的自动扫描
+* 拒绝服务攻击
+* Scraping
+* 数据挖掘
+* 'Framing' (IFrames)
+
+--8<-- "includes/abbreviations.zh.txt"
diff --git a/i18n/zh/about/privacy-policy.md b/i18n/zh/about/privacy-policy.md
new file mode 100644
index 00000000..d6b40e9f
--- /dev/null
+++ b/i18n/zh/about/privacy-policy.md
@@ -0,0 +1,63 @@
+---
+title: "Privacy Policy"
+---
+
+隐私指南是一个社区项目,由一些活跃的志愿者贡献者运营。 团队成员的公开列表 [可在GitHub](https://github.com/orgs/privacyguides/people)上找到。
+
+## 我们从访客那里收集的数据
+
+我们非常重视网站访问者的隐私,因此我们不会跟踪任何个人。 作为我们网站的访问者:
+
+- 未收集任何个人信息
+- 浏览器中不储存诸如Cookies之类的信息
+- 不与第三方共享、发送或出售任何信息
+- 没有与广告公司共享任何信息
+- 没有挖掘和收集有关个人和行为趋势的信息
+- 没有信息被货币化
+
+你可以在我们的 [统计](statistics.md) 页面上查看我们收集的数据。
+
+我们运行 [Plausible Analytics (分析)](https://plausible.io) 的自托管安装,以收集一些匿名使用数据,用于统计目的。 我们的目标是跟踪网站流量的总体趋势,而不是跟踪个人访问者。 所有数据仅为汇总数据。 没有收集任何个人数据。
+
+收集的数据包括推荐来源、首页、访问持续时间、访问期间使用的设备信息(设备类型、操作系统、国家/地区和浏览器)等。 您可以在此处了解有关Plausible如何以尊重隐私的方式工作和收集信息的更多信息 [](https://plausible.io/data-policy).
+
+## 我们从账户持有人处收集的数据
+
+在我们提供的某些网站和服务中,许多功能可能需要帐户。 例如,可能需要帐户在论坛平台上发布和回复主题。
+
+要注册大多数帐户,我们将收集姓名、用户名、电子邮件和密码。 如果网站需要的信息不仅仅是该数据,则会在每个网站的单独隐私声明中清晰标记和注明该信息。
+
+我们使用您的帐户数据在网站上识别您的身份,并创建专门针对您的页面,例如您的个人资料页面。 我们还将使用您的帐户数据在我们的服务上为您发布公开个人资料。
+
+我们使用您的电子邮件:
+
+- 通知您网站或服务上的帖子和其他活动。
+- 重置密码,确保账号安全。
+- 在与您的账号相关的特殊情况下与您联系。
+- 就法律要求(如DMCA删除请求)与您联系。
+
+在一些网站和服务上,你可以为你的账户提供额外的信息,如简短的传记、头像、你的位置或你的生日。 我们将这些信息提供给每个可以访问有关网站或服务的人。 使用我们的任何服务都不需要这些信息,而且可以在任何时候删除。
+
+只要你的账户仍然开放,我们就会储存你的账户数据。 关闭账户后,我们可能会以备份或存档的形式保留您的部分或全部账户数据,最长时间为90天。
+
+## 联系我们
+
+隐私指南团队通常不能访问个人数据,除了通过一些修改面板授予的有限访问权。 有关您的个人信息的询问应直接发送至。
+
+```text
+Jonah Aragon
+服务管理员
+jonah@privacyguides.org
+```
+
+对于所有其他查询,你可以联系我们团队的任何成员。
+
+For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use.
+
+## 关于本政策
+
+我们将 [在此发布](privacy-policy.md)本声明的新版本。 我们可能会更改此文档未来版本中更改公告的方式。 在此期间,我们可以随时更新我们的联系信息,而不会宣布更改。 请随时参阅 [隐私政策](privacy-policy.md) ,了解最新的联系信息。
+
+本页的完整修订版 [历史](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) ,可在GitHub上找到。
+
+--8<-- "includes/abbreviations.zh.txt"
diff --git a/i18n/zh/about/privacytools.md b/i18n/zh/about/privacytools.md new file mode 100644 index 00000000..c015d7ba --- /dev/null +++ b/i18n/zh/about/privacytools.md @@ -0,0 +1,146 @@ +--- +title: "隐私工具常见问题" +--- + +# 我们为什么从隐私工具转向隐私指南 + +2021年9月,每个活跃的贡献者都一致同意从隐私工具转到这个网站工作:隐私指南。 之所以做出此决定,是因为PrivacyTools的创始人和域名控制者已消失很长一段时间,无法与之联系。 + +在PrivacyTools.io上构建了一个信誉良好的网站和服务,这对隐私工具的未来造成了严重打击,因为任何未来的意外都可能在没有恢复方法的情况下毁灭整个组织。 这种转变在几个月前通过包括博客、Twitter、Reddit和Mastodon在内的各种渠道传达给隐私工具社区,以确保整个过程尽可能顺利进行。 我们这样做是为了确保没有人被蒙在鼓里,这也是我们团队成立以来的工作方式,同时也是为了确保隐私指南被公认为与转型前的隐私工具一样的可靠组织。 + +在组织搬迁完成后,隐私工具的创始人回来了,并开始传播关于隐私指南项目的错误信息。 他们除了继续传播错误信息外,还在PrivacyTools域名上经营一个付费链接农场。 我们创建这个页面是为了澄清误解。 + +## 什么是隐私工具? + +PrivacyTools由“BurungHantu”于2015年创立,他希望在斯诺登揭露事件后创造一个隐私信息资源--实用的工具。 该网站发展成为一个蓬勃发展的开源项目,有 [个众多贡献者](https://github.com/privacytools/privacytools.io/graphs/contributors),其中一些最终承担了各种组织责任,例如运营Matrix和Mastodon等在线服务,管理和审查GitHub网站的变化,为该项目寻找赞助商,撰写博客文章,以及运营Twitter等社交媒体外联平台等。 + +从2019年开始, BurungHantu越来越远离网站和社区的积极发展,并开始延迟与我们运营的服务器相关的付款。 为了避免我们的系统管理员自掏腰包支付服务器费用,我们将网站上列出的捐赠方式从BurungHantu的个人PayPal和加密货币账户改为新的OpenCollective页面, [,2019年10月31日](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/)。 这具有额外的好处,使我们的财务完全透明,我们坚信这一价值,并且在美国可以免税,因为它们由开放集体基金会501 (c) 3持有。 这一变动得到了团队的一致同意,没有引起争议。 + +## 我们为什么要继续前进 + +2020年, BurungHantu的缺席变得更加明显。 有一次,我们要求将该域名的名称服务器改为由我们的系统管理员控制的名称服务器,以避免未来的中断,而这一改变在最初的要求后一个多月才完成。 他在Matrix的公共聊天室和私人团队聊天室里一连消失了好几个月,偶尔会突然出现,给一些小的反馈,或者承诺会更加活跃,然后再次消失。 + +2020年10月,PrivacyTools 系统管理员 (Jonah) [因这些困难离开了](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) 这个项目,将控制权交给另一个长期贡献者。 Jonah一直在操作几乎所有的PrivacyTools服务,并在BurungHantu不在的情况下担任 *事实上的网站开发项目负责人,因此他的离开对组织来说是一个重大变化。 当时,由于这些重大的组织变化,BurungHantu向剩余的团队承诺,他将回来控制这个项目的发展。 在接下来的几个月里, PrivacyTools团队通过几种沟通方式进行了联系,但没有收到任何回复。

+ +## 域名可靠性 + +2021年初,PrivacyTools团队对项目的未来越来越担心,因为域名将在2021年3月1日到期。 该域名最终由BurungHantu更新,没有发表评论。 + +团队的担忧没有得到解决,我们意识到这将是每年的一个问题。如果域名过期,就会让它被占用者或垃圾邮件发送者窃取,从而毁掉该组织的声誉。 我们也很难联系到社区,让他们了解所发生的事情。 + +在没有与BurungHantu进行任何接触的情况下,我们决定最好的行动方案是在我们仍能保证对旧域名的控制权的情况下,在2022年3月之前的某个时候转移到一个新的域名。 这样,我们就能干净地将所有的PrivacyTools资源重定向到新的网站,而不会出现任何服务中断的情况。 这个决定是提前好几个月做出的,并传达给了整个团队,希望BurungHantu能够伸出援手,保证他继续支持这个项目,因为有了一个可识别的品牌名称和庞大的网上社区,从 "PrivacyTools "转移出去是最不可取的结果。 + +在2021年中期,PrivacyTools团队联系了乔纳,他同意重新加入团队,帮助完成过渡。 + +## 社区呼吁行动 + + 在2021年7月底,我们 + +,通知PrivacyTools社区,我们打算选择一个新的名字,并在一个新的域名上继续项目,将在2022年8月2日选择 [](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw)。 最后,"Privacy Guides "被选中, `privacyguides.org` 域名已经被Jonah拥有,用于2020年的一个副业项目,但没有得到发展。

+ + + +## 控制r/privacytoolsIO + +在privacytools.io网站出现问题的同时,r/privacytoolsIO的管理团队也面临着管理该子版块的挑战。 该子版块一直以来都是基本独立于网站发展的,但BurungHantu也是该子版块的主要版主,而且他是唯一被授予 "完全控制 "特权的版主。 u/trai_dep是当时唯一活跃的版主, [,在2021年6月28日向Reddit的管理员发布了](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) ,要求获得主要版主职位和完全控制权限,以便对Subreddit进行必要的修改。 + +Reddit要求子版块有活跃的版主。 如果主版主长时间不活动(如一年),主版主的位置可以重新任命给下一个版主。 为了使这一请求得到批准,BurungHantu必须在很长一段时间内完全不参与所有Reddit活动,这与他在其他平台上的行为是一致的。 + + + +> 如果你通过Reddit请求被撤掉了子版块的版主,那是因为你缺乏回应和缺乏活动,使该子版块有资格进行r/redditrequest转移。 +> +> r/redditrequest是Reddit确保社区有积极的版主的方式,是 [版主行为准则的一部分](https://www.redditinc.com/policies/moderator-code-of-conduct)。 + + + +## 开始过渡 + +2021年9月14日,我们 [,宣布](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) ,开始迁移到这个新领域。 + + + +> [...] 我们发现有必要尽早进行这一转换,以确保人们尽快发现这一过渡。 这给了我们足够的时间来过渡域名,目前正在重定向到www.privacyguides.org,并希望给每个人足够的时间来注意这一变化,更新书签和网站等。 + +这一变化 [,需要:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- 重定向 www.privacytools.io 到 [www.privacyguides.org](https://www.privacyguides.org)。 +- 在GitHub上存档源代码,以保存我们过去的工作和问题跟踪器,我们继续使用该网站未来几个月的开发。 +- 在我们的subreddit和其他各种社区发布公告,告知人们官方的变化。 +- 正式关闭privacytools.io服务,如Matrix和Mastodon,并鼓励现有用户尽快迁移。 + +事情似乎进行得很顺利,我们活跃的社区中的大多数人都完全按照我们的希望转换到我们的新项目。 + + + +## 后续事件 + +在过渡期后的大约一周,BurungHantu在近一年来首次回到了网上,然而我们团队中没有人愿意回到PrivacyTools,因为他历来不可靠。 他没有为自己的长期缺席道歉,而是立即展开攻势,将向隐私指南的过渡定位为对他和他的项目的攻击。 随后,当社区指出他缺席并放弃了这个项目时,他 [,删除了](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) ,其中许多帖子。 + +此时,BurungHantu声称他想继续自己的privacytools.io的工作,并要求我们删除从www.privacytools.io 到 [www.privacyguides.org](https://www.privacyguides.org)的重定向。 我们答应了他的请求,并要求他保持Matrix、Mastodon和PeerTube的子域名的活跃性,以便我们作为一项公共服务在社区内运行至少几个月,以便让这些平台上的用户能够轻松地迁移到其他账户。 由于我们所提供的服务的联合性质,它们与特定的域名联系在一起,使得迁移非常困难(在某些情况下不可能迁移)。 + + 不幸的是,由于r/privacytoolsIO子版块的控制权没有按照BurungHantu的要求归还他(进一步信息见下文),这些子版块在10月初被 ,终止了任何仍在使用这些服务的用户的迁移可能性。

+ +在这之后,BurungHantu对Jonah从项目中窃取捐款提出了不实指控。 BurungHantu在所谓的事件发生后有一年多的时间,但他从未让任何人知道,直到隐私指南迁移之后。 BurungHantu多次被要求提供证据,并要求团队 [和社区](https://twitter.com/TommyTran732/status/1526153536962281474),对其沉默的原因进行评论,但他没有这样做。 + +BurungHantu还在Twitter上发了一篇 [的帖子](https://twitter.com/privacytoolsIO/status/1510560676967710728) ,声称一名“律师”在Twitter上与他联系并提供建议,再次试图欺负我们让他控制我们的subreddit ,并作为他的诽谤运动的一部分,在假装成为受害者的同时,搅乱了隐私指南发布周围的水域。 + + + +## PrivacyTools.io的现状 + +截至2022年9月25日,我们看到BurungHantu的整体计划在privacytools.io上实现,而这正是我们今天决定创建这个解释页的原因。 他运营的网站似乎是该网站的SEO优化版本,该网站推荐工具以换取经济补偿。 [最近,IVPN和Mullvad这两个VPN供应商几乎被隐私社区普遍推荐为](../vpn.md) ,并因其反对联盟计划的立场而备受关注,被从PrivacyTools中删除。 在他们的位置上? NordVPN、Surfshark、ExpressVPN和hide.me;巨大的VPN公司拥有不值得信赖的平台和商业行为,因其积极的营销和联盟计划而臭名昭著。 + +==**PrivacyTools正是成为了我们 [,在2019年的PrivacyTools博客上警告过的那种网站](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) 。**== 自转型以来,我们一直试图与PrivacyTools保持距离,但他们对我们项目的持续骚扰,以及现在对他们的品牌在6年的开源贡献中获得的信誉的荒谬滥用,令我们感到非常不安。 我们这些真正为隐私而战的人并不是在相互斗争,也不是从出价最高的人那里得到我们的建议。 + + + +## r/privacytoolsIO 的现状 + + 在推出 [r/PrivacyGuides](https://www.reddit.com/r/privacyguides),让u/trai_dep继续主持这两个子版块是不现实的,在社区同意过渡的情况下,r/privacytoolsIO在2021年11月1日的帖子中被 ,成为一个受限制的子版块。

+ + + +> [...] 该小组的成长是PrivacyGuides.org团队数年来努力的结果。 还有你们每一个人。 +> +> 一个Subreddit需要大量的工作来管理和调节。 就像一个花园一样,它需要耐心的照料和日常护理。 这不是一个适合放荡不羁的人或有承诺问题的人的任务。 它不可能在一个抛弃了它好几年的园丁手下茁壮成长,然后出现在那里要求今年的收获作为他们的贡品。 这对多年前组建的团队是不公平的。 这对你不公平。 [...] + +子版块不属于任何人,尤其不属于品牌持有人。 他们属于自己的社区,而社区及其版主做出了支持移至r/PrivacyGuides的决定。 + + 在此后的几个月里,BurungHantu威胁并乞求将subreddit的控制权归还给他的账户, ,违反了Reddit的规则。

+ + + +> 不允许任何版主对删除请求进行报复。 + +对于一个拥有数千名剩余用户的社区来说,我们觉得把这个庞大的平台的控制权还给那个抛弃了它一年多的人,而且他现在经营着一个我们认为提供非常低质量信息的网站,这将是非常不尊重的。 对我们来说,保留该社区过去多年的讨论更为重要,因此u/trai_dep和其他子版块的管理团队做出决定,保持r/privacytoolsIO的现状。 + + + +## OpenCollective Now + +我们的筹款平台OpenCollective是另一个争论的焦点。 我们的立场是,OpenCollective是由我们的团队建立的,并由我们的团队管理,以资助我们目前经营的服务,而PrivacyTools不再做这些。 我们 ,就我们转向隐私指南的问题向所有的捐赠者进行了宣传,我们得到了赞助商和社区的一致支持。

+ +因此,OpenCollective中的资金属于Privacy Guides,它们被赋予了我们的项目,而不是一个知名域名的所有者。 在2021年9月17日向捐赠者发布的公告中,我们向任何不同意我们立场的捐赠者提供退款,但没有人接受这一提议。 + + + +> 如果任何赞助商或支持者不同意或觉得被最近的这些事件误导,并希望在这些极不寻常的情况下要求退款,请通过电子邮件与我们的项目管理员联系,jonah@triplebit.net。 + + + +## 延伸阅读 + +这个话题已经在我们社区的不同地方进行了广泛的讨论,而且似乎大多数人在阅读这个页面时都已经熟悉了导致转向隐私指南的事件。 我们以前关于这个问题的一些帖子可能有额外的细节,为了简洁起见,我们在这里省略了。 为了完整起见,它们已被链接到下面。 + +- [2021年6月28日,请求控制r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [2021年7月27日,在PrivacyTools博客上宣布了我们的搬迁意向,由团队撰写](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [2021年9月13日,在r/privacytoolsIO上宣布我们开始过渡到隐私指南。](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [2021年9月17日,Jonah在OpenCollective上发布的公告](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [2021 年9月30日,Twitter 主题详细介绍了本页上描述的大部分事件](https://twitter.com/privacy_guides/status/1443633412800225280) +- [2021年10月1日,u/dng99发帖指出子域名失败。](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [2022年4月2日u/dng99对PrivacyTools的指责性博文的回应](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [2022年5月16日,由@TommyTran732在Twitter上回应](https://twitter.com/TommyTran732/status/1526153497984618496) +- [2022年9月3日在Techlore的论坛上发表的帖子:@dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/about/services.md b/i18n/zh/about/services.md new file mode 100644 index 00000000..70ad60ca --- /dev/null +++ b/i18n/zh/about/services.md 
@@ -0,0 +1,40 @@ +# 隐私指南服务 + +我们运行一些网络服务来测试功能,并推广很酷的去中心化、联盟化和/或开源项目。 这些服务中有许多是向公众提供的,详情如下。 + +[:material-comment-alert: 报告问题](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## 论坛 + +- 域名: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- 可用性:公开的 +- 来源: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- 域名: [code.privacyguides.dev](https://code.privacyguides.dev) +- 可用性。仅限邀请 + ,任何从事 *《隐私指南》*相关开发或内容的团队可应要求获得访问权。 +- 来源: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- 域名: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- 可用性。仅限邀请 + ,可根据要求将访问权授予Privacy Guides团队成员、Matrix版主、第三方Matrix社区管理员、Matrix机器人操作员以及其他需要可靠Matrix存在的个人。 +- 来源: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- 域名: [search.privacyguides.net](https://search.privacyguides.net) +- 可用性:公开的 +- 来源: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/about/statistics.md b/i18n/zh/about/statistics.md new file mode 100644 index 00000000..3c4e5fc6 --- /dev/null +++ b/i18n/zh/about/statistics.md @@ -0,0 +1,63 @@ +--- +title: 流量统计 +--- + +## 网站统计 + + +
统计资料由 Plausible Analytics提供
+ + + + +## 博客统计 + + +
统计资料由 Plausible Analytics提供
+ + + + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/advanced/communication-network-types.md b/i18n/zh/advanced/communication-network-types.md new file mode 100644 index 00000000..f8664e13 --- /dev/null +++ b/i18n/zh/advanced/communication-network-types.md 
@@ -0,0 +1,106 @@ +--- +title: "通信网络类型" +icon: 'material/transit-connection-variant' +--- + +有几种网络架构常用于人与人之间的信息传递。 这些网络可以提供不同的隐私保证,这就是为什么在决定使用哪种应用程序时,应该考虑你的 [威胁模型](../basics/threat-modeling.md)。 + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## 集中式网络 + +![集中式网络示意图](../assets/img/layout/network-centralized.svg){ align=left } + +集中式通讯软件是指所有参与者都在同一服务器或由同一组织控制的服务器网络上。 + +一些自托管通讯软件允许您设置自己的服务器。 自托管可以提供额外的隐私保证,例如没有使用日志或对元数据(关于谁与谁交谈的数据)的访问限制。 自我托管的集中式通讯是孤立的,所有人都必须在同一个服务器上进行交流。 + +**优点:** + +- 新的功能和更改可以更快地实施。 +- 更容易开始使用和寻找联系人。 +- 成熟和稳定的功能生态系统,因为它们集成于一套体系。 +- 当您选择自托管服务器时,隐私问题能缓解不少。 + +**缺点** + +- 可以包括 [访问限制和审查](https://drewdevault.com/2018/08/08/Signal.html)。 这可能包括以下内容: +- 封禁将可能提供更灵活的定制或更好的体验的[第三方客户端](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165)。 通常在使用条款和条件中定义。 +- 为第三方开发者提供的文件很差或没有。 +- 当单个实体控制服务时,[所有权](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/),隐私政策和服务的行为很容易改变,可能会在以后危及服务。 +- 自托管需要耐心和知识。 + +## 联邦网络 + +![联邦网络示意图](../assets/img/layout/network-decentralized.svg){ align=left } + +联邦网络使用多个独立的去中心化服务器,这些服务器能够相互通信(例如电子邮件)。 联邦允许系统管理员控制自己的服务器,并且仍然是更大的网络的一部分。 + +自托管时,联合服务器的成员可以发现其他服务器的成员并与其进行通信,尽管某些服务器可以选择通过不联邦化(例如工作团队服务器)来保持私密性。 + +**优点:** + +- 允许在运行自己的服务器时更好地控制自己的数据。 +- 允许您通过在多个“公共”服务器之间选择信任谁。 +- 通常允许第三方客户端提供更原生、定制或可访问的体验。 +- 可以验证服务器与公共源代码匹配,假设您有权访问服务器或您信任这样做的人(例如,家庭成员)。 + +**缺点** + +- 添加新功能更加复杂,因为这些功能需要进行标准化和测试,以确保网络上的所有服务器都能一起使用。 +- 由于前一点,与集中式平台相比,功能可能缺乏,不完整或以意想不到的方式工作,例如脱机或消息删除时的消息中继。 +- 一些元数据可能是泄漏的(例如,像 "谁在和谁说话 "这样的信息,但如果使用E2EE,则没有实际的消息内容)。 +- 通常需要信任服务器的管理员。 他们可能是业余爱好者,也可能不是“安全专业人士” ,并且可能不会提供标准文档,如隐私政策或服务条款,详细说明如何使用您的数据。 +- 因为其他服务器的滥用行为或违反了公认的行为的一般规则,服务器管理员有时会选择封锁其他服务器 这会妨碍您与这些服务器的成员进行通信。 + +## 点对点网络 + +![P2P网络示意图](../assets/img/layout/network-distributed.svg){ align=left } + +点对点聊天软件连接到一个由节点组成的 [分布式网络](https://en.wikipedia.org/wiki/Distributed_networking) ,在没有第三方服务器的情况下将信息转发给收件人。 + +客户端(对等节点)通常通过使用 [分布式网络](https://en.wikipedia.org/wiki/Distributed_computing) 找到对方。 
这方面的例子包括 [分布式哈希表](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT),由 [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) 和 [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) 等使用。 另一种方法是基于近距离的网络,通过WiFi或蓝牙建立连接(例如,Briar或 [Scuttlebutt](https://www.scuttlebutt.nz) 社交网络协议)。 + +一旦一个节点通过这些方法中的任何一种找到了通往其联系人的路线,它们之间就会建立直接连接。 虽然信息通常是加密的,但观察者仍然可以推断出发件人和收件人的位置和身份。 + +P2P网络不使用服务器,因为节点之间直接通信,因此不存在自我托管。 不过,一些附加服务可能依赖于集中式服务器,例如用户发现或中继离线消息,自托管对此仍有帮助。 + +**优点:** + +- 很小的第三方暴露。 +- 现代P2P平台默认端对端加密。 与集中式和联邦式模式不同,没有任何服务器可能会拦截和解密你的信息。 + +**缺点** + +- 缺少很多特性: +- 消息只有在两个节点都在线时才能发送,然而,你的客户端可以将消息存储在本地,以等待联系人重新上线。 +- 通常会增加移动设备的电池用量,因为客户端必须保持与分布式网络的连接,以了解联系人的在线情况。 +- 某些常见的Messenger功能可能没有实现或不完整,例如消息删除。 +- 如果你不与 [VPN](../vpn.md) 或 [Tor](../tor.md)结合使用该软件,你的IP地址和与你通信的联系人的IP地址可能会被暴露。 许多国家都有某种形式的大规模监控或元数据保留。 + +## 匿名路由 + +![匿名网络示意图](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +使用 [匿名路由](https://doi.org/10.1007/978-1-4419-5906-5_628) 的Messenger隐藏发送方、接收方的身份或他们一直在通信的证据。 理想情况下,Messenger应该将这三者都隐藏起来。 + +有 [许多](https://doi.org/10.1145/3182658) 不同的方法来实现匿名网络。 其中最著名的是 + +洋葱路由 (即 [Tor](tor-overview.md)),它通过一个强加密的 [覆盖网络](https://en.wikipedia.org/wiki/Overlay_network) ,隐藏每个节点的位置以及每个信息的接收者和发送者来通信。 发件人和收件人从不直接交互,只通过一个秘密的会合节点会面,这样就不会泄露IP地址或物理位置。 节点不能解密信息,也不能解密最终目的地;只有收件人可以。 每个中间节点只能解密一部分,表明下一步将把仍然加密的信息发送到哪里,直到它到达可以完全解密的收件人那里,因此命名为 "洋葱路由"。

+ +在匿名网络中自托管一个节点并不为托管者提供额外的隐私,而是有助于整个网络对识别攻击的抗性,对每个人都有好处。 + +**优点:** + +- 最小第三方暴露。 +- 消息可以以去中心的方式中继,即使其中一方处于离线状态。 + +**缺点** + +- 慢 +- 通常仅限于较少的媒体类型,主要是文本,因为很慢。 +- 如果通过随机路由选择节点,则某些节点可能远离发送方和接收方,增加延迟,甚至在其中一个节点脱机时无法传输消息。 +- 开始时比较复杂,因为需要创建和安全备份一个加密私钥。 +- 就像其他去中心化平台一样,对开发者来说,增加功能比中心化平台更复杂。 因此,功能可能缺乏或未完全实现,例如脱机消息中继或消息删除。 + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/advanced/dns-overview.md b/i18n/zh/advanced/dns-overview.md new file mode 100644 index 00000000..7933291a --- /dev/null +++ b/i18n/zh/advanced/dns-overview.md 
@@ -0,0 +1,355 @@ +--- +title: "DNS简介" +icon: material/dns +--- + +[域名系统](https://en.wikipedia.org/wiki/Domain_Name_System) 是“互联网电话簿”。 DNS将域名转换为IP地址,以便浏览器和其他服务可以通过分散的服务器网络加载互联网资源。 + +## 什么是DNS? + +当您访问某个网站时,系统会返回一个数字地址。 例如,当你访问 `privacyguides.org`时,会返回地址 `192.98.54.105`。 + +DNS自互联网的 [早期](https://en.wikipedia.org/wiki/Domain_Name_System#History) 以来一直存在。 与DNS服务器间的通讯通常是 **未** 加密的。 在家用场景下,客户通过 [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol)获得由ISP提供的服务器。 + +未加密的DNS请求可能会被轻易地 **被监视** ,或者在传输过程中 **被修改**。 在世界的某些地方,Isp被要求做原始的 [DNS过滤](https://en.wikipedia.org/wiki/DNS_blocking)。 当你请求一个被封锁的域名的IP地址时,服务器可能不会回应,或可能以不同的IP地址回应。 由于DNS协议没有加密,ISP(或任何网络运营商)可以使用 [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) 来监控请求。 ISP还可以基于共有特性阻止请求,无论使用的是哪个DNS服务器。 未加密的DNS始终使用 [端口](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 ,并且始终使用UDP。 + +下面,我们将探讨并提供一个教程来验证一下外部观察者对于使用常规未加密DNS和 [加密DNS](#what-is-encrypted-dns)这两种情况下分别可能看到什么。 + +### 未加密DNS + +1. 使用 [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) ( [Wireshark](https://en.wikipedia.org/wiki/Wireshark) 项目的一部分),我们可以监测和记录互联网数据包流。 此命令记录符合指定规则的数据包: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. 然后我们可以使用 [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux,MacOS等)或 [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows)将DNS查询发送到两个服务器。 Web浏览器等软件会自动执行这些查找,除非它们被配置为使用加密的DNS。 + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. 
接下来,我们来 [分析](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) 输出的结果: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +如果运行上面的Wireshark命令,顶部窗格显示“[帧](https://en.wikipedia.org/wiki/Ethernet_frame)” ,底部窗格显示有关所选帧的所有数据。 企业过滤和监控解决方案(如政府购买的解决方案)可以自动完成这一过程,无需人工干预,并可以汇总多帧数据以产生对网络观察者有用的统计数据。 + +| No. | 时间 | 来源 | 目的地 | 协议 | 长度 | 信息 | +| --- | -------- | --------- | --------- | --- | --- | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | 云存储 | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | 云存储 | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | 云存储 | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | 云存储 | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +观察者可以修改这些数据包中的任何一个。 + +## 什么是“加密DNS” ? 
+ +加密DNS可以指代若干协议中的一种,最常见的协议是: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) 是首批加密DNS查询的方法之一。 DNSCrypt在端口443上运行,并可以使用TCP或UDP传输协议。 DNSCrypt从未提交给 [互联网工程任务组(IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) 也没有经过 [征求意见(RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) 过程,因此除了少数 [实现](https://dnscrypt.info/implementations)之外没有被广泛使用。 因此,它在很大程度上被更流行的 [DNS over HTTPS](#dns-over-https-doh)取代了。 + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) 是另一种加密DNS通信的方法,在 [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858)中被定义。 首次得到支持是在安卓9、iOS 14和Linux上,被版本号237的 [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) 实现。 近年来,业界的偏好已经从DoT转向DoH,因为DoT是一个 [复杂的协议](https://dnscrypt.info/faq/) ,并且在现有的实现中对RFC的遵守情况各不相同。 DoT也在一个专用的853端口上运行,该端口很容易被限制性的防火墙阻断。 + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS)由[RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) 定义,查询通过[HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) 协议打包并通过 HTTPS保障安全性. 由Firefox 60和Chrome 83等Web浏览器首次实现支持。 由Firefox 60和Chrome 83等Web浏览器首次实现支持。 + +DoH的原生实现出现在iOS 14、macOS 11、微软Windows和Android 13中(然而,它不会被默认启用 [](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144))。 一般的Linux桌面支持还在等待systemd [实现](https://github.com/systemd/systemd/issues/8639) ,所以 [目前依然需要安装第三方软件](../dns.md#linux)。 + +## 外部一方能看到什么? + +在本示例中,我们将记录当我们提出DoH请求时会发生什么: + +1. 首先,启动 `tshark`。 + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. 其次,使用 `curl`提出请求: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. 在提出请求后,我们可以用 CTRL + C停止抓包。 + +4. 
在Wireshark中分析结果: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +我们可以看到任何加密连接都需要发生的 [连接建立](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) 和 [TLS握手](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) 过程。 当查看下面的“应用程序数据”数据包时,没有一个数据包包含我们请求的域或返回的IP地址。 + +## 为什么我**不应该** 使用加密的DNS? + +在有互联网过滤(或审查)的地方,访问被禁止的资源可能会有自己的后果,你应该在你的 [威胁模型](../basics/threat-modeling.md)。 我们 **不** 建议为此目的使用加密的DNS。 使用 [Tor](https://torproject.org) 或 [VPN](../vpn.md) 来代替。 如果您使用的是VPN ,则应使用VPN的DNS服务器。 使用VPN时,您已经信任它们的所有网络活动。 + +当我们进行DNS查找时,通常是因为我们想要访问资源。 下面,我们将讨论一些即使在使用加密的DNS时也可能泄露你的浏览活动的方法。 + +### IP 地址 + +确定浏览活动的最简单方法可能是查看你的设备所访问的IP地址。 例如,如果观察者知道 `privacyguides.org` 在 `198.98.54.105`,而你的设备正在从 `198.98.54.105`请求数据,你很有可能正在访问隐私指南。 + +这种方法只有在IP地址属于一个只承载少数网站的服务器时才有用。 如果网站托管在一个共享平台上(如Github Pages、Cloudflare Pages、Netlify、WordPress、Blogger等),它也不是很有用。 如果服务器托管在一个 [反向代理](https://en.wikipedia.org/wiki/Reverse_proxy),它也不是很有用,这在现代互联网上非常普遍。 + +### 服务器名称指示(SNI) + +服务器名称指示通常在一个IP地址承载许多网站时使用。 这可能是一个像Cloudflare这样的服务,或其他一些 [拒绝服务攻击](https://en.wikipedia.org/wiki/Denial-of-service_attack) 保护。 + +1. 再次开始捕获 `tshark`。 我们用我们的IP地址添加了一个过滤器,所以你不会捕获很多数据包。 + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. 然后我们访问 [https://privacyguides.org](https://privacyguides.org)。 + +3. 访问完网站后,我们要用 CTRL + C停止抓包。 + +4. 接下来我们要分析结果: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + 我们将看到连接的建立,然后是隐私指南网站的TLS握手。 第5帧左右。 你会看到一个 "Client Hello"。 + +5. 展开每个字段旁边的三角形 ▸。 + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. 
我们可以看到SNI值,它披露了我们正在访问的网站。 `tshark` 命令可以直接给你包含SNI值的所有数据包的值。 + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +这意味着即使我们使用 "加密DNS "服务器,域名也可能通过SNI被披露。 [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) 协议带来了 [Client Hello](https://blog.cloudflare.com/encrypted-client-hello/),可以防止这种泄漏。 + + 各国政府,特别是 [中国](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) 和 [俄罗斯](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/),已经开始阻止 + +,或表示希望这样做。 [最近,俄罗斯开始封锁使用 [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) 标准的外国网站](https://github.com/net4people/bbs/issues/108)。 这是因为作为HTTP/3一部分的 [QUIC](https://en.wikipedia.org/wiki/QUIC) 协议要求 `ClientHello` 也被加密。

+ + + +### 在线证书状态协议(OCSP) + +你的浏览器披露你的浏览活动的另一种方式是通过 [在线证书状态协议](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol)。 当访问一个HTTPS网站时,浏览器可能会检查该网站的 [证书](https://en.wikipedia.org/wiki/Public_key_certificate) 是否已被撤销。 这通常是通过HTTP协议完成的,这意味着它是 **,而不是** 加密的。 + +该OCSP请求包含证书"[序列号](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)",该证书是唯一的。 它被发送到 "OCSP响应者",以检查其状态。 + +我们可以使用 [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) 命令来模拟浏览器会做什么。 + +1. 获取服务器证书,并使用 [`sed`](https://en.wikipedia.org/wiki/Sed) ,只保留重要部分,并将其写入文件。 + + + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + + +2. 获得中间证书。 [证书颁发机构(CA)](https://en.wikipedia.org/wiki/Certificate_authority) ,通常不直接签署证书;他们使用所谓的 "中间 "证书。 + + + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + + +3. `pg_and_intermediate.cert` 中的第一个证书实际上是步骤1中的服务器证书。 我们可以再次使用 `sed` ,删除直到END的第一个实例。 + + + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + + +4. 获取服务器证书的OCSP应答器。 + + + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + +我们的证书显示的是Lets Encrypt证书响应者。 如果我们想查看证书的所有详细信息,我们可以使用: + + + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + + +5. 开始捕获数据包。 + + + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + + +6. 提出OCSP请求。 + + + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + + +7. 
打开捕获。 + + + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + +在 "OCSP "协议中会有两个数据包:一个 "请求 "和一个 "响应"。 对于 "请求",我们可以通过展开每个字段旁边的三角形 ▸ ,看到 "序列号"。 + + + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + +对于 "回应",我们也可以看到 "序列号"。 + + + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + + +8. 或者使用 `tshark` 来过滤序列号的数据包。 + + + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + + +如果网络观察者拥有公开的公共证书,他们可以将序列号与该证书相匹配,从而从中确定你所访问的网站。 这个过程可以自动化,并能将IP地址与序列号联系起来。 也可以检查 [证书透明度](https://en.wikipedia.org/wiki/Certificate_Transparency) 日志中的序列号。 + + + +## 我应该使用加密的DNS吗? + +我们做了这个流程图来描述你什么时候 *应该* 使用加密的DNS。 + + + +``` mermaid +图TB + 开始[Start] --> 匿名{尝试
匿名?} + anonymous--> | Yes | tor(使用Tor) + anonymous--> | No | censorship{Avoiding
censorship?} + 审查 --> | 是 | vpnOrTor(使用
VPN或Tor) + 审查 --> | 不 | 隐私{想从ISP那里获得隐私
?}。 + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP使
obnoxious
redirects? } + obnoxious --> | Yes | encryptedDNS(使用第三方的
加密DNS
) + obnoxious --> | No | ispDNS{ISP是否支持
加密DNS? } + ispDNS --> | 是 | useISP(与ISP一起使用
加密DNS
) + ispDNS --> | 否 | nothing(什么都不做) +``` + + +第三方的加密DNS应该只用于绕过重定向和基本的 [DNS拦截](https://en.wikipedia.org/wiki/DNS_blocking) ,当你能确定不会有任何后果,或者你对一个能做一些基本过滤的供应商感兴趣时。 + +[推荐的DNS服务器列表](../dns.md ""){.md-button} + + + +## 什么是DNSSEC? + +[域名系统安全扩展](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC)是DNS的一项功能,对域名查询的响应进行认证。 它不为这些查询提供隐私保护,而是防止攻击者操纵或毒害对DNS请求的响应。 + +换句话说,DNSSEC对数据进行数字签名,以帮助确保其有效性。 为了确保安全查询,签名发生在DNS查询过程中的每一级。 因此,来自DNS的所有答案都可以被信任。 + +DNSSEC的签署过程类似于某人用笔签署一份法律文件;该人用一个独特的签名签署,其他人无法创建,法院专家可以查看该签名并验证该文件是由该人签署的。 这些数字签名确保数据没有被篡改。 + +DNSSEC在DNS的所有层面上实现了分层的数字签名政策。 例如,在 `privacyguides.org` 查询的情况下,根 DNS 服务器将签署 `.org` 名称服务器的密钥,然后 `.org` 名称服务器将签署 `privacyguides.org`的权威名称服务器的密钥。 + +改编自Google的[DNS安全扩展(DNSSEC)概述](https://cloud.google.com/dns/docs/dnssec)和Cloudflare的[DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/),两者均以[CC BY 4.0](https://creativecommons.org/licenses/by/4.0/)授权。 + + + +## 什么是QNAME最小化? + +QNAME是一个 "限定名称",例如 `privacyguides.org`。 QNAME最小化减少了从DNS服务器发送至 [权威名称服务器的信息量](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server)。 + +而不是发送整个域名 `privacyguides.org`,QNAME最小化意味着DNS服务器将要求所有以 `.org`结尾的记录。 进一步的技术描述在 [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816)中定义。 + + + +## 什么是EDNS客户子网(ECS)? + +[EDNS 客户端子网](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) 是递归 DNS 解析器为 [主机或客户端](https://en.wikipedia.org/wiki/Client_(computing)) 进行 DNS 查询时,指定一个 [子网](https://en.wikipedia.org/wiki/Subnetwork) 的一种方法。 + +它的目的是 "加快 "数据的交付,给客户一个属于离他们很近的服务器的答案,如 [内容交付网络](https://en.wikipedia.org/wiki/Content_delivery_network),这通常用于视频流和服务JavaScript网络应用。 + +这项功能确实是以隐私为代价的,因为它告诉DNS服务器一些关于客户端位置的信息。 + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/advanced/tor-overview.md b/i18n/zh/advanced/tor-overview.md new file mode 100644 index 00000000..41b7b325 --- /dev/null +++ b/i18n/zh/advanced/tor-overview.md 
@@ -0,0 +1,81 @@ +--- +title: "Tor概述" +icon: 'simple/torproject' +--- + +Tor是一个免费使用的去中心化网络,专为尽量隐私地使用互联网而设计。 如果使用得当,该网络可以实现隐私且匿名地浏览和通信。 + +## 路径的构建 + +Tor的工作原理是通过一个由数千个志愿者运行的服务器(称为节点(或中继))组成的网络路由您的流量。 + +每次你连接到Tor,它都会选择三个节点来建立一条通往互联网的路径--这条路径被称为 "线路"。 每个节点都有自己的功能: + +### 入口节点 + +入口节点,通常被称为守护节点,是你的Tor客户端连接到的第一个节点。 入口节点能够看到你的IP地址,但它无法看到你正在连接什么。 + +与其他节点不同,Tor客户端会随机选择一个入口节点并坚持两到三个月,以保护你免受某些攻击。[^1] + +### 中间节点 + +中间节点是你的Tor客户端连接的第二个节点。 它可以看到流量来自哪个节点--入口节点--以及它接下来要去哪个节点。 中间节点不能,看到你的IP地址或你正在连接的域。 + +对于每个新线路,在所有可用的Tor节点中随机选择中间节点。 + +### 出口节点 + +出口节点是你的网络流量离开Tor网络并被转发到待达目的地的地方。 出口节点无法看到你的IP地址,但它确实知道正在连接到哪个网站。 + +出口节点将从运行有出口中继标志的所有可用Tor节点中随机选择。[^2] + +
+ ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +## 加密 + +Tor用出口、中间和入口节点的密钥对每个数据包(一个传输的数据块)进行三次加密--按顺序进行。 + +一旦Tor建立了一个电路,数据传输就会按以下方式进行。 + +1. 首先:当数据包到达入口节点时,第一层的加密被移除。 在这个加密的数据包中,入口节点会发现另一个带有中间节点地址的加密数据包。 然后,入口节点将把数据包转发给中间节点。 + +2. 第二:当中间节点收到来自入口节点的数据包时,它也会用自己的密钥去掉一层加密,这时会发现一个带有出口节点地址的加密数据包。 然后,中间节点将把数据包转发给出口节点。 + +3. 最后:当出口节点收到其数据包时,它将用其密钥去除最后一层加密。 出口节点将看到目标地址并将数据包转发到该地址。 + +下面是一个显示该过程的替代图。 每个节点都会移除自己的加密层,而当目的地服务器返回数据时,同样的过程会完全反向发生。 例如,出口节点不知道你是谁,但它知道它来自哪个节点,因此它添加了自己的加密层并将其发送回来。 + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +通过使用Tor,我们可以在没有任何一方知道整个线路的情况下连接到一个服务器。 入口节点知道你是谁,但不知道你要去哪里;中间节点不知道你是谁,也不知道你要去哪里;而出口节点知道你要去哪里,但不知道你是谁。 因为出口节点是进行最终连接的,目标服务器永远不会知道你的IP地址。 + +## Caveats (注意) + +尽管Tor确实提供了强有力的隐私保障,但您必须意识到Tor并不完美: + +- 资金充足、能够被动地观察全球大多数网络通信量的对手有机会通过先进的通信量分析将Tor用户去匿名化。 Tor也不能防止您错误地暴露自己,例如分享了太多关于您真实身份的信息。 +- Tor出口节点也可以监控通过它们的流量。 这意味着没有加密的流量,如普通的HTTP流量,可以被记录和监控。 如果这种流量包含个人可识别信息,那么那个出口节点可以把你去匿名化。 因此,我们建议尽可能使用HTTPS over Tor。 + +如果您希望使用Tor浏览网页,我们只建议使用 **官方** Tor浏览器,该浏览器旨在防止指纹。 + +- [Tor浏览器 :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## 其它资源 + +- [Tor浏览器用户手册](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +--8<-- "includes/abbreviations.zh.txt" + +[^1]: 您线路上的第一个中继称为“入口警卫“或“警卫”。 它是一个快速而稳定的中继,会在2-3个月内持续作为你的线路的第一个中继,以防止已知的破坏匿名性的攻击。 你的线路其余部分会随着你访问的每个新网站而改变,所有这些中继器一起提供Tor的全部隐私保护。 关于警卫中继器如何工作的更多信息,请参阅这篇 [博文](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) 和 [关于入口警卫的论文](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf)。 ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: 中继标志:由目录权限分配并在目录协议规范中进一步定义的线路位置(例如, “Guard”、“Exit”、“BadExit” )、线路属性(例如, “Fast”、“Stable” )或角色(例如, “Authority”、“HSDir” )的中继的特殊( dis- )限定。 ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/zh/android.md b/i18n/zh/android.md new file mode 100644 index 00000000..f5b2ae27 --- /dev/null +++ b/i18n/zh/android.md 
@@ -0,0 +1,396 @@ +--- +title: "安卓" +icon: 'simple/android' +--- + +![安卓徽标](assets/img/android/android.svg){ align=right } + +**安卓开源项目** 是一个由谷歌领导的开源移动操作系统,为世界上大多数移动设备提供动力。 大多数使用安卓系统销售的手机都经过修改,包括侵入性的集成和应用程序,如谷歌游戏服务,所以你可以通过用没有这些侵入性功能的安卓系统版本替换你的手机默认安装,来大大改善你在移动设备上的隐私。 + +[:octicons-home-16:](https://source.android.com/){ .card-link title="首页" } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=文档} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="源代码" } + +这些是我们推荐的安卓操作系统、设备和应用程序,以最大限度地提高你的移动设备的安全和隐私。 要了解更多关于安卓的信息。 + +- [安卓概况 :material-arrow-right-drop-circle:](os/android-overview.md) +- [为什么我们推荐GrapheneOS而不是CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) + +## AOSP 衍生品 + +我们建议在你的设备上安装这些定制的安卓操作系统之一,根据你的设备与这些操作系统的兼容性,按偏好顺序列出。 + +!!! note + + 由于OEM停止支持,寿命终止的设备(如GrapheneOS或CalyxOS的 "扩展支持 "设备)没有完整的安全补丁(固件更新)。 无论安装何种软件,都不能认为这些设备是完全安全的。 + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS标志](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS标志](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS**是涉及隐私和安全的最佳选择。 + + GrapheneOS提供了额外的[安全加固](https://en.wikipedia.org/wiki/Hardening_(计算))和隐私改进。 它有一个[加固的内存分配器](https://github.com/GrapheneOS/hardened_malloc)、网络和传感器权限,以及其他各种[安全功能](https://grapheneos.org/features)。 GrapheneOS还带有完整的固件更新和签名构建,因此完全支持验证性启动。 + + [:octicons-home-16: 主页](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="隐私政策" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=文档} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="源代码" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title="贡献" } + +GrapheneOS支持 [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play),它像其他普通应用程序一样完全在沙盒中运行 [Google 
Play服务](https://en.wikipedia.org/wiki/Google_Play_Services)。 这意味着你可以利用大多数Google Play服务,如 [推送通知](https://firebase.google.com/docs/cloud-messaging/),同时让你完全控制其权限和访问,同时将其包含在你选择的特定 [工作档案](os/android-overview.md#work-profile) 或 [用户档案](os/android-overview.md#user-profiles)。 + +谷歌Pixel手机是目前唯一符合GrapheneOS的 [硬件安全要求的设备](https://grapheneos.org/faq#device-support)。 + +### DivestOS + +!!! recommendation + + ![DivestOS标志](assets/img/android/divestos.svg){ align=right } + + **DivestOS**是 [LineageOS](https://lineageos.org/)的一个软分叉。 + DivestOS从LineageOS继承了许多[支持的设备](https://divestos.org/index.php?page=devices&base=LineageOS)。 它有签名的构建,使得在一些非Pixel设备上可以有[验证的启动](https://source.android.com/security/verifiedboot)。 + + [:octicons-home-16: 主页](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="隐私政策" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=文档} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="源代码" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title="贡献" } + +DivestOS有自动的内核漏洞([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [补丁](https://gitlab.com/divested-mobile/cve_checker),更少的专有blobs,以及一个自定义的 [hosts](https://divested.dev/index.php?page=dnsbl) 文件。 其加固的WebView, [Mulch](https://gitlab.com/divested-mobile/mulch),使 [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) ,用于所有架构和 [网络状态分区](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning),并接收带外更新。 DivestOS还包括来自GrapheneOS的内核补丁,并通过 [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758),启用所有可用的内核安全功能。 所有比3.4版更新的内核都包括全页面 [sanitization](https://lwn.net/Articles/334747/) ,所有~22个Clang编译的内核都启用了 [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471)。 + +DivestOS实现了一些最初为GrapheneOS开发的系统加固补丁。 DivestOS 16.0及以上版本实现了GrapheneOS的 
[`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) 和SENSORS权限切换, [硬化的内存分配器](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)),以及部分 [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) 硬化补丁集。 17.1和更高版本的GrapheneOS的每个网络完全 [MAC随机化](https://en.wikipedia.org/wiki/MAC_address#Randomization) 选项, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) 控制,以及自动重启/Wi-Fi/蓝牙 [超时选项](https://grapheneos.org/features)。 + +DivestOS使用F-Droid作为其默认应用商店。 通常情况下,我们会建议避免使用F-Droid,因为它有许多 [安全问题](#f-droid)。 然而,在DivestOS上这样做是不可行的;开发者通过他们自己的F-Droid仓库更新他们的应用程序([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2))。 我们建议禁用官方F-Droid应用程序,并使用 [Neo Store](https://github.com/NeoApplications/Neo-Store/) ,启用DivestOS仓库,以保持这些组件的更新。 对于其他应用程序,我们推荐的获取方法仍然适用。 + +!!! 
推荐 + + DivestOS的固件更新 [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS)和质量控制在其支持的设备中各不相同。 我们仍然推荐GrapheneOS,这取决于你设备的兼容性。 对于其他设备,DivestOS是一个不错的选择。 + + 并非所有支持的设备都有验证启动,有些设备的验证启动性能比其他设备好。 + +## 安卓设备 + +在购买设备时,我们建议尽可能购买新的设备。 移动设备的软件和固件只支持有限的时间,因此购买新的设备可以尽可能地延长这一寿命。 + +避免从移动网络运营商那里购买电话。 这些产品通常有一个 **锁定的引导加载器** ,不支持 [OEM解锁](https://source.android.com/devices/bootloader/locking_unlocking)。 这些手机变体将阻止你安装任何种类的替代性安卓发行。 + +对于从网上市场购买二手手机,要非常 **小心**。 始终检查卖家的声誉。 如果设备被盗,有可能 [IMEI黑名单](https://www.gsma.com/security/resources/imei-blacklisting/)。 您与前任所有者的活动相关联的风险也存在。 + +还有一些关于安卓设备和操作系统兼容性的提示。 + +- 不要购买已经达到或接近其使用寿命的设备,额外的固件更新必须由制造商提供。 +- 不要购买预装的LineageOS或/e/OS手机或任何没有适当 [核实启动](https://source.android.com/security/verifiedboot) 支持和固件更新的安卓手机。 这些设备也没有办法让你检查它们是否被篡改过。 +- 简而言之,如果一个设备或Android发行版没有在这里列出,可能有一个很好的理由。 请查看我们的 [论坛](https://discuss.privacyguides.net/) ,了解详情! + +### Google Pixel + +谷歌像素手机是我们推荐购买的 **唯一** 设备。 由于对第三方操作系统的适当AVB支持和谷歌定制的 [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) 安全芯片作为安全元件,Pixel手机的硬件安全性比目前市场上的任何其他安卓设备都强。 + +!!! 
recommendation + + ![谷歌Pixel 6](assets/img/android/google-pixel.png){ align=right } + + 众所周知,**谷歌Pixel**设备具有良好的安全性,并适当支持[验证启动](https://source.android.com/security/verifiedboot),即使在安装自定义操作系统时也是如此。 + + 从**Pixel 6**和**6 Pro**开始,Pixel设备将获得至少5年的安全更新保证,确保其使用寿命比其他竞争OEM厂商通常提供的2-4年要长得多。 + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +像泰坦M2这样的安全元件比大多数其他手机使用的处理器的可信执行环境更加有限,因为它们只用于秘密存储、硬件证明和速率限制,而不是用于运行 "可信 "程序。 没有安全元件的手机必须使用TEE来 *,所有这些功能的* ,从而导致更大的攻击面。 + +谷歌Pixel手机使用的是名为Trusty的TEE操作系统,它是 [开源](https://source.android.com/security/trusty#whyTrusty),与其他许多手机不同。 + +在Pixel手机上安装GrapheneOS很容易,他们的 [网页安装程序](https://grapheneos.org/install/web)。 如果你觉得自己做起来不舒服,并且愿意多花一点钱,可以看看 [NitroPhone](https://shop.nitrokey.com/shop) ,因为它们预装了GrapheneOS,来自著名的 [Nitrokey](https://www.nitrokey.com/about) 公司。 + +购买谷歌Pixel的另外几个提示: + +- 如果你想买到便宜的Pixel设备,我们建议购买"**a**"型号,就在下一个旗舰机发布之后。 通常会有折扣,因为谷歌将试图清理他们的库存。 +- 考虑在实体店提供的打价方案和特价商品。 +- 看看你所在国家的在线社区便宜货网站。 这些可以提醒你有好的销售。 +- 谷歌提供了一个列表,显示了他们每个设备的 [支持周期](https://support.google.com/nexus/answer/4457705)。 设备每天的价格可以计算为。$\text{Cost} \over \text {EOL Date}-\text{Current Date}$,意味着设备使用时间越长,每天的费用越低。 + +## 常规应用程序 + +我们在整个网站上推荐了各种各样的安卓应用。 这里列出的应用程序是安卓独有的,专门加强或取代关键的系统功能。 + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + * *Shelter* *是一款应用程序,可帮助您利用Android的工作配置文件功能隔离或复制设备上的应用程序。 + + Shelter支持阻止联系人跨档案搜索,并通过默认文件管理器([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui))跨档案共享文件。 + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="源代码" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=贡献 } + + ??? 下载 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! 
推荐 + + 推荐使用Shelter而不是 [Insular](https://secure-system.gitlab.io/Insular/)和 [Island](https://github.com/oasisfeng/island),因为它支持[联系人搜索屏蔽](https://secure-system.gitlab.io/Insular/faq.html)。 + + 当使用Shelter时,你完全信任它的开发者,因为Shelter作为一个[设备管理员](https://developer.android.com/guide/topics/admin/device-admin)来创建工作档案,它可以广泛地访问存储在工作档案中的数据。 + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + * *Auditor* * 是一款利用硬件安全功能为[支持的设备](https://attestation.app/about#device-support) 提供设备完整性监控的应用程序。 目前,它只适用于GrapheneOS和设备的库存操作系统。 + + [:octicons-home-16: 主页](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/about#privacy-policy){ .card-link title="隐私政策" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=文档} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="源代码" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title="贡献" } downloads "下载" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor通过以下方式进行鉴证和入侵检测。 + +- 在 *审计员* 和 *被审计者*之间使用 [首次使用信任(TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) 模式,该配对在 + +审计员 *的硬件支持的密钥库 中建立一个私人密钥。 + + - *审计员* ,可以是审计师应用程序的另一个实例,也可以是 [远程认证服务](https://attestation.app)。 +- *审计员* 记录了 *审计对象*的当前状态和配置。 +- 如果在配对完成后发生篡改 *审计对象的操作系统* ,审计人员将意识到设备状态和配置的变化。 +- 你会被提醒注意这一变化。 + +没有个人身份信息被提交给证明服务。 我们建议你用匿名账户注册,并启用远程认证,以进行持续监控。 + +如果你的 [威胁模型](basics/threat-modeling.md) 需要隐私,你可以考虑使用 [Orbot](tor.md#orbot) 或VPN,从证明服务中隐藏你的IP地址。 为了确保你的硬件和操作系统是真实的, [,在设备安装后,在任何互联网连接之前,立即进行本地认证](https://grapheneos.org/install/web#verifying-installation)。 + + + +### Secure Camera + +!!! 
recommendation + + ![Secure 摄像头标志](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure 摄像头标志](assets/img/android/secure_camara-dark#only-dark){ aligh=right } + + **Secure Camera** 是一个专注于隐私和安全的相机应用,它可以捕捉图像、视频和二维码。 CameraX供应商扩展(肖像、HDR、夜视、面部修饰和自动)也在可用设备上得到支持。 + + [:octicons-repo-16: 主页](https://grapheneos.org/){ .md-button .md-button--primary } + + [:octicons-info-16:](https://github.com/GrapheneOS/Camera#privacy-policy){ .card-link title="隐私政策" } + [:octicons-code-16:](https://grapheneos.org/faq){ .card-link title=文档} + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title="源代码" } + [](){ .card-link title="贡献" } downloads "下载" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + + +主要隐私功能包括: + +- 自动删除 [Exif](https://en.wikipedia.org/wiki/Exif) 元数据(默认启用)。 +- 使用新的 [媒体](https://developer.android.com/training/data-storage/shared/media) API,因此不需要 [存储权限](https://developer.android.com/training/data-storage) +- 除非您想录制声音,否则不需要麦克风权限 + +!!! note + + 目前,元数据没有从视频文件中删除,但这是计划中的。 + + 图像方向元数据未被删除。 如果你启用位置(在安全相机中),**也不会被删除。 如果你以后想删除,你将需要使用一个外部应用程序,如 [ExifEraser](data-redaction.md#exiferaser)。 + + + + +### 安全的PDF查看器(Secure PDF Viewer) + +!!! 
recommendation + + ![安全PDF浏览器标志](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![安全PDF浏览器标志](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **安全PDF浏览器**是一个基于 [pdf.js](https://en.wikipedia.org/wiki/PDF.js)的PDF浏览器,不需要任何权限。 该PDF被送入一个 [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview)。 这意味着它不需要权限就能直接访问内容或文件。 + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy)是用来强制要求WebView内的JavaScript和造型属性完全是静态内容。 + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="源代码" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=贡献 } + + ??? downloads "下载" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + + + + +## 获取应用程序 + + + +### GrapheneOS应用商店 + +GrapheneOS的应用商店可在 [GitHub](https://github.com/GrapheneOS/Apps/releases)。 它支持Android 12及更高版本,并且能够自行更新。 该应用商店有GrapheneOS项目建立的独立应用,如 [Auditor](https://attestation.app/)、 [Camera](https://github.com/GrapheneOS/Camera)、 [PDF Viewer](https://github.com/GrapheneOS/PdfViewer)。 如果你正在寻找这些应用程序,我们强烈建议你从GrapheneOS的应用程序商店而不是Play商店获得它们,因为他们商店的应用程序是由GrapheneOS的项目自己的签名,而谷歌无法访问。 + + + +### 奥罗拉商店(Aurora Store) + +Google Play商店需要一个Google账户来登录,这对隐私来说不是很好。 你可以通过使用一个替代的客户端,如Aurora Store,来解决这个问题。 + +!!! 
recommendation + + ![Aurora Store徽标](assets/img/android/aurora-store.webp){ align=right } + + * *Aurora Store* *是Google Play Store客户端,无需Google帐户、Google Play服务或microG即可下载应用程序。 + + [:octicons-home-16: 主页](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="源代码" } + + ??? 下载 + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + + +Aurora Store不允许您下载具有匿名帐户功能的付费应用程序。 您可以选择使用Aurora Store登录您的Google帐户下载您购买的应用程序,这确实可以访问您安装到Google的应用程序列表,但是您仍然可以从不需要完整的Google Play客户端和Google Play服务或设备上的microG中受益。 + + + +### 手动使用RSS通知 + +对于在GitHub和GitLab等平台上发布的应用程序,你也许可以在你的 [新闻聚合器](/news-aggregators) ,添加一个RSS源,这将有助于你跟踪新版本。 + +![RSS应用](./assets/img/android/rss-apk-light.png#only-light) ![RSS应用](./assets/img/android/rss-apk-dark.png#only-dark) ![APK 变更](./assets/img/android/rss-changes-light.png#only-light) ![APK 变更](./assets/img/android/rss-changes-dark.png#only-dark) + + + +#### GitHub + +在GitHub上,以 [安全相机](#secure-camera) 为例,你可以导航到它的 [发布页](https://github.com/GrapheneOS/Camera/releases) ,并在URL上附加 `.atom`。 + +`https://github.com/GrapheneOS/Camera/releases.atom` + + + +#### GitLab + +在GitLab上,以 [Aurora Store](#aurora-store) 为例,你可以导航到它的 [项目库](https://gitlab.com/AuroraOSS/AuroraStore) ,并在URL上附加 `/-/tags?format=atom`。 + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + + + +#### Verifying APK Fingerprints + +如果你下载APK文件进行手动安装,你可以用 [`apksigner`](https://developer.android.com/studio/command-line/apksigner) 工具验证其签名,这是Android [build-tools](https://developer.android.com/studio/releases/build-tools)的一部分。 + +1. 安装 [Java JDK](https://www.oracle.com/java/technologies/downloads/)。 + +2. 下载 [Android Studio命令行工具](https://developer.android.com/studio#command-tools)。 + +3. 解压缩下载的存档: + + + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + + +4. 
运行签名验证命令。 + + + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + + +5. 然后,所产生的哈希值可以与另一个来源进行比较。 一些开发商,如Signal [,在其网站上显示了指纹](https://signal.org/android/apk/)。 + + + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + + + + +### F-Droid + +![F-Droid徽标](assets/img/android/f-droid.svg){ align=right width=120px } + +==我们 **,而不是** ,目前推荐F-Droid作为获取应用程序的一种方式。==F-Droid经常被推荐为Google Play的替代品,特别是在隐私社区。 添加第三方资源库并不局限于谷歌的围墙花园这一选择导致了它的流行。 F-Droid另外还有 [可复制的构建](https://f-droid.org/en/docs/Reproducible_Builds/) ,用于一些应用程序,并致力于自由和开源软件。 然而,有 [显著的问题](https://privsec.dev/posts/android/f-droid-security-issues/) ,官方F-Droid客户端,他们的质量控制,以及他们如何建立、签署和交付包裹。 + +由于他们构建应用程序的过程,F-Droid官方资源库中的应用程序经常在更新上落后。 F-Droid维护者在用自己的密钥签署应用程序时也会重复使用包的ID,这并不理想,因为它给了F-Droid团队最终的信任。 + +其他流行的第三方资源库,如 [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) ,缓解了其中的一些担忧。 IzzyOnDroid存储库直接从GitHub拉取构建,是开发者自己存储库的下一个最好的东西。 However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. 虽然这是有道理的(因为该特定仓库的目标是在应用程序被接受到F-Droid主仓库之前托管它们),但它可能会让你安装的应用程序不再收到更新。 + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. 重要的是要记住,这些资源库中的一些应用程序已经多年没有更新,可能依赖于不支持的库等,构成潜在的安全风险。 在通过这种方法寻找新的应用程序时,你应该使用你的最佳判断力。 + +!!! 
note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + + + + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + + + + +### 服务供应商 + +- 它必须是开源软件。 +- 必须支持引导器锁定,支持自定义AVB密钥。 +- 必须在发布后0-1个月内接受主要的安卓系统更新。 +- 必须在发布后0-14天内收到安卓功能更新(小版本)。 +- 必须在发布后0-5天内收到定期安全补丁。 +- 必须 **,而不是** ,开箱即 被"root"了。 +- 必须 **,而不是** ,默认启用Google Play服务。 +- 必须 **,而不是** ,需要修改系统以支持Google Play服务。 + + + +### 设备 + +- 必须支持至少一个我们推荐的定制操作系统。 +- 必须是目前在商店里销售的新产品。 +- 必须接受至少5年的安全更新。 +- 必须有专门的安全要素硬件。 + + + +### 应用程序 + +- 本页的应用程序不得适用于网站上的任何其他软件类别。 +- 一般的应用程序应该扩展或取代核心系统功能。 +- 应用程序应定期得到更新和维护。 + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/assets/img/account-deletion/exposed_passwords.png b/i18n/zh/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/zh/assets/img/account-deletion/exposed_passwords.png differ 
diff --git a/i18n/zh/assets/img/android/rss-apk-dark.png b/i18n/zh/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/zh/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/zh/assets/img/android/rss-apk-light.png b/i18n/zh/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/zh/assets/img/android/rss-apk-light.png differ diff --git a/i18n/zh/assets/img/android/rss-changes-dark.png b/i18n/zh/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/zh/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/zh/assets/img/android/rss-changes-light.png b/i18n/zh/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/zh/assets/img/android/rss-changes-light.png differ diff --git a/i18n/zh/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/zh/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/zh/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh/assets/img/how-tor-works/tor-encryption.svg b/i18n/zh/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/zh/assets/img/how-tor-works/tor-encryption.svg 
@@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh/assets/img/how-tor-works/tor-path-dark.svg b/i18n/zh/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/zh/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh/assets/img/how-tor-works/tor-path.svg b/i18n/zh/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/zh/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh/assets/img/multi-factor-authentication/fido.png b/i18n/zh/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/zh/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/zh/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/zh/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/zh/assets/img/multi-factor-authentication/yubico-otp.png differ 
diff --git a/i18n/zh/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/zh/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/zh/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/zh/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/zh/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/zh/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/zh/basics/account-creation.md b/i18n/zh/basics/account-creation.md new file mode 100644 index 00000000..1ae405ba --- /dev/null +++ b/i18n/zh/basics/account-creation.md 
@@ -0,0 +1,82 @@ +--- +title: "账户创建" +icon: 'material/account-plus' +--- + +人们经常不假思索地注册服务。 也许它是一个流媒体服务,这样你就可以看到每个人都在谈论的新节目,或者一个为你最喜欢的快餐店提供折扣的账户。 无论情况如何,你应该考虑现在和以后对你的数据的影响。 + +你所使用的每一项新服务都有风险。 数据泄露;向第三方披露客户信息;流氓雇员访问数据;所有这些都是在提供你的信息时必须考虑的可能性。 你需要确信你可以信任该服务,这就是为什么我们不建议将有价值的数据存储在任何东西上,除了最成熟和经过战斗考验的产品。 这通常意味着提供E2EE并经过加密审计的服务。 审计增加了对产品的保证,即产品的设计没有由缺乏经验的开发者造成的明显的安全问题。 + +在一些服务上删除账户也可能很困难。 有时 [覆盖与一个账户相关的数据](account-deletion.md#overwriting-account-information) ,但在其他情况下,该服务将保留整个账户的变化历史。 + +## 用户协议和隐私政策 + +服务条款是你在使用服务时同意遵守的规则。 对于较大的服务,这些规则通常由自动系统执行。 有时这些自动系统会犯错误。 例如,你可能因为使用VPN或VOIP号码而被禁止或被锁定在某些服务的账户中。 对这种禁令提出上诉往往很困难,而且也涉及到一个自动程序,并不总是成功。 这将是我们不建议使用Gmail的电子邮件作为例子的原因之一。 电子邮件对于访问你可能已经注册的其他服务至关重要。 + +隐私政策是该服务说他们将如何使用你的数据,它值得阅读,以便你了解你的数据将如何被使用。 一个公司或组织可能在法律上没有义务遵守政策中的所有内容(这取决于司法管辖区)。 我们建议对你当地的法律有一些了解,以及他们允许供应商收集什么。 + +我们建议寻找特定的术语,如 "数据收集"、"数据分析"、"cookies"、"广告 "或 "第三方 "服务。 有时你可以选择不收集数据或不分享你的数据,但最好是选择一个从一开始就尊重你的隐私的服务。 + +请记住,你也将你的信任寄托在该公司或组织身上,他们会遵守自己的隐私政策。 + +## 身份验证方法 + +通常有多种注册账户的方式,每种方式都有各自的好处和缺点。 + +### 电子邮件和密码 + +创建新账户最常见的方式是通过电子邮件地址和密码。 当使用这种方法时,你应该使用一个密码管理器,并遵循 [有关密码的最佳实践](passwords-overview.md)。 + +!!! tip + + 你也可以用你的密码管理器来组织其他认证方法 只需添加新条目并填写相应的字段,你可以为安全问题或备份钥匙等事项添加注释。 + +你将负责管理你的登录凭证。 为了增加安全性,你可以在你的账户上设置 [MFA](multi-factor-authentication.md)。 + +[推荐的密码管理器](../passwords.md ""){.md-button} + +#### 邮箱别名 + +如果你不想把你的真实电子邮件地址提供给一个服务,你可以选择使用一个别名。 我们在我们的电子邮件服务推荐页面上对它们进行了更详细的描述。 本质上,别名服务允许你生成新的电子邮件地址,将所有电子邮件转发到你的主地址。 这可以帮助防止跨服务的追踪,并帮助你管理有时伴随着注册过程的营销电子邮件。 这些可以根据它们被发送到的别名自动过滤。 + +如果一项服务被黑客攻击,你可能会开始收到钓鱼或垃圾邮件到你用来注册的地址。 为每项服务使用独特的别名,可以帮助准确识别什么服务被黑。 + +[推荐的电子邮件别名服务](../email.md#email-aliasing-services ""){.md-button} + +### 单点登录 + +!!! 
note + + 我们讨论的是个人使用的单点登录,而不是企业用户。 + +单点登录(SSO)是一种认证方法,允许你在不分享很多信息的情况下注册一个服务。 只要你在注册表上看到类似于 "用 *提供商名称*"的内容,就是SSO。 + +当你在一个网站上选择单点登录时,它会提示你的SSO供应商的登录页面,之后你的账户就会被连接起来。 你的密码不会被分享,但一些基本信息会被分享(你可以在登录请求中查看)。 每次你想登录同一个账户时,都需要这个过程。 + +主要的优点是: + +- **安全性**:没有卷入 [数据泄露的风险](https://en.wikipedia.org/wiki/Data_breach) ,因为网站不储存你的凭证。 +- **易用性**:多个账户由一个登录账号管理。 + +但也有弊端: + +- **隐私**:SSO供应商会知道你使用的服务。 +- **集中化**:如果你的SSO账户被泄露或你无法登录,所有与之相连的其他账户都会受到影响。 + +SSO在那些你可以从服务之间的深度整合中获益的情况下,可以特别有用。 例如,这些服务中的一个可能为其他服务提供SSO。 我们的建议是将SSO限制在你需要的地方,用 [MFA](multi-factor-authentication.md)来保护主账户。 + +所有使用SSO的服务将和你的SSO账户一样安全。 例如,如果你想用硬件密钥保护一个账户,但该服务不支持硬件密钥,你可以用硬件密钥保护你的SSO账户,现在你的所有账户基本上都有硬件MFA。 但值得注意的是,SSO账户上的弱认证意味着与该登录方式相关的任何账户也会很弱。 + +### 手机号 + +我们建议避免使用那些需要电话号码才能注册的服务。 一个电话号码可以在多个服务中识别你的身份,根据数据共享协议,这将使你的使用情况更容易被追踪,特别是当这些服务之一被破坏时,因为电话号码通常是 **,而不是** 加密。 + +如果可以的话,你应该避免提供你的真实电话号码。 有些服务会允许使用VOIP号码,但是这些号码往往会触发欺诈检测系统,导致账户被锁定,所以我们不建议重要账户使用这种号码。 + +在许多情况下,你将需要提供一个可以接收短信或电话的号码,特别是在国际购物时,以防你的订单在边境检查时出现问题。 服务机构使用你的号码作为验证方法是很常见的;不要因为你想耍小聪明,给了一个假的号码,而让自己被锁定在一个重要的账户之外。 + +### 用户名和密码 + +有些服务允许你不使用电子邮件地址进行注册,只要求你设置一个用户名和密码。 这些服务在与VPN或Tor结合使用时,可以提供更多的匿名性。 **请记住,对于这些账户,如果你忘记了你的用户名或密码,很可能没有办法恢复你的账户**。 + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/basics/account-deletion.md b/i18n/zh/basics/account-deletion.md new file mode 100644 index 00000000..044a895b --- /dev/null +++ b/i18n/zh/basics/account-deletion.md @@ -0,0 +1,63 @@ +--- +title: "删除帐户" +icon: '资料/账户-删除' +--- + +随着时间的推移,很容易积累一些在线账户,其中许多账户你可能不再使用。 删除这些未使用的账户是找回隐私的一个重要步骤,因为休眠账户很容易受到数据泄露的影响。 数据泄露是指一项服务的安全性受到损害,受保护的信息被未经授权的人查看、传输或窃取。 不幸的是,而今数据泄露 [太过于常见](https://haveibeenpwned.com/PwnedWebsites) ,因此保持良好的数字卫生是将它们对你生活的影响降到最低的最好方法。 本指南的目标就是引导您经由令人讨厌的帐户删除过程来优化你的线上生活,这些过程通常采用了 [欺骗性设计](https://www.deceptive.design/)使得其变得更加困难。 + +## 查找旧帐户 + +### 密码管理器 + +如果您有一个贯穿整个数字生活来使用的密码管理器,这个部分将非常简单。 通常情况下,它们内置有检测你的凭证是否在数据泄露中被暴露的功能--例如Bitwarden的 [数据泄露报告](https://bitwarden.com/blog/have-you-been-pwned/)。 + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +即使你以前没有明确使用过密码管理器,你也有可能在不知不觉中使用了你的浏览器或手机中的密码管理器。 例如。 [火狐密码管理器](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [谷歌密码管理器](https://passwords.google.com/intro) 和 [Edge密码管理器](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336)。 + +桌面平台通常也有一个密码管理器,可以帮助你恢复你忘记的密码。 + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux,Gnome Keyring,可以通过 [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) 或 [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)访问。 + +### DNS + +如果你过去没有使用密码管理器,或者你认为你有从未被添加到密码管理器的账户,另一个选择是搜索印象里当时注册用的电子邮箱。 在你的电子邮件客户端,搜索关键词,如 "验证 "或 "欢迎"。 几乎每次您创建在线帐户时,注册的服务都会向您的电子邮箱发送验证链接或介绍性消息。 这可能是找到被遗忘的旧账户的一个好方法。 + +## 删除旧账户 + +### 登录 + +为了删除你的旧账户,你需要首先确保你能登录到这些账户。 同样,如果该账户是在你的密码管理器中,这一步很容易。 如果没有,你可以尝试猜测你的密码。 如果做不到这一点,通常可以选择重新获得你账户的访问权限,通常可以通过登录页面上的 "忘记密码 "链接获得。 也有可能你放弃的账户已经被删除了--有时服务机构会裁除所有旧账户。 + +当试图重新获得访问权时,如果网站返回错误信息说该电子邮件没有与一个账户相关联,或者你在多次尝试后从未收到重置链接,那么你在该邮箱地址下没有账户,应该尝试另一个地址。 如果你无法找出你使用的电子邮件地址,或者你不再能访问该电子邮件,你可以尝试联系该服务的客户支持。 很遗憾,我们无法保证您能够恢复对账号的访问权限。 + +### GDPR(仅限欧洲经济区居民) + +欧洲经济区的居民在数据删除方面有额外的权利,具体见 [GDPR第17条](https://www.gdpr.org/regulation/article-17.html)。 如果适用于你,请阅读任何特定服务的隐私政策,以找到关于如何行使你的删除权的信息。 阅读隐私政策可能被证明是重要的,因为一些服务有一个 "删除账户 "的选项,它只是禁用你的账户,而要真正删除,你必须采取额外行动。 有时,实际删除可能涉及填写调查表、向服务的数据保护人员发送电子邮件,甚至证明你在欧洲经济区拥有住所。 如果你打算这么做, **不要** 覆盖账户信息--你作为欧洲经济区居民的身份可能被要求。 请注意,服务的地点并不重要;GDPR适用于任何为欧洲用户服务的人。 如果服务不尊重你的删除权,你可以联系你的国家的 [数据保护局](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) ,你可能有权获得金钱赔偿。 + +### 覆盖账户信息 + +在某些情况下,如果你打算放弃一个账户,用假数据覆盖账户信息可能是有意义的。 一旦你确定你可以登录,将你账户中的所有信息改为伪造的信息。 
原因是许多网站会保留你以前的信息,即使是在删除账户后。 这一方法寄希望于他们能用你输入的最新数据来覆盖以前的信息。 但是,无法保证不会使用以前的信息进行备份。 + +对于账户的电子邮件,可以通过你选择的供应商创建一个新的备用电子邮件账户,或者使用 [电子邮件别名服务创建一个别名](/email/#email-aliasing-services)。 一旦完成,您可以删除备用电子邮件地址。 我们建议不要使用临时电子邮件供应商,因为很多时候这类临时电子邮件有可能被重新激活。 + +### 删除 + +你可以查看 [JustDeleteMe](https://justdeleteme.xyz) ,了解关于删除特定服务的账户的说明。 有些网站会慷慨地提供“删除帐户”选项,而其他网站则会迫使您与客服代表交谈。 删除过程可能因网站而异,在一些网站上无法删除账户。 + +对于不允许删除账户的服务,最好的办法是像前面提到的那样伪造你的所有信息,加强账户安全。 要做到这一点,请启用 [MFA](multi-factor-authentication.md) 和提供的任何额外安全功能。 同样,将密码更改为随机生成的最大允许大小( [密码管理器](/passwords/#local-password-managers) 对此很有用)。 + +如果你对所有你关心的信息都被删除感到满意,你可以安全地忘记这个账户。 如果没有,把凭证与你的其他密码存放在一起,偶尔重新登录以重置密码可能是一个好主意。 + +即使你能够删除一个账户,也不能保证你的所有信息都会被删除。 事实上,一些公司被法律要求保留某些信息,特别是与金融交易有关的信息。 当涉及到网站和云服务时,你的数据会发生什么大多是你无法控制的。 + +## 避免新账户 + +老话说,"上医治未病"。 每当你觉得被诱惑去注册一个新账户时,问问自己,"我真的需要这个吗? 没有账户,我可以完成我需要的东西吗?" 删除一个账户往往比创建一个账户要难得多。 而且,即使在删除或改变你的账户信息后,可能还有一个来自第三方的缓存版本,如 [Internet Archive](https://archive.org/)。 当你能够避免诱惑时--你未来的自己会感谢你的。 + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/basics/common-misconceptions.md b/i18n/zh/basics/common-misconceptions.md new file mode 100644 index 00000000..152ffd10 --- /dev/null +++ b/i18n/zh/basics/common-misconceptions.md @@ -0,0 +1,61 @@ +--- +title: "常见误区" +icon: 'material/robot-confused' +--- + +## “开源软件始终是安全的”或“专有软件更安全” + +这些神话源于一些偏见,但软件产品的来源和许可并不以任何方式内在地影响其安全性。 ==开源软件 *有可能* 比专有软件更安全, 但对于这一点没有绝对保证。== 在你评估软件时,需要去逐一检查每个工具的声誉和安全性。 + + 开源软件 *,可以由第三方进行审计,而且通常比专有的同类软件对潜在的漏洞更加透明。 它还允许你审查代码并禁用你自己发现的任何可疑功能。 然而, *,除非你这样做*,否则不能保证代码曾经被评估过,特别是对于较小的软件项目。 开放的开发过程有时也被利用,甚至在大型项目中引入新的漏洞。[^1]

+ +从另一个角度看,专利软件的透明度较低,但这并不意味着它不安全。 主要的专利软件项目可以由内部和第三方机构进行审计,而独立的安全研究人员仍然可以通过逆向工程等技术找到漏洞。 + +为了避免决策出现偏差, *,你要评估你所使用的软件的隐私和安全标准,这一点至关重要*。 + +## "转移信任可以增加隐私" + +在讨论像VPN这样的解决方案时,我们经常谈到 "转移信任"(它将你对ISP的信任转移到VPN供应商身上)。 虽然这可以保护你的浏览数据不被你的ISP *,特别是*,但你选择的VPN供应商仍然可以访问你的浏览数据。你的数据并不是完全不受各方保护的。 这意味着: + +1. 在选择将信任转移给一个供应商时,你必须谨慎行事。 +2. 你仍然应该使用其他技术,如E2EE,来完全保护你的数据。 仅仅是不信任一个供应商而信任另一个供应商,并不能保证你的数据安全。 + +## "以隐私为重点的解决方案本质上是值得信赖的" + +仅仅关注一个工具或供应商的隐私政策和营销,会让你看不到它的弱点。 当你在寻找一个更私人的解决方案时,你应该确定根本的问题是什么,并为这个问题找到技术解决方案。 例如,您可能希望避免使用Google云端硬盘,因为它允许Google访问您的所有数据。 这种情况下的根本问题是缺乏E2EE,所以你应该确保你切换到的供应商确实实现了E2EE,或者使用一个工具(如 [Cryptomator](../encryption.md#cryptomator-cloud)),在任何云供应商上提供E2EE。 转换到一个 "注重隐私 "的供应商(不实施E2EE)并不能解决你的问题:它只是将信任从谷歌转移到该供应商。 + +你所选择的供应商的隐私政策和商业惯例是非常重要的,但应该被认为是次要的,因为对你的隐私的技术保证。当信任一个供应商根本不是一个要求时,你不应该把信任转移到另一个供应商身上。 + +## "复杂的是更好的" + +我们经常看到人们描述的隐私威胁模型过于复杂。 通常情况下,这些解决方案包括许多不同的电子邮件账户或有许多移动部件和条件的复杂设置等问题。 答案通常是“做 *×*的最佳方式是什么?”。 + +为自己寻找 "最佳 "解决方案并不一定意味着你要追求一个有几十种条件的无懈可击的解决方案--这些解决方案往往难以现实地发挥作用。 正如我们之前所讨论的,安全往往是以便利为代价的。 下面,我们提供一些提示。 + +1. ==行动需要服务于一个特定的目的:==思考如何用最少的行动完成你想要的东西。 +2. ==消除人类的失败点:==我们会失败,会累,会忘记事情。 为了维护安全,避免依赖你必须记住的手动条件和流程。 +3. ==为你的意图使用正确的保护水平。==我们经常看到所谓的执法或防传唤解决方案的建议。 这些往往需要专业知识,通常不是人们想要的。 如果你可以通过一个简单的疏忽轻易地去掉匿名,那么为匿名建立一个复杂的威胁模型就没有意义。 + +那么,如何看待这个问题? + +最清晰的威胁模型之一是,部分人*,知道你是谁* ,而另一部分人不知道。 总有一些情况下你必须申报你的合法姓名,也有一些情况下你不需要这样做。 + +1. **已知身份** - 已知身份是用于必须申报姓名的事情。 有许多法律文件和合同都需要合法身份。 这可能包括开设银行账户、签署房产租赁合同、获得护照、进口物品时的海关申报,或以其他方式与你的政府打交道。 这些东西通常会导致信用卡、信用等级检查、账户号码,以及可能的实际地址等凭证。 + + 我们不建议使用VPN或Tor来做这些事情,因为你的身份已经通过其他方式被了解。 + + !!! tip + + 网购时,使用[快递柜](https://en.wikipedia.org/wiki/Parcel_locker)可以帮助你保持实际住址的隐私。 + +2. **未知身份** -未知身份可能是您经常使用的稳定化名。 它不是匿名的,因为它没有变化。 如果你是一个网络社区的一部分,你可能希望保留一个别人知道的角色。 这个化名不是匿名的,因为如果监测的时间足够长,关于主人的细节可以揭示进一步的信息,如他们的写作方式,他们对感兴趣的话题的一般知识,等等。 + + 你可能希望为此使用VPN,以掩盖你的IP地址。 金融交易更难掩盖。你可以考虑使用匿名的加密货币,如 [Monero](https://www.getmonero.org/)。 采用altcoin转移也可能有助于掩盖你的货币来源。 通常情况下,交易所需要完成KYC(了解你的客户),然后才允许你将法币兑换成任何种类的加密货币。 当地见面会选项也可能是一种解决方案;然而,这些往往更昂贵,有时也需要KYC。 + +3. 
**匿名身份** - 即使有经验,匿名身份也很难长期维持。 它们应该是短期和短命的身份,定期轮换。 + + 使用Tor可以帮助解决这个问题。 还值得注意的是,通过异步通信可以实现更大的匿名性。实时通信容易受到打字模式的分析(即超过一段文字,在论坛上分发,通过电子邮件等)。 + +--8<-- "includes/abbreviations.zh.txt" + +[^1]: 其中一个明显的例子是 [2021年明尼苏达大学的研究人员将三个漏洞引入了Linux内核开发项目的事件](https://cse.umn.edu/cs/linux-incident)。 diff --git a/i18n/zh/basics/common-threats.md b/i18n/zh/basics/common-threats.md new file mode 100644 index 00000000..c0765537 --- /dev/null +++ b/i18n/zh/basics/common-threats.md 
@@ -0,0 +1,149 @@ +--- +title: "常见威胁" +icon: '资料/视野' +--- + +广义而言,可以将我们有关[威胁](threat-modeling.md) 或者适用于大多数人的目标的建议分为这几类。 ==你可能关注其中零个、 一个、 几个、 或所有这些可能性==, 你应该使用的工具和服务取决于你的目标。 你可能也有这些类别之外的特定威胁,这完全可以! 重要的是要去了解您选择的这些工具的优缺点,因为也许任何工具都不能够保护您免受所有可以想象到的威胁。 + +- :material-incognito: 匿名性 - 隔离你的线上活动和你的真实身份, 特别是要保护 *你的* 身份不被人揭露。 +- :material-target-account: 定向攻击 -防御专业黑客或恶意代理人获得,特别是 *你的* 数据或设备的访问权。 +- :material-bug-outline: 被动攻击 - 防御诸如恶意软件、数据泄露和其他一些同时针对许多人的攻击。 +- :material-server-network: 服务供应商 - 保护您的数据不受服务供应商的影响,例如,通过端到端加密使您的数据无法被服务器读取。 +- :material-eye-outline: 大规模监控 - 防止政府机构、组织、网站和服务联合起来共同追踪你的活动。 +- :material-account-cash: 监视资本主义 - 保护自己不受谷歌和Facebook等大型广告网络以及其他无数第三方数据收集者的影响 +- :material-account-search: 公开曝光 - 限制搜索引擎或一般公众在线访问到关于你的信息的能力。 +- :material-close-outline: 审查 - 避免信息的获取受到审查或者在网上的发言被审查。 + +其中一些威胁可能比其他威胁更重要,具体取决于您的关注点。 例如,一个能接触到有价值或关键数据的软件开发者可能主要关注 :material-target-account: 定向攻击,但除此之外,他们可能仍然希望保护自己的个人数据不被卷进 :material-eye-outline: 大规模监控 计划。 同样,"普通人 "可能主要关心他们的个人数据的 :material-account-search: ,公开曝光 ,但他们仍应警惕那些侧重于安全的问题,比如:material-bug-outline: ,被动攻击,就像那些会影响到设备的恶意软件 。 + +## 匿名与隐私 + +:material-incognito: 匿名性 + +匿名和隐私经常被混淆,但这是两个截然不同的概念。 隐私是你对如何使用和分享你的数据所做的一系列选择,而匿名则是将你的在线活动与你的现实生活身份完全脱离关系。 + +例如,举报人和记者可能会有一个相对极端的威胁模型,需要完全匿名。 这不仅是在隐藏他们所做的事情,他们有哪些数据,不被黑客或政府入侵,而且还完全隐藏他们是谁。 这意味着为了保护他们的匿名性、隐私或安全,他们可以牺牲任何形式的便利,因为他们的生命可能依赖于前者。 大多数普通人都不需要去这样做。 + +## 安全和隐私 + +:material-bug-outline: 被动攻击 + +安全和隐私经常被混为一谈,因为你需要安全来获得任何形式的隐私。如果这些工具可以很容易地被攻击者利用并随后泄漏你的数据,那么无论再怎么看似隐私都无济于事。 然而,反之亦然;世界上最安全的服务 *不一定是* 私密的。 这方面最好的例子是将数据托付给谷歌,鉴于其规模,谷歌能够通过雇用行业领先的安全专家来保护他们的基础设施,从而最大限度地减少了安全事件。 尽管谷歌提供了非常安全的服务,但很少有人会认为他们在谷歌的免费消费者产品(Gmail、YouTube等) 中的数据是私有的。 + +当涉及到应用程序安全时,我们通常不知道(有时甚至无法知道)我们使用的软件是否是恶意的,或者在未来的某一天会不会变成恶意的。 即使是最值得信赖的开发人员,通常也不能保证他们的软件没有可能在以后被利用的严重漏洞。 + +为了最大限度地减少恶意软件可能造成的损害,您应该采用隔离方式进行安全防护。 这可以是使用不同的计算机进行不同的工作,使用虚拟机来分离不同的相关应用程序组,或者使用一个安全的操作系统,重点是要有应用程序沙盒和强制性的访问控制。 + +!!! 
tip + + 在应用程序沙盒方面,移动操作系统通常比桌面操作系统更安全。 + + 应用程序无法获得根访问权限,只能访问您授予它们访问权限的系统资源。 桌面操作系统在成熟的沙箱方面通常比较落后。 ChromeOS具有与安卓类似的沙盒属性,而macOS具有完整的系统权限控制和(针对开发者)可选的应用程序沙盒,然而这些操作系统的确会将识别信息传输给各自的OEM。 Linux倾向于不向系统供应商提交信息,但它对漏洞和恶意应用程序的保护很差。 这一点可以通过大量使用虚拟机或容器的专门发行版(如Qubes OS)得到一定程度的缓解。 + +:material-target-account: 定向攻击 + +针对特定用户的有针对性的攻击更加难以处理。 常见的攻击途径包括通过电子邮件发送恶意文件,利用浏览器和操作系统的漏洞,以及物理攻击。 如果您担心这一点,则可能需要采用更高级的威胁缓解策略。 + +!!! tip + + **网络浏览器**、**电子邮件客户端**和**办公应用程序**在设计上通常都运行源自第三方的不可信代码。 运行多个虚拟机来将此类应用程序从主机系统中分离出来,以及彼此分离,是您可以使用的一种技术,以避免这些应用程序中的漏洞被利用,危及系统的其余部分。 例如,Qubes OS或Windows上的Microsoft Defender Application Guard等技术提供了无缝执行此操作的便捷方法。 + +如果你担心 **物理攻击** ,你应该使用具有安全验证启动实现的操作系统,如Android、iOS、macOS、 [Windows(带TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process)。 你还应该确保你的驱动器是加密的,并且操作系统使用TPM或安全 [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) 或 [Element](https://developers.google.com/android/security/android-ready-se) ,以限制输入加密口令的重试速率。 你应该避免与你不信任的人分享你的电脑,因为大多数桌面操作系统没有按用户单独加密数据。 + +## 来自服务提供商的隐私 + +:material-server-network: 服务提供商 + +我们生活在一个几乎所有东西都与互联网相连的世界里。 我们的 "私人 "信息、电子邮件、社交互动通常存储在某个服务器上。 通常,当您向某人发送消息时,该消息会存储在服务器上,当您的朋友想要阅读该消息时,服务器会将其显示给他们。 + +这样做的明显问题是,服务提供商(或入侵服务器的黑客)可以随时随地查看你的 "私人 "对话,而你却对此一无所知。 这适用于许多常见服务,如短信、Telegram、Discord等。 + +值得庆幸的是,可以通过在发送到服务器之前就对您与收件人之间的通信进行端到端加密来缓解此问题。 只要服务提供者不能获得任何一方的私钥,就能保证你的信息的保密性。 + +!!! 
注释“关于基于web的加密的说明” + + 在实践中,不同的端到端加密实现的有效性各不相同。 [Signal](../real-time-communication.md#signal)这类应用程序在您的设备本地运行,并且应用程序副本在不同的安装下保持相同。 如果服务提供商在他们的应用程序中设置后门,试图窃取你的私钥,这可以在未来通过逆向工程检测出来。 + + 另一方面,基于Web的端到端加密实现(如Proton Mail的webmail或Bitwarden的web vault)依赖于服务器动态地向浏览器提供JavaScript代码来处理加密操作。 一个恶意的服务器可以针对一个特定的用户,向他们发送恶意的JavaScript代码来窃取他们的加密密钥,而用户是很难注意到这样的事情的。 即使用户注意到有人试图窃取他们的密钥,也很难证明是提供商试图这样做,因为服务器可以选择向不同的用户提供不同的网络客户端。 + + 因此,当依赖端到端加密时,你应该尽可能选择使用本地应用程序而不是网络客户端。 + +即使有端对端加密,服务提供商仍然可以根据 **元数据**,对你进行剖析,而这些元数据通常不受保护。 虽然服务提供商无法阅读您的消息以查看您所说的内容,但他们仍然可以观察到您正在与谁通话、您给他们发送消息的频率以及您通常活跃的时间等情况。 对元数据的保护是相当不常见的,如果你关心这一点,应该密切关注你所使用的软件的技术文档,看看是否有任何元数据最小化或保护。 + +## 大规模监控计划 + +:material-eye-outline: 大规模监控 + +大规模监控是指对许多或所有特定人群进行监控的工作。 它通常是指像[Edward Snowden在2013披露](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present))的那一类政府项目。 + +!!! 摘要“监测地图” + + 如果你想了解更多关于监视方法以及它们在你的城市是如何实施的,你也可以看看[电子前沿基金会](https://atlasofsurveillance.org/)的[监视地图]。 + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +政府经常为大规模监控项目辩护,认为这是打击恐怖主义和防止犯罪的必要手段。 然而,它侵犯人权,最常被用来不成比例地针对少数群体和持不同政见者等。 + +!!! 
引用 "美国公民自由联盟。 [*9/11的隐私教训。大规模监控不是前进的方向*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + 面对[爱德华-斯诺登披露的政府项目,如 [PRISM](https://en.wikipedia.org/wiki/PRISM)和 [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)],情报官员也承认,国家安全局多年来一直在秘密收集几乎每个美国人的电话记录--谁在给谁打电话,这些电话是什么时候打的,以及它们持续多长时间。 你应该考虑你的对手能观察到网络的哪些方面,以及你的行动是否有合理的可否认性。 + +尽管美国的大规模监控越来越多,但政府发现,像第215条这样的大规模监控计划在阻止实际犯罪或恐怖主义阴谋方面 "没有什么独特的价值",其努力主要是重复联邦调查局自己的目标监控计划。[^2] + +尽管美国的大规模监控越来越多,但政府发现,像第215条这样的大规模监控计划在阻止实际犯罪或恐怖主义阴谋方面 "没有什么独特的价值",这份工作基本上只是在重复联邦调查局本身的目标监控计划。[^1] + +- 你的IP地址 +- 浏览器 Cookie +- 你提交给网站的数据 +- 你的浏览器或设备指纹 +- 支付方式的关联 + +\ [此列表并非详尽无遗]。 + +如果你担心大规模的监控项目,你可以使用一些策略,比如将你的在线身份进行分隔,与其他用户混在一起,或者尽可能地避免提供身份信息。 + +:material-account-cash: 监视资本主义 + +> 监视资本主义是一种以获取个人数据和将个人数据商品化为核心,从而以此营利的经济体系。[^2] + +确保您的数据私密性的最佳方法是首先不要将其放在外面。 删除你在网上发现的关于自己的信息是你为了恢复隐私可以采取的最佳初步措施之一。 使用内容拦截器等工具来限制对其服务器的网络请求,并阅读你使用的服务的隐私政策,可以帮助你避免许多基本的对手(尽管它不能完全防止跟踪)。[^4] + +在你分享信息的网站上,检查你账户的隐私设置以限制该数据的传播范围是非常重要的。 例如,如果您的帐户具有“隐私模式” ,请启用此功能以确保您的帐户不会被搜索引擎索引,并且不会被未经您事先审核的人查看。 对企业数据收集最有力的保护是尽可能地加密或混淆你的数据,使不同的供应商难以将数据相互关联并建立你的档案。 + +## 限制公共信息 + +:material-account-search: 公开曝光 + +保持数据私密性的最佳方法是首先不要将其公开。 删除你在网上发现的不需要的信息是你可以采取的最好的第一步,以重新获得你的隐私。 + +- [查看我们的账户删除指南 :material-arrow-right-drop-circle:](account-deletion.md) + +极权主义政府、网络管理员和服务提供商都可以在不同程度上进行在线审查,以控制用户的言论和用户可以获得的信息。 这些过滤互联网的行为将永远与言论自由的理想不相容。 + +随着Twitter和Facebook等平台对公众需求、市场压力和政府机构的压力做出让步,企业平台的审查制度也越来越普遍。 政府可以向企业隐蔽,例如白宫 [要求删除](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) 某个挑衅性的YouTube视频;也可以是公开的,例如中国政府要求企业遵守严格的审查制度。 + +## 避免审查 + +:material-close-outline: 审查 + +包括极权主义政府、网络管理员和服务提供商在内的行为者都可以(在不同程度上)进行网上审查。 这些控制通讯和限制获取信息的努力,总是与言论自由的人权不相容。[^5] + +企业平台的审查制度越来越普遍,因为像Twitter和Facebook这样的平台屈服于公众需求、市场压力和政府机构的压力。 政府可以向企业隐蔽,例如白宫 [要求删除](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) 某个挑衅性的YouTube视频;也可以是公开的,例如中国政府要求企业遵守严格的审查制度。 + 
+关注审查制度威胁的人可以使用像 [Tor](../advanced/tor-overview.md) 这样的技术来规避审查制度,并支持像 [Matrix](../real-time-communication.md#element)这样的抗审查通信平台,该平台没有一个可以任意关闭账户的集中式账户管理机构。 + +!!! tip + + 虽然逃避审查本身很容易,但隐藏你正在做的事实可能非常有问题。 + + 你应该考虑你的对手可以观察到网络的哪些方面,以及你的行动是否有合理的可否认性。 例如,使用[加密DNS](.../advanced/dns-overview.md#what-is-encrypted-dns)可以帮助你绕过初级的、基于DNS的审查系统,但它不能真正向ISP隐藏你正在访问的内容。 VPN或Tor可以帮助向网络管理员隐藏你正在访问的内容,但不能隐藏你首先在使用这些网络。 可插拔的传输工具(如Obfs4proxy、Meek或Shadowsocks)可以帮助你逃避阻挡普通VPN协议或Tor的防火墙,但你的规避尝试仍然可以被探测或[深度包检查](https://en.wikipedia.org/wiki/Deep_packet_inspection)等方法发现。 + +你必须始终考虑试图绕过审查制度的风险,潜在的后果,以及你的对手可能有多复杂。 你应该谨慎地选择软件,并有一个备份计划,以防被发现。 + +--8<-- "includes/abbreviations.zh.txt" + +[^1]: 美国隐私和公民自由监督委员会。 [关于根据第215条进行的电话记录计划的报告](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^2]: 维基百科: [监控资本主义](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^3]: 维基百科。 [*监视资本主义*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[列举坏事](https://www.ranum.com/security/computer_security/editorials/dumb/)"(或 "列出我们知道的所有坏事"),正如许多广告拦截器和防病毒程序所做的那样,无法充分保护你免受新的和未知的威胁,因为它们还没有被添加到过滤器列表中。 你还应该采用其他缓解技术。 +[^5]: 联合国。 [*世界人权宣言》*](https://www.un.org/en/about-us/universal-declaration-of-human-rights)。 diff --git a/i18n/zh/basics/email-security.md b/i18n/zh/basics/email-security.md new file mode 100644 index 00000000..d5e67cf8 --- /dev/null +++ b/i18n/zh/basics/email-security.md 
@@ -0,0 +1,42 @@ +--- +title: 电子邮件安全 +icon: material/email +--- + +电子邮件在默认情况下是一种不安全的通信形式。 你可以用OpenPGP等工具来提高你的电子邮件的安全性,这些工具为你的邮件增加了端对端加密功能,但OpenPGP与其他消息应用程序的加密相比,仍有一些缺点,而且由于电子邮件的设计方式,一些电子邮件数据永远无法得到固有的加密。 + +因此,电子邮件最好用于接收来自你在线注册的服务的交易性邮件(如通知、验证邮件、密码重置等),而不是用于与他人交流。 + +## 电子邮件加密概述 + +在不同的电邮供应商之间为电子邮件添加端到端加密的标准方法是使用OpenPGP。 OpenPGP标准有不同的实现方式,最常见的是 [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) 和 [OpenPGP.js](https://openpgpjs.org)。 + +有另一种标准受到商业界的欢迎,称为 [S/MIME](https://en.wikipedia.org/wiki/S/MIME),然而,它需要一个由 [证书颁发机构](https://en.wikipedia.org/wiki/Certificate_authority) (不是所有的证书颁发机构都颁发S/MIME证书)颁发的证书。 它在 [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) 和 [Outlook for Web 或 Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480)得到支持。 + +即使你使用OpenPGP,它也不支持 [前向加密](https://en.wikipedia.org/wiki/Forward_secrecy),这意味着如果你或收件人的私钥被盗,所有在之前使用它加密的信息都将被暴露。 这就是为什么我们推荐 [即时通讯工具](../real-time-communication.md) ,比起电子邮件,它尽可能更好地在人与人之间的通信中实现前向保密性。 + +### 哪些电子邮件客户端支持端到端加密? + +允许你使用IMAP和SMTP等标准访问协议的电子邮件提供商可以与我们推荐的任何 [电子邮件客户端一起使用](../email-clients.md)。 根据认证方法,如果供应商或电子邮件客户端不支持OATH或桥接应用,这可能会导致安全性下降,因为 [多因素认证](/basics/multi-factor-authentication/) ,不可能使用普通密码认证。 + +### 我如何保护我的私钥? + +智能卡(如 [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) 或 [Nitrokey](https://www.nitrokey.com))通过从运行电子邮件/网络邮件客户端的设备(手机、平板电脑、计算机等)接收加密的电子邮件信息来工作。 然后,该信息被智能卡解密,解密后的内容被送回设备。 + +在智能卡上进行解密是很有利的,这样可以避免将你的私钥暴露给某个被攻破的设备。 + +## 电子邮件元数据概述 + +电子邮件元数据存储在电子邮件的 [信息标题](https://en.wikipedia.org/wiki/Email#Message_header) ,包括一些你可能已经看到的可见标题,如: `To`, `From`, `Cc`, `Date`, `Subject`。 许多电子邮件客户和供应商还包括一些隐藏的标题,可以揭示有关你的账户的信息。 + +客户端软件可以使用电子邮件元数据来显示信息来自谁,以及什么时间收到的。 服务器可能使用它来确定电子邮件必须发送到哪里,其中还有一些不那么透明的 [其他目的](https://en.wikipedia.org/wiki/Email#Message_header) 。 + +### 谁可以查看电子邮件元数据? 
+ +电子邮件元数据通过 [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) ,保护其不受外界观察者的影响,但它仍然能够被你的电子邮件客户端软件(或网络邮件)和任何将你的信息转发给任何收件人(包括你的电子邮件供应商)的服务器看到。 有时,电子邮件服务器也会使用第三方服务来防止垃圾邮件,这些服务一般也能接触到你的邮件。 + +### 为什么元数据不能被端到端加密? + +电子邮件元数据对于电子邮件最基本的功能(它从哪里来,又要到哪里去)至关重要。 E2EE最初没有内置于电子邮件协议中,而是需要像OpenPGP这样的附加软件。 因为OpenPGP信息仍然要与传统的电子邮件供应商合作,它不能对电子邮件元数据进行加密,只能对信息主体本身进行加密。 这意味着,即使使用OpenPGP,外部观察者也可以看到你的信息的很多信息,如你给谁发电子邮件,主题行,你什么时候发电子邮件,等等。 + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/basics/multi-factor-authentication.md b/i18n/zh/basics/multi-factor-authentication.md new file mode 100644 index 00000000..b97df59a --- /dev/null +++ b/i18n/zh/basics/multi-factor-authentication.md 
@@ -0,0 +1,166 @@ +--- +title: "多因认证" +icon: '资料/双因认证' +--- + +**多因素认证** 是一种安全机制,除了输入用户名(或电子邮件)和密码外,还需要其他步骤。 最常见的方法可能是你需要从短信或应用程序中收到限时代码。 + +通常,如果黑客(或对手)能够找出您的密码,那么他们就能够访问密码所属的帐户。 有MFA的账户迫使黑客同时拥有密码(你 *知道*的东西)和你的设备(你 *拥有*的东西),比如你的手机。 + +MFA方法的安全性各不相同,但都是基于同样的前提:攻击者越是难以攻破的MFA方法,就越好。 举例说来,MFA方法(按由弱到强的顺序)包括短信、电子邮件代码、应用程序推送通知、TOTP、Yubico OTP和FIDO。 + +## MFA方法的比较 + +### 短信或电子邮件MFA + +通过短信或电子邮件接收OTP代码这种MFA方法保护帐户的力度比较弱。 通过电子邮件或短信获取代码会破坏掉“你 *拥有*”这个理念, 因为黑客可以通过各种方式 [接管您的电话号码](https://en.wikipedia.org/wiki/SIM_swap_scam) 或者获得您的电子邮件访问权限,而根本不需要实际访问您的设备。 如果一个未经授权的人得以进入你的电子邮箱,他们将能够重设你的密码并且获得验证码,这会让他们完全掌控你的账户。 + +### 推送通知 + +推送通知进行MFA的形式是向你手机上的应用程序发送一条信息,要求你确认新账户的登录。 这种方法比短信或电子邮件好得多,因为如果没有已经登录的设备,攻击者通常无法获得这些推送通知,这意味着他们需要先攻破你的其他设备之一。 + +我们都会犯错,您有可能会不小心地接受登录尝试。 推送通知登录授权通常一次发送至您 *所有* 的设备,如果您有许多设备,会扩大MFA代码的可用性。 + +推送通知MFA的安全性既取决于应用程序的质量,也取决于服务组件以及你有多信任该应用程序的开发者。 安装这样一个应用程序可能也会要求你授予侵入性的权限,比如允许访问你设备上的其他数据。 不同于好的TOTP生成器应用程序,个别应用程序还需要你为每项服务准备一个特定的应用程序,而且可能不需要密码就可以打开。 + +### 基于时间的一次性密码(TOTP)。 + +TOTP是目前最常见的MFA形式之一。 当你设置TOTP时,一般要求你扫描一个 [二维码](https://en.wikipedia.org/wiki/QR_code) ,与你打算使用的服务建立一个"[共享密钥](https://en.wikipedia.org/wiki/Shared_secret)" 。 共享密钥在身份验证器应用程序的数据中得到保护,有时还会受到密码保护。 + +然后,时限代码可以由共享密钥和当前时间派生。 由于代码只在很短的时间内有效,在无法获得共享密钥的情况下,对手无法生成新的代码。 + +如果你有一个支持TOTP的硬件安全密钥(如YubiKey与 [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)),我们建议你将 "共享密钥 "存储在硬件上。 YubiKey等硬件正是为了使 "共享密钥 "难以提取和复制而开发的。 YubiKey也没有连接到互联网,这与带有TOTP应用程序的手机不同。 + +与 [WebAuthn](#fido-fast-identity-online)不同,TOTP不提供对 [网络钓鱼](https://en.wikipedia.org/wiki/Phishing) 或重放攻击的保护。 如果对手从你那里获得一个有效的代码,他们可以随意使用,直到它过期(一般为60秒)。 + +对手可以建立一个网站来模仿官方服务,试图欺骗你提供你的用户名、密码和当前的TOTP代码。 如果对手随后使用这些记录下来的凭证,他们可能能够登录到真正的服务并劫持该账户。 + +虽然不完美,但TOTP对大多数人来说是足够安全的,即使不支持使用 [硬件安全密钥](/multi-factor-authentication/#hardware-security-keys) , 一个[认证器应用程序](/multi-factor-authentication/#authenticator-apps) 仍然是一个不错的选择。 + +### 硬件安全密钥 + +YubiKey将数据存储在防篡改的固态芯片上,如果不经过昂贵的实验室级别的取证程序,用非破坏性的方式是 [不可获取的](https://security.stackexchange.com/a/245772)。 + 
+这些密钥通常是多功能的,并提供许多验证方法。 以下是最常见的几种情况。 + +#### Yubico OTP + +Yubico OTP是一种通常在硬件安全密钥中实现的认证协议。 当你决定使用Yubico OTP时,密钥将产生一个公共ID、一个私人ID和一个密钥,然后上传到Yubico OTP服务器。 + +在登录网站时,你所需要做的就是用物理方式触摸安全钥匙。 安全键将模拟键盘,并将一次性密码打印到密码区。 + +然后,该服务将把一次性密码转发给Yubico OTP服务器进行验证。 在密钥和Yubico的验证服务器上都会递增计数器。 OTP只能使用一次,当认证成功后,计数器会增加,这可以防止OTP的重复使用。 Yubico提供了一份关于这个过程的 [详细文件](https://developers.yubico.com/OTP/OTPs_Explained.html) 。 + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +与TOTP相比,使用Yubico OTP有一些好处和坏处。 + +Yubico验证服务器是一个基于云的服务,你需要相信Yubico在安全地存储数据,而不是对你进行分析。 与Yubico OTP相关的公共ID在每个网站上都被复用,这可能有助于第三方对你进行行为素描。 与TOTP一样,Yubico OTP不提供防钓鱼功能。 + +如果你的威胁模型要求你为不同的网站准备不同的身份, **,不要** 在这些网站上使用有相同的硬件安全密钥的Yubico OTP,因为每个安全密钥具有唯一的公共ID。 + +#### FIDO(快速在线身份认证) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) 包括许多标准,首先是U2F,后来是 [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) ,其中包括web标准 [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn)。 + +U2F和FIDO2指的是 [客户端到验证器协议](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol),这是安全密钥和计算机(如笔记本电脑或手机)之间的协议。 它带有WebAuthn作为补充,WebAuthn是用来对你试图登录的网站("信赖方")进行认证的组件。 + +WebAuthn是第二因素身份验证中的最安全、最私密的形式。 虽然身份验证体验类似于Yubico OTP ,但密钥不会打印一次性密码并使用第三方服务器进行验证。 相反,它使用 [公钥加密技术](https://en.wikipedia.org/wiki/Public-key_cryptography) 进行认证。 + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +当你创建一个账户时,公钥被发送到该服务,然后当你登录时,该服务将要求你用你的私钥 "签署 "一些数据。 这样做的好处是,服务中没有存储任何密码数据,因此没有任何东西可供对手窃取。 + +这个演示文稿讨论了密码身份验证的历史、隐患(如密码复用)以及FIDO2和 [WebAuthn](https://webauthn.guide) 标准的相关内容。 + +
+ +
+ +与任何MFA方法相比, FIDO2和WebAuthn都具有更加卓越的安全性和隐私性。 + +通常对于web服务,使用的WebAuthn是 [W3C建议](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC))的一部分。 它使用公钥身份验证,比Yubico OTP和TOTP方法中使用的共享密文更安全,因为它包括身份验证期间的来源名称(通常是域名)。 提供认证是为了保护您免受网络钓鱼攻击,因为它可以帮助您确定您使用的是真实的服务,而不是伪造的副本。 + +与Yubico OTP不同, WebAuthn不使用任何公共ID ,因此密钥 **不能** 在不同的网站之间被识别。 它也不使用任何第三方云服务器进行认证。 所有的通信都是在钥匙和你正在登录的网站之间完成的。 FIDO还有会在使用时递增的计数器,以防止会话复用和密钥克隆。 + +如果一个网站或服务支持WebAuthn的认证,强烈建议你使用它而不是任何其他形式的MFA。 + +## 一般建议 + +我们提出以下一般性建议: + +### 我应该选择哪种方法? + +当配置你的MFA方法时,请记住,它的安全程度只相当于你所用的最弱的那种方法。 这意味着您必须仅使用最佳的MFA方法。 例如,如果你已经在使用TOTP,你应该禁用电子邮件和短信MFA。 如果你已经在用FIDO2/WebAuthn,就不应该再在你的账户上同时使用Yubico OTP或TOTP。 + +### 备份 + +你应该始终为你的MFA方法准备备份。 硬件安全钥匙可能会丢失、被盗或仅仅是随着时间的推移停止工作。 建议你准备一对而不是仅一个硬件安全钥匙,它们要对你的账户有相同的访问权限。 + +当使用TOTP和验证器应用程序时,请确保备份您的恢复密钥或应用程序本身,或将 "共享密文"复制到不同手机上的另一个应用程序实例或加密容器中(例如 [VeraCrypt](../encryption.md#veracrypt))。 + +### 初始设置 + +购买安全密钥时,请务必更改默认凭据,为密钥设置密码保护,并在密钥支持时启用触摸确认。 像YubiKey这样的产品有多个接口,每个接口都有独立的证书,所以你应该去检查每个接口,并为它们全都设置保护。 + +### 电子邮件和短信 + +如果你必须使用电子邮件进行MFA,请确保电子邮件账户本身有适当的MFA方法来保护。 + +如果您使用短信MFA ,请使用那些不允许未经授权的电话号码切换的运营商,或使用提供类似安全性的专用VoIP号码,以避免 [SIM交换攻击](https://en.wikipedia.org/wiki/SIM_swap_scam)。 + +[我们推荐的MFA工具](../multi-factor-authentication.md ""){.md-button} + +## MFA适用的更多场合 + +除了保护你的网站登录之外,多因素认证还可以用来保护你的本地登录、SSH密钥甚至是密码数据库。 + +### Windows 系统 + +Yubico有一个专用的 [凭据提供程序](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) ,为本地Windows帐户的用户名+密码登录流程添加质询-响应身份验证步骤。 如果你有一个支持质询-响应验证的YubiKey, 请看 [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), 该指南允许您在Windows计算机上设置MFA + +### mac系统 + +macOS [原生支持](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) 使用智能卡(PIV)进行认证。 如果你有一张支持PIV接口的智能卡或硬件安全钥匙,如YubiKey,我们建议你按照你的智能卡/硬件安全供应商的文档,为你的macOS电脑设置第二要素认证。 + +Yubico有一个指南 [在macOS中把YubiKey作为智能卡使用](https://support.yubico.com/hc/en-us/articles/360016649059) 
,可以帮助你在macOS上设置YubiKey。 + +设置智能卡/安全密钥后,我们建议在终端中运行此命令: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +该命令将阻止对手在计算机启动时绕过MFA。 + +### Linux系统 + +!!! 推荐 + + 如果你的系统的主机名改变了(如由于DHCP的原因),你将无法登录。 在遵循本指南之前,为您的计算机设置正确的主机名至关重要。 + +Linux上的 `pam_u2f` 模块可以在大多数流行的Linux发行版上为登录提供双因素认证。 如果你有一个支持U2F的硬件安全密钥,你可以为你的登录设置MFA认证。 Yubico有一个指南 [Ubuntu Linux登录指南 - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) ,它应该适用于任何发行版。 然而,软件包管理器的命令--如 `apt-get`--和软件包名称可能不同。 本指南 **不** 适用于Qubes OS。 + +### Qubes操作系统 + +Qubes OS支持使用YubiKeys进行质询-响应身份验证。 如果您有一个支持质询-响应身份验证的YubiKey,如果您想在Qubes OS上设置MFA,请查看Qubes OS的 [YubiKey文档](https://www.qubes-os.org/doc/yubikey/)。 + +### SSH + +#### 硬件安全密钥 + +可以用多种不同的流行的硬件安全密钥验证方法来设置SSH MFA。 我们建议你查看Yubico的 [文档](https://developers.yubico.com/SSH/) 了解如何设置。 + +#### 基于时间的一次性密码(TOTP)。 + +SSH MFA也可以使用TOTP进行设置。 DigitalOcean提供了一个教程 [如何在Ubuntu 20.04上为SSH设置多因素认证](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04)。 无论哪个发行版,大多数东西都应该是一样的,但是软件包管理器命令--例如 `apt-get`--和软件包名称可能不同。 + +### KeePass (和KeePassXC) + +KeePass和KeePassXC数据库可以使用质询响应或HOTP作为第二因素身份验证进行保护。 Yubico为KeePass提供了一份文件 [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) ,在 [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) 网站上也有一份。 + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/basics/passwords-overview.md b/i18n/zh/basics/passwords-overview.md new file mode 100644 index 00000000..dad28d69 --- /dev/null +++ b/i18n/zh/basics/passwords-overview.md 
@@ -0,0 +1,112 @@ +--- +title: "密码简介" +icon: 'material/form-textbox-password' +--- + +密码是我们日常数字生活的重要组成部分。 我们用它们来保护我们的账户、我们的设备和我们的秘密。 尽管密码可能是挡在觊觎我们私人信息的对手前的唯一屏障,但人们并没有在密码上花很多心思,这往往导致使用的密码很容易被猜出或被破解。 + +## 最佳实践 + +### 为每项服务使用独立的密码 + +想象一下;你用同一个电子邮件和相同的密码在 注册了多个在线服务的账户。 只要这些服务提供商有一个是恶意的,或者他们的服务出现数据泄露,使你的密码以明文形式暴露出来,那么坏人只需要在多个流行的服务中尝试这个电子邮件和密码的组合,就能得手。 密码有多强根本不重要,因为那个密码他们已经拿到了。 + +这被称为[凭据填充](https://en.wikipedia.org/wiki/Credential_stuffing), 这也是坏人攻破你帐户的最常见方式之一。 为了避免这种情况,确保你从不复用你的密码。 + +### 使用随机生成的密码 + +==你 **绝不**应该依靠自己去想出一个好密码 == 我们建议使用[随机生成的密码](#passwords) 或者 [diceware短语](#diceware) ,它们的熵值需要足够大,才能保护你的帐户和设备。 + +所有我们 [推荐的密码管理器](../passwords.md) 都有一个你可以使用的内置密码生成器。 + +### 轮换密码 + +除非你有理由相信它已被泄露,否则应避免过于频繁地更改你必须记住的密码(比如密码管理器的主密码),因为过于频繁地更改密码提高了你忘记密码的风险。 + +而那些你不需要记住的密码(如存储在密码管理器内的密码),如果你的 [威胁模型](threat-modeling.md) 有需求,我们建议每隔几个月对重要账户(尤其是不使用多因认证的账户)进行检查并更改其密码,以防它们在尚未公开的数据泄露事件中被泄露。 大多数密码管理器允许你为你的密码设置一个到期日,使之更容易管理。 + +!!! 提示 "检查数据泄露情况" + + 如果你的密码管理器允许你检查被泄露的密码,请确保这样做,并及时更改任何可能在数据泄露中被泄露的密码。 你还可以在[新闻聚合器](.../news-aggregators.md)的帮助下关注[Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches)。 + +## 创建强密码 + +### 密码 + +很多服务在涉及到密码时都有一定的标准,包括最小或最大长度,以及可以使用哪些特殊字符(如果有的话)。 你应该使用你的密码管理器的内置密码生成器,通过包括大写和小写字母、数字和特殊字符,创建当前服务所允许的尽可能长和复杂的密码。 + +如果你需要一个可以记住的密码,我们推荐[diceware口令](#diceware)。 + +### Diceware口令 + +Diceware是一种创建密码的方法,这种密码容易记忆,但很难猜到。 + +当你需要记忆或手动输入你的凭证时,Diceware口令是一个很好的选择,例如,你的密码管理器的主密码或你的设备的加密密码。 + +一个diceware口令的例子是`viewable fastness reluctant squishy seventeen shown pencil`. + +要使用真正的骰子生成一个diceware口令,请遵循以下步骤。 + +!!! note + + 这里的说明步骤假定你使用[EFF的大型词汇表](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt)来生成口令,每个词需要掷五个骰子。 其他词表可能需要更多或更少的回合,也可能需要不同数量的词来实现相同的熵值。 + +1. 掷一个六面体的骰子五次,每次掷完都记下数字。 + +2. 举个例子,假设你掷出 `2-5-2-6-6`。 通过 [EFF的大词表](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) ,寻找与 `25266`相对应的词。 + +3. 你可以得到这个词 `encrypt` 把这个词写下来。 + +4. 重复这个过程,直到你的口令有你所需要的字数,你应该用空格来分隔每个词。 + +!!! 
警告 “重要” + + 你**不**应该重新生成单词,来得到一个吸引你的单词组合。 这个过程应该是完全随机的。 + +如果你没有或者不愿意使用真正的骰子,你可以使用你的密码管理器的内置密码生成器,因为除了常规密码之外,大多数密码管理器都有生成骰子密码的选项。 + +我们建议使用 [EFF的大型词表](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) ,以生成你的二维码密码,因为它提供了与原始列表完全相同的安全性,同时包含更容易记忆的单词。 There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? 注:"解释熵和二维码密码的强度" + + 为了演示diceware密码短语有多强,我们将使用前面提到的七个单词密码短语`'viewable fastness,squishy seventeen showed pencil'`和[EFF的大单词列表](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt)为例。 + + 确定双关口令强度的一个指标是它的熵值有多少。 双关口令中每个字的熵计算为$\text{log}_2(\text{WordsInList})$,口令的整体熵计算为$\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$。 + + 因此,上述列表中的每个词都会产生~12.9比特的熵($\text{log}_2(7776)$),而由它衍生出的七个词的口令有~90.47比特的熵($\text{log}_2(7776^7)$)。 + + [EFF的大词表](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt)包含7776个独特的词。 要计算可能的口令数量,我们所要做的就是$\text{WordsInList}^\text{WordsInPhrase}$,或者在我们的例子中,$7776^7$。 + + 让我们换一个角度来看:使用[EFF 's large wordlist] ( https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt )的七个单词密码是~ 1,719,070,799,748,422,500,000,000,000个可能的密码之一。 + + 平均而言,需要尝试所有可能的组合中的50%来猜测你的短语。 考虑到这一点,即使你的对手每秒能够猜出1,000,000,000,000次,他们仍然需要27,255,689年才能猜出你的口令。 即使以下情况属实,情况也是如此: + + - 你的对手知道你使用了diceware方法。 + - 你的对手知道你使用的具体词表。 + - 你的对手知道你的口令包含多少个字。 + +总而言之,当你需要一些既容易记住 *,又特别强大的* ,Diceware密码是你最好的选择。 + +## 存储密码 + +### 生产力工具 + +存储密码的最佳方式是使用密码管理器。 它们允许你将密码存储在文件或云中,并以单一的主密码保护它们。 这样一来,你只需记住一个强密码,就可以访问其余的密码。 + +有许多好的选择,包括基于云的和本地的。 选择我们推荐的密码管理器之一,并使用它在你的所有账户中建立强大的密码。 我们建议用一个至少由七个词组成的 [diceware](#diceware) 口令来保护你的密码管理器。 + +[推荐的密码管理器列表](../passwords.md ""){.md-button} + +!!! 
警告 "不要把你的密码和TOTP令牌放在同一个密码管理器中" + + 如果您将TOTP用作任何帐户的 [多因素身份验证](../multi-factor-authentication.md) 方法,请勿在密码管理器中存储这些令牌、它们的任何备份代码或TOTP秘密本身,那样会抵消掉多因认证的益处。 + + 你应该使用专门的[TOTP应用程序](.../multi-factor-authentication.md/#authenticator-apps)来代替。 + + 此外,我们不建议在您的密码管理器中存储用于一次性恢复的代码。 它们应当单独存储在,例如离线存储设备上的加密容器中。 + +### 备份 + +你应该在多个存储设备或云存储提供商上存储 [加密的](../encryption.md) 密码备份。 如果你的主要设备或你正在使用的服务发生意外,这可以帮助你访问你的密码。 + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/basics/threat-modeling.md b/i18n/zh/basics/threat-modeling.md new file mode 100644 index 00000000..1441cff5 --- /dev/null +++ b/i18n/zh/basics/threat-modeling.md 
@@ -0,0 +1,111 @@ +--- +title: "威胁模型" +icon: '资料/目标账户' +--- + +在安全、隐私和可用性之间取得平衡是你在隐私之路上面临的首要和最困难的任务之一。 每件事都是一种权衡:越是安全的东西,一般来说限制性越强或越不方便,等等。 人们经常会发现这些推荐的工具最大的问题就是太难于上手使用! + +如果你想使用**最安全**的工具,你就必须牺牲很多*的可用性*。 即使如此,==没有什么是完全安全的。== 有 **高度**安全 ,但从来没有**完全**安全。 这就是为什么威胁模型很重要。 + +**那么,威胁模型到底是什么?** + +==威胁模型是一份清单,列出那些对你的安全/隐私工作最有可能的威胁。== 由于不可能防御**每个**攻击(者),你应该把重点放在 **最有可能的** 威胁上。 在计算机安全方面,威胁是指可能破坏你保持隐私和安全的努力的事件。 + +专注于与你有关的威胁,缩小你对所需保护的思考范围,这样你就可以选择适合工作的工具。 + +## 创建你的威胁模型 + +为了确定你所珍视的东西可能发生什么,并确定你需要从谁那里保护它们,你应该回答这五个问题。 + +1. 我想保护什么? +2. 我想保护它免受谁的伤害? +3. 它有多大的可能性需要保护? +4. 如果我失败了,后果有多严重? +5. 我愿意付出多少代价来防止这些潜在的后果? + +### 我想保护什么? + +一个 "资产 "是你重视并想保护的东西。 在数字安全方面, ==一项资产通常是某种信息。== 例如,你的电子邮件、联系人名单、即时消息、位置和文件都是可能的资产。 你的设备本身也可能是资产。 + +*列出你的资产清单:你保存的数据,它被保存在哪里,谁可以访问它,以及有什么东西可以阻止其他人访问。* + +### 我想保护它免受谁的伤害? + +要回答这个问题,重要的是要确定你或你的信息可能是谁的目标。 ==对您的资产构成威胁的个人或实体就是"对手"。==举例来说对手可能有你的老板,你的前合伙人,你的商业竞争对手,你的政府或公共网络上的黑客。 + +*列出一份名单,包含你的对手或那些可能想要掌握你的资产的人。 你的名单可能包括个人、政府机构或公司。* + +根据你的对手是谁,在某些情况下,这份名单你可能需要在完成安全规划后把它销毁。 + +### 它有多大的可能性需要保护? + +==风险是指对特定资产的特定威胁实际发生的可能性。==它与能力密不可分。 尽管你的手机运营商有获得你全部数据的能力,但他们把你的隐私数据发布到网上来损害你名誉的风险是很低的。 + +区分一件事情是否有可能发生和这件事情发生的概率是很重要的。 比如说,你的建筑物当然有可能面临倒塌的威胁,但是发生这一威胁的风险在旧金山 (地震频发) 比在斯德哥尔摩 (地震不频发) 要大得多。 + +评估风险既是一个个人的也是一个主观的过程。 许多人认为某些威胁是不可接受的,无论它们发生的可能性有多大,因为仅仅是威胁的存在就不值得付出代价。 在另一些情形下,如果威胁不值一提,即使风险再高人们也可能会忽略掉它们。 + +*写一下你认为哪些威胁是严重的,以及哪些太罕见或者太无足轻重(或者太难对付) 所以不必关注。* + +### 如果我失败了,后果有多严重? + +对手有很多方法来获取你的数据。 比如,对手可以通过网络读取你的私人通讯,或者可以删除或者破坏你的数据。 + +==对手们的动机大相径庭,他们的策略也各不相同。==为了阻止一个揭露警察暴力的视频的传播,政府可能只会简单地删除或者降低这个视频的可得性。 相比之下,一个政治对手可能想要在你不知情的情况下获取你的机密并公之于众。 + +安全规划还需要你考虑,假设对手成功获取到你的某项资产, 这所能够导致的最差结果是什么。 为了确定这一点,你应该考虑你的对手的能力。 例如,您的手机运营商能够获取你全部的通话记录。 一个开放Wi-Fi网络上的骇客能够获取你的未加密通讯。 你的政府可能拥有更强大的能力。 + +*写一下你的对手想要用你的私人数据做什么。* + +### 我愿意付出多少代价来防止这些潜在的后果? 
+ +==没有完美的安全选项。==每个人的优先级,关注点或者对资源的获取能力都不相同。 你的风险评估能够让你规划合适你自己的策略,在便捷,成本和隐私之间取得平衡。 + +比如说,一个国安案件当事人的代理律师,可能会愿意付出大得多的努力来保护案件有关的通讯,比如说使用加密邮箱;而一个通常只是给女儿发有趣的猫咪视频的母亲往往就不太愿意这么做。 + +*写下那些能够帮你减弱针对你的那些威胁的可行选项。 标注一下可能会存在的金融,技术或者社会方面的局限。* + +### 自己试一下:保护你的财物 + +这些问题可以适用于各种各样的情况,无论是线上还是线下。 作为这些问题的通用示范,让我们建立一个计划来保护你的房子和财产。 + +**我想保护什么? (或者, *你有什么值得保护的东西?*)** +: + +你的资产可能包括珠宝、电子产品、重要文件或照片。 + +**我想保护它免受谁的伤害?** +: + +你的对手可能包括窃贼、室友或客人。 + +**它需要我保护的可能性有多大?** +: + +你的社区是否有入室盗窃的历史? 你的室友或客人的可信度如何? 你的对手有哪些能力? 你应该考虑哪些风险? + +**如果我失败了,后果有多严重?** +: + +你的房子里有什么东西是无可替代的吗? 你有时间或金钱来更换这些东西吗? 你是否有为家中物品购买失窃险? + +**为了防止这些后果,你愿意付出多大的代价?** +: + +你愿意为敏感文件买一个保险箱吗? 你能买得起高质量的锁吗? 你有时间在当地银行开一个保险柜,把你的贵重物品放在那里吗? + +只有当你问过自己这些问题后,你才能评估要采取什么措施。 即使你的财物很值钱,如果破门而入的概率很低,那么你可能也不会在锁上投入太多的钱。 但是,如果破门而入的概率很高,你最好去买市面上最高质量的锁,并考虑增加一个安全系统。 + +制定安全计划将帮助你了解你所特有的威胁,并评估你的资产、对手们及其能力,还有你所面临的风险的可能性大小。 + +## 延伸阅读 + +对于希望增加网上隐私和安全的人来说,我们汇编了一份我们的访问者面临的常见威胁或访问者的目标的清单,以给你一些启发,并且展示了一些我们的基础建议。 + +- [常见的目标和威胁 :material-arrow-right-drop-circle:](common-threats.md) + +## 资料来源 + +- [EFF 监控自我防卫: 你的安全计划](https://ssd.eff.org/en/module/your-security-plan) + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/basics/vpn-overview.md b/i18n/zh/basics/vpn-overview.md new file mode 100644 index 00000000..44146179 --- /dev/null +++ b/i18n/zh/basics/vpn-overview.md 
@@ -0,0 +1,78 @@ +--- +title: VPN概述 +icon: 资料/vpn +--- + +虚拟专用网络是一种将你的网络末端延伸到世界其他地方的方式。 ISP可以看到进入和离开你的网络终端设备(即调制解调器)的互联网流量。 + +互联网上普遍使用HTTPS等加密协议,因此他们可能无法准确看到你所发布或阅读的内容,但他们可以了解到你所请求的 [域](dns-overview.md#why-shouldnt-i-use-encrypted-dns)。 + +VPN可以提供帮助,因为它可以将信任转移到世界其他地方的服务器上。 因此,ISP只看到你连接到了VPN,而对你传入的活动一无所知。 + +## 我应该使用VPN吗? + +**是的**,除非你已经在使用Tor。 VPN做两件事:将风险从你的互联网服务提供商转移到vpn本身,并从第三方服务中隐藏你的IP。 + +VPN不能对你的设备和VPN服务器之间连接之外的数据进行加密。 VPN供应商可以像你的ISP一样看到并修改你的流量。 而且,没有办法以任何方式验证VPN供应商的 "无记录 "政策。 + +然而,假如IP没有泄露,他们的确可以向第三方服务隐藏您的实际IP。 它们可以帮助您融入其他人并减轻基于IP的跟踪。 + +## 什么时候我不应该使用VPN? + +在你使用你的 [已知身份的情况下使用VPN,](common-threats.md#common-misconceptions) ,不太可能是有用的。 + +这样做可能会触发垃圾邮件和欺诈检测系统,例如,如果你要登录银行的网站。 + +## 那加密呢? + +VPN供应商提供的加密是在你的设备和他们的服务器之间。 它保证这个特定的链接是安全的。 这比使用未加密的代理更上一层楼,因为网络上的对手可以截获你的设备和上述代理之间的通信,并修改它们。 然而,你的应用程序或浏览器与服务提供商之间的加密并不由这种加密处理。 + +为了保持你在你访问的网站上的实际操作的私密性和安全性,你必须使用HTTPS。 这将使你的密码、会话令牌和查询不被VPN供应商发现。 考虑在你的浏览器中启用 "HTTPS everywhere",以减轻降级攻击,如 [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf)。 + +## 我是否应该使用带有VPN的加密DNS? + +除非你的VPN供应商托管加密的DNS服务器,否则 **,不要用**。 使用DOH/DOT(或任何其他形式的加密DNS)与第三方服务器将只是增加了更多的实体信任,对改善你的隐私/安全 **根本没用**。 你的VPN供应商仍然可以根据IP地址和其他方法看到你访问的网站。 你现在不是只信任你的VPN供应商,而是同时信任VPN供应商和DNS供应商。 + +推荐加密DNS的一个常见原因是,它有助于防止DNS欺骗。 然而,你的浏览器应该已经在检查 [TLS证书](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) 与 **HTTPS** ,并警告你。 如果你没有使用 **HTTPS**,那么对手仍然可以直接修改你的DNS查询以外的任何东西,最终结果将没有什么不同。 + +更不必说, **,你不应该共用Tor和加密DNS**。 这将把你所有的DNS请求定向到某个单一连接,并允许加密DNS提供商对你进行去匿名化。 + +## 我应该共用Tor *和* VPN吗? + +通过将Vpn与Tor一起使用,您基本上创建了一个永久的入口节点,而且还通常附有资金相关的跟踪线索。 这没有为你带来额外的好处,同时大大增加了连接的攻击面。 如果您希望向ISP或政府隐藏Tor使用情况, Tor有内置的解决方案: Tor桥。 [阅读更多关于Tor桥和为什么使用VPN是没有必要的](tor-overview.md)。 + +## 那如果我需要匿名呢? + +VPN不能提供匿名性。 你的VPN供应商仍然会看到你的真实IP地址,而且往往有一个可以直接关联到你的资金线索。 您不能依赖“无日志记录”策略来保护您的数据。 使用 [Tor](https://www.torproject.org/) 来代替。 + +## 提供Tor节点的VPN供应商怎么样? 
+ +不要使用该功能。 使用Tor的意义在于,你无需信任你的VPN供应商。 目前Tor只支持 [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) 协议。 [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (用于 [WebRTC](https://en.wikipedia.org/wiki/WebRTC) 音频和视频共享,新的[HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) 协议等), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) 和其他数据包将被丢弃。 为了弥补这一点,VPN供应商通常会将所有非TCP数据包通过其VPN服务器(你的第一跳)进行路由。 [ProtonVPN](https://protonvpn.com/support/tor-vpn/)就是这种情况。 此外,在使用这种Tor over VPN设置时, 您无法控制其他重要的Tor功能,例如 [目的地址隔离](https://www.whonix.org/wiki/Stream_Isolation) (对您访问的每个域名使用不同的Tor线路)。 + +该功能应被视为访问Tor网络的一种便捷方式,而不是为了保持匿名。 为了获得适当的匿名性,请使用Tor浏览器、TorSocks或Tor网关。 + +## VPN何时有用? + +VPN在各种情况下仍可能对您有用,例如: + +1. **仅仅** 向您的Internet服务提供商隐藏流量。 +1. 向你的ISP和反盗版组织隐藏你的下载(如torrent)。 +1. 向第三方网站和服务隐藏你的IP,防止基于IP的跟踪。 + +对于这样的情况,或者如果你有其他令人信服的理由,我们上面列出的VPN供应商是我们认为最值得信赖的人。 然而,使用VPN供应商仍然意味着你在 *信任* 该供应商。 几乎在任何其他情况下,你都应该使用一个**由设计保证的** 安全工具,如Tor。 + +## 资料来源及延伸阅读 + +1. [VPN -一个非常危险的叙事 ](https://schub.io/blog/2019/04/08/very-precarious-narrative.html)作者:丹尼斯·舒伯特( Dennis Schubert ) +1. [Tor网络概述](../advanced/tor-overview.md) +1. [IVPN隐私指南](https://www.ivpn.net/privacy-guides) +1. ["我需要一个VPN吗?"](https://www.doineedavpn.com)这是由IVPN开发的一个工具,通过帮助个人决定VPN是否适合他们,来挑战咄咄逼人的VPN营销。 + +## VPN的相关信息 + +- [VPN和隐私审查网站的问题](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [免费VPN应用调查](https://www.top10vpn.com/free-vpn-app-investigation/) +- [揭开隐蔽VPN所有者的面纱:101个VPN产品仅由23家公司运营](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [这家中国公司秘密地在24个流行的应用程序背后寻求危险的权限](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/calendar.md b/i18n/zh/calendar.md new file mode 100644 index 00000000..38b2df1b --- /dev/null +++ b/i18n/zh/calendar.md 
@@ -0,0 +1,69 @@ +--- +title: "VPN供应商" +icon: material/calendar +--- + +日历包含一些最敏感的数据;使用静态实现E2EE的产品,以防止提供商读取它们。 + +## Tutanota + +!!! recommendation + + ![Tutanota标志](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota标志](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota**在其支持的平台上提供免费和加密的日历。 功能包括:所有数据的自动E2EE,共享功能,导入/导出功能,多因素认证,以及 [more](https://tutanota.com/calendar-app-comparison/)。 + + 多个日历和扩展的共享功能仅限于付费用户。 + + [:octicons-home-16: 主页](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/faq#privacy-policy){ .card-link title="隐私政策" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=文档} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="源代码" } + [:octicons-heart-16:](https://tutanota.com/community){ .card-link title="贡献" } 下载 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar(Proton 日历) + +!!! 
recommendation + + ![Proton](aassets/img/calendar/proton-calendar.svg)}=right } + + **Proton Calendar** 是一个通过网络或移动客户提供给Proton成员的加密日历服务。 功能包括:所有数据的自动E2EE,共享功能,导入/导出功能,多因素认证,以及 [more](https://proton.me/support/proton-calendar-guide/)。 免费级别上的人可以使用单个日历,而付费用户可以创建多达20个日历。 扩展的分享功能也仅限于付费用户。 + + [:octicons-home-16: 主页](https://grapheneos.org/){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://proton.me/support/proton-calendar-guide#privacy-policy){ .card-link title="隐私政策" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=文档} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="源代码" } + [](){ .card-link title="贡献" } 下载 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- 必须与E2EE同步并存储信息,以确保数据对服务提供者不可见。 + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- 如果适用的话,应该与本地操作系统的日历和联系人管理应用程序集成。 + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/cloud.md b/i18n/zh/cloud.md new file mode 100644 index 00000000..c2879832 --- /dev/null +++ b/i18n/zh/cloud.md 
@@ -0,0 +1,62 @@ +--- +title: "路由器固件" +icon: material/file-cloud +--- + +许多云存储供应商需要你完全信任他们不会查看你的文件。 下面列出的替代方案通过让你控制你的数据或通过实施E2EE来消除对信任的需求。 + +如果这些替代品不能满足你的需求,我们建议你看看 [加密软件](encryption.md)。 + +??? 问题 "寻找Nextcloud?" + + Nextcloud是[仍然是一个推荐的工具](生产力.md),用于自我托管文件管理套件,然而我们目前不推荐第三方Nextcloud存储提供商,因为我们不推荐家庭用户使用Nextcloud的内置E2EE功能。 + +## Proton Drive(Proton 云盘) + +!!! recommendation + + ![Proton Drive徽标](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** 是由流行的加密电子邮件提供商 [Proton Mail](https://proton.me/mail) 提供的E2EE通用文件存储服务。 + + [:octicons-home-16: 主页](https://grapheneos.org/){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://proton.me/support/drive#privacy-policy){ .card-link title="隐私政策" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=文档} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="源代码" } + [](){ .card-link title="贡献" } 下载 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: Web](https://apps.apple.com/app/id1509667851) + +Proton Drive的移动客户端于2022年12月发布,目前尚未开源。 Proton公司历来将他们的源代码发布时间推迟到初始产品发布之后, [,计划在2023年底之前](https://www.reddit.com/r/ProtonDrive/comments/zf14i8/comment/izdwmme/?utm_source=share&utm_medium=web2x&context=3) ,发布源代码。 Proton Drive桌面客户端仍在开发中。 + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. 
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- 使用端到端加密 +- 必须提供免费计划或试用期进行测试。 +- 必须支持TOTP或FIDO2多因素认证,或Passkey登录。 +- 必须提供一个支持基本文件管理功能的网络界面。 +- 必须允许所有文件/文档的轻松导出。 +- 必须使用标准的、经过审计的加密技术。 + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- 客户端应是开源的。 +- 客户端应由独立的第三方对其进行全面的审计。 +- 应提供Linux、Android、Windows、macOS和iOS的本地客户端。 + - 这些客户端应该与云存储供应商的本地操作系统工具集成,如iOS上的Files应用集成,或Android上的DocumentsProvider功能。 +- 应支持与其他用户轻松分享文件。 +- 应在网络界面上至少提供基本的文件预览和编辑功能。 + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/data-redaction.md b/i18n/zh/data-redaction.md new file mode 100644 index 00000000..23558533 --- /dev/null +++ b/i18n/zh/data-redaction.md 
@@ -0,0 +1,146 @@ +--- +title: "日历/联系人同步" +icon: material/tag-remove +--- + +共享文件时,请务必删除关联的元数据。 图像文件通常包括 [Exif](https://en.wikipedia.org/wiki/Exif) 数据。 照片有时甚至包括文件元数据中的GPS坐标。 + +## 电脑版 + +### MAT2 + +!!! recommendation + + ![MAT2标志](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2**是免费软件,它允许从图像、音频、洪流和文件类型中删除元数据。 [KDE]它通过[Nautilus的扩展](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus)提供命令行工具和图形用户界面, [GNOME](https://www.gnome.org)的默认文件管理器和 [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin)的默认文件管理器(https://kde.org)。 + + 在Linux上,存在一个由MAT2驱动的第三方图形工具[Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner),并[在Flathub上提供](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner)。 + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title="文档"} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="源代码" } 。 + + ??? 下载 + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Android + +### ExifEraser (安卓系统) + +!!! recommendation + + ![ExifEraser标志](assets/img/data-redaction/exiferaser.svg) { align=right } + + **ExifEraser**是一个现代的、无权限的图像元数据删除应用程序,适用于Android。 + + 它目前支持JPEG、PNG和WebP文件。 + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="源代码" } + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title=贡献 } + + ??? 
下载 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +被删除的元数据取决于图像的文件类型。 + +* **JPEG**: ICC Profile、Exif、Photoshop Image Resources和XMP/ExtendedXMP元数据如果存在,将被删除。 +* **PNG**:ICC Profile、Exif和XMP元数据如果存在,将被删除。 +* **WebP**:ICC Profile、Exif和XMP元数据如果存在,将被删除。 + +在处理完图像后,ExifEraser会向你提供一份完整的报告,说明每张图像中到底有哪些被删除。 + +该应用程序提供多种方法来消除图像中的元数据。 名称: + +* 你可以用ExifEraser分享另一个应用程序的图像。 +* 通过应用程序本身,你可以选择一张图片,一次选择多张图片,甚至是整个目录。 +* 它有一个 "相机 "选项,它使用你的操作系统的相机应用程序来拍摄照片,然后它将元数据从照片中删除。 +* 它允许你将照片从另一个应用程序拖入ExifEraser,当它们都以分屏模式打开时。 +* 最后,它允许你从剪贴板上粘贴图片。 + +### Metapho (iOS) + +!!! recommendation + + ![Metapho标志](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho**是一个简单而干净的照片元数据查看器,如日期、文件名、大小、相机型号、快门速度和位置。 + + [:octicons-home-16: 首页](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="隐私政策" } 。 + + ??? 下载 + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur标志](assets/img/data-redaction/privacyblur.svg) { align=right } + + **PrivacyBlur**是一个免费的应用程序,它可以在网上分享之前模糊图片的敏感部分。 + + [:octicons-home-16: 主页](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="隐私政策" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=文档} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="源代码" } + + ??? 下载 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: Web](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! 
推荐 + + 您应该* *从不* *使用模糊来编辑[图片中的文本](https://bishopfox.com/blog/unredacter-tool-never-pixelation)。 如果你想编辑图像中的文本,在文本上画一个方框。 为此,我们建议使用[Pocket Paint](https://github.com/Catrobat/Paintroid)等应用程序。 + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool标志](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool**是原始的perl库和命令行应用程序,用于读取、写入和编辑各种文件格式(JPEG、TIFF、PNG、PDF、RAW等)的元信息(Exif、IPTC、XMP等)。 + + 它通常是其他Exif删除应用程序的一个组成部分,并且在大多数Linux发行库中。 + + [:octicons-home-16: 主页](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=文档} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="源代码" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title="贡献" } + + ??? 下载 + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! 例子 "从一个文件目录中删除数据" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. 
+ +- 为开源操作系统开发的应用程序必须是开源的。 +- 应用程序必须是免费的,不应包括广告或其他限制。 + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/desktop-browsers.md b/i18n/zh/desktop-browsers.md new file mode 100644 index 00000000..5fb4406c --- /dev/null +++ b/i18n/zh/desktop-browsers.md @@ -0,0 +1,312 @@ +--- +title: "电脑浏览器" +icon: material/laptop +--- + +这些是我们目前推荐的用于标准/非匿名浏览的桌面网络浏览器和配置。 如果您需要匿名浏览互联网,则应使用 [Tor](tor.md) 。 一般来说,我们建议尽量减少你的浏览器扩展;它们在你的浏览器内有特权访问,需要你信任开发者,可以使你 [,突出](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint),并且 [,削弱](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) 网站隔离。 + +## Firefox(火狐浏览器) + +!!! recommendation + + ![火狐标志](assets/img/browsers/firefox.svg){ align=right } + + **火狐浏览器**提供强大的隐私设置,如[增强型跟踪保护](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop),它可以帮助阻止各种[类型的跟踪](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks)。 + + [:octicons-home-16: 主页](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="隐私政策" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=文档} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="源代码" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title="贡献" } + + ??? 下载 + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! 警告 + Firefox在从Mozilla网站的下载中包括一个独特的 [下载令牌](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) ,并使用Firefox中的遥测技术来发送该令牌。 该令牌是 **,不包括在 [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/)的版本中。

+ +### 推荐配置 + +Tor浏览器是匿名浏览互联网的唯一途径。 当你使用火狐浏览器时,我们建议改变以下设置,以保护你的隐私不受某些方面的影响,但除了 [Tor浏览器](tor.md#tor-browser) ,其他所有的浏览器都会被 *有人* ,在某些方面可以追踪。 + +这些选项可以在 :material-menu: → **设置** → **隐私 & 安全**中找到。 + +##### 增强跟踪保护 + +- [x] 选择 **严格的** 增强跟踪保护 + +这可以通过阻止社交媒体追踪器、指纹脚本(注意,这并不能保护你 *所有* 指纹)、加密器、跨网站追踪cookies和其他一些追踪内容来保护你。 ETP可以防止许多常见的威胁,但它并不阻止所有的跟踪途径,因为它的设计对网站的可用性影响最小甚至没有影响。 + +##### 关闭时消毒 + +如果你想在特定的网站上保持登录状态,你可以在 **Cookies和网站数据** → **管理例外情况中允许例外。** + +- [x] 勾选 **当Firefox关闭时,删除cookies和网站数据** + +这可以保护您免受持久性cookies的影响,但不能保护您免受在任何一个浏览会话中获得的cookies的影响。 启用该功能后,只需重新启动火狐浏览器,就可以轻松清理浏览器的cookies。 如果你希望在你经常访问的特定网站上保持登录状态,你可以在每个网站的基础上设置例外。 + +##### 搜索建议 + +- [ ] 取消勾选 **提供搜索建议** + +搜索建议功能可能在你的地区无法使用。 + +搜索建议将你在地址栏中输入的所有内容发送到默认的搜索引擎,而不管你是否提交了实际的搜索。 禁用搜索建议可以让你更精确地控制你向搜索引擎供应商发送的数据。 + +##### 遥测 + +- [ ] 取消勾选 **允许火狐浏览器向Mozilla发送技术和互动数据** +- [ ] 取消勾选 **允许Firefox安装和运行研究** +- [ ] 取消勾选 **允许火狐代表您发送积压的崩溃报告** + +> 火狐浏览器会向我们发送有关您的火狐浏览器版本和语言、设备操作系统和硬件配置、内存、有关崩溃和错误的基本信息以及更新、安全浏览和激活等自动处理结果的数据。 当火狐浏览器向我们发送数据时,您的IP地址会被暂时收集,作为我们服务器日志的一部分。 + +此外,火狐账户服务还收集 [一些技术数据](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts)。 如果你使用Firefox账户,你可以选择退出。 + +1. 
在 accounts.firefox.com上打开你的 + +配置文件设置。 + + 2 取消勾选 **数据收集和使用** > **帮助改进火狐账户** + + + +##### HTTPS-Only 模式 + +- [x] 选择 **启用所有窗口的纯HTTPS-Only模式** + +这可以防止你无意中以纯文本的HTTP方式连接到一个网站。 现在没有HTTPS的网站已经不多见了,所以这对你的日常浏览应该没有什么影响。 + + + +### 火狐同步 + +[火狐浏览器同步](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) ,使您的浏览数据(历史记录、书签等)可以在您的所有设备上访问,并通过E2EE进行保护。 + + + +### Arkenfox (advanced) + +[Arkenfox项目](https://github.com/arkenfox/user.js) ,为Firefox提供了一套精心考虑的选项。 如果你 [决定](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) 使用Arkenfox,有几个 [选项](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) 是主观严格的和/或可能导致一些网站不能正常工作-- [,你可以很容易地改变](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) 以满足你的需要。 我们 **,强烈建议** ,阅读其完整的 [wiki](https://github.com/arkenfox/user.js/wiki)。 Arkenfox还能支持 [容器](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users)。 + + + +## Brave + +!!! recommendation + + ![Brave标识](assets/img/browsers/brave.svg){ align=right } + + **Brave浏览器**包括一个内置的内容拦截器和[隐私功能](https://brave.com/privacy-features/),其中许多功能都是默认启用的。 + + Brave是建立在Chromium网络浏览器项目之上的,所以它应该有熟悉的感觉,而且网站兼容性问题最小。 + + [:octicons-home-16: 首页](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="洋葱服务" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="隐私政策" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title="文档"} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="源代码" } + + ??? 下载注释 + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + + 1. 
我们建议不要使用Flatpak版本的Brave,因为它用Flatpak的沙箱代替了Chromium的沙箱,效果较差。 此外,该软件包并非由Brave Software, Inc.维护。 + + + +### 推荐配置 + +Tor浏览器是匿名浏览互联网的唯一途径。 当您使用Brave时,我们建议您更改以下设置,以保护您的隐私不受某些方的侵害,但除了 [Tor浏览器](tor.md#tor-browser) 之外的所有浏览器都可以在某些方面被 *个人* 追踪。 + +这些选项可以在 :material-menu: → **设置**中找到。 + + + +##### 盾 + +Brave在其 [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) 功能中包括一些防指纹的措施。 我们建议将这些选项配置为 [,在你访问的所有页面上全局](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-)。 + +Shields的选项可以根据需要在每个站点的基础上进行降级,但在默认情况下,我们建议设置以下内容。 + +
+ +- [x] 选择**防止网站根据我的语言偏好对我进行指纹识别** +- [x] 选择跟踪器和广告拦截下的**攻击性** + +?? warning "Use default filter lists" + Brave允许你在内部`brave://adblock`页面中选择额外的内容过滤器。 我们建议不要使用这个功能;相反,保留默认的过滤列表。 使用额外的列表会使你从其他Brave用户中脱颖而出,如果Brave中存在漏洞,恶意规则被添加到你使用的列表中,也可能增加攻击面。 + +- [x] (可选)选择**屏蔽脚本**(1) +- [x] 在屏蔽指纹下选择**严格的,可能会破坏网站**。 + +
+ +1. 该选项提供的功能类似于uBlock Origin的高级 [阻止模式](https://github.com/gorhill/uBlock/wiki/Blocking-mode) 或 [NoScript](https://noscript.net/) 扩展。 + + + +##### 社交媒体图标 + +- [ ] 取消勾选所有社交媒体组件 + + + +##### 隐私和安全 + +
+ +- [x] 在[WebRTC IP处理策略]下选择**禁用非代理的UDP**(https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] 取消勾选 **使用谷歌服务推送消息** +- [ ] 取消勾选 **允许保留隐私的产品分析(P3A)** +- [ ] 取消勾选 **自动向Brave发送每日使用情况的Ping***。[] 取消勾选 **自动向Brave发送每日使用情况的ping** +- [] 取消勾选 **自动发送诊断报告** +- [x] 在**安全**菜单中选择 **始终使用安全连接** +- [] 取消勾选 **使用Tor的私人窗口** (1) + + !!! 提示 "关闭时消毒 " + - [x] 在*Cookies和其他网站数据*菜单中选择**关闭所有窗口时清除cookies和网站数据** + + 如果你希望在你经常访问的特定网站上保持登录状态,你可以在*自定义行为*部分中按网站设置例外。 + +
+ +1. Brave是 **,而不是** ,对指纹的抵抗力不如Tor浏览器,而且使用Brave和Tor的人要少得多,所以你会脱颖而出。 在需要强大的匿名性的地方 [](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) ,使用 [Tor浏览器](tor.md#tor-browser)。 + + + +##### 扩展程序 + +在 **Extensions**,禁用你不使用的内置扩展程序。 + +- [ ] 取消勾选 **Hangouts** +- [] 取消勾选 **WebTorrent** + + + +##### IPFS(星际文件系统) + +InterPlanetary File System(IPFS)是一个分散的、点对点的网络,用于在分布式文件系统中存储和共享数据。 除非你使用该功能,否则禁用它。 + +- [x] 在解决IPFS资源的方法上选择 **禁用** + + + +##### 附加设置 + +在 *系统* 菜单下 + +
+ +- [] 取消勾选**当Brave关闭时继续运行的应用程序**以禁用后台应用程序 (1) + +
+ +1. 这个选项并不存在于所有平台上。 + + + +### Brave 同步 + +[Brave 同步](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) 允许你的浏览数据(历史记录、书签等)在你所有的设备上访问,而不需要账户,并以E2EE进行保护。 + + + +## 其它资源 + +我们一般不建议安装任何扩展,因为它们会增加你的攻击面。 然而,如果你重视内容封锁功能,uBlock Origin可能证明是有用的。 + + + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin标识](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin**是一个流行的内容阻止器,可以帮助你阻止广告、跟踪器和指纹脚本。 + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="隐私政策" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title="文档"} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="源代码" } + + ??? 下载 + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + + +我们建议按照 [开发人员的文档](https://github.com/gorhill/uBlock/wiki/Blocking-mode) ,并选择其中的一种 "模式"。 额外的过滤器列表会影响性能, [可能会增加攻击面](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css)。 + + + +##### 其它列表 + +这些是其他一些 [过滤器列表](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) ,你可能要考虑添加。 + +- [x] 检查 **隐私** > **AdGuard URL跟踪保护** +- 添加 [其实合法的URL缩短器工具](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + + + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. 
We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + + + + +### Minimum Requirements + +- 它必须是开源软件。 +- 支持自动更新。 +- 在上游发布后0-1天内收到引擎更新。 +- 可用于Linux、macOS和Windows。 +- 为使浏览器更加尊重隐私所需的任何改变都不应该对用户体验产生负面影响。 +- 默认情况下,阻止第三方的cookies。 +- 支持 [状态分区](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) ,以减轻跨网站追踪。[^1] + + + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- 包括内置的内容阻止功能。 +- 支持cookie分区(à la [多账户容器](https://support.mozilla.org/en-US/kb/containers))。 +- 支持渐进式网络应用程序。 + PWA使你能够安装某些网站,就像在你的电脑上安装本地应用程序一样。 这比安装基于电子的应用程序有优势,因为你可以从浏览器的定期安全更新中受益。 + +- 不包括不影响用户隐私的附加功能(臃肿软件)。 + +- 默认情况下不收集遥测数据。 +- 提供开源的同步服务器实现。 +- 默认为 [私人搜索引擎](search-engines.md)。 + + + +### 扩展标准 + +- 不得复制内置浏览器或操作系统的功能。 +- 必须直接影响用户隐私,即不能简单地提供信息。 + +--8<-- "includes/abbreviations.zh.txt" + + + +[^1]: + Brave的实现详见 [Brave隐私更新。分割网络状态的隐私](https://brave.com/privacy-updates/14-partitioning-network-state/)。 diff --git a/i18n/zh/desktop.md b/i18n/zh/desktop.md new file mode 100644 index 00000000..a134bf4b --- /dev/null +++ b/i18n/zh/desktop.md 
@@ -0,0 +1,184 @@ +--- +title: "Android 应用" +icon: simple/linux +--- + +由于隐私保护和软件自由,Linux发行版被普遍推荐。 如果你还没有使用Linux,下面是我们建议尝试的一些发行版,以及一些适用于许多Linux发行版的一般隐私和安全改进提示。 + +- [安卓概况 :material-arrow-right-drop-circle:](os/linux-overview.md) + +## 传统发行版 + +### Fedora Workstation(Fedora 工作站) + +!!! recommendation + + ![Fedora标志](assets/img/linux-desktop/fedora-workstation.svg) { align=right } + + **Fedora Workstation**是我们为刚接触Linux的人推荐的发行版。 Fedora通常在其他发行版之前采用较新的技术,例如: [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org)。 这些新技术往往伴随着安全、隐私和总体可用性的改进。 + + [:octicons-home-16: 主页](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=文档} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=贡献 } + +Fedora有一个半滚动的发布周期。 虽然有些软件包如 [GNOME](https://www.gnome.org) 被冻结到下一个 Fedora 版本,但大多数软件包(包括内核)在整个发行期都会频繁更新。 每个Fedora版本都支持一年,每6个月发布一个新版本。 + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensus-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed**是一个稳定的滚动发布版本。 + + openSUSE Tumbleweed 有一个 [事务性更新](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) 系统,使用 [Btrfs](https://en.wikipedia.org/wiki/Btrfs) 和 [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) 来确保快照在出现问题时可以回滚。 + + [:octicons-home-16: 主页](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=文档} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=贡献 } + +Tumbleweed采用的是滚动发布模式,每次更新都是以快照的形式发布。 当你升级你的系统时,会下载一个新的快照。 每个快照都要通过一系列的自动测试,由 [openQA](https://openqa.opensuse.org) ,以确保其质量。 + +### Arch Linux + +!!! 
recommendation + + ![Arch标志](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux**是一个轻量级的、自己动手的(DIY)发行版,意味着你只得到你所安装的东西。 更多信息见他们的 [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions)。 + + [:octicons-home-16: 主页](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=文档} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=贡献 } + +Arch Linux有一个滚动的发布周期。 没有固定的发布时间表,软件包的更新非常频繁。 + +作为一个 DIY 发行版,您需要 [自行设置并维护您的](os/linux-overview.md#arch-based-distributions) 系统。 Arch有一个 [官方安装程序](https://wiki.archlinux.org/title/Archinstall) ,使安装过程更容易一些。 + +[Arch Linux的很大一部分软件包](https://reproducible.archlinux.org) ,都是 [,可复制的](https://reproducible-builds.org)。 + +## 不变的发行版 + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right }。 + + **Fedora Silverblue**和**Fedora Kinoite**是Fedora的不可改变的变体,非常注重容器工作流程。 Silverblue配有 [GNOME](https://www.gnome.org/)桌面环境,而Kinoite配有 [KDE](https://kde.org/)。 Silverblue和Kinoite遵循与Fedora Workstation相同的发布时间表,受益于同样的快速更新,并与上游保持非常紧密的联系。 + + [:octicons-home-16: 主页](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=文档} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=贡献 } + +Silverblue(和Kinoite)与Fedora Workstation不同,它们用一个更先进的替代品 [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/),取代了 [DNF](https://fedoraproject.org/wiki/DNF) 软件包管理。 `rpm-ostree` 软件包管理器的工作方式是为系统下载一个基本镜像,然后在一个 [git](https://en.wikipedia.org/wiki/Git)-like commit tree中叠加软件包。 当系统更新时,会下载一个新的基本图像,覆盖物将被应用于该新图像。 + +更新完成后,你将重新启动系统进入新的部署。 `rpm-ostree` 保持系统的两个部署,这样如果在新的部署中出现问题,你可以很容易地回滚。 还可以根据需要选择钉更多的部署。 + +[Flatpak](https://www.flatpak.org) 是这些发行版上的主要软件包安装方法,因为 `rpm-ostree` 
只是为了在基础镜像上叠加那些不能留在容器内的软件包。 + +作为Flatpaks的替代方案,可以选择 [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) ,创建 [Podman](https://podman.io) 容器,与主机操作系统共享主目录,模仿传统的Fedora环境,这对有眼光的开发者来说是一个 [有用的功能](https://containertoolbx.org)。 + +### NixOS + +!!! recommendation + + ![NixOS标志](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS是一个基于Nix软件包管理器的独立发行版,注重可重复性和可靠性。 + + [:octicons-home-16: 主页](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=文档} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=贡献 } + +NixOS的软件包管理器将每个软件包的每个版本保存在 **Nix商店的不同文件夹中**。 由于这个原因,你可以在你的系统上安装同一软件包的不同版本。 在包的内容被写入文件夹后,该文件夹被变成只读。 + +NixOS还提供了原子式更新;首先它下载(或构建)新一代系统的软件包和文件,然后切换到它。 有不同的方法来切换到新一代;你可以告诉NixOS在重启后激活它,或者你可以在运行时切换到它。 你也可以 *测试* ,在运行时切换到新的一代,但不把它设置为当前系统的一代。 如果在更新过程中出现了什么问题,你可以直接重新启动,并自动返回到你的系统的工作版本。 + +Nix软件包管理器使用一种纯粹的函数式语言--它也被称为Nix--来定义软件包。 + +[Nixpkgs](https://github.com/nixos/nixpkgs) (软件包的主要来源)包含在一个GitHub仓库中。 你也可以用同样的语言定义你自己的包,然后轻松地将它们纳入你的配置中。 + +Nix是一个基于源代码的软件包管理器;如果在二进制缓存中没有预置的可用软件包,Nix将直接使用其定义从源代码中构建软件包。 它在一个沙盒式的 *纯* 环境中构建每个软件包,该环境尽可能地独立于主机系统,从而使二进制文件可以重现。 + +## 以匿名为重点的发行版 + +### Whonix + +!!! 
recommendation + + ![Whonix标志](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix**是基于 [Kicksecure](https://www.whonix.org/wiki/Kicksecure),一个注重安全的Debian分叉。 它的目的是在互联网上提供隐私、安全和匿名性。 Whonix最好与[Qubes OS](#qubes-os)一起使用。 + + [:octicons-home-16: 主页](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="洋葱服务" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=文档} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=贡献 } + +Whonix旨在作为两个虚拟机运行:一个 "工作站 "和一个Tor "网关"。 工作站的所有通信都必须通过Tor网关。 这意味着,即使工作站被某种恶意软件入侵,真实的IP地址仍然是隐藏的。 + +它的一些功能包括Tor流隔离, [按键匿名化](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [加密的交换](https://github.com/Whonix/swap-file-creator),以及一个加固的内存分配器。 + +Whonix的未来版本可能包括 [全系统AppArmor策略](https://github.com/Whonix/apparmor-profile-everything) 和 [沙盒应用程序启动器](https://www.whonix.org/wiki/Sandbox-app-launcher) ,以完全限制系统上的所有进程。 + +[Whonix最好与Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers),Qubes-Whonix与其他管理程序相比有各种 [,缺点](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581)。 + +### Tails + +!!! 
recommendation + + ![Tails标志](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails**是一个基于Debian的实时操作系统,它通过Tor路由所有的通信,它可以从DVD、U盘或SD卡安装在几乎任何电脑上启动。 它使用 [Tor](tor.md)来保护隐私和匿名,同时规避审查制度,而且在关闭电源后,它不会在其使用的计算机上留下任何痕迹。 + + [:octicons-home-16: 主页](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=文档} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=贡献 } + +Tails由于具有失忆功能(意味着没有任何东西被写入磁盘),对于反取证来说是非常好的;然而,它并不是像Whonix那样的加固发行版。 它缺乏Whonix所具有的许多匿名和安全功能,而且更新频率更低(每六周才更新一次)。 被恶意软件入侵的Tails系统可能会绕过透明代理,允许用户去匿名化。 + +Tails默认在Tor浏览器中包括 [uBlock Origin](desktop-browsers.md#ublock-origin) ,这有可能使对手更容易对Tails用户进行指纹识别。 [Whonix](desktop.md#whonix) 虚拟机可能更加防漏,然而它们不是失忆的,这意味着数据可能会从你的存储设备中恢复。 + +在设计上,Tails是为了在每次重启后完全重置自己。 加密的 [持久性存储](https://tails.boum.org/doc/persistent_storage/index.en.html) ,可以配置为在重启之间存储一些数据。 + +## 以安全为重点的发行版 + +### Qubes操作系统 + +!!! recommendation + + ![Qubes OS标志](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS**是一个开源的操作系统,旨在为桌面计算提供强大的安全性。 Qubes基于Xen、X窗口系统和Linux,可以运行大多数Linux应用程序并使用大多数Linux驱动程序。 + + [:octicons-home-16: 主页](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: 概述](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="洋葱头服务" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="隐私政策" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title="文档" } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="源代码" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=贡献 } + +Qubes OS是一个基于Xen的操作系统,旨在通过安全的虚拟机(VM)为桌面计算提供强大的安全性,也被称为 *Qubes*。 + +Qubes OS操作系统通过将子系统(如网络、USB等)和应用程序隔离在独立的虚拟机中来保证计算机的安全。 如果系统的一个部分被破坏,额外的隔离可能会保护系统的其他部分。 更多详情请见Qubes [FAQ](https://www.qubes-os.org/faq/)。 + +## Criteria + +**Please note 
we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +我们推荐的操作系统。 + +- 必须是开源的。 +- 必须定期接受软件和Linux内核的更新。 +- Linux发行版必须支持 [Wayland](os/linux-overview.md#Wayland)。 +- 在安装过程中必须支持全盘加密。 +- 不得将定期发布的信息冻结1年以上。 我们 [,不建议将](os/linux-overview.md#release-cycle) "长期支持 "或 "稳定 "的发行版用于桌面使用。 +- 必须支持各种各样的硬件。 + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/dns.md b/i18n/zh/dns.md new file mode 100644 index 00000000..6ccf6848 --- /dev/null +++ b/i18n/zh/dns.md 
@@ -0,0 +1,142 @@ +--- +title: "DNS Resolvers" +icon: material/dns +--- + +!!! question "Should I use encrypted DNS?" + + Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + + [Learn more about DNS](advanced/dns-overview.md){ .md-button } + +## 推荐的供应商 + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### 安卓 + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). 
+ +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! 
recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." 
+ + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! 
recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +--8<-- "includes/abbreviations.zh.txt" + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. 
[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/zh/email-clients.md b/i18n/zh/email-clients.md new file mode 100644 index 00000000..ff15c7d1 --- /dev/null +++ b/i18n/zh/email-clients.md 
@@ -0,0 +1,239 @@ +--- +title: "笔记" +icon: material/email-open +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### 推荐配置 + +We recommend changing some of these settings to make Thunderbird a little more private. + +这些选项可以在 :material-menu: → **设置** → **隐私 & 安全**中找到。 + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### 遥测 + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. 
+ + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! 推荐 + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! 
recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! 
推荐 + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. 
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- 为开源操作系统开发的应用程序必须是开源的。 +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/email.md b/i18n/zh/email.md new file mode 100644 index 00000000..f48f1620 --- /dev/null +++ b/i18n/zh/email.md 
@@ -0,0 +1,485 @@ +--- +title: "Email Services" +icon: material/email +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +!!! 推荐 + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +??? 
success "Custom Domains and Aliases" + + Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +??? success "Private Payment Methods" + + Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments. + +??? success "Account Security" + + Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code. + +??? success "Data Security" + + Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + + Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +??? success "Email Encryption" + + Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. 
+ + Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + +??? warning "Digital Legacy" + + Proton Mail doesn't offer a digital legacy feature. + +??? info "Account Termination" + + If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +??? info "Additional Functionality" + + Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +??? success "Custom Domains and Aliases" + + Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. 
Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +??? info "Private Payment Methods" + + Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +??? success "Account Security" + + Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +??? info "Data Security" + + Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + + However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +??? success "Email Encryption" + + Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. 
This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + + Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +??? success "Digital Legacy" + + Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +??? info "Account Termination" + + Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +??? info "Additional Functionality" + + You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + + All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +### StartMail + +!!! 
recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +??? success "Custom Domains and Aliases" + + Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +??? warning "Private Payment Methods" + + StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +??? success "Account Security" + + StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +??? info "Data Security" + + StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. 
When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + + StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +??? success "Email Encryption" + + StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. + +??? warning "Digital Legacy" + + StartMail does not offer a digital legacy feature. + +??? info "Account Termination" + + On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +??? info "Additional Functionality" + + StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. 
+ + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +??? success "Custom Domains and Aliases" + + Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). 
Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +??? warning "Private Payment Methods" + + Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +??? success "Account Security" + + Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +??? success "Data Security" + + Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +??? warning "Email Encryption" + + Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +??? warning "Digital Legacy" + + Tutanota doesn't offer a digital legacy feature. + +??? info "Account Termination" + + Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +??? info "Additional Functionality" + + Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + + Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. 
+ +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. 
However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. 
You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! 
recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. 
We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### 技术 + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**符合条件的最低要求。** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. 
+- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### 隐私 + +We prefer our recommended providers to collect as little data as possible. + +**符合条件的最低要求。** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.) + +### 安全性 + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**符合条件的最低要求。** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). 
+- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). 
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**符合条件的最低要求。** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**符合条件的最低要求。** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. 
(email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc)
+- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+
+**Best Case:**
+
+- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
+
+### Additional Functionality
+
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+
+--8<-- "includes/abbreviations.zh.txt"
diff --git a/i18n/zh/encryption.md b/i18n/zh/encryption.md
new file mode 100644
index 00000000..f09d2d61
--- /dev/null
+++ b/i18n/zh/encryption.md
@@ -0,0 +1,357 @@ +--- +title: "加密软件" +icon: material/file-lock +--- + +对数据进行加密是控制谁能访问数据的唯一方法。 如果你目前没有对你的硬盘、电子邮件或文件使用加密软件,你应该在这里挑选一个选项。 + +## 多平台 + +这里列出的选项是多平台的,对于创建你的数据的加密备份非常好。 + +### Cryptomator (云) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. 它允许你创建存储在虚拟驱动器上的保险库,其中的内容被加密并与你的云存储供应商同步。 + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator使用AES-256加密,对文件和文件名进行加密。 Cryptomator不能加密元数据,如访问、修改和创建时间戳,也不能加密文件和文件夹的数量和大小。 + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. 
The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt使用安全的XChaCha20密码和Argon2id密钥推导功能来提供高水平的安全。 它使用Go的标准x/crypto模块来实现其加密功能。 + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (磁盘) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. 
它可以在一个文件中创建一个虚拟的加密磁盘,加密一个分区,或者用启动前的认证来加密整个存储设备。 + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. 
The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. 
Login with your admin account and type this in the command prompt to start encryption:
+
+ ```
+ manage-bde -on c: -used
+ ```
+
+ 5. Close the command prompt and continue booting to regular Windows.
+
+ 6. Open an admin command prompt and run the following commands:
+
+ ```
+ manage-bde c: -protectors -add -rp -tpm
+ manage-bde -protectors -enable c:
+ manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
+ ```
+
+ !!! tip
+
+ Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data.
+
+### FileVault
+
+!!! recommendation
+
+ ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right }
+
+ **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip.
+
+ [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation}
+
+We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery.
+
+### Linux Unified Key Setup
+
+!!! recommendation
+
+ ![LUKS logo](assets/img/encryption-software/luks.png){ align=right }
+
+ **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.
+
+ [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation}
+ [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" }
+
+???
example "Creating and opening encrypted containers"
+
+ ```
+ dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
+ sudo cryptsetup luksFormat /path-to-file
+ ```
+
+
+ #### Opening encrypted containers
+ We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface.
+ ```
+ udisksctl loop-setup -f /path-to-file
+ udisksctl unlock -b /dev/loop0
+ ```
+
+!!! note "Remember to back up volume headers"
+
+ We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with:
+
+ ```
+ cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
+ ```
+
+## Browser-based
+
+Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device.
+
+### hat.sh
+
+!!! recommendation
+
+ ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right }
+ ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
+
+ **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies.
+ + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). 
+ + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. 
GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). 
+ + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave.
+- File encryption apps should have first- or third-party support for mobile platforms.
+
+--8<-- "includes/abbreviations.zh.txt"
diff --git a/i18n/zh/file-sharing.md b/i18n/zh/file-sharing.md
new file mode 100644
index 00000000..8e33d4fb
--- /dev/null
+++ b/i18n/zh/file-sharing.md
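Review bot: In the LUKS walkthrough under "Creating and opening encrypted containers", the unlock step hardcodes the loop device as `udisksctl unlock -b /dev/loop0`, although the preceding `udisksctl loop-setup -f /path-to-file` attaches the file to whichever loop device is free and reports its name. On a machine that already has a loop device in use (snap packages, a mounted ISO), a reader following the steps literally would point the unlock at a different block device than the one just created. Suggest changing the line to `udisksctl unlock -b /dev/loopN` and adding a sentence above the fence along the lines of "replace `loopN` with the device name printed by `loop-setup`". The same wording appears in the source English page, so this is worth fixing there as well rather than only in i18n/zh/encryption.md.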
@@ -0,0 +1,148 @@ +--- +title: "加密软件" +icon: material/share-variant +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## 文件共享 + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. 
+ + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- 它必须是开源软件。 +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). 
The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! 
危险 + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must not require a third-party remote/cloud server.
+- 它必须是开源软件。
+- Must either have clients for Linux, macOS, and Windows; or have a web interface.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Has mobile clients for iOS and Android, which at least support document previews.
+- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android.
+
+--8<-- "includes/abbreviations.zh.txt"
diff --git a/i18n/zh/frontends.md b/i18n/zh/frontends.md
new file mode 100644
index 00000000..6c011b13
--- /dev/null
+++ b/i18n/zh/frontends.md
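Review bot: The front matter of i18n/zh/file-sharing.md sets `title: "加密软件"` ("Encryption Software"), which is the title the previous file, i18n/zh/encryption.md, also uses; the page's own first heading is `## 文件共享`, so the title should read `title: "文件共享"`. The same one-page shift appears in the next file, i18n/zh/frontends.md, which opens with `title: "文件共享"` ("File Sharing") for a page about frontends. These look like misaligned strings from the translation import rather than deliberate translator choices, so they are probably best corrected at the translation-source level so the next sync does not reintroduce them.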
@@ -0,0 +1,268 @@ +--- +title: "文件共享" +icon: material/flip-to-front +--- + +有时,一些服务会用烦人的弹窗阻止你访问内容,以此来强迫你注册账户。 此时如果停用JavaScript网站也会崩溃。 这些前端应用可以帮助你绕过这些限制。 + +## 客户端 + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! 推荐 + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. 
Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. 
Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. 
+ + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! 推荐 + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. 它使用一个类似 [BitTorrent](https://wikipedia.org/wiki/BitTorrent)的网络来存储视频内容,并使用一个 [blockchain](https://wikipedia.org/wiki/Blockchain)来存储这些视频的索引。 + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. 
+ + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! 推荐 + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. 它使用一个类似 [BitTorrent](https://wikipedia.org/wiki/BitTorrent)的网络来存储视频内容,并使用一个 [blockchain](https://wikipedia.org/wiki/Blockchain)来存储这些视频的索引。 + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. 
+ + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! 推荐 + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. 它使用一个类似 [BitTorrent](https://wikipedia.org/wiki/BitTorrent)的网络来存储视频内容,并使用一个 [blockchain](https://wikipedia.org/wiki/Blockchain)来存储这些视频的索引。 + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! 推荐备注 + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. 
+ + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! 警告 + + When using NewPipe, your IP address will be visible to the video providers used. 它使用一个类似 [BitTorrent](https://wikipedia.org/wiki/BitTorrent)的网络来存储视频内容,并使用一个 [blockchain](https://wikipedia.org/wiki/Blockchain)来存储这些视频的索引。 + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! 推荐 + + Invidious does not proxy video streams by default. 
Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! 
tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +推荐的前端应用... + +- 它必须是开源软件。 +- 必须能够自托管。 +- 必须向匿名用户提供所有基本的网站功能。 + +We only consider frontends for websites which are... + +- 不启用Javascript就不能正常访问。 + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/index.md b/i18n/zh/index.md new file mode 100644 index 00000000..ef22d9b8 --- /dev/null +++ b/i18n/zh/index.md 
@@ -0,0 +1,44 @@
+---
+template: overrides/home.zh.html
+hide:
+ - navigation
+ - toc
+ - feedback
+---
+
+
+## Why should I care?
+
+##### “I have nothing to hide. Why should I care about my privacy?”
+
+Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination).
+
+You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human.
+
+[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary}
+
+## What should I do?
+
+##### First, you need to make a plan
+
+Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them.
+
+==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
+
+[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary}
+
+---
+
+## We need you!
Here's how to get involved:
+
+[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" }
+[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" }
+[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" }
+[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" }
+[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" }
+[:material-information-outline:](about/index.md){ title="Learn more about us" }
+[:material-hand-coin-outline:](about/donate.md){ title="Support the project" }
+
+It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know.
+
+--8<-- "includes/abbreviations.zh.txt"
diff --git a/i18n/zh/kb-archive.md b/i18n/zh/kb-archive.md
new file mode 100644
index 00000000..d438962f
--- /dev/null
+++ b/i18n/zh/kb-archive.md
@@ -0,0 +1,18 @@
+---
+title: KB Archive
+icon: material/archive
+---
+
+# Pages Moved to Blog
+
+Some pages that used to be in our knowledge base can now be found on our blog:
+
+- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
+- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
+- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
+- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
+- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
+- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
+- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
+
+--8<-- "includes/abbreviations.zh.txt"
diff --git a/i18n/zh/meta/brand.md b/i18n/zh/meta/brand.md
new file mode 100644
index 00000000..65d9e40d
--- /dev/null
+++ b/i18n/zh/meta/brand.md
@@ -0,0 +1,24 @@
+---
+title: Branding Guidelines
+---
+
+The name of the website is **Privacy Guides** and should **not** be changed to:
+
+
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/meta/git-recommendations.md b/i18n/zh/meta/git-recommendations.md new file mode 100644 index 00000000..e358e9e3 --- /dev/null +++ b/i18n/zh/meta/git-recommendations.md 
@@ -0,0 +1,48 @@
+---
+title: Git Recommendations
+---
+
+If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations.
+
+## Enable SSH Key Commit Signing
+
+You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
+
+1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo):
+ ```
+ git config --global commit.gpgsign true
+ git config --global gpg.format ssh
+ git config --global tag.gpgSign true
+ ```
+2. Copy your SSH public key to your clipboard, for example:
+ ```
+ pbcopy < ~/.ssh/id_ed25519.pub
+ # Copies the contents of the id_ed25519.pub file to your clipboard
+ ```
+3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard:
+ ```
+ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'
+ ```
+
+Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key).
+
+## Rebase on Git pull
+
+Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo).
+
+You can set this to be the default behavior:
+
+```
+git config --global pull.rebase true
+```
+
+## Rebase from `main` before submitting a PR
+
+If you are working on your own branch, run these commands before submitting a PR:
+
+```
+git fetch origin
+git rebase origin/main
+```
+
+--8<-- "includes/abbreviations.zh.txt"
diff --git a/i18n/zh/meta/uploading-images.md b/i18n/zh/meta/uploading-images.md
new file mode 100644
index 00000000..1cbc2e8a
--- /dev/null
+++ b/i18n/zh/meta/uploading-images.md
@@ -0,0 +1,91 @@
+---
+title: Uploading Images
+---
+
+Here are a couple of general rules for contributing to Privacy Guides:
+
+## Images
+
+- We **prefer** SVG images, but if those do not exist we can use PNG images
+
+Company logos have canvas size of:
+
+- 128x128px
+- 384x128px
+
+## Optimization
+
+### PNG
+
+Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image:
+
+```bash
+optipng -o7 file.png
+```
+
+### SVG
+
+#### Inkscape
+
+[Scour](https://github.com/scour-project/scour) all SVG images.
+
+In Inkscape:
+
+1. File Save As..
+2. Set type to Optimized SVG (*.svg)
+
+In the **Options** tab:
+
+- **Number of significant digits for coordinates** > **5**
+- [x] Turn on **Shorten color values**
+- [x] Turn on **Convert CSS attributes to XML attributes**
+- [x] Turn on **Collapse groups**
+- [x] Turn on **Create groups for similar attributes**
+- [ ] Turn off **Keep editor data**
+- [ ] Turn off **Keep unreferenced definitions**
+- [x] Turn on **Work around renderer bugs**
+
+In the **SVG Output** tab under **Document options**:
+
+- [ ] Turn off **Remove the XML declaration**
+- [x] Turn on **Remove metadata**
+- [x] Turn on **Remove comments**
+- [x] Turn on **Embeded raster images**
+- [x] Turn on **Enable viewboxing**
+
+In the **SVG Output** under **Pretty-printing**:
+
+- [ ] Turn off **Format output with line-breaks and indentation**
+- **Indentation characters** > Select **Space**
+- **Depth of indentation** > **1**
+- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element**
+
+In the **IDs** tab:
+
+- [x] Turn on **Remove unused IDs**
+- [ ] Turn off **Shorten IDs**
+- **Prefix shortened IDs with** > `leave blank`
+- [x] Turn on **Preserve manually created IDs not ending with digits**
+- **Preserve the following IDs** > `leave blank`
+- **Preserve IDs starting with** > `leave blank`
+
+#### CLI
+
+The same can be achieved with the [Scour](https://github.com/scour-project/scour) command:
+
+```bash
+scour --set-precision=5 \
+ --create-groups \
+ --renderer-workaround \
+ --remove-descriptive-elements \
+ --enable-comment-stripping \
+ --enable-viewboxing \
+ --indent=space \
+ --nindent=1 \
+ --no-line-breaks \
+ --enable-id-stripping \
+ --protect-ids-noninkscape \
+ input.svg output.svg
+```
+
+--8<-- "includes/abbreviations.zh.txt"
diff --git a/i18n/zh/meta/writing-style.md b/i18n/zh/meta/writing-style.md
new file mode 100644
index 00000000..1df07592
--- /dev/null
+++ b/i18n/zh/meta/writing-style.md
@@ -0,0 +1,89 @@
+---
+title: Writing Style
+---
+
+Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt.
+
+In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below.
+
+## Writing for our audience
+
+Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with.
+
+### Address only what people want to know
+
+People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details.
+
+> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.”
+
+### Address people directly
+
+We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly.
+
+> More than any other single technique, using “you” pulls users into the information and makes it relevant to them.
+>
+> When you use “you” to address users, they are more likely to understand what their responsibility is.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/)
+
+### Avoid "users"
+
+Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for.
+
+## Organizing content
+
+Organization is key.
Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas.
+
+- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages.
+- Mark important ideas with **bold** or *italics*.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
+
+### Begin with a topic sentence
+
+> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details.
+>
+> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
+
+## Choose your words carefully
+
+> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand.
+
+We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly.
+
+> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences:
+>
+> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends.
+>
+> And the original, using stronger, simpler words:
+>
+> > More night jobs would keep youths off the streets.
+
+## Be concise
+
+> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective.
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
+
+## Keep text conversational
+
+> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting.
+>
+> Verbs tell your audience what to do. Make sure it’s clear who does what.
+
+### Use active voice
+
+> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.”
+
+Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
+
+### Use "must" for requirements
+
+> - “must” for an obligation
+> - “must not” for a prohibition
+> - “may” for a discretionary action
+> - “should” for a recommendation
+
+--8<-- "includes/abbreviations.zh.txt"
diff --git a/i18n/zh/mobile-browsers.md b/i18n/zh/mobile-browsers.md
new file mode 100644
index 00000000..1ef220c8
--- /dev/null
+++ b/i18n/zh/mobile-browsers.md
@@ -0,0 +1,193 @@
+---
+title: "移动浏览器"
+icon: material/cellphone-information
+---
+
+这些是我们当前推荐的移动网络浏览器以及标准/非匿名互联网浏览的配置。 如果您需要匿名浏览互联网,则应使用 [Tor](tor.md) 。 一般来说,我们建议将扩展程序保持在最低限度;它们在您的浏览器中具有特权访问权限,要求您信任开发人员,可以使您 [突出](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), [弱化](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) 站点隔离。
+
+## 安卓
+
+在安卓系统上,火狐的安全性仍然低于基于Chromium的替代品。Mozilla的引擎, [GeckoView](https://mozilla.github.io/geckoview/),还没有支持 [网站隔离](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) 或启用 [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196)。
+
+### Brave
+
+!!! recommendation
+
+ ![Brave标识](assets/img/browsers/brave.svg){ align=right }
+
+ **Brave浏览器**包括一个内置的内容拦截器和[隐私功能](https://brave.com/privacy-features/),其中许多功能都是默认启用的。
+
+ Brave是建立在Chromium网络浏览器项目之上的,所以它应该有熟悉的感觉,而且网站兼容性问题最小。
+
+ [:octicons-home-16: 首页](https://brave.com/){ .md-button .md-button--primary }
+ [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="洋葱服务" }
+ [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="隐私政策" }
+ [:octicons-info-16:](https://support.brave.com/){ .card-link title="文档"}
+ [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="源代码" }
+
+ ???
downloads annotate
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+ - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
+
+#### 推荐配置
+
+Tor浏览器是匿名浏览互联网的唯一途径。 当您使用Brave时,我们建议您更改以下设置,以保护您的隐私不受某些方的侵害,但除了 [Tor浏览器](tor.md#tor-browser) 之外的所有浏览器都可以在某些方面被 *个人* 追踪。
+
+这些选项可以在 :material-menu: → **设置** → **Brave Shields & 隐私**中找到
+
+##### 盾
+
+Brave在其 [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) 功能中包括一些防指纹的措施。 我们建议将这些选项配置为 [,在你访问的所有页面上全局](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-)。
+
+##### Brave shields global defaults
+
+Shields的选项可以根据需要在每个站点的基础上进行降级,但在默认情况下,我们建议设置以下内容。
+
+
+
+- [x] Select **Aggressive** under Block trackers & ads
+
+ ??? warning "Use default filter lists"
+ Brave允许你在内部`brave://adblock`页面中选择额外的内容过滤器。 我们建议不要使用这个功能;相反,保留默认的过滤列表。 使用额外的列表会使你从其他Brave用户中脱颖而出,如果Brave中存在漏洞,恶意规则被添加到你使用的列表中,也可能增加攻击面。
+
+- [x] Select **Upgrade connections to HTTPS**
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under **Block fingerprinting**
+
+
+
+1. 该选项提供的功能类似于uBlock Origin的高级 [阻止模式](https://github.com/gorhill/uBlock/wiki/Blocking-mode) 或 [NoScript](https://noscript.net/) 扩展。
+
+##### Clear browsing data
+
+- [x] Select **Clear data on exit**
+
+##### Social Media Blocking
+
+- [ ] 取消勾选所有社交媒体组件
+
+##### Other privacy settings
+
+
+
+- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Allow sites to check if you have payment methods saved**
+- [ ] Uncheck **IPFS Gateway** (1)
+- [x] Select **Close tabs on exit**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+
+1. InterPlanetary File System(IPFS)是一个分散的、点对点的网络,用于在分布式文件系统中存储和共享数据。 除非你使用该功能,否则禁用它。
+
+
+
+#### Brave 同步
+
+[Brave 同步](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) 允许你的浏览数据(历史记录、书签等)在你所有的设备上访问,而不需要账户,并以E2EE进行保护。
+
+## iOS
+
+On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser.
+
+### Safari
+
+!!! recommendation
+
+ ![Safari logo](assets/img/browsers/safari.svg){ align=right }
+
+ **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
+
+ [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation}
+
+#### 推荐配置
+
+These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.
+
+##### Cross-Site Tracking Prevention
+
+- [x] Enable **Prevent Cross-Site Tracking**
+
+This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
+
+##### Privacy Report
+
+Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting.
It can also display a weekly report to show which trackers have been blocked over time.
+
+Privacy Report is accessible via the Page Settings menu.
+
+##### Privacy Preserving Ad Measurement
+
+- [ ] Disable **Privacy Preserving Ad Measurement**
+
+Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
+
+The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
+
+##### Always-on Private Browsing
+
+Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
+
+- [x] Select **Private**
+
+Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
+
+Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
+
+##### iCloud Sync
+
+Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
+
+You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**.
+
+- [x] Turn On **Advanced Data Protection**
+
+If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
+
+### AdGuard
+
+!!! recommendation
+
+ ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right }
+
+ **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
+
+ AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge.
+
+ [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!!
example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+### Minimum Requirements
+
+- Must support automatic updates.
+- Must receive engine updates in 0-1 days from upstream release.
+- 为使浏览器更加尊重隐私所需的任何改变都不应该对用户体验产生负面影响。
+- Android browsers must use the Chromium engine.
+ - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android.
+ - iOS browsers are limited to WebKit.
+
+### 扩展标准
+
+- 不得复制内置浏览器或操作系统的功能。
+- 必须直接影响用户隐私,即不能简单地提供信息。
+
+--8<-- "includes/abbreviations.zh.txt"
diff --git a/i18n/zh/multi-factor-authentication.md b/i18n/zh/multi-factor-authentication.md
new file mode 100644
index 00000000..3592d209
--- /dev/null
+++ b/i18n/zh/multi-factor-authentication.md
@@ -0,0 +1,144 @@
+---
+title: "Multi-Factor Authenticators"
+icon: '资料/双因认证'
+---
+
+## 硬件安全密钥
+
+### YubiKey
+
+!!! recommendation
+
+ ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
+
+ The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+ One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.
+
+ [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation}
+
+The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+!!! warning
+ The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+### Nitrokey / Librem Key
+
+!!! recommendation
+
+ ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
+
+ **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+ [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation}
+
+The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager.
They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! 推荐 + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! 推荐 + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + + The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +!!! tip + + The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app). + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! 
example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+#### Minimum Requirements
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+#### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.
+
+## Authenticator Apps
+
+Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
+
+We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
+
+### Aegis Authenticator (Android)
+
+!!! recommendation
+
+ ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right }
+
+ **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services.
+
+ [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
+ - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases)
+
+### Raivo OTP (iOS)
+
+!!! recommendation
+
+ ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right }
+
+ **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app.
+
+ [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" }
+ [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
+
+### Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- 它必须是开源软件。
+- Must not require internet connectivity.
+- Must not sync to a third-party cloud sync/backup service.
+ - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud.
+
+--8<-- "includes/abbreviations.zh.txt"
diff --git a/i18n/zh/news-aggregators.md b/i18n/zh/news-aggregators.md
new file mode 100644
index 00000000..469bbf92
--- /dev/null
+++ b/i18n/zh/news-aggregators.md
@@ -0,0 +1,173 @@
+---
+title: "多因素认证工具"
+icon: material/rss
+---
+
+A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favourite blogs and news sites.
+
+## Aggregator clients
+
+### Akregator
+
+!!! recommendation
+
+ ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right }
+
+ **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading.
+
+ [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation}
+ [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator)
+
+### Feeder
+
+!!! recommendation
+
+ ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right }
+
+ **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+
+ [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play)
+
+### Fluent Reader
+
+!!! recommendation
+
+ ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right }
+
+ **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md).
+
+ [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute }
+
+ ??? downloads
+
+ - [:simple-windows11: Windows](https://hyliu.me/fluent-reader)
+ - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427)
+
+### GNOME Feeds
+
+!!! recommendation
+
+ ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right }
+
+ **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast.
+
+ [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary }
+ [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute }
+
+ ???
downloads
+
+ - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install)
+ - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds)
+
+### Miniflux
+
+!!! recommendation
+
+ ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right }
+ ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right }
+
+ **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+
+ [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" }
+ [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute }
+
+### NetNewsWire
+
+!!! recommendation
+
+ ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right }
+
+ **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds.
+
+ [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary }
+ [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" }
+ [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" }
+
+ ??? downloads
+
+ - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210)
+ - [:simple-apple: macOS](https://netnewswire.com)
+
+### Newsboat
+
+!!!
recommendation
+
+ ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right }
+
+ **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell).
+
+ [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary }
+ [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation}
+ [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" }
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+!!! example "This section is new"
+
+ We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
+
+- 它必须是开源软件。
+- Must operate locally, i.e. must not be a cloud service.
+
+## Social Media RSS Support
+
+Some social media services also support RSS although it's not often advertised.
+
+### Reddit
+
+Reddit allows you to subscribe to subreddits via RSS.
+
+!!! example
+ Replace `subreddit_name` with the subreddit you wish to subscribe to.
+
+ ```text
+ https://www.reddit.com/r/{{ subreddit_name }}/new/.rss
+ ```
+
+### Twitter
+
+Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS.
+
+!!! example
+ 1. Pick an instance and set `nitter_instance`.
+ 2. Replace `twitter_account` with the account name.
+
+ ```text
+ https://{{ nitter_instance }}/{{ twitter_account }}/rss
+ ```
+
+### YouTube
+
+You can subscribe YouTube channels without logging in and associating usage information with your Google Account.
+
+!!! example
+
+ To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below:
+ ```text
+ https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID]
+ ```
+
+--8<-- "includes/abbreviations.zh.txt"
diff --git a/i18n/zh/notebooks.md b/i18n/zh/notebooks.md
new file mode 100644
index 00000000..17e4b4cd
--- /dev/null
+++ b/i18n/zh/notebooks.md
@@ -0,0 +1,115 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. 
+ + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/os/android-overview.md b/i18n/zh/os/android-overview.md new file mode 100644 index 00000000..f3f5f702 --- /dev/null +++ b/i18n/zh/os/android-overview.md 
@@ -0,0 +1,135 @@ +--- +title: Android概述 +icon: simple/android +--- + +安卓是一个安全的操作系统,它有强大的[应用程序沙箱](https://source.android.com/security/app-sandbox),[启动时验证](https://source.android.com/security/verifiedboot)(AVB),以及一个强大的[权限](https://developer.android.com/guide/topics/permissions/overview)控制系统。 + +## 挑选安卓 ROM + +你买到的安卓手机多半已经预装了能侵犯隐私的应用与服务,而这些服务并不属于 [AOSP](https://source.android.com/)。 例如 Google Play 服务:它有权访问你的文件、联系人、通话记录、短信、定位、相机、麦克风、硬件身份码等。且这些权限无法收回。 这类应用与服务扩大了你的设备的攻击面,也是安卓系统的各种隐私问题的源头。 + +换用一个不预装这类软件的安卓 ROM 可以解决这个问题。 不巧,很多安卓 ROM 不支持 AVB、回滚保护、系统更新、等这些关键的安全功能,破坏了安卓的安全模型。 某些 ROM 发布的版本属于 [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) 构建版本。这个版本通过 [ADB](https://developer.android.com/studio/command-line/adb) 来提供 root 访问,并且为了支持调试,[放宽](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code)了 SELinux 规则。这进一步扩大了攻击面,弱化了安全模型。 + +在挑选安卓 ROM 时,理想的情况,是能找到坚持安卓安全模型的 ROM。 最起码的是,你选用的 ROM 应该提供生产版本(而非 `userdebug`版本)的构建,能支持 AVB、回滚保护、按时推送系统更新、把 SELinux 设为[强制模式](https://source.android.com/security/selinux/concepts#enforcement_levels)。 我们推荐的所有安卓 ROM 都满足上述标准。 + +[我们推荐的安卓 ROM :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## 避免 Root + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) 安卓手机会大大降低安全性,因为它削弱了完整的 [安卓安全模型](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy)。 如果有一个被降低的安全性所帮助的漏洞,这可能会减少隐私。 常见的root方法涉及直接篡改启动分区,使得它不可能成功地进行验证性启动。 需要root的应用程序也会修改系统分区,这意味着验证启动将不得不保持禁用。 在用户界面上直接暴露root也增加了你的设备的 [攻击面](https://en.wikipedia.org/wiki/Attack_surface) ,并可能有助于 [特权升级](https://en.wikipedia.org/wiki/Privilege_escalation) 漏洞和SELinux政策的绕过。 + +广告拦截器,修改 [hosts文件](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway)和防火墙(AFWall+),需要持续的根访问是危险的,不应该被使用。 它们也不是解决其预期目的的正确方法。 对于广告屏蔽,我们建议采用加密的 [DNS](../dns.md) 或 [VPN](../vpn.md) 服务器屏蔽解决方案。 RethinkDNS、TrackerControl和AdAway在非root模式下将占用VPN插槽(通过使用本地环回VPN),使你无法使用增强隐私的服务,如Orbot或真正的VPN服务器。 + +AFWall+基于 
[包过滤](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) 方法工作,在某些情况下可能会被绕过。 + +我们认为,通过root手机所做的安全牺牲不值得那些应用程序的可疑隐私利益。 + +## 已验证的启动 + +[经过验证的启动](https://source.android.com/security/verifiedboot) ,是安卓安全模式的一个重要组成部分。 它能够保护您免受 [罪恶的](https://en.wikipedia.org/wiki/Evil_maid_attack) 攻击、恶意软件的持久性,并确保安全更新不能用 [回滚保护降级](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection) + +安卓10及以上版本已经从全盘加密转向更灵活的 [基于文件的加密](https://source.android.com/security/encryption/file-based)。 你的数据使用独特的加密密钥进行加密,而操作系统文件则不被加密。 + +验证启动确保了操作系统文件的完整性,从而防止有物理访问权限的对手在设备上篡改或安装恶意软件。 在不太可能的情况下,如果恶意软件能够利用系统的其他部分并获得更高的特权访问,验证性启动将防止并在重启设备时恢复对系统分区的更改。 + +遗憾的是,OEM厂商只有在其库存的安卓系统上才有义务支持验证性启动。 只有少数OEM厂商,如谷歌,支持在他们的设备上定制AVB密钥注册。 此外,一些AOSP衍生产品,如LineageOS或/e/ OS,即使在对第三方操作系统有验证启动支持的硬件上也不支持验证启动。 我们建议你在 购买新设备之前,先查看支持 **。 不支持验证性启动的AOSP衍生产品是 **,不推荐**。

+ +许多原始设备制造商也有破碎的实施验证启动,你必须注意他们的营销之外。 例如,Fairphone 3和4在默认情况下是不安全的,因为 [股票引导程序信任公共AVB签名密钥](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11)。 这破坏了Fairphone设备上的验证引导,因为系统将引导替代Android操作系统(如/e/) [,而没有任何关于自定义操作系统使用的警告](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) 。 + +## 固件更新 + +固件更新是维护安全的关键,没有它们,你的设备就不可能是安全的。 原始设备制造商与他们的合作伙伴有支持协议,在有限的支持期内提供闭源组件。 这些内容详见每月的 [Android安全公告](https://source.android.com/security/bulletin)。 + +由于手机的组件,如处理器和无线电技术依赖于闭源组件,更新必须由各自的制造商提供。 因此,重要的是,你要在一个有效的支持周期内购买设备。 [高通公司](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) 和 [三星](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) ,对其设备的支持期为4年,而便宜的产品往往支持周期更短。 随着 [Pixel 6](https://support.google.com/pixelphone/answer/4457705)的推出,谷歌现在制造自己的SoC,他们将提供至少5年的支持。 + +不再受SoC制造商支持的EOL设备无法从OEM供应商或后市场Android分销商处获得固件更新。 这意味着这些设备的安全问题将继续得不到解决。 + +例如,Fairphone在市场上宣传他们的设备可以获得6年的支持。 然而,SoC(Fairphone 4上的高通骁龙750G)的EOL日期要短得多。 这意味着高通公司为Fairphone 4提供的固件安全更新将在2023年9月结束,无论Fairphone是否继续发布软件安全更新。 + +## Android 版本 + +重要的是,不要使用 [报废的](https://endoflife.date/android) 版本的Android。 较新版本的安卓系统不仅会收到操作系统的安全更新,也会收到重要的隐私增强更新。 例如, [,在Android 10之前](https://developer.android.com/about/versions/10/privacy/changes),任何具有 [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) 权限的应用程序都可以访问你的手机的敏感和独特的序列号,如 [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier),你的SIM卡的 [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity),而现在他们必须是系统应用程序才能这样做。 系统应用只由OEM或安卓发行提供。 + +## Android 权限 + +[Android上的权限](https://developer.android.com/guide/topics/permissions/overview) ,让你控制哪些应用程序被允许访问。 谷歌定期在每个连续的版本中对权限系统进行 [改善](https://developer.android.com/about/versions/11/privacy/permissions)。 你安装的所有应用程序都是严格的 
[沙箱](https://source.android.com/security/app-sandbox),因此,没有必要安装任何杀毒软件。 使用最新版本的安卓系统的智能手机永远比使用付费杀毒软件的旧智能手机更安全。 最好不要为杀毒软件付费,省下钱来买一部新的智能手机,如谷歌Pixel。 + +如果你想运行一个你不确定的应用程序,考虑使用用户或工作档案。 + +## 媒体访问 + +相当多的应用程序允许你与他们 "共享 "一个文件进行媒体上传。 例如,如果你想在推特上发布一张图片,不要授予推特对你的 "媒体和照片 "的访问权,因为那时它就可以访问你所有的图片。 相反,去你的文件管理器(documentsUI),按住图片,然后与Twitter分享。 + +## 用户资料 + +多个用户配置文件可以在 **设置** → **系统** → **多个用户** ,是Android中最简单的隔离方式。 + +通过用户个人资料,你可以对一个特定的个人资料施加限制,如:打电话、使用短信或在设备上安装应用程序。 每个用户资料使用自己的加密密钥进行加密,不能访问任何其他人的个人资料。 即使是设备所有者,如果不知道他们的密码,也不能查看其他人的个人资料。 多个个人资料是一种更安全的隔离方法。 + +## 工作身份 + +[工作配置文件](https://support.google.com/work/android/answer/6191949) 是隔离单个应用程序的另一种方式,可能比单独的用户配置文件更方便。 + +在没有企业MDM的情况下,需要一个 **设备控制器** 应用程序,如 [Shelter](#recommended-apps) ,以创建一个工作档案,除非你使用的是包括一个自定义的Android操作系统。 + +该工作档案依赖于设备控制器来运作。 诸如 *文件穿梭* 和 *接触搜索封锁* 或任何种类的隔离功能必须由控制器实现。 你还必须完全信任设备控制器应用程序,因为它可以完全访问你在工作档案中的数据。 + +这种方法通常不如二级用户配置文件安全;但是,它确实允许你在工作和个人配置文件中同时运行应用程序的便利。 + +## VPN Killswitch + +Android 7及更高版本支持VPN killswitch ,无需安装第三方应用程序即可使用。 如果VPN断开连接,此功能可以防止泄漏。 可以在 :gear: **设置** → **网络 & 互联网** → **VPN** → :gear: → **阻止没有VPN的连接**。 + +## 全局切换 + +现代安卓设备有全局切换键,用于禁用蓝牙和定位服务。 安卓12引入了相机和麦克风的切换功能。 在不使用时,我们建议禁用这些功能。 在重新启用之前,应用程序不能使用被禁用的功能(即使被授予个别许可)。 + +## 谷歌 + +如果你使用的是带有谷歌服务的设备,无论是你的原生操作系统还是像GrapheneOS这样的安全沙盒式的操作系统,你可以做一些额外的改变来改善你的隐私。 我们仍然建议完全避免使用谷歌服务,或者通过将 *Shelter* 等设备控制器与GrapheneOS的沙盒化谷歌游戏结合起来,将谷歌游戏服务限制在特定的用户/工作档案中。 + +### 高级保护计划 + +如果你有一个谷歌账户,我们建议注册 [高级保护计划](https://landing.google.com/advancedprotection/)。 任何拥有两个或更多支持 [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) 的硬件安全密钥的人都可以免费使用。 + +高级保护计划提供增强的威胁监控,并支持: + +- 更严格的双因素认证;例如,必须使用 [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **,不允许使用 [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) 和 [OAuth](https://en.wikipedia.org/wiki/OAuth)。 +- 只有谷歌和经过验证的第三方应用程序可以访问账户数据 +- 在 Gmail 帐户上扫描收到的邮件以进行 
[钓鱼](https://en.wikipedia.org/wiki/Phishing#Email_phishing) 尝试 +- 更严格的 [安全的浏览器扫描](https://www.google.com/chrome/privacy/whitepaper.html#malware) 与谷歌浏览器 +- 对丢失凭证的账户有更严格的恢复程序 + + 如果你使用非沙盒式的Google Play服务(在股票操作系统上很常见),高级保护计划还带有 [额外的好处](https://support.google.com/accounts/answer/9764949?hl=en) ,例如。 + +- 不允许在Google Play商店、操作系统供应商的应用程序商店之外安装应用程序,或通过 [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- 强制性的自动设备扫描与 [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- 警告你有未经验证的应用程序 + +### Google Play 系统更新 + +在过去,安卓系统的安全更新必须由操作系统供应商来提供。 从安卓10开始,安卓变得更加模块化,谷歌可以通过特权游戏服务推送安全更新, **一些** 系统组件。 + +如果你有一个以安卓10或以上系统出厂的EOL设备,并且无法在你的设备上运行我们推荐的任何操作系统,你很可能最好坚持使用你的OEM安卓安装(而不是这里没有列出的操作系统,如LineageOS或/e/ OS)。 这将允许你从谷歌获得 **,一些** 安全修复,同时不会因为使用不安全的安卓衍生产品而违反安卓安全模式,增加你的攻击面。 我们仍然建议尽快升级到支持的设备。 + +### 广告 ID + +所有安装了Google Play服务的设备都会自动生成一个 [广告ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) ,用于定向广告。 禁用此功能以限制收集到的关于你的数据。 + +在带有 [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play)的安卓发行上,进入 :gear: **设置** → **应用程序** → **Sandboxed Google Play** → **谷歌设置** → **广告**,并选择 *删除广告 ID*。 + +在拥有特权的谷歌游戏服务的安卓发行版上(如股票操作系统),该设置可能在几个位置之一。 查看 + +- :gear: **设置** → **谷歌** → **广告** +- :gear: **设置** → **隐私** → **广告** + +你可以选择删除你的广告ID,或者 *,选择退出基于兴趣的广告*,这在安卓的OEM发行中是不同的。 如果呈现出删除广告ID的选项,那是首选。 如果没有,那么请确保选择退出并重新设置你的广告ID。 + +### SafetyNet和Play Integrity API + +[安全网](https://developer.android.com/training/safetynet/attestation) 和 [Play Integrity APIs](https://developer.android.com/google/play/integrity) ,一般用于 [银行应用程序](https://grapheneos.org/usage#banking-apps)。 许多银行应用程序在GrapheneOS中使用沙盒游戏服务可以正常工作,但是一些非金融应用程序有自己的粗略防篡改机制,可能会失败。 GrapheneOS通过了 `basicIntegrity` 检查,但没有通过认证检查 `ctsProfileMatch`。 安卓8或更高版本的设备有硬件认证支持,如果没有泄露的密钥或严重的漏洞,就无法绕过。 + +至于谷歌钱包,我们不推荐这样做,因为他们的 
[隐私政策](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en),其中规定如果你不希望你的信用等级和个人信息与联盟营销服务共享,你必须选择退出。 + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/os/linux-overview.md b/i18n/zh/os/linux-overview.md new file mode 100644 index 00000000..26329c14 --- /dev/null +++ b/i18n/zh/os/linux-overview.md 
@@ -0,0 +1,171 @@ +--- +title: Linux概述 +icon: simple/linux +--- + +人们通常认为, [开源](https://en.wikipedia.org/wiki/Open-source_software) 软件本身是安全的,因为源代码是可用的。 预期社区验证会定期进行;但这并不总是 [案例](https://seirdy.one/posts/2022/02/02/floss-security/)。 这确实取决于许多因素,如项目活动、开发人员经验、应用于 [代码审查的严格程度](https://en.wikipedia.org/wiki/Code_review),以及对 [代码库](https://en.wikipedia.org/wiki/Codebase) 的特定部分给予关注的频率,这些部分可能多年未被触及。 + +目前,桌面Linux与它们的专利同行相比,确实有一些可以更好地改进的地方,例如:。 + +- 一个经过验证的启动链,如苹果的 [安全启动](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (有 [安全飞地](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)),安卓的 [验证启动](https://source.android.com/security/verifiedboot),ChromeOS的 [验证启动](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot),或微软Windows的 [启动过程](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) ,有 [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm)。 这些功能和硬件技术都可以帮助防止恶意软件的持续篡改或 [邪恶女仆的攻击](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- 一个强大的沙箱解决方案,如在 [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md),和 [Android](https://source.android.com/security/app-sandbox)。 常用的Linux沙箱解决方案,如 [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) 和 [Firejail](https://firejail.wordpress.com/) ,仍然有很长的路要走。 +- 强大的 [漏洞缓解措施](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +尽管有这些缺点,但如果你想,桌面Linux发行版还是很不错的。 + +- 避免专有操作系统中经常出现的遥测现象 +- 保持 [软件自由](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- 有关注隐私的系统,如 [Whonix](https://www.whonix.org) 或 [Tails](https://tails.boum.org/) + +我们的网站通常使用术语 "Linux "来描述桌面Linux发行版。 其他也使用Linux内核的操作系统,如ChromeOS、Android和Qubes OS,这里不作讨论。 + 
+[我们的Linux推荐 :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## 选择您的发行版 + +并非所有的 Linux 发行版都是相同的。 虽然我们的Linux推荐页面并不是要成为你应该使用哪个发行版的权威来源,但在选择使用哪个发行版时,有几件事你应该记住。 + +### 发布周期 + +我们强烈建议你选择与稳定的上游软件版本接近的发行版,通常被称为滚动发行版。 这是因为冻结发布周期的发行版往往不更新软件包版本,并且在安全更新方面落后。 + +对于冻结的发行版,如 [Debian](https://www.debian.org/security/faq#handling),软件包维护者被要求回传补丁来修复漏洞,而不是将软件提升到上游开发者发布的 "下一个版本"。 有些安全补丁 + +,根本没有收到 [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (特别是不太流行的软件),因此在这种补丁模式下,不能进入发行版。 因此,小的安全修复有时会被推迟到下一个主要版本。

+ +我们不认为保留软件包和应用临时补丁是一个好主意,因为它偏离了开发者可能打算让软件工作的方式。 [理查德-布朗](https://rootco.de/aboutme/) ,有一个关于这个问题的介绍。 + +
+ +
+ +### 传统vs原子更新 + +传统上,Linux发行版的更新方式是依次更新所需的软件包。 如果在更新时发生错误,传统的更新,如基于Fedora、Arch Linux和Debian的发行版中使用的更新,可能不太可靠。 + +原子更新发行版完全或根本不应用更新。 通常情况下,事务性更新系统也是原子性的。 + +事务性更新系统创建了一个快照,在应用更新之前和之后进行。 如果更新在任何时候失败(也许是由于电源故障),更新可以很容易地回滚到 "最后已知良好状态"。 + +原子更新法用于Silverblue、Tumbleweed和NixOS等不可变的发行版,可以通过这种模式实现可靠性。 [Adam Šamalík](https://twitter.com/adsamalik) 提供了一个关于 `rpm-ostree` 如何与Silverblue一起工作的演讲。 + +
+ +
+ +### “以安全为重点”的分发 + +通常在“以安全为中心”的发行版和“渗透测试”发行版之间存在一些混淆。 快速搜索“最安全的Linux发行版”通常会得到像Kali Linux , Black Arch和Parrot OS这样的结果。 这些发行版是攻击性的渗透测试发行版,捆绑了测试其他系统的工具。 它们不包括任何 "额外的安全 "或用于常规使用的防御性缓解措施。 + + + +### 基于Arch的发行版 + +基于Arch的发行版不推荐给那些刚接触Linux的人,(无论哪个发行版),因为它们需要定期进行 [系统维护](https://wiki.archlinux.org/title/System_maintenance)。 Arch没有底层软件选择的分发更新机制。 因此,你必须保持对当前趋势的了解,并在技术取代旧有做法时自行采用。 + +对于一个安全的系统,你还应该有足够的Linux知识来为他们的系统正确设置安全,如采用 [强制性访问控制](https://en.wikipedia.org/wiki/Mandatory_access_control) 系统,设置 [内核模块](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) 黑名单,硬化启动参数,操作 [sysctl](https://en.wikipedia.org/wiki/Sysctl) 参数,并知道他们需要哪些组件,如 [Polkit](https://en.wikipedia.org/wiki/Polkit)。 + +任何使用 [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **的人必须** ,对他们从该服务中安装的PKGBUILD进行审计。 AUR软件包是社区制作的内容,没有经过任何审查,因此很容易受到软件供应链的攻击,事实上在过去已经发生了 [](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/)。 AUR总是应该少用,而且往往在各种网页上有很多不好的建议,指导人们盲目地使用 [AUR帮助器](https://wiki.archlinux.org/title/AUR_helpers) ,而没有足够的警告。 类似的警告也适用于在基于Debian的发行版上使用第三方个人软件包档案(PPAs)或在Fedora上使用社区项目(COPR)。 + +如果你对Linux有经验,并希望使用基于Arch的发行版,我们只推荐主线Arch Linux,而不是它的任何衍生品。 我们特别建议不要使用这两种Arch衍生品。 + +- **Manjaro**: 这个发行版将软件包保留2周,以确保他们自己的修改不会破坏,而不是确保上游的稳定。 当使用AUR软件包时,它们通常是根据Arch的软件库中最新的 [库构建的](https://en.wikipedia.org/wiki/Library_(computing))。 +- **Garuda**: 他们使用 [Chaotic-AUR](https://aur.chaotic.cx/) ,它自动地、盲目地从AUR编译软件包。 没有验证过程来确保AUR包不会受到供应链的攻击。 + + + +### Kicksecure + +虽然我们强烈建议不要使用像Debian这样的过时的发行版,但有一种基于Debian的操作系统已经被加固,比典型的Linux发行版要安全得多。 [Kicksecure](https://www.kicksecure.com/)。 Kicksecure,简单地说,是一组脚本、配置和软件包,可以大大减少 Debian 的攻击面。 它默认涵盖了大量的隐私和加固建议。 + + + +### Linux-libre内核和“Libre”发行版 + + 我们强烈建议 **,不要使用Linux-libre内核,因为它 [,删除了安全缓解措施](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) ,并且 [,出于意识形态的原因,抑制了内核对脆弱微码的警告](https://news.ycombinator.com/item?id=29674846)。

+ + + +## 一般建议 + + + +### 驱动器加密 + +大多数Linux发行版在其安装程序中都有一个选项用于启用 [LUKS](../encryption.md#linux-unified-key-setup) FDE。 如果在安装时没有设置这个选项,你将不得不备份你的数据并重新安装,因为加密是在 [磁盘分区](https://en.wikipedia.org/wiki/Disk_partitioning),但在 [文件系统](https://en.wikipedia.org/wiki/File_system) 被格式化之前应用。 我们还建议安全地删除你的存储设备。 + +- [安全数据清除 :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + + + +### Swap + +考虑使用 [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) 或 [加密的交换空间](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) ,而不是未加密的交换空间,以避免敏感数据被推送到 [交换空间](https://en.wikipedia.org/wiki/Memory_paging)的潜在安全问题。 基于Fedora的发行版 [,默认使用ZRAM](https://fedoraproject.org/wiki/Changes/SwapOnZRAM)。 + + + +### Wayland + +我们建议使用支持 [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) 显示协议的桌面环境,因为它的开发考虑到了安全 [](https://lwn.net/Articles/589147/)。 其前身 [X11](https://en.wikipedia.org/wiki/X_Window_System),不支持GUI隔离,允许所有窗口 [,记录屏幕、日志和注入其他窗口的输入](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html),使任何沙箱的尝试都是徒劳的。 虽然有一些选项可以做嵌套的X11,比如 [Xpra](https://en.wikipedia.org/wiki/Xpra) 或 [Xephyr](https://en.wikipedia.org/wiki/Xephyr),但它们往往会带来负面的性能后果,而且设置起来也不方便,比起Wayland来并不可取。 + +幸运的是,常见的环境,如 [GNOME](https://www.gnome.org), [KDE](https://kde.org),以及窗口管理器 [Sway](https://swaywm.org) 都支持 Wayland。 一些发行版如Fedora和Tumbleweed默认使用它,其他一些发行版可能在未来也会这样做,因为X11处于 [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly)。 如果你使用的是这些环境之一,就像在桌面显示管理器中选择 "Wayland "会话一样简单([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)) 。 + + 我们建议 **,反对使用没有Wayland支持的桌面环境或窗口管理器,如Cinnamon(Linux Mint的默认)、Pantheon(Elementary OS的默认)、MATE、Xfce和i3。

+ + + +### 专有固件(Microcode更新) + +Linux发行版,如那些 [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) 或DIY(Arch Linux),不附带专有的 [微码](https://en.wikipedia.org/wiki/Microcode) 更新,而这些更新通常会修补漏洞。 这些漏洞的一些明显例子包括: [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), 以及其他 [硬件漏洞](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html)。 + +我们 **,强烈建议** ,安装微码更新,因为你的CPU在出厂时已经在运行专有的微码。 Fedora和openSUSE都有默认应用的微码更新。 + + + +### 更新 + +大多数Linux发行版会自动安装更新或提醒你这样做。 重要的是保持你的操作系统是最新的,这样当发现漏洞时,你的软件就会打上补丁。 + +一些发行版(尤其是那些针对高级用户的发行版)更加简陋,希望你能自己做一些事情(例如Arch或Debian)。 这些将需要手动运行 "软件包管理器" (`apt`, `pacman`, `dnf`, 等等),以便接收重要的安全更新。 + +此外,一些发行版将不会自动下载固件更新。 为此,你将需要安装 [`fwupd`](https://wiki.archlinux.org/title/Fwupd)。 + + + +## 隐私调整 + + + +### MAC地址随机化 + +许多桌面Linux发行版(Fedora、openSUSE等)将自带 [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager),以配置以太网和Wi-Fi设置。 + +在使用NetworkManager时,可以随机化 [](https://fedoramagazine.org/randomize-mac-address-nm/) [MAC地址](https://en.wikipedia.org/wiki/MAC_address)。 这在Wi-Fi网络上提供了更多的隐私,因为它使你更难追踪你所连接的网络上的特定设备。 它并不是 [****](https://papers.mathyvanhoef.com/wisec2016.pdf) 让你匿名。 + +我们建议将设置改为 **随机** ,而不是 **稳定**,正如 [文章中建议的那样](https://fedoramagazine.org/randomize-mac-address-nm/)。 + +如果你使用 [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components),你需要设置 [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) ,这将启用 [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=)。 + +对以太网连接的MAC地址进行随机化的意义不大,因为系统管理员可以通过查看你在 
[网络交换机上使用的端口找到你](https://en.wikipedia.org/wiki/Network_switch)。 随机化Wi-Fi MAC地址取决于Wi-Fi固件的支持。 + + + +### 其他标识符 + +还有一些其他的系统标识符,你可能要小心对待。 你应该考虑一下,看看它是否适用于你的 [威胁模型](../basics/threat-modeling.md)。 + +- **主机名。** 你的系统的主机名是与你所连接的网络共享的。 你应该避免在你的主机名中包括像你的名字或操作系统这样的识别术语,而是坚持使用通用术语或随机字符串。 +- **用户名。** 同样地,你的用户名在你的系统中以各种方式使用。 考虑使用 "用户 "这样的通用术语,而不是你的真实姓名。 +- **机器ID:**:在安装过程中,会生成一个独特的机器ID并存储在你的设备上。 考虑 [,将其设置为一个通用的ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id)。 + + + +### 系统计数 + +Fedora 项目 [通过使用一个 [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) 变量而不是唯一的 ID 来计算](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) 有多少独特的系统访问它的镜像。 Fedora这样做是为了确定负载并在必要时为更新提供更好的服务器。 + +这个 [选项](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) ,目前默认是关闭的。 我们建议将 `countme=false` 添加到 `/etc/dnf/dnf.conf` ,以备将来启用它。 在使用 `rpm-ostree` 的系统上,如Silverblue,通过屏蔽 [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) 计时器来禁用 countme 选项。 + +openSUSE 还使用一个 [唯一的 ID](https://en.opensuse.org/openSUSE:Statistics) 来计算系统,可以通过删除 `/var/lib/zypp/AnonymousUniqueId` 文件来禁用它。 + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/os/qubes-overview.md b/i18n/zh/os/qubes-overview.md new file mode 100644 index 00000000..03efbb43 --- /dev/null +++ b/i18n/zh/os/qubes-overview.md 
@@ -0,0 +1,60 @@ +--- +title: "Qubes概述" +icon: simple/qubesos +--- + +[**Qubes OS**](../desktop.md#qubes-os) 是一个操作系统,它使用 [Xen](https://en.wikipedia.org/wiki/Xen) 管理程序,通过隔离的虚拟机为桌面计算提供强大的安全性。 每个虚拟机被称为 *Qube* ,你可以根据它的目的给每个Qube分配一个信任等级。 由于Qubes操作系统通过使用隔离来提供安全,并且只允许在每个案例的基础上进行操作,它与 [坏性枚举](https://www.ranum.com/security/computer_security/editorials/dumb/)。 + +## Qubes操作系统是如何工作的? + +Qubes使用 [分区](https://www.qubes-os.org/intro/) ,以保持系统的安全性。 Qubes是由模板创建的,默认的是Fedora、Debian和 [Whonix](../desktop.md#whonix)。 Qubes OS还允许你创建一次使用的 [一次性的](https://www.qubes-os.org/doc/how-to-use-disposables/) 虚拟机。 + +![Qubes架构](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes架构,信用:什么是Qubes操作系统介绍
+ +每个Qubes应用程序都有一个 [色的边框](https://www.qubes-os.org/screenshots/) ,可以帮助你跟踪它所运行的虚拟机。 例如,你可以为你的银行浏览器使用一种特定的颜色,而对一般的不信任的浏览器使用不同的颜色。 + +![彩色边框](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes窗口边框,图片来源: Qubes截图
+ +## 为什么我应该使用Qubes? + +如果你的 [威胁模型](../basics/threat-modeling.md) ,需要强大的分隔和安全,例如你认为你会从不信任的来源打开不信任的文件,那么Qubes OS就很有用。 使用Qubes OS的一个典型原因是打开来自未知来源的文件。 + +Qubes操作系统利用 [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM(即 "AdminVM")来控制主机操作系统上的其他客户虚拟机或Qubes。 其他虚拟机在Dom0的桌面环境中显示单个应用程序窗口。 它允许你根据信任程度对窗口进行颜色编码,并以非常细化的控制方式运行可以相互交互的应用程序。 + +### 复制和粘贴文本 + +你可以 [,使用 `qvm-copy-to-vm` 或下面的说明复制和粘贴文本](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/)。 + +1. 按 **Ctrl+C** ,告诉你所在的虚拟机,你想复制一些东西。 +2. 按 **Ctrl+Shift+C** ,告诉虚拟机将这个缓冲区提供给全局剪贴板。 +3. 在目标VM中按 **Ctrl+Shift+V** ,使全局剪贴板可用。 +4. 在目标虚拟机中按 **Ctrl+V** ,以粘贴缓冲区中的内容。 + +### 文件交换 + +要从一个虚拟机复制和粘贴文件和目录(文件夹)到另一个虚拟机,可以使用选项 **复制到其他AppVM...** 或 **移动到其他AppVM...**。 不同的是, **Move** 选项将删除原始文件。 无论哪种选择都会保护你的剪贴板不被泄露给任何其他Qubes。 这比空运的文件传输更安全,因为空运的计算机仍将被迫解析分区或文件系统。 这一点在跨区拷贝系统中是不需要的。 + +??? 信息 "AppVMs或qubes没有自己的文件系统" + + 你可以在Qubes之间[复制和移动文件](https://www.qubes-os.org/doc/how-to-copy-and-move-files/)。 当这样做的时候,改变并不是立即进行的,而且在发生事故的情况下可以很容易地撤消。 + +### 虚拟机之间的相互作用 + +[qrexec框架](https://www.qubes-os.org/doc/qrexec/) 是Qubes的一个核心部分,它允许虚拟机在域之间通信。 它建立在Xen库 *vchan*的基础上,通过策略,促进了 + +隔离。

+ + + +## 其它资源 + +关于其他信息,我们鼓励你查阅位于 [Qubes OS网站上的大量Qubes OS文档页面](https://www.qubes-os.org/doc/)。 离线拷贝可以从Qubes OS [文档库中下载](https://github.com/QubesOS/qubes-doc)。 + +- 开放技术基金。 [*可以说是世界上最安全的操作系统*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. 鲁特科夫斯卡。 [*软件区隔与物理分离*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. 鲁特科夫斯卡。 [*将我的数字生活划分为安全领域*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*相关文章*](https://www.qubes-os.org/news/categories/#articles) + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/passwords.md b/i18n/zh/passwords.md new file mode 100644 index 00000000..366d033d --- /dev/null +++ b/i18n/zh/passwords.md 
@@ -0,0 +1,230 @@ +--- +title: "生产力工具" +icon: material/form-textbox-password +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. 
If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. 
+ + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. 
There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! 
recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). 
+ + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/productivity.md b/i18n/zh/productivity.md new file mode 100644 index 00000000..8c996d90 --- /dev/null +++ b/i18n/zh/productivity.md 
@@ -0,0 +1,156 @@ +--- +title: "实时通讯" +icon: material/file-sign +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! 危险 + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! 
recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- 开源 +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. 
+- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! 
recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. 
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- 它必须是开源软件。 +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/real-time-communication.md b/i18n/zh/real-time-communication.md new file mode 100644 index 00000000..6e6fb77c --- /dev/null +++ b/i18n/zh/real-time-communication.md 
@@ -0,0 +1,195 @@ +--- +title: "实时通讯" +icon: material/chat-processing +--- + +这些是我们对加密实时通讯的建议。 + +[通信网络的类型 :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## 可加密的聊天软件 + +以下这些聊天软件能够非常好地保护你的敏感聊天信息。 + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** 是Signal Messenger LLC所研发的一款手机应用。 这款应用提供即时通讯,语音通话以及视频通话。 + + 所有的聊天窗口都有端到端加密(E2EE) 联系人列表使用你的Signal PIN码来保护,且服务器无法访问。 个人资料也经过加密,并只与你联系过的人共享。 + + [:octicons-home-16: 主页](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? 下载地址 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal 支持 [私密群组](https://signal.org/blog/signal-private-group-system/). 服务器没有你的群组成员资格,名称,头像以及其他属性的记录。 只有当 [加密发送(Sealed Sender)](https://signal.org/blog/sealed-sender/)启用时,Signal才会保存最少的元数据。 发信人地址与消息正文一起被加密,只有收信人的地址对服务器可见。 加密发送仅对你联系人列表中的人启用,你也可以对所有收件人启用,但是这么做会增加你收到垃圾邮件的风险。 Signal需要你的电话号码作为个人识别码。 + +Signal协议在2016年被独立[审计](https://eprint.iacr.org/2016/1013.pdf) 。 该协议的规范可以在他们的[文档](https://signal.org/docs/)查看。 + +我们有一些额外的配置并加固你的Signal安装的建议: + +[Signal 配置与加固 :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! 
recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat 是一个去中心化的即时通讯软件,并且不依赖任何的个人识别码(电话号码,用户名等)。 SimpleX Chat的用户可以扫描二维码或着点击邀请链接参与到群组聊天。 + + [:octicons-home-16: 主页](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? 下载地址 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +目前SimpleX Chat只有安卓和iOS版本。 Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. 
+ + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! 推荐 + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. 
Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. 
+ +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? 
downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. 
If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/router.md b/i18n/zh/router.md new file mode 100644 index 00000000..dd8dac1d --- /dev/null +++ b/i18n/zh/router.md 
@@ -0,0 +1,51 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +--- + +Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. 
+ + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute } + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- 必须支持各种各样的硬件。 + +--8<-- "includes/abbreviations.zh.txt" 
diff --git a/i18n/zh/search-engines.md b/i18n/zh/search-engines.md new file mode 100644 index 00000000..f53a0bfc --- /dev/null +++ b/i18n/zh/search-engines.md 
@@ -0,0 +1,109 @@ +--- +title: "Search Engines" +icon: material/search-web +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! 
recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! 
recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. 
The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! 推荐 + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. 
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/tools.md b/i18n/zh/tools.md new file mode 100644 index 00000000..d9f45781 --- /dev/null +++ b/i18n/zh/tools.md 
@@ -0,0 +1,445 @@ +--- +title: "隐私工具" +icon: 资料/工具 +hide: + - toc +--- + +如果你正在寻找某项具体解决方案,这里是一些我们推荐的各种类别的软硬件工具。 我们推荐的隐私工具主要依据它们的安全功能来选择,另外还强调了去中心化和开源。 They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +关于每个项目的更多相关细节, 为什么选择它们以及我们提议的一些额外的使用提示或技巧,请点击每个部分的 "了解详情" 链接, 或者也可以点击推荐项本身来转到具体的页面部分。 + +## 桌面端浏览器 + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](desktop-browsers.md#tor-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +1. Snowflake 不能够增进你的隐私,但它能够让你轻松地为Tor网络做出贡献,并帮助那些受网络审查的人获得更好的隐私。 + +[了解更多 :hero-arrow-circle-right-fill:](tor.md) + +## 移动端浏览器 + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](desktop-browsers.md#snowflake) (1) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](desktop-browsers.md) + +### 其它资源 + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser (Android)](mobile-browsers.md#tor-browser) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](desktop-browsers.md#additional-resources) + +## 操作系统 + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](mobile-browsers.md) + +### 其它资源 + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](mobile-browsers.md#adguard) + +## 服务供应商 + +### Android + +
+ +- ![Neo Store logo](assets/img/android/neo-store.png){ .twemoji } [Neo Store (F-Droid Client)](android.md#neo-store) +- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](android.md) + +#### DNS 供应商 + +
+ +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](linux-desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](linux-desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](linux-desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](linux-desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](linux-desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](linux-desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](linux-desktop.md#tails) +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](qubes.md) (1) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](android.md#general-apps) + +### Android 应用 + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](desktop.md) + +### Router Firmware + +
+ +- ![Cryptee logo](assets/img/cloud/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/cloud/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](cloud.md#cryptee) +- ![Nextcloud logo](assets/img/cloud/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](cloud.md#nextcloud) +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](router.md) + +## 软件 + +### 路由器固件 + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](cloud.md) + +### 云存储 + +#### 加密DNS代理 + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[了解更多 :hero-arrow-circle-right-fill:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](dns.md#self-hosted-solutions) + +### DNS + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](email.md) + +#### Email Aliasing Services + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](email.md#self-hosting-email) + +### Search Engines + +
+ +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](search-engines.md) + +### 搜索引擎 + +??? 危险 "VPNs 不提供匿名性" + + 使用VPN **不** 会隐藏你的浏览习惯, 它也不会为不安全(HTTP) 流量额外增加安全性。 + + 如果你在寻求**匿名**, 你应该使用Tor 浏览器 **而不是** VPN。 + + 如果你在寻求增进**安全**, 你应该始终确保在使用 HTTPS连接到网站。 VPN不是良好安全实践的替代品。 + + [了解更多:hero-arrow-circle-right-fill:](vpn.md) + +
+ +- ![Tutanota logo](assets/img/calendar-contacts/tutanota.svg){ .twemoji } [Tutanota](calendar-contacts.md#tutanota) +- ![EteSync logo](assets/img/calendar-contacts/etesync.svg){ .twemoji } [EteSync](calendar-contacts.md#etesync) +- ![Proton Calendar logo](assets/img/calendar-contacts/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar-contacts.md#proton-calendar) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](vpn.md) + +## Software + +### VPN供应商 + +
+ +- ![EteSync Notes logo](assets/img/notebooks/etesync-notes.png){ .twemoji } [EteSync Notes](notebooks.md#etesync-notes) +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](calendar.md) + +### 日历/联系人同步 + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](data-redaction.md) + +### 笔记 + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](email-clients.md) + +### 加密软件 + +??? info "Operating System Disk Encryption" + + 对于加密你的系统盘,我们通常建议使用你的操作系统提供的任何加密工具,无论是Windows上的**BitLocker**,MacOS上的**FileVault**,还是Linux上的**LUKS**。 这些工具包含在操作系统中,通常使用硬件加密组件,如TPM,而其它的全盘加密软件如VeraCrypt则没有。 VeraCrypt仍然适用于加密非系统盘,如外部驱动器,特别是那些可能会从多个操作系统来访问的驱动器。 + + [了解更多:hero-arrow-circle-right-fill:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](encryption.md#openpgp) + +### 加密软件 + +
+ +- ![ExifCleaner logo](assets/img/data-redaction/exifcleaner.svg){ .twemoji } [ExifCleaner](data-redaction.md#exifcleaner) +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](file-sharing.md) + +### 文件共享 + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](frontends.md) + +### 数据和元数据处理 + +
+ +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](multi-factor-authentication.md) + +### 多因素认证工具 + +
+ +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](news-aggregators.md) + +### Notebooks + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar (Android)](real-time-communication.md#briar-android) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](notebooks.md) + +### 生产力工具 + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](passwords.md) + +### 实时通讯 + +
+ +- ![Freenet logo](./assets/img/self-contained-networks/freenet.svg){ .twemoji } [Freenet](self-contained-networks.md#freenet) +- ![I2P logo](./assets/img/self-contained-networks/i2p.svg#only-light){ .twemoji } ![I2P logo](./assets/img/self-contained-networks/i2p-dark.svg#only-dark){ .twemoji } [I2P](self-contained-networks.md#invisible-internet-project) +- ![Tor logo](./assets/img/self-contained-networks/tor.svg){ .twemoji } [Tor](self-contained-networks.md#tor) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](self-contained-networks.md#orbot) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](productivity.md) + +### 实时通讯 + +
+ +- ![FreeTube logo](assets/img/video-streaming/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](video-streaming.md#freetube) +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) +- ![NewPipe logo](assets/img//video-streaming/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](video-streaming.md#newpipe) +- ![Invidious logo](assets/img/video-streaming/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/video-streaming/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](video-streaming.md#invidious) +- ![Librarian logo](assets/img/video-streaming/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/video-streaming/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](video-streaming.md#librarian) +- ![Piped logo](assets/img/video-streaming/piped.svg){ .twemoji } [Piped (YouTube, Web)](video-streaming.md#piped) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](real-time-communication.md) + +### 自足网络 + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](video-streaming.md) + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/tor.md b/i18n/zh/tor.md new file mode 100644 index 00000000..efd4b7bc --- /dev/null +++ b/i18n/zh/tor.md @@ -0,0 +1,124 @@ +--- +title: "桌面端浏览器" +icon: simple/torproject +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +
+ ![Tor path](assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path](assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway - Nodes in the path can only see the servers they are directly connected to, for example the "Entry" node shown can see your IP address, and the address of the "Middle" node, but has no way to see which website you are visiting.
+
+ +- [More information about how Tor works :material-arrow-right-drop-circle:](advanced/tor-overview.md) + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! 
危险 + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to. + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. 
It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? 
downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/video-streaming.md b/i18n/zh/video-streaming.md new file mode 100644 index 00000000..3337066b --- /dev/null +++ b/i18n/zh/video-streaming.md 
@@ -0,0 +1,56 @@ +--- +title: "视频串流" +icon: 资料/视频-无线 +--- + +使用视频流媒体平台时的主要威胁是,你的流媒体习惯和订阅名单可能被用来对你进行分析。 你应该将这些工具与 [VPN](vpn.md) 或 [Tor](https://www.torproject.org/) 结合起来,以使你的使用情况更难被分析。 + +## 客户端 + +!!! recommendation + + ![FreeTube logo](assets/img/video-streaming/freetube.svg){ align=right } + + **FreeTube** 是一个自由且开源的 [YouTube](https://youtube.com)桌面应用程序。 当你使用FreeTube时,订阅列表和播放列表都会被保存在设备本地。 默认情况下,FreeTube阻止所有YouTube广告。 + + 此外,FreeTube还可以与 [SponsorBlock](https://sponsor.ajay.app)集成,以帮助你跳过推广的视频片段。 + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? 下载 + + - [:fontawesome-brands-windows: Windows](https://freetubeapp.io/#download) + - [:fontawesome-brands-apple: macOS](https://freetubeapp.io/#download) + - [:fontawesome-brands-linux: Linux](https://freetubeapp.io/#download) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! 推荐 + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** 是一个分布式视频分享网络。 它使用一个类似 [BitTorrent](https://wikipedia.org/wiki/BitTorrent)的网络来存储视频内容,并使用一个 [blockchain](https://wikipedia.org/wiki/Blockchain)来存储这些视频的索引。 + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. 
备注 + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. + +--8<-- "includes/abbreviations.zh.txt" diff --git a/i18n/zh/vpn.md b/i18n/zh/vpn.md new file mode 100644 index 00000000..51a76d58 --- /dev/null +++ b/i18n/zh/vpn.md 
@@ -0,0 +1,306 @@ +--- +title: "VPN服务" +icon: 资料/vpn +--- + +选择无日志的 VPN 供应商,他们不会出卖或读取你的网络流量。 + +??? 危险 "VPNs 不提供匿名性" + + 使用VPN **不** 会隐藏你的浏览习惯, 它也不会为不安全(HTTP) 流量额外增加安全性。 + + 如果你在寻求**匿名**, 你应该使用Tor 浏览器 **而不是** VPN。 + + 如果你在寻求增进**安全**, 你应该始终确保在使用 HTTPS连接到网站。 VPN不是良好安全实践的替代品。 + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](basics/tor-overview.md){ .md-button } + +??? 问题 "VPN何时有用?" + + 如果你只是想要从ISP那里、或者在使用公共Wi-Fi网络和给文件做种时提高一些**隐私**,那么只要在了解相关风险的前提下,VPN可能是个解决方案。 + + [More Info](basics/vpn-overview.md){ .md-button } + +## 推荐的供应商 + +!!! 摘要"准则" + + 我们推荐的供应商使用加密,接受Monero支付 ,支持WireGuard & OpenVPN ,并且有无日志策略。 请阅读我们的 [full list of criteria](#our-criteria) 了解更多信息。 + +### Proton VPN + +!!! 推荐备注 + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN**是VPN领域的强有力竞争者,他们自2016年以来一直保持运营。 Proton AG总部位于瑞士,提供有限制的免费使用等级,以及更具特色的高级选项。 + + **免费** — **Plus 套餐 USD $71.88/年** (1) + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +??? 
检查注释 "64个国家" + + Proton VPN有[64个国家的服务器](https://protonvpn.com/vpn-servers) (1)。 挑一个拥有离你最近的服务器的VPN供应商将减少你的网络流量的发送延迟。 这是因为到达目的地的路由较短(跳数较少)。 + + 我们还认为,如果VPN供应商使用[专用服务器](https://en.wikipedia.org/wiki/Dedicated_hosting_service),而不是使用[虚拟专用服务器](https://en.wikipedia.org/wiki/Virtual_private_server)等更便宜的(与其他客户)共享的解决方案,能提高VPN供应商私人密钥的安全性。 + +1. 如果订阅2年(119.76美元),还可享受10%的折扣。 + +??? 检查"独立审计" + + 截至2020年1月,Proton VPN已经接受了SEC咨询公司的独立审计。 SEC Consult在Proton VPN的Windows、Android和iOS应用程序中发现了一些中度和低度风险的漏洞,在报告发布前,Proton VPN都已经 "妥善修复"。 所发现的问题中没有任何一个能让攻击者远程访问你的设备或流量。 你可以在 [protonvpn.com](https://protonvpn.com/blog/open-source/)查看每个平台的单独报告。 2022年4月,Proton VPN接受了[另一次审计](https://protonvpn.com/blog/no-logs-audit/),报告是[由Securitum制作](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf)。 A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +??? 检查“开源客户端” + + Proton VPN在其[GitHub组织](https://github.com/ProtonVPN)中提供其桌面和移动客户端的源代码。 + +??? 检查"接受现金" + + Proton VPN除了接受信用卡/借记卡和PayPal之外,还接受比特币和**现金/当地货币**作为匿名支付方式。 + +??? 检查 "WireGuard支持"。 + + Proton VPN主要支持WireGuard®协议。 [WireGuard](https://www.wireguard.com)是一个较新的协议,使用最先进的 [cryptography](https://www.wireguard.com/protocol/)。 此外, WireGuard旨在更简单、更高效。 + + Proton VPN [recommends](https://protonvpn.com/blog/wireguard/)在其服务中使用WireGuard。 在Proton VPN的Windows、macOS、iOS、Android、ChromeOS和Android TV应用程序中,WireGuard是默认协议;但是,在他们的Linux应用程序中,该协议还没有得到 [support](https://protonvpn.com/support/how-to-change-vpn-protocols/)。 + +??? 警告 "远程端口转发" + + Proton VPN目前只支持Windows上的远程[端口转发](https://protonvpn.com/support/port-forwarding/),这可能会影响一些应用程序。 特别是点对点的应用,如Torrent客户端。 + +??? 
success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +??? info "Additional Functionality" + + Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +!!! danger "Killswitch feature is broken on Intel-based Macs" + + System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +### IVPN + +!!! recommendation + + ![IVPN标志](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN**是另一个高级VPN供应商,他们自2009年以来一直在运营。 挑一个拥有离你最近的服务器的VPN供应商将减少你的网络流量的发送延迟。 + + 这是因为到达目的地的路由较短(跳数较少)。 我们还认为,如果VPN供应商使用[专用服务器](https://en.wikipedia.org/wiki/Dedicated_hosting_service),而不是使用[虚拟专用服务器](https://en.wikipedia.org/wiki/Virtual_private_server)等更便宜的(与其他客户)共享的解决方案,能提高VPN供应商私人密钥的安全性。 + +??? 检查"独立审计" + + IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations) (1). 挑一个拥有离你最近的服务器的VPN供应商将减少你的网络流量的发送延迟。 这是因为到达目的地的路由较短(跳数较少)。 + + 我们还认为,如果VPN供应商使用[专用服务器](https://en.wikipedia.org/wiki/Dedicated_hosting_service),而不是使用[虚拟专用服务器](https://en.wikipedia.org/wiki/Virtual_private_server)等更便宜的(与其他客户)共享的解决方案,能提高VPN供应商私人密钥的安全性。 + +1. 
如果订阅2年(119.76美元),还可享受10%的折扣。 + +??? 检查"独立审计" + + IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +??? 检查“开源客户端” + + As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +??? 检查 "WireGuard支持"。 + + In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +??? 检查 "WireGuard支持"。 + + IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com)是一个较新的协议,使用最先进的 [cryptography](https://www.wireguard.com/protocol/)。 此外, WireGuard旨在更简单、更高效。 + + IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. 
Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +??? success "Mobile Clients" + + In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +??? info "Additional Functionality" + + IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. 挑一个拥有离你最近的服务器的VPN供应商将减少你的网络流量的发送延迟。 这是因为到达目的地的路由较短(跳数较少)。 + + 我们还认为,如果VPN供应商使用[专用服务器](https://en.wikipedia.org/wiki/Dedicated_hosting_service),而不是使用[虚拟专用服务器](https://en.wikipedia.org/wiki/Virtual_private_server)等更便宜的(与其他客户)共享的解决方案,能提高VPN供应商私人密钥的安全性。 downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +??? 检查"独立审计" + + Mullvad has [servers in 41 countries](https://mullvad.net/servers/) (1). 
挑一个拥有离你最近的服务器的VPN供应商将减少你的网络流量的发送延迟。 这是因为到达目的地的路由较短(跳数较少)。 + + 我们还认为,如果VPN供应商使用[专用服务器](https://en.wikipedia.org/wiki/Dedicated_hosting_service),而不是使用[虚拟专用服务器](https://en.wikipedia.org/wiki/Virtual_private_server)等更便宜的(与其他客户)共享的解决方案,能提高VPN供应商私人密钥的安全性。 + +1. 如果订阅2年(119.76美元),还可享受10%的折扣。 + +??? 检查"独立审计" + + Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + + > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + + In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + + > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + + In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. 
Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +??? 检查“开源客户端” + + Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +??? 检查 "WireGuard支持"。 + + Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. [WireGuard](https://www.wireguard.com)是一个较新的协议,使用最先进的 [cryptography](https://www.wireguard.com/protocol/)。 + +??? 检查 "WireGuard支持"。 + + Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com)是一个较新的协议,使用最先进的 [cryptography](https://www.wireguard.com/protocol/)。 此外, WireGuard旨在更简单、更高效。 + + Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +??? success "IPv6 Support" + + Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +??? success "Remote Port Forwarding" + + Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. 
This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +??? success "Mobile Clients" + + Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +??? info "Additional Functionality" + + Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +## Criteria + +!!! 
危险 + + 值得注意的是,使用VPN供应商不会使你成为匿名者,但在某些情况下会给你更好的隐私。 VPN不是非法活动的工具。 不要依赖 "无日志 "政策。 + +**请注意,我们与我们推荐的任何供应商都没有关系。 这使我们能够提供完全客观的建议。** 除了 [我们的标准标准](about/criteria.md),我们还为任何希望被推荐的VPN供应商制定了一套明确的要求,包括强大的加密、独立的安全审计、现代技术等。 我们建议你在选择VPN供应商之前熟悉这份清单,并进行自己的研究,以确保你选择的VPN供应商尽可能值得信赖。 + +### 技术 + +我们要求所有我们推荐的VPN供应商提供OpenVPN配置文件,以便在任何客户端使用。 **如果** 一个VPN提供他们自己的定制客户端,我们需要一个killswitch来阻止断开连接时的网络数据泄露。 + +**符合条件的最低要求。** + +- 支持强大的协议,如WireGuard & OpenVPN。 +- 客户端内置的杀毒软件。 +- 多跳支持。 多重跳转对于在单个节点受损的情况下保持数据的私密性非常重要。 +- 如果提供VPN客户端,它们应该是 [开源的](https://en.wikipedia.org/wiki/Open_source),就像它们一般内置的VPN软件。 我们相信, [源代码](https://en.wikipedia.org/wiki/Source_code) 的可用性提供了更大的透明度,了解你的设备实际上在做什么。 + +**Best Case:** + +- 支持WireGuard和OpenVPN。 +- 具有高度可配置的选项(在某些网络上启用/禁用,在启动时,等等)的杀戮开关。 +- 易于使用的VPN客户端 +- 支持 [IPv6](https://en.wikipedia.org/wiki/IPv6)。 我们希望服务器将允许通过IPv6的传入连接,并允许你访问IPv6地址上托管的服务。 +- [远程端口转发的能力](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) 在使用P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) 文件共享软件或托管服务器(如Mumble)时,有助于创建连接。 + +### 隐私 + +We prefer our recommended providers to collect as little data as possible. 不在注册时收集个人信息,并接受匿名的支付方式,这是必须的。 + +**符合条件的最低要求。** + +- Monero或现金支付选项。 +- 注册时不需要提供个人信息。最多只有用户名、密码和电子邮件。 + +**Best Case:** + +- 接受Monero、现金和其他形式的匿名支付方式(礼品卡等)。 +- 不接受个人信息(自动生成的用户名,不需要电子邮件,等等。) + +### 安全性 + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**符合条件的最低要求。** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. 
+ +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**符合条件的最低要求。** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**符合条件的最低要求。** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. 
For example, that person might simply be on another VPN provider's service or using Tor.
+
+**Best Case:**
+
+Responsible marketing that is both educational and useful to the consumer could include:
+
+- An accurate comparison to when [Tor](tor.md) should be used instead.
+- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion)
+
+### Additional Functionality
+
+While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc.
+
+--8<-- "includes/abbreviations.zh.txt"
diff --git a/includes/abbreviations.ar.txt b/includes/abbreviations.ar.txt
new file mode 100644
index 00000000..48a0974d
--- /dev/null
+++ b/includes/abbreviations.ar.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Advanced Technology Attachment
+*[attack surface]: The total number of possible entry points for unauthorized access to a system
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Multi-Factor Authentication
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.bn.txt b/includes/abbreviations.bn.txt
new file mode 100644
index 00000000..48a0974d
--- /dev/null
+++ b/includes/abbreviations.bn.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Advanced Technology Attachment
+*[attack surface]: The total number of possible entry points for unauthorized access to a system
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Multi-Factor Authentication
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.de.txt b/includes/abbreviations.de.txt
new file mode 100644
index 00000000..48a0974d
--- /dev/null
+++ b/includes/abbreviations.de.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Advanced Technology Attachment
+*[attack surface]: The total number of possible entry points for unauthorized access to a system
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Multi-Factor Authentication
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.el.txt b/includes/abbreviations.el.txt
new file mode 100644
index 00000000..48a0974d
--- /dev/null
+++ b/includes/abbreviations.el.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Advanced Technology Attachment
+*[attack surface]: The total number of possible entry points for unauthorized access to a system
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Multi-Factor Authentication
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.eo.txt b/includes/abbreviations.eo.txt
new file mode 100644
index 00000000..48a0974d
--- /dev/null
+++ b/includes/abbreviations.eo.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Advanced Technology Attachment
+*[attack surface]: The total number of possible entry points for unauthorized access to a system
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Multi-Factor Authentication
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.es.txt b/includes/abbreviations.es.txt
new file mode 100644
index 00000000..14af6aed
--- /dev/null
+++ b/includes/abbreviations.es.txt
@@ -0,0 +1,95 @@
+*[2FA]: Autenticación de doble factor
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Adjunto de Tecnología Avanzada
+*[attack surface]: La cantidad total de posibles puntos de entrada para el acceso no autorizado a un sistema
+*[AVB]: Inicio Verificado de Android
+*[cgroups]: Grupos de Control
+*[CLI]: Interfaz de Línea de Comandos
+*[CSV]: Valores separados por coma
+*[CVE]: Vulnerabilidades y Exposiciones Comunes
+*[Legado Digital]: El Legado Digital se refiere a las características que le permiten a otras personas el acceso a tu información cuando falleces
+*[DNSSEC]: Extensiones de Seguridad del Sistema de Nombres de Dominio
+*[DNS]: Sistema de Nombre de Dominio
+*[DoH]: DNS sobre HTTPS
+*[DoQ]: DNS sobre QUIC
+*[DoH3]: DNS sobre HTTP/3
+*[DoT]: DNS sobre TLS
+*[E2EE]: Cifrado/Encriptación de Extremo a Extremo
+*[ECS]: Subred de Cliente EDNS
+*[EEA]: Espacio Económico Europeo
+*[entropy]: Una medición de qué tan impredecible puede ser algo
+*[EOL]: Fin de vida
+*[Exif]: Formato de imagen de archivo intercambiable
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Autenticación de múltiples factores
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence 
Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.fa.txt b/includes/abbreviations.fa.txt
new file mode 100644
index 00000000..48a0974d
--- /dev/null
+++ b/includes/abbreviations.fa.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Advanced Technology Attachment
+*[attack surface]: The total number of possible entry points for unauthorized access to a system
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Multi-Factor Authentication
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.fr.txt b/includes/abbreviations.fr.txt new file mode 100644 index 00000000..d4484d99 --- /dev/null +++ b/includes/abbreviations.fr.txt 
@@ -0,0 +1,95 @@
+*[2FA]: Authentification à deux facteurs
+*[ADB]: Pont de débogage Android
+*[AOSP]: Projet Android Open Source
+*[ATA]: Attachement de technologie avancée
+*[surface d'attaque]: Le nombre total de points d'entrée possibles pour un accès non autorisé à un système
+*[AVB]: Démarrage Vérifié d'Android
+*[cgroups]: Groupes de contrôle
+*[CLI]: Interface de ligne de commande
+*[CSV]: Valeurs séparées par des virgules
+*[CVE]: Vulnérabilités et expositions courantes
+*[Héritage numérique]: L'héritage numérique désigne les fonctions qui vous permettent de donner à d'autres personnes l'accès à vos données à votre décès
+*[DNSSEC]: Extensions de sécurité du système de nom de domaine
+*[DNS]: Système de nom de domaine
+*[DoH]: DNS sur HTTPS
+*[DoQ]: DNS sur QUIC
+*[DoH3]: DNS sur HTTP/3
+*[DoT]: DNS sur TLS
+*[E2EE]: Chiffrement de bout en bout/Chiffré
+*[ECS]: Sous-réseau du client EDNS
+*[EEA]: Espace économique européen
+*[entropy]: Une mesure du degré d'imprévisibilité d'une chose
+*[EOL]: Fin de vie
+*[Exif]: Format de fichier image échangeable
+*[FCM]: Messagerie Cloud Firebase
+*[FDE]: Chiffrement complet du disque
+*[FIDO]: Identité rapide en ligne
+*[fork]: Un nouveau projet de logiciel créé en copiant un projet existant et en le complétant de manière indépendante
+*[RGPD]: Règlement Général sur la Protection des Données
+*[GPG]: GNU Privacy Guard (implémentation de PGP)
+*[GPS]: Système de positionnement global
+*[GUI]: Interface utilisateur graphique
+*[GnuPG]: GNU Privacy Guard (implémentation de PGP)
+*[HDD]: Disque dur
+*[HOTP]: HMAC (code d'authentification de message basé sur le hachage) basé sur un mot de passe à usage unique
+*[HTTPS]: Protocole de transfert hypertexte sécurisé
+*[HTTP]: Protocole de transfert hypertexte
+*[superviseur]: Logiciel, micrologiciel ou matériel informatique qui répartit les ressources d'une unité centrale entre plusieurs systèmes d'exploitation
+*[ICCID]: Identificateur de carte à circuit intégré
+*[IMAP]: Protocole d'accès aux messages internet
+*[IMEI]: Identité internationale des équipements mobiles
+*[IMSI]: Identité internationale de l'abonné mobile
+*[IP]: Protocole internet
+*[IPv4]: Protocole internet version 4
+*[IPv6]: Protocole internet version 6
+*[FAI]: Fournisseur d'accès internet
+*[FAIs]: Fournisseurs d'accès internet
+*[JNI]: Interface native Java
+*[LUKS]: Configuration de la clé unifiée Linux (chiffrement complet du disque)
+*[MAC]: Contrôle d'accès aux médias
+*[MDAG]: Protection des applications Microsoft Defender
+*[MEID]: Identificateur d'équipement mobile
+*[MFA]: Authentification multi-facteurs
+*[NVMe]: Mémoire express non volatile
+*[NTP]: Protocole de temps réseau
+*[OCI]: Open Container Initiative
+*[OCSP]: Protocole d'état des certificats en ligne
+*[OEM]: Fabricant d'équipement d'origine
+*[OEMs]: Fabricants d'équipement d'origine
+*[OS]: Système d'exploitation
+*[OTP]: Mot de passe à usage unique
+*[OTPs]: Mots de passe à usage unique
+*[OpenPGP]: Implémentation open-source de Pretty Good Privacy (PGP)
+*[P2P]: Pair à pair
+*[PAM]: Modules d'authentification enfichables de Linux
+*[POP3]: Protocole de bureau de poste 3
+*[PGP]: Pretty Good Privacy (voir OpenPGP)
+*[DCP]: Donnée à charactère personnel
+*[QNAME]: Nom qualifié
+*[publication continue]: Mises à jour qui sont publiées fréquemment plutôt qu'à intervalles réguliers
+*[RSS]: Syndication vraiment simple
+*[SELinux]: Sécurité renforcée de Linux
+*[SIM]: Module d'identité d'abonné
+*[SMS]: Service de messages courts (messagerie texte standard)
+*[SMTP]: Protocole de transfert de courrier simple
+*[SNI]: Indication du nom du serveur
+*[SSD]: Disque d'état solide
+*[SSH]: Shell sécurisé
+*[SUID]: Identifiant utilisateur du propriétaire défini
+*[SaaS]: Logiciel en tant que service (logiciel cloud)
+*[SoC]: Système sur puce
+*[SSO]: Authentification unique
+*[TCP]: Protocole de contrôle de transmission
+*[TEE]: Environnement d'exécution de confiance
+*[TLS]: Sécurité de la couche transport
+*[CGU]: Conditions générales d'utilisation
+*[TOTP]: Mot de passe à usage unique basé sur le temps
+*[TPM]: Module de plateforme de confiance
+*[U2F]: 2ème facteur universel
+*[UEFI]: Interface micrologicielle extensible unifiée
+*[UDP]: Protocole de datagramme utilisateur
+*[VPN]: Réseau privé virtuel
+*[VoIP]: Voix sur IP (protocole internet)
+*[W3C]: Consortium World Wide Web
+*[XMPP]: Protocole extensible de messagerie et de présence
+*[PWA]: Application web progressive
diff --git a/includes/abbreviations.he.txt b/includes/abbreviations.he.txt
new file mode 100644
index 00000000..45c53d2d
--- /dev/null
+++ b/includes/abbreviations.he.txt
@@ -0,0 +1,95 @@
+*[2FA]: אימות דו-שלבי
+*[ADB]: Android Debug Bridge
+*[AOSP]: פרויקט קוד פתוח של אנדרואיד
+*[ATA]: Advanced Technology Attachment
+*[attack surface]: The total number of possible entry points for unauthorized access to a system
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS דרך HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: סוף החיים
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: הצפנת דיסק מלאה
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: כונן קשיח
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: אימות מרובה גורמים
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: פרוטוקול זמן רשת
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: מערכת הפעלה
+*[OTP]: סיסמה חד - פעמית
+*[OTPs]: סיסמאות חד פעמיות
+*[OpenPGP]: הטמעת קוד פתוח של פרטיות טובה למדי (PGP)
+*[P2P]: עמית-לעמית
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: מעטפת מאובטחת
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: כניסה יחידה
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: תנאי השירות
+*[TOTP]: סיסמה חד פעמית מבוססת זמן
+*[TPM]: מודול פלטפורמה מהימנה
+*[U2F]: גורם שני אוניברסלי
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.hi.txt b/includes/abbreviations.hi.txt
new file mode 100644
index 00000000..48a0974d
--- /dev/null
+++ b/includes/abbreviations.hi.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Advanced Technology Attachment
+*[attack surface]: The total number of possible entry points for unauthorized access to a system
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Multi-Factor Authentication
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.hu.txt b/includes/abbreviations.hu.txt
new file mode 100644
index 00000000..fa8b206b
--- /dev/null
+++ b/includes/abbreviations.hu.txt
@@ -0,0 +1,95 @@
+*[2FA]: Kétlépcsős Azonosítás
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Nyílt Forráskódú Projekt
+*[ATA]: Advanced Technology Attachment
+*[támadási felület]: Egy rendszerbe való illetéktelen hozzáférés lehetséges belépési pontjainak száma
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[End to End]: Végponttól végpontig terjedő titkosítás
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Multi-Factor Authentication
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.id.txt b/includes/abbreviations.id.txt
new file mode 100644
index 00000000..48a0974d
--- /dev/null
+++ b/includes/abbreviations.id.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Advanced Technology Attachment
+*[attack surface]: The total number of possible entry points for unauthorized access to a system
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Multi-Factor Authentication
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.it.txt b/includes/abbreviations.it.txt
new file mode 100644
index 00000000..f7dc2b3c
--- /dev/null
+++ b/includes/abbreviations.it.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Advanced Technology Attachment
+*[attack surface]: The total number of possible entry points for unauthorized access to a system
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Autenticazione a più fattori
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.nl.txt b/includes/abbreviations.nl.txt
new file mode 100644
index 00000000..59a6d464
--- /dev/null
+++ b/includes/abbreviations.nl.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authenticatie
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android opensource project
+*[ATA]: Advanced Technology Attachment
+*[aanvalsoppervlakte]: Het totale aantal mogelijke ingangen voor onbevoegde toegang tot een systeem
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digitaal erfgoed]: Digital Legacy verwijst naar functies waarmee je andere mensen toegang kunt geven tot jouw gegevens wanneer je overlijdt
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: Een meting van hoe onvoorspelbaar iets is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: Een nieuw software project gemaakt door een bestaand project te kopiëren en er zelfstandig iets aan toe te voegen
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) gebaseerd eenmalig wachtwoord
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computersoftware, firmware of hardware die de resources van een CPU verdeelt over meerdere besturingssystemen
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Multifactor-authenticatie
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementatie van Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (zie OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates die regelmatig worden uitgebracht in plaats van met vaste tussenpozen
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standaard sms)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Eenmalige aanmelding
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.pl.txt b/includes/abbreviations.pl.txt
new file mode 100644
index 00000000..65573896
--- /dev/null
+++ b/includes/abbreviations.pl.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Advanced Technology Attachment
+*[attack surface]: The total number of possible entry points for unauthorized access to a system
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Uwierzytelnianie wieloskładnikowe
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.pt-BR.txt b/includes/abbreviations.pt-BR.txt
new file mode 100644
index 00000000..eaf87f12
--- /dev/null
+++ b/includes/abbreviations.pt-BR.txt
@@ -0,0 +1,95 @@
+*[2FA]: Autenticação de dois fatores
+*[ADB]: Android Debug Bridge
+*[AOSP]: Projeto Open Source Android
+*[ATA]: Advanced Technology Attachment
+*[superfície de ataque]: O número total de pontos de entrada possíveis para o acesso não autorizado a um sistema
+*[AVB]: Inicialização Verificada do Android
+*[cgroups]: Grupos de Controle
+*[CLI]: Interface de Linha de Comando
+*[CSV]: Valores Separados por Vírgulas
+*[CVE]: Vulnerabilidades e Exposições Comuns
+*[Legado Digital]: Legado Digital refere-se a recursos que permitem que você dê a outras pessoas acesso aos seus dados quando você morre
+*[DNSSEC]: Extensões de Segurança do Sistema de Nomes de Domínio
+*[DNS]: Sistema de Nomes de Domínio
+*[DoH]: DNS sobre HTTPS
+*[DoQ]: DNS sobre QUIC
+*[DoH3]: DNS sobre HTTP/3
+*[DoT]: DNS sobre TLS
+*[E2EE]: Criptografia/Criptografia ponto-a-ponto
+*[ECS]: Sub-rede de clientes EDNS
+*[EEA]: Espaço Econômico Europeu
+*[entropy]: Uma medida de quão imprevisível algo é
+*[EOL]: Fim da vida útil
+*[Exif]: Formato de arquivo de imagem intercambiável
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Criptografia total de disco
+*[FIDO]: Fast IDentity Online
+*[fork]: Um novo projeto de software criado copiando um projeto existente e desenvolvendo ele independentemente
+*[GDPR]: Regulamento Geral de Proteção de Dados
+*[GPG]: GNU Privacy Guard (implementação PGP)
+*[GPS]: Sistema de Posicionamento Global
+*[GUI]: Interface Gráfica do Usuário
+*[GnuPG]: GNU Privacy Guard (implementação PGP)
+*[HDD]: Disco Rígido
+*[HOTP]: HMAC (Código de Autenticação de Mensagem Baseado em Hash) baseado em Senha Única
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Software de computador, firmware ou hardware que divide os recursos de uma CPU entre vários sistemas operacionais
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Protocolo de Acesso a Mensagens da Internet
+*[IMEI]: Identificação Internacional de Equipamento Móvel
+*[IMSI]: Identidade Internacional do Assinante de Celular
+*[IP]: Protocolo de Internet
+*[IPv4]: Protocolo de Internet versão 4
+*[IPv6]: Protocolo de Internet versão 6
+*[ISP]: Provedor de Internet
+*[ISPs]: Provedores de Internet
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Criptografia total de disco)
+*[MAC]: Controle de Acesso ao Meio
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Autenticação de Múltiplos Fatores
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Protocolo de Status de Certificado Online
+*[OEM]: Fabricante do Equipamento Original
+*[OEMs]: Fabricantes de Equipamentos Originais
+*[OS]: Sistema Operacional
+*[OTP]: Senha de uso único
+*[OTPs]: Senhas de uso único
+*[OpenPGP]: Implementação de código aberto do Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (veja OpenPGP)
+*[PII]: Informações Pessoalmente Identificáveis
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.pt.txt b/includes/abbreviations.pt.txt
new file mode 100644
index 00000000..48a0974d
--- /dev/null
+++ b/includes/abbreviations.pt.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Advanced Technology Attachment
+*[attack surface]: The total number of possible entry points for unauthorized access to a system
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Multi-Factor Authentication
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.ru.txt b/includes/abbreviations.ru.txt
new file mode 100644
index 00000000..b50d1d1c
--- /dev/null
+++ b/includes/abbreviations.ru.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Advanced Technology Attachment
+*[площадь атаки]: Общее количество возможных точек входа для несанкционированного доступа к системе
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values, формат таблиц
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: Сквозное шифрование
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[форк]: Новое программное обеспечение, созданное путем модификации открытого кода существующего проекта
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Multi-Factor Authentication
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[ПД]: Персональные данные
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.sv.txt b/includes/abbreviations.sv.txt
new file mode 100644
index 00000000..163d24f7
--- /dev/null
+++ b/includes/abbreviations.sv.txt
@@ -0,0 +1,95 @@
+*[2FA]: Tvåfaktorsautentisering
+*[ADB]: Felsökning av Android
+*[AOSP]: Android Open Source-projekt
+*[ATA]: Avancerad teknikbilaga
+*[attackyta]: Det totala antalet möjliga ingångspunkter för obehörig åtkomst till ett system
+*[AVB]: Android verifierad uppstart
+*[cgroups]: Kontrollgrupper
+*[CLI]: Kommandoradsgränssnitt
+*[CSV]: Kommaseparerade värden
+*[CVE]: Vanliga sårbarheter och exponeringar
+*[Digitalt Arv]: Digitalt arv avser funktioner som gör att du kan ge andra personer tillgång till dina uppgifter när du dör
+*[DNSSEC]: Säkerhetstillägg för domännamnssystem
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Multi-Factor Authentication
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.tr.txt b/includes/abbreviations.tr.txt
new file mode 100644
index 00000000..48a0974d
--- /dev/null
+++ b/includes/abbreviations.tr.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Advanced Technology Attachment
+*[attack surface]: The total number of possible entry points for unauthorized access to a system
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Multi-Factor Authentication
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.uk.txt b/includes/abbreviations.uk.txt
new file mode 100644
index 00000000..48a0974d
--- /dev/null
+++ b/includes/abbreviations.uk.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Advanced Technology Attachment
+*[attack surface]: The total number of possible entry points for unauthorized access to a system
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Multi-Factor Authentication
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.vi.txt b/includes/abbreviations.vi.txt
new file mode 100644
index 00000000..48a0974d
--- /dev/null
+++ b/includes/abbreviations.vi.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Advanced Technology Attachment
+*[attack surface]: The total number of possible entry points for unauthorized access to a system
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: Multi-Factor Authentication
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: Single sign-on
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.zh-Hant.txt b/includes/abbreviations.zh-Hant.txt
new file mode 100644
index 00000000..02d65c8a
--- /dev/null
+++ b/includes/abbreviations.zh-Hant.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Advanced Technology Attachment
+*[attack surface]: The total number of possible entry points for unauthorized access to a system
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: 多重身分驗證
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: 單一登入(Single Sign-On)
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/includes/abbreviations.zh.txt b/includes/abbreviations.zh.txt
new file mode 100644
index 00000000..5bdab89b
--- /dev/null
+++ b/includes/abbreviations.zh.txt
@@ -0,0 +1,95 @@
+*[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
+*[AOSP]: Android Open Source Project
+*[ATA]: Advanced Technology Attachment
+*[attack surface]: The total number of possible entry points for unauthorized access to a system
+*[AVB]: Android Verified Boot
+*[cgroups]: Control Groups
+*[CLI]: Command Line Interface
+*[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
+*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die
+*[DNSSEC]: Domain Name System Security Extensions
+*[DNS]: Domain Name System
+*[DoH]: DNS over HTTPS
+*[DoQ]: DNS over QUIC
+*[DoH3]: DNS over HTTP/3
+*[DoT]: DNS over TLS
+*[E2EE]: End-to-End Encryption/Encrypted
+*[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
+*[entropy]: A measurement of how unpredictable something is
+*[EOL]: End-of-Life
+*[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
+*[FDE]: Full Disk Encryption
+*[FIDO]: Fast IDentity Online
+*[fork]: A new software project created by copying an existing project and adding to it independently
+*[GDPR]: General Data Protection Regulation
+*[GPG]: GNU Privacy Guard (PGP implementation)
+*[GPS]: Global Positioning System
+*[GUI]: Graphical User Interface
+*[GnuPG]: GNU Privacy Guard (PGP implementation)
+*[HDD]: Hard Disk Drive
+*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password
+*[HTTPS]: Hypertext Transfer Protocol Secure
+*[HTTP]: Hypertext Transfer Protocol
+*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems
+*[ICCID]: Integrated Circuit Card Identifier
+*[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
+*[IP]: Internet Protocol
+*[IPv4]: Internet Protocol version 4
+*[IPv6]: Internet Protocol version 6
+*[ISP]: Internet Service Provider
+*[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
+*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
+*[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
+*[MEID]: Mobile Equipment Identifier
+*[MFA]: 多因认证
+*[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
+*[OCI]: Open Container Initiative
+*[OCSP]: Online Certificate Status Protocol
+*[OEM]: Original Equipment Manufacturer
+*[OEMs]: Original Equipment Manufacturers
+*[OS]: Operating System
+*[OTP]: One-Time Password
+*[OTPs]: One-Time Passwords
+*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
+*[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
+*[POP3]: Post Office Protocol 3
+*[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
+*[QNAME]: Qualified Name
+*[rolling release]: Updates which are released frequently rather than set intervals
+*[RSS]: Really Simple Syndication
+*[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
+*[SMS]: Short Message Service (standard text messaging)
+*[SMTP]: Simple Mail Transfer Protocol
+*[SNI]: Server Name Indication
+*[SSD]: Solid-State Drive
+*[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
+*[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
+*[SSO]: 单点登录
+*[TCP]: Transmission Control Protocol
+*[TEE]: Trusted Execution Environment
+*[TLS]: Transport Layer Security
+*[ToS]: Terms of Service
+*[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
+*[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
+*[UDP]: User Datagram Protocol
+*[VPN]: Virtual Private Network
+*[VoIP]: Voice over IP (Internet Protocol)
+*[W3C]: World Wide Web Consortium
+*[XMPP]: Extensible Messaging and Presence Protocol
+*[PWA]: Progressive Web App
diff --git a/mkdocs.common.yml b/mkdocs.common.yml
deleted file mode 100644
index 0458aea3..00000000
--- a/mkdocs.common.yml
+++ /dev/null
@@ -1,127 +0,0 @@
-site_name: Privacy Guides
-site_description: |
- Privacy Guides is your central privacy and security resource to protect yourself online.
-copyright: |
- Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
- We do not make money from recommending certain products, and we do not use affiliate links.
- © 2022 Privacy Guides and contributors. Content licensed under CC BY-ND 4.0. - -extra: - social: - - icon: simple/mastodon - link: https://mastodon.neat.computer/@privacyguides - name: Mastodon - - icon: simple/matrix - link: https://matrix.to/#/#privacyguides:matrix.org - name: Matrix - - icon: simple/discourse - link: https://discuss.privacyguides.net/ - name: Forum - - icon: simple/github - link: https://github.com/privacyguides - name: GitHub - alternate: - - name: English - link: /en/ - lang: en - - name: Français - link: /fr/ - lang: fr - - name: עִברִית - link: /he/ - lang: he - - name: Nederlands - link: /nl/ - lang: nl - -repo_url: https://github.com/privacyguides/privacyguides.org -repo_name: "" - -theme: - name: material - custom_dir: theme - logo: assets/img/brand/SVG/Logo/privacy-guides-logo-notext-colorbg.svg - favicon: assets/img/brand/PNG/Favicon/favicon-32x32.png - icon: - repo: simple/github - font: false - features: - - navigation.tracking - - navigation.tabs - - navigation.sections - - navigation.expand - - content.tooltips - - search.highlight - -extra_css: - - assets/stylesheets/extra.css?v=3.2.0 -extra_javascript: - - assets/javascripts/mathjax.js - - assets/javascripts/feedback.js - -watch: - - theme - - includes - - mkdocs.common.yml - -plugins: - tags: {} - search: {} - macros: {} - meta: {} - git-committers: - enabled: !ENV [PRODUCTION, false] - repository: privacyguides/privacyguides.org - branch: main - git-revision-date-localized: - enabled: !ENV [PRODUCTION, false] - exclude: - - index.en.md - social: - cards: !ENV [PRODUCTION, false] - cards_color: - fill: "#FFD06F" - text: "#2d2d2d" - cards_dir: assets/img/social - cards_font: 'Public Sans' - privacy: - external_assets_exclude: - - cdn.jsdelivr.net/npm/mathjax@3/* - - api.privacyguides.net/* - -markdown_extensions: - admonition: {} - pymdownx.details: {} - pymdownx.superfences: - custom_fences: - - name: mermaid - class: mermaid - format: 
!!python/name:pymdownx.superfences.fence_code_format - pymdownx.tabbed: - alternate_style: true - pymdownx.arithmatex: - generic: true - pymdownx.critic: {} - pymdownx.caret: {} - pymdownx.keys: {} - pymdownx.mark: {} - pymdownx.tilde: {} - pymdownx.snippets: {} - pymdownx.tasklist: - custom_checkbox: true - attr_list: {} - def_list: {} - md_in_html: {} - meta: {} - abbr: {} - pymdownx.emoji: - emoji_index: !!python/name:materialx.emoji.twemoji - emoji_generator: !!python/name:materialx.emoji.to_svg - options: - custom_icons: - - theme/.icons - tables: {} - footnotes: {} - toc: - permalink: true - toc_depth: 4 diff --git a/theme/overrides/home.ar.html b/theme/overrides/home.ar.html new file mode 100644 index 00000000..bf86298b --- /dev/null +++ b/theme/overrides/home.ar.html @@ -0,0 +1,25 @@ +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

The guide to restoring your online privacy.

+

Massive organizations are monitoring your online activities. Privacy Guides is your central privacy and security resource to protect yourself online.

+ + Start Your Privacy Journey + + + Recommended Tools + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.bn.html b/theme/overrides/home.bn.html index 470892dc..21a3cd39 100644 --- a/theme/overrides/home.bn.html +++ b/theme/overrides/home.bn.html @@ -1,10 +1,10 @@ -{% extends "base.html" %} +{% extends "main.html" %} {% block extrahead %} - - + + {{ super() }} {% endblock %} {% block tabs %} -{{ super() }} + {{ super() }}
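Review bot: home.ar.html is committed as a verbatim copy of the English hero template (the same blob bf86298b is added as home.el.html, home.eo.html, home.hi.html, home.pt.html and home.sv.html), with the English strings `The guide to restoring your online privacy.` and `Start Your Privacy Journey` left untranslated. Six identical overrides mean every later wording or markup fix to the English hero has to be replicated by hand, and one copy will eventually drift. If the theme's override lookup allows it, these languages could omit the file and fall back to the English template until a translation exists, or the shared hero markup could live in one include that each `home.*.html` extends. Arabic is also a right-to-left script, so when the translation lands the hero container should be checked for a `dir="rtl"` attribute; the element markup is not visible in this rendering, so this is inferred.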
diff --git a/theme/overrides/home.de.html b/theme/overrides/home.de.html new file mode 100644 index 00000000..5712bf27 --- /dev/null +++ b/theme/overrides/home.de.html @@ -0,0 +1,25 @@ +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

Der Leitfaden zur Wiederherstellung Ihrer Online-Privatsphäre.

+

Riesige Unternehmen überwachen Ihre Online-Aktivitäten. Privacy Guides ist deine zentrale Informationsquelle für Datenschutz und Sicherheit, um dich online zu schützen.

+ + Beginne Deine Reise zur Privatsphäre + + + Empfohlene Tools + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.el.html b/theme/overrides/home.el.html new file mode 100644 index 00000000..bf86298b --- /dev/null +++ b/theme/overrides/home.el.html @@ -0,0 +1,25 @@ +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

The guide to restoring your online privacy.

+

Massive organizations are monitoring your online activities. Privacy Guides is your central privacy and security resource to protect yourself online.

+ + Start Your Privacy Journey + + + Recommended Tools + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.eo.html b/theme/overrides/home.eo.html new file mode 100644 index 00000000..bf86298b --- /dev/null +++ b/theme/overrides/home.eo.html @@ -0,0 +1,25 @@ +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

The guide to restoring your online privacy.

+

Massive organizations are monitoring your online activities. Privacy Guides is your central privacy and security resource to protect yourself online.

+ + Start Your Privacy Journey + + + Recommended Tools + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.es.html b/theme/overrides/home.es.html index fcda677e..653ee850 100644 --- a/theme/overrides/home.es.html +++ b/theme/overrides/home.es.html @@ -1,7 +1,7 @@ -{% extends "base.html" %} +{% extends "main.html" %} {% block extrahead %} - - + + {{ super() }} {% endblock %} {% block tabs %} {{ super() }} @@ -10,7 +10,7 @@
-

La guía para restaurar tu privacidad en línea.

+

La guía para recuperar tu privacidad en línea.

Las grandes organizaciones están monitoreando tus actividades en línea. Privacy Guides es tu recurso central de privacidad y seguridad para protegerte en línea.

Inicia tu viaje a la privacidad diff --git a/theme/overrides/home.fa.html b/theme/overrides/home.fa.html new file mode 100644 index 00000000..521592d4 --- /dev/null +++ b/theme/overrides/home.fa.html @@ -0,0 +1,25 @@ +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+ +
+{% endblock %} diff --git a/theme/overrides/home.fr.html b/theme/overrides/home.fr.html index 03d425fb..f7072096 100644 --- a/theme/overrides/home.fr.html +++ b/theme/overrides/home.fr.html @@ -1,7 +1,7 @@ -{% extends "base.html" %} +{% extends "main.html" %} {% block extrahead %} - - + + {{ super() }} {% endblock %} {% block tabs %} {{ super() }} @@ -11,11 +11,11 @@

Le guide pour restaurer votre vie privée en ligne.

-

Des organisations massives surveillent vos activités en ligne. Privacy Guides est votre ressource centrale en matière de confidentialité et de sécurité pour vous protéger en ligne.

- - Commencez le parcours pour la protection de votre vie privée +

Des organisations massives surveillent vos activités en ligne. Privacy Guides est votre ressource centrale en matière de vie privée et de sécurité pour vous protéger en ligne.

+
+ Commencez votre voyage vers la vie privée - + Outils recommandés
diff --git a/theme/overrides/home.he.html b/theme/overrides/home.he.html index 8bf3c14e..0c9f5ea6 100644 --- a/theme/overrides/home.he.html +++ b/theme/overrides/home.he.html @@ -1,6 +1,6 @@ {% extends "main.html" %} {% block extrahead %} - + {{ super() }} {% endblock %} {% block tabs %} diff --git a/theme/overrides/home.hi.html b/theme/overrides/home.hi.html new file mode 100644 index 00000000..bf86298b --- /dev/null +++ b/theme/overrides/home.hi.html @@ -0,0 +1,25 @@ +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

The guide to restoring your online privacy.

+

Massive organizations are monitoring your online activities. Privacy Guides is your central privacy and security resource to protect yourself online.

+ + Start Your Privacy Journey + + + Recommended Tools + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.hu.html b/theme/overrides/home.hu.html index 23070cfd..3ea08019 100644 --- a/theme/overrides/home.hu.html +++ b/theme/overrides/home.hu.html @@ -1,6 +1,6 @@ {% extends "main.html" %} {% block extrahead %} - + {{ super() }} {% endblock %} {% block tabs %} diff --git a/theme/overrides/home.id.html b/theme/overrides/home.id.html index 1a684db2..0d871b82 100644 --- a/theme/overrides/home.id.html +++ b/theme/overrides/home.id.html @@ -1,6 +1,6 @@ {% extends "main.html" %} {% block extrahead %} - + {{ super() }} {% endblock %} {% block tabs %} diff --git a/theme/overrides/home.it.html b/theme/overrides/home.it.html index 111306bf..d48f3b98 100644 --- a/theme/overrides/home.it.html +++ b/theme/overrides/home.it.html @@ -1,7 +1,7 @@ -{% extends "base.html" %} +{% extends "main.html" %} {% block extrahead %} - - + + {{ super() }} {% endblock %} {% block tabs %} {{ super() }} diff --git a/theme/overrides/home.nl.html b/theme/overrides/home.nl.html index e6d8ff44..9d03ecb3 100644 --- a/theme/overrides/home.nl.html +++ b/theme/overrides/home.nl.html @@ -1,7 +1,7 @@ -{% extends "base.html" %} +{% extends "main.html" %} {% block extrahead %} - - + + {{ super() }} {% endblock %} {% block tabs %} {{ super() }} diff --git a/theme/overrides/home.pl.html b/theme/overrides/home.pl.html index 4867bc6f..7e838f94 100644 --- a/theme/overrides/home.pl.html +++ b/theme/overrides/home.pl.html @@ -1,7 +1,7 @@ -{% extends "base.html" %} +{% extends "main.html" %} {% block extrahead %} - - + + {{ super() }} {% endblock %} {% block tabs %} {{ super() }} diff --git a/theme/overrides/home.pt-BR.html b/theme/overrides/home.pt-BR.html index c9a36ebf..d04d8932 100644 --- a/theme/overrides/home.pt-BR.html +++ b/theme/overrides/home.pt-BR.html @@ -1,6 +1,6 @@ {% extends "main.html" %} {% block extrahead %} - + {{ super() }} {% endblock %} {% block tabs %} 
diff --git a/theme/overrides/home.pt.html b/theme/overrides/home.pt.html new file mode 100644 index 00000000..bf86298b --- /dev/null +++ b/theme/overrides/home.pt.html @@ -0,0 +1,25 @@ +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

The guide to restoring your online privacy.

+

Massive organizations are monitoring your online activities. Privacy Guides is your central privacy and security resource to protect yourself online.

+ + Start Your Privacy Journey + + + Recommended Tools + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.ru.html b/theme/overrides/home.ru.html index e1065153..5987d091 100644 --- a/theme/overrides/home.ru.html +++ b/theme/overrides/home.ru.html @@ -1,7 +1,7 @@ -{% extends "base.html" %} +{% extends "main.html" %} {% block extrahead %} - - + + {{ super() }} {% endblock %} {% block tabs %} {{ super() }} @@ -12,7 +12,7 @@

Руководство по возвращению вашей приватности в интернете.

Огромные организации следят за вашей деятельностью в Интернете. Privacy Guides - это ваш главный ресурс по конфиденциальности и безопасности для защиты себя в Интернете.

- + Начните свой путь к приватности diff --git a/theme/overrides/home.sv.html b/theme/overrides/home.sv.html new file mode 100644 index 00000000..bf86298b --- /dev/null +++ b/theme/overrides/home.sv.html @@ -0,0 +1,25 @@ +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+ +
+{% endblock %} diff --git a/theme/overrides/home.tr.html b/theme/overrides/home.tr.html index 0a0d5661..67eaf974 100644 --- a/theme/overrides/home.tr.html +++ b/theme/overrides/home.tr.html @@ -1,7 +1,7 @@ -{% extends "base.html" %} +{% extends "main.html" %} {% block extrahead %} - - + + {{ super() }} {% endblock %} {% block tabs %} {{ super() }} @@ -15,7 +15,7 @@ Gizlilik Yolculuğunuza Başlayın - + Tavsiye Edilen Araçlar
diff --git a/theme/overrides/home.uk.html b/theme/overrides/home.uk.html new file mode 100644 index 00000000..85ed214e --- /dev/null +++ b/theme/overrides/home.uk.html @@ -0,0 +1,25 @@ +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

Керівництво з відновлення вашої приватності в мережі.

+

Великі організації стежать за вашою діяльністю в Інтернеті. Privacy Guides - ваш головний ресурс для захисту конфіденційності та безпеки в Інтернеті.

+ + Start Your Privacy Journey + + + Рекомендовані інструменти + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.vi.html b/theme/overrides/home.vi.html new file mode 100644 index 00000000..9fdb1d64 --- /dev/null +++ b/theme/overrides/home.vi.html @@ -0,0 +1,25 @@ +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
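Review bot: The primary call-to-action in home.uk.html is still the English `Start Your Privacy Journey` while the headline, the tagline and the second button (`Рекомендовані інструменти`) are already Ukrainian; home.vi.html ships in the same mixed state. A first-time visitor sees one English button in an otherwise localized hero, which reads as a broken page rather than a deliberate choice. The label should be supplied by the translators along with the other strings, or, if the button text is meant to come from a shared translation source outside this diff, that should be stated in a template comment so the hard-coded English is not mistaken for the final copy.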
+
+
+
+

Hướng dẫn khôi phục quyền riêng tư trực tuyến của bạn.

+

Các tổ chức đông đảo đang theo dõi các hoạt động trực tuyến của bạn. Privacy Guides là tài nguyên bảo mật và quyền riêng tư trung tâm của bạn để bảo vệ bạn khi trực tuyến.

+ + Start Your Privacy Journey + + + Các công cụ được đề xuất + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.zh-Hant.html b/theme/overrides/home.zh-Hant.html new file mode 100644 index 00000000..58b5dca1 --- /dev/null +++ b/theme/overrides/home.zh-Hant.html @@ -0,0 +1,25 @@ +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

把網路隱私歸還於你的線上指南。

+

各種組織和團體正在監視您的線上活動。 Privacy Guides 是您不可或缺的網路隱私安全自衞手冊。

+ + 按此開始您的私隱學習旅程 + + + 推薦工具 + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.zh.html b/theme/overrides/home.zh.html new file mode 100644 index 00000000..b357a998 --- /dev/null +++ b/theme/overrides/home.zh.html @@ -0,0 +1,25 @@ +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

保护你的在线隐私

+

大规模组织正在监控你的在线活动。 Privacy Guides是您保护自己在线隐私的实用资源。

+ + 开始你的隐私之旅 + + + 推荐工具 + +
+
+
+
+{% endblock %}